Import from old repository

This commit is contained in:
Stefan
2020-04-06 18:48:34 +02:00
commit 0da6783a45
762 changed files with 103065 additions and 0 deletions
+86
@@ -0,0 +1,86 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains an import statement for each formatter."""
from plaso.formatters import android_app_usage
from plaso.formatters import android_calls
from plaso.formatters import android_sms
from plaso.formatters import appcompatcache
from plaso.formatters import appusage
from plaso.formatters import asl
from plaso.formatters import bencode_parser
from plaso.formatters import bsm
from plaso.formatters import chrome
from plaso.formatters import chrome_cache
from plaso.formatters import chrome_cookies
from plaso.formatters import chrome_extension_activity
from plaso.formatters import cups_ipp
from plaso.formatters import filestat
from plaso.formatters import firefox
from plaso.formatters import firefox_cache
from plaso.formatters import firefox_cookies
from plaso.formatters import ganalytics
from plaso.formatters import gdrive
from plaso.formatters import hachoir
from plaso.formatters import iis
from plaso.formatters import ipod
from plaso.formatters import java_idx
from plaso.formatters import ls_quarantine
from plaso.formatters import mac_appfirewall
from plaso.formatters import mac_document_versions
from plaso.formatters import mac_keychain
from plaso.formatters import mac_securityd
from plaso.formatters import mac_wifi
from plaso.formatters import mackeeper_cache
from plaso.formatters import mactime
from plaso.formatters import mcafeeav
from plaso.formatters import msie_webcache
from plaso.formatters import msiecf
from plaso.formatters import olecf
from plaso.formatters import opera
from plaso.formatters import oxml
from plaso.formatters import pcap
from plaso.formatters import plist
from plaso.formatters import popcontest
from plaso.formatters import pls_recall
from plaso.formatters import recycler
from plaso.formatters import rubanetra
from plaso.formatters import safari
from plaso.formatters import selinux
from plaso.formatters import shell_items
from plaso.formatters import skydrivelog
from plaso.formatters import skydrivelogerr
from plaso.formatters import skype
from plaso.formatters import symantec
from plaso.formatters import syslog
from plaso.formatters import task_scheduler
from plaso.formatters import text
from plaso.formatters import utmp
from plaso.formatters import utmpx
from plaso.formatters import windows
from plaso.formatters import winevt
from plaso.formatters import winevtx
from plaso.formatters import winfirewall
from plaso.formatters import winjob
from plaso.formatters import winlnk
from plaso.formatters import winprefetch
from plaso.formatters import winreg
from plaso.formatters import winregservice
from plaso.formatters import xchatlog
from plaso.formatters import xchatscrollback
from plaso.formatters import zeitgeist
+33
@@ -0,0 +1,33 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for Android Application Usage."""
from plaso.formatters import interface
class AndroidApplicationFormatter(interface.ConditionalEventFormatter):
"""Formatter for an Application Last Resumed event."""
DATA_TYPE = 'android:event:last_resume_time'
FORMAT_STRING_PIECES = [
u'Package: {package}',
u'Component: {component}']
SOURCE_LONG = 'Android App Usage'
SOURCE_SHORT = 'LOG'
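Review bot: AndroidApplicationFormatter defines no FORMAT_STRING_SHORT_PIECES, unlike the other ConditionalEventFormatter subclasses in this commit, so the short message is whatever the base class does by default — I cannot see interface.ConditionalEventFormatter from here. A one-line `FORMAT_STRING_SHORT_PIECES = [u'{package}']` would make the short column useful and consistent with the siblings. The class docstring could also name the artifact the event is parsed from, the way the android_calls and android_sms docstrings name contacts2.db and mmssms.db.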
+37
@@ -0,0 +1,37 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for Android contacts2.db database events."""
from plaso.formatters import interface
class AndroidCallFormatter(interface.ConditionalEventFormatter):
"""Formatter for Android call history events."""
DATA_TYPE = 'android:event:call'
FORMAT_STRING_PIECES = [
u'{call_type}',
u'Number: {number}',
u'Name: {name}',
u'Duration: {duration} seconds']
FORMAT_STRING_SHORT_PIECES = [u'{call_type} Call']
SOURCE_LONG = 'Android Call History'
SOURCE_SHORT = 'LOG'
+37
@@ -0,0 +1,37 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for Android mmssms.db database events."""
from plaso.formatters import interface
class AndroidSmsFormatter(interface.ConditionalEventFormatter):
"""Formatter for Android sms events."""
DATA_TYPE = 'android:messaging:sms'
FORMAT_STRING_PIECES = [
u'Type: {sms_type}',
u'Address: {address}',
u'Status: {sms_read}',
u'Message: {body}']
FORMAT_STRING_SHORT_PIECES = [u'{body}']
SOURCE_LONG = 'Android SMS messages'
SOURCE_SHORT = 'SMS'
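Review bot: FORMAT_STRING_SHORT_PIECES is `[u'{body}']`, i.e. the entire message body, so the "short" message is unbounded and carries free text written by whoever sent the SMS (newlines, control and escape sequences included) straight into whatever line-oriented or CSV output the formatter feeds; the long form has the same exposure through `Message: {body}`. The formatter cannot know how the output layer escapes, so at minimum add a class comment that `body` is untrusted content and that escaping/truncation must happen downstream, and verify that it does. A labelled short form such as `u'Message: {body}'` keeps the field identifiable when it is truncated. The class docstring "Formatter for Android sms events" could also say the source is mmssms.db, as the module docstring does.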
+36
@@ -0,0 +1,36 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the AppCompatCache entries inside the Windows Registry."""
from plaso.formatters import interface
class AppCompatCacheFormatter(interface.ConditionalEventFormatter):
"""Formatter for an AppCompatCache Windows Registry entry."""
DATA_TYPE = 'windows:registry:appcompatcache'
FORMAT_STRING_PIECES = [
u'[{keyname}]',
u'Cached entry: {entry_index}',
u'Path: {path}']
FORMAT_STRING_SHORT_PIECES = [u'Path: {path}']
SOURCE_LONG = 'AppCompatCache Registry Entry'
SOURCE_SHORT = 'REG'
+33
@@ -0,0 +1,33 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a formatter for the Mac OS X application usage."""
from plaso.formatters import interface
class ApplicationUsageFormatter(interface.EventFormatter):
"""Define the formatting for Application Usage information."""
DATA_TYPE = 'macosx:application_usage'
FORMAT_STRING = (u'{application} v.{app_version} (bundle: {bundle_id}).'
' Launched: {count} time(s)')
FORMAT_STRING_SHORT = u'{application} ({count} time(s))'
SOURCE_LONG = 'Application Usage'
SOURCE_SHORT = 'LOG'
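Review bot: The second literal of FORMAT_STRING, `' Launched: {count} time(s)'`, lacks the `u` prefix that the first literal and every other format string in this commit carry; adjacent-literal concatenation with a unicode literal still yields unicode under Python 2, so this is a consistency issue rather than a bug, but it is easy to break when the line is later edited. Change it to `u' Launched: {count} time(s)'`. This class derives from the plain EventFormatter rather than ConditionalEventFormatter, so presumably every placeholder must be present on the event for formatting to succeed; if that is the intent, a sentence in the class docstring would save the next maintainer from converting it by reflex.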
+47
@@ -0,0 +1,47 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the Apple System Log binary files."""
from plaso.formatters import interface
class AslFormatter(interface.ConditionalEventFormatter):
"""Formatter for an ASL log entry."""
DATA_TYPE = 'mac:asl:event'
FORMAT_STRING_PIECES = [
u'MessageID: {message_id}',
u'Level: {level}',
u'User ID: {user_sid}',
u'Group ID: {group_id}',
u'Read User: {read_uid}',
u'Read Group: {read_gid}',
u'Host: {computer_name}',
u'Sender: {sender}',
u'Facility: {facility}',
u'Message: {message}',
u'{extra_information}']
FORMAT_STRING_SHORT_PIECES = [
u'Host: {host}',
u'Sender: {sender}',
u'Facility: {facility}']
SOURCE_LONG = 'ASL entry'
SOURCE_SHORT = 'LOG'
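Review bot: The long and short formats disagree on the host attribute: FORMAT_STRING_PIECES uses `u'Host: {computer_name}'` while FORMAT_STRING_SHORT_PIECES uses `u'Host: {host}'`. Unless the ASL event object carries both attributes, one of the two lines is either dropped by the conditional formatter or never rendered with a value — the parser is not in this commit, so I cannot tell which name it sets. Use the attribute the parser actually populates in both lists, e.g. `u'Host: {computer_name}'` in the short pieces as well. The `User ID: {user_sid}` label also reads oddly for an ASL uid; if the attribute name is fixed by the parser, a short comment saying so would stop someone "fixing" it.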
+49
@@ -0,0 +1,49 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for bencode parser events."""
from plaso.formatters import interface
class uTorrentFormatter(interface.ConditionalEventFormatter):
"""Formatter for a BitTorrent uTorrent active torrents."""
DATA_TYPE = 'p2p:bittorrent:utorrent'
SOURCE_LONG = 'uTorrent Active Torrents'
SOURCE_SHORT = 'TORRENT'
FORMAT_STRING_SEPARATOR = u'; '
FORMAT_STRING_PIECES = [u'Torrent {caption}',
u'Saved to {path}',
u'Minutes seeded: {seedtime}']
class TransmissionFormatter(interface.ConditionalEventFormatter):
"""Formatter for a Transmission active torrents."""
DATA_TYPE = 'p2p:bittorrent:transmission'
SOURCE_LONG = 'Transmission Active Torrents'
SOURCE_SHORT = 'TORRENT'
FORMAT_STRING_SEPARATOR = u'; '
FORMAT_STRING_PIECES = [u'Saved to {destination}',
u'Minutes seeded: {seedtime}']
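Review bot: `uTorrentFormatter` breaks the PascalCase convention every other formatter class in this commit follows (`TransmissionFormatter`, `AslFormatter`, ...). Formatters appear to be selected by DATA_TYPE rather than imported by name, but the registration code is outside this commit; if nothing imports the class, renaming it to `UTorrentFormatter` is a safe one-line change, otherwise the importer must be updated with it. Neither class defines FORMAT_STRING_SHORT_PIECES, so the short message falls back to the base-class default; `[u'Torrent {caption}']` and `[u'Saved to {destination}']` would be reasonable short forms consistent with the rest of the commit.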
+54
@@ -0,0 +1,54 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for Basic Security Module binary files."""
from plaso.formatters import interface
class MacBSMFormatter(interface.ConditionalEventFormatter):
"""Formatter for an BSM log entry."""
DATA_TYPE = 'mac:bsm:event'
FORMAT_STRING_PIECES = [
u'Type: {event_type}',
u'Return: {return_value}',
u'Information: {extra_tokens}']
FORMAT_STRING_SHORT_PIECES = [
u'Type: {event_type}',
u'Return: {return_value}']
SOURCE_LONG = 'BSM entry'
SOURCE_SHORT = 'LOG'
class BSMFormatter(interface.ConditionalEventFormatter):
"""Formatter for an BSM log entry."""
DATA_TYPE = 'bsm:event'
FORMAT_STRING_PIECES = [
u'Type: {event_type}',
u'Information: {extra_tokens}']
FORMAT_STRING_SHORT_PIECES = [
u'Type: {event_type}']
SOURCE_LONG = 'BSM entry'
SOURCE_SHORT = 'LOG'
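Review bot: MacBSMFormatter and BSMFormatter carry the identical docstring "Formatter for an BSM log entry." and identical SOURCE_LONG/SOURCE_SHORT values, so neither the code nor the rendered output explains why `mac:bsm:event` has a `{return_value}` piece and `bsm:event` does not, and an analyst cannot tell the two event types apart from the source column. Each class docstring should state which producer emits its data type — presumably an OS difference, but the commit does not say — e.g. `"""Formatter for a BSM log entry that carries a return-value token (mac:bsm:event)."""`. Fix the article at the same time: "an BSM" should be "a BSM".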
+61
@@ -0,0 +1,61 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a formatter for the Google Chrome history."""
from plaso.formatters import interface
class ChromePageVisitedFormatter(interface.ConditionalEventFormatter):
"""The event formatter for page visited data in Chrome History."""
DATA_TYPE = 'chrome:history:page_visited'
FORMAT_STRING_PIECES = [
u'{url}',
u'({title})',
u'[count: {typed_count}]',
u'Host: {host}',
u'Visit from: {from_visit}',
u'Visit Source: [{visit_source}]',
u'{extra}']
FORMAT_STRING_SHORT_PIECES = [
u'{url}',
u'({title})']
SOURCE_LONG = 'Chrome History'
SOURCE_SHORT = 'WEBHIST'
class ChromeFileDownloadFormatter(interface.ConditionalEventFormatter):
"""The event formatter for file downloaded data in Chrome History."""
DATA_TYPE = 'chrome:history:file_downloaded'
FORMAT_STRING_PIECES = [
u'{url}',
u'({full_path}).',
u'Received: {received_bytes} bytes',
u'out of: {total_bytes} bytes.']
FORMAT_STRING_SHORT_PIECES = [
u'{full_path} downloaded',
u'({received_bytes} bytes)']
SOURCE_LONG = 'Chrome History'
SOURCE_SHORT = 'WEBHIST'
+32
@@ -0,0 +1,32 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for Chrome Cache files based-events."""
from plaso.formatters import interface
class ChromeCacheEntryEventFormatter(interface.ConditionalEventFormatter):
"""Class contains the Chrome Cache Entry event formatter."""
DATA_TYPE = 'chrome:cache:entry'
FORMAT_STRING_PIECES = [
u'Original URL: {original_url}']
SOURCE_LONG = 'Chrome Cache'
SOURCE_SHORT = 'WEBHIST'
+40
@@ -0,0 +1,40 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a formatter for the Google Chrome cookie."""
from plaso.formatters import interface
class ChromeCookieFormatter(interface.ConditionalEventFormatter):
"""The event formatter for cookie data in Chrome Cookies database."""
DATA_TYPE = 'chrome:cookie:entry'
FORMAT_STRING_PIECES = [
u'{url}',
u'({cookie_name})',
u'Flags:',
u'[HTTP only] = {httponly}',
u'[Persistent] = {persistent}']
FORMAT_STRING_SHORT_PIECES = [
u'{host}',
u'({cookie_name})']
SOURCE_LONG = 'Chrome Cookies'
SOURCE_SHORT = 'WEBHIST'
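Review bot: The cookie flags rendered are HTTP only and Persistent, but not Secure, which for a forensic timeline is the flag that most often matters (a cookie that may have travelled over plain HTTP). If the Chrome cookies parser exposes the secure column as an event attribute — the parser is not in this commit — adding `u'[Secure] = {secure}'` to FORMAT_STRING_PIECES is a one-line change. Note also that `u'Flags:'` is a piece with no placeholder; whether ConditionalEventFormatter always emits such literal pieces or only when neighbouring attributes exist decides whether "Flags:" can appear with nothing after it, and that behaviour deserves a comment once confirmed.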
@@ -0,0 +1,47 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the Google extension activity database events."""
from plaso.formatters import interface
class ChromeExtensionActivityEventFormatter(
interface.ConditionalEventFormatter):
"""The event formatter for Chrome extension activity log entries."""
DATA_TYPE = 'chrome:extension_activity:activity_log'
FORMAT_STRING_PIECES = [
u'Chrome extension: {extension_id}',
u'Action type: {action_type}',
u'Activity identifier: {activity_id}',
u'Page URL: {page_url}',
u'Page title: {page_title}',
u'API name: {api_name}',
u'Args: {args}',
u'Other: {other}']
FORMAT_STRING_SHORT_PIECES = [
u'{extension_id}',
u'{api_name}',
u'{args}']
SOURCE_LONG = 'Chrome Extension Activity'
SOURCE_SHORT = 'WEBHIST'
# TODO: add action_type string representation.
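Review bot: `{args}` appears in FORMAT_STRING_SHORT_PIECES, yet the API arguments are whatever the extension passed to Chrome and can be arbitrarily long or contain newlines, so the "short" message is not bounded here; limiting the short form to `u'{extension_id}'` and `u'{api_name}'`, or documenting that the output layer truncates, would be safer. The trailing TODO about action_type can be resolved the way FirefoxPageVisitFormatter handles visit types: a class-level dict from the numeric action_type to its name, applied in an overridden GetMessages before delegating to super — but only with the values from Chrome's activity-log schema, which this commit does not include, so do not guess them.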
+42
@@ -0,0 +1,42 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for CUPS IPP file."""
from plaso.formatters import interface
class CupsIppFormatter(interface.ConditionalEventFormatter):
"""Formatter for CUPS IPP file."""
DATA_TYPE = 'cups:ipp:event'
FORMAT_STRING_PIECES = [
u'Status: {status}',
u'User: {user}',
u'Owner: {owner}',
u'Job Name: {job_name}',
u'Application: {application}',
u'Document type: {type_doc}',
u'Printer: {printer_id}']
FORMAT_STRING_SHORT_PIECES = [
u'Status: {status}',
u'Job Name: {job_name}']
SOURCE_LONG = 'CUPS IPP Log'
SOURCE_SHORT = 'LOG'
+66
@@ -0,0 +1,66 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a formatter for the Stat object of a PFile."""
from plaso.lib import errors
from plaso.formatters import interface
class PfileStatFormatter(interface.ConditionalEventFormatter):
"""Define the formatting for PFileStat."""
DATA_TYPE = 'fs:stat'
FORMAT_STRING_PIECES = [u'{display_name}',
u'({unallocated})']
FORMAT_STRING_SHORT_PIECES = [u'(unknown)']
SOURCE_SHORT = 'FILE'
def GetSources(self, event_object):
"""Return a list of source short and long messages."""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event_object.data_type))
self.source_string = u'{0:s} {1:s}'.format(
getattr(event_object, 'fs_type', u'Unknown FS'),
getattr(event_object, 'timestamp_desc', u'Time'))
return super(PfileStatFormatter, self).GetSources(event_object)
def GetMessages(self, event_object):
"""Returns a list of messages extracted from an event object.
Args:
event_object: The event object (EventObject) containing the event
specific data.
Returns:
A list that contains both the longer and shorter version of the message
string.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
if not getattr(event_object, 'allocated', True):
event_object.unallocated = u'unallocated'
return super(PfileStatFormatter, self).GetMessages(event_object)
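Review bot: GetSources keeps per-event state on the formatter object (`self.source_string = u'{0:s} {1:s}'.format(...)`); if one PfileStatFormatter instance serves many events — the class-level configuration style suggests it does, though the registry is outside this commit — the source string computed for one event can be observed by another, and any caller reading `source_string` before GetSources runs sees a stale value, which also makes the class unsafe to share across threads. If the base class reads `self.source_string`, a comment stating that GetSources must be called immediately before GetMessages for the same event is the minimum; otherwise compute the value into a local and keep it off the instance. The two WrongFormatter messages differ only by the `u` prefix (`'Unsupported data type: {0:s}.'` in GetSources versus `u'...'` in GetMessages); make both unicode. A one-line comment that `event_object.unallocated` is set only to feed the `({unallocated})` piece would explain the attribute's purpose.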
+136
@@ -0,0 +1,136 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a formatter for the Mozilla Firefox history."""
from plaso.lib import errors
from plaso.formatters import interface
class FirefoxBookmarkAnnotationFormatter(interface.ConditionalEventFormatter):
"""Formatter for a Firefox places.sqlite bookmark annotation."""
DATA_TYPE = 'firefox:places:bookmark_annotation'
FORMAT_STRING_PIECES = [
u'Bookmark Annotation: [{content}]',
u'to bookmark [{title}]',
u'({url})']
FORMAT_STRING_SHORT_PIECES = [u'Bookmark Annotation: {title}']
SOURCE_LONG = 'Firefox History'
SOURCE_SHORT = 'WEBHIST'
class FirefoxBookmarkFolderFormatter(interface.EventFormatter):
"""Formatter for a Firefox places.sqlite bookmark folder."""
DATA_TYPE = 'firefox:places:bookmark_folder'
FORMAT_STRING = u'{title}'
SOURCE_LONG = 'Firefox History'
SOURCE_SHORT = 'WEBHIST'
class FirefoxBookmarkFormatter(interface.ConditionalEventFormatter):
"""Formatter for a Firefox places.sqlite URL bookmark."""
DATA_TYPE = 'firefox:places:bookmark'
FORMAT_STRING_PIECES = [
u'Bookmark {type}',
u'{title}',
u'({url})',
u'[{places_title}]',
u'visit count {visit_count}']
FORMAT_STRING_SHORT_PIECES = [
u'Bookmarked {title}',
u'({url})']
SOURCE_LONG = 'Firefox History'
SOURCE_SHORT = 'WEBHIST'
class FirefoxPageVisitFormatter(interface.ConditionalEventFormatter):
"""Formatter for a Firefox places.sqlite page visited."""
DATA_TYPE = 'firefox:places:page_visited'
# Transitions defined in the source file:
# src/toolkit/components/places/nsINavHistoryService.idl
# Also contains further explanation into what each of these settings mean.
_URL_TRANSITIONS = {
1: 'LINK',
2: 'TYPED',
3: 'BOOKMARK',
4: 'EMBED',
5: 'REDIRECT_PERMANENT',
6: 'REDIRECT_TEMPORARY',
7: 'DOWNLOAD',
8: 'FRAMED_LINK',
}
_URL_TRANSITIONS.setdefault('UNKOWN')
# TODO: Make extra conditional formatting.
FORMAT_STRING_PIECES = [
u'{url}',
u'({title})',
u'[count: {visit_count}]',
u'Host: {host}',
u'{extra_string}']
FORMAT_STRING_SHORT_PIECES = [u'URL: {url}']
SOURCE_LONG = 'Firefox History'
SOURCE_SHORT = 'WEBHIST'
def GetMessages(self, event_object):
"""Return the message strings."""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
transition = self._URL_TRANSITIONS.get(
getattr(event_object, 'visit_type', 0), None)
if transition:
transition_str = u'Transition: {0!s}'.format(transition)
if hasattr(event_object, 'extra'):
if transition:
event_object.extra.append(transition_str)
event_object.extra_string = u' '.join(event_object.extra)
elif transition:
event_object.extra_string = transition_str
return super(FirefoxPageVisitFormatter, self).GetMessages(event_object)
class FirefoxDowloadFormatter(interface.EventFormatter):
"""Formatter for a Firefox downloads.sqlite download."""
DATA_TYPE = 'firefox:downloads:download'
FORMAT_STRING = (u'{url} ({full_path}). Received: {received_bytes} bytes '
u'out of: {total_bytes} bytes.')
FORMAT_STRING_SHORT = u'{full_path} downloaded ({received_bytes} bytes)'
SOURCE_LONG = 'Firefox History'
SOURCE_SHORT = 'WEBHIST'
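Review bot: `_URL_TRANSITIONS.setdefault('UNKOWN')` does not install a fallback value — `dict.setdefault` with a single argument inserts the key `'UNKOWN'` mapped to None — so an unrecognised visit_type still yields `transition = None` and no "Transition:" text, and the key is misspelled on top. In GetMessages, `event_object.extra.append(transition_str)` mutates the event, so if the same event is formatted twice (long and short output, or a second pass) the transition string is appended again each time. The rewrite below deletes the setdefault line, supplies the fallback in the `.get()` call and builds `extra_string` from a copy of `extra`; the only intended behaviour change is that unknown visit types now render as `Transition: UNKNOWN`. The class name `FirefoxDowloadFormatter` is also misspelled (Dowload); renaming it is safe only if nothing imports it by name.
```python
  def GetMessages(self, event_object):
    """Return the message strings, adding the visit transition to extra_string."""
    if self.DATA_TYPE != event_object.data_type:
      raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format(
          event_object.data_type))

    # Fallback lives here: the former setdefault('UNKOWN') call only inserted
    # a bogus key and left unknown visit types without a transition label.
    transition = self._URL_TRANSITIONS.get(
        getattr(event_object, 'visit_type', 0), u'UNKNOWN')

    # Work on a copy: appending to event_object.extra would duplicate the
    # transition every time the same event is formatted.
    extra = list(getattr(event_object, 'extra', []))
    extra.append(u'Transition: {0!s}'.format(transition))
    event_object.extra_string = u' '.join(extra)
    return super(FirefoxPageVisitFormatter, self).GetMessages(event_object)
```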
+39
@@ -0,0 +1,39 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for Firefox cache records."""
from plaso.formatters import interface
class FirefoxCacheFormatter(interface.ConditionalEventFormatter):
"""Formatter for Firefox cache record."""
DATA_TYPE = 'firefox:cache:record'
FORMAT_STRING_PIECES = [
u'Fetched {fetch_count} time(s)',
u'[{response_code}]',
u'{request_method}',
u'"{url}"']
FORMAT_STRING_SHORT_PIECES = [
u'[{response_code}]',
u'{request_method}',
u'"{url}"']
SOURCE_LONG = 'Firefox Cache'
SOURCE_SHORT = 'WEBHIST'
+40
@@ -0,0 +1,40 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a formatter for the Firefox cookie."""
from plaso.formatters import interface
class FirefoxCookieFormatter(interface.ConditionalEventFormatter):
"""The event formatter for cookie data in Firefox Cookies database."""
DATA_TYPE = 'firefox:cookie:entry'
FORMAT_STRING_PIECES = [
u'{url}',
u'({cookie_name})',
u'Flags:',
u'[HTTP only]: {httponly}',
u'(GA analysis: {ga_data})']
FORMAT_STRING_SHORT_PIECES = [
u'{host}',
u'({cookie_name})']
SOURCE_LONG = 'Firefox Cookies'
SOURCE_SHORT = 'WEBHIST'
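Review bot: The flag piece is `u'[HTTP only]: {httponly}'` while ChromeCookieFormatter in the same commit renders `u'[HTTP only] = {httponly}'`; both land in the WEBHIST source column, so pick one form so cookie flags from either browser can be searched the same way. As with the Chrome formatter, the Secure flag is not rendered at all; if the Firefox cookies parser exposes it as an attribute (not visible in this commit), a `u'[Secure]: {secure}'` piece would make the more security-relevant property visible in the timeline.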
+70
@@ -0,0 +1,70 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a formatter for the Google Analytics cookie."""
from plaso.formatters import interface
class AnalyticsUtmaCookieFormatter(interface.ConditionalEventFormatter):
"""The event formatter for UTMA Google Analytics cookie."""
DATA_TYPE = 'cookie:google:analytics:utma'
FORMAT_STRING_PIECES = [
u'{url}',
u'({cookie_name})',
u'Sessions: {sessions}',
u'Domain Hash: {domain_hash}',
u'Visitor ID: {domain_hash}']
FORMAT_STRING_SHORT_PIECES = [
u'{url}',
u'({cookie_name})']
SOURCE_LONG = 'Google Analytics Cookies'
SOURCE_SHORT = 'WEBHIST'
class AnalyticsUtmbCookieFormatter(AnalyticsUtmaCookieFormatter):
"""The event formatter for UTMB Google Analytics cookie."""
DATA_TYPE = 'cookie:google:analytics:utmb'
FORMAT_STRING_PIECES = [
u'{url}',
u'({cookie_name})',
u'Pages Viewed: {pages_viewed}',
u'Domain Hash: {domain_hash}']
class AnalyticsUtmzCookieFormatter(AnalyticsUtmaCookieFormatter):
"""The event formatter for UTMZ Google Analytics cookie."""
DATA_TYPE = 'cookie:google:analytics:utmz'
FORMAT_STRING_PIECES = [
u'{url}',
u'({cookie_name})',
u'Sessions: {sessions}',
u'Domain Hash: {domain_hash}',
u'Sources: {sources}',
u'Last source used to access: {utmcsr}',
u'Ad campaign information: {utmccn}',
u'Last type of visit: {utmcmd}',
u'Keywords used to find site: {utmctr}',
u'Path to the page of referring link: {utmcct}']
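Review bot: In AnalyticsUtmaCookieFormatter the last two pieces both interpolate the same attribute — `u'Domain Hash: {domain_hash}'` and `u'Visitor ID: {domain_hash}'` — so the "Visitor ID" label always prints the domain hash and the real visitor identifier never reaches the output. The second piece presumably should reference whatever attribute the parser stores the visitor id under (likely `{visitor_id}`, but the parser is not in this commit, so check before changing). The UTMB and UTMZ subclasses inherit SOURCE_LONG, SOURCE_SHORT and FORMAT_STRING_SHORT_PIECES from the UTMA class; a one-line class comment saying so would stop a reader from looking for the "missing" attributes.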
+55
@@ -0,0 +1,55 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a formatter for the Google Drive snaphots."""
from plaso.formatters import interface
__author__ = 'David Nides (david.nides@gmail.com)'
class GDriveCloudEntryFormatter(interface.ConditionalEventFormatter):
"""Formatter for Google Drive snapshot cloud entry."""
DATA_TYPE = 'gdrive:snapshot:cloud_entry'
FORMAT_STRING_PIECES = [
u'File Path: {path}',
u'[{shared}]',
u'Size: {size}',
u'URL: {url}',
u'Type: {document_type}']
FORMAT_STRING_SHORT_PIECES = [u'{path}']
SOURCE_LONG = 'Google Drive (cloud entry)'
SOURCE_SHORT = 'LOG'
class GDriveLocalEntryFormatter(interface.ConditionalEventFormatter):
"""Formatter for Google Drive snapshot local entry."""
DATA_TYPE = 'gdrive:snapshot:local_entry'
FORMAT_STRING_PIECES = [
u'File Path: {path}',
u'Size: {size}']
FORMAT_STRING_SHORT_PIECES = [u'{path}']
SOURCE_LONG = 'Google Drive (local entry)'
SOURCE_SHORT = 'LOG'
+57
@@ -0,0 +1,57 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for Hachoir events."""
from plaso.lib import errors
from plaso.formatters import interface
__author__ = 'David Nides (david.nides@gmail.com)'
class HachoirFormatter(interface.EventFormatter):
"""Formatter for Hachoir based events."""
DATA_TYPE = 'metadata:hachoir'
FORMAT_STRING = u'{data}'
SOURCE_LONG = 'Hachoir Metadata'
SOURCE_SHORT = 'META'
def GetMessages(self, event_object):
"""Returns a list of messages extracted from an event object.
Args:
event_object: The event object (EventObject) containing the event
specific data.
Returns:
A list that contains both the longer and shorter version of the message
string.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
string_parts = []
for key, value in sorted(event_object.metadata.items()):
string_parts.append(u'{0:s}: {1:s}'.format(key, value))
event_object.data = u' '.join(string_parts)
return super(HachoirFormatter, self).GetMessages(event_object)
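Review bot: The `{1:s}` conversion in the loop over `event_object.metadata.items()` assumes every metadata value is a string; a non-string value (an int or a date object pulled out of the parsed file) makes `str.format` raise `ValueError: Unknown format code 's'` and the whole event fails to format. Use the `!s` conversion, as DefaultFormatter in the manager module already does: `string_parts.append(u'{0!s}: {1!s}'.format(key, value))`. The method also writes the joined text back onto `event_object.data` before delegating, so it has a side effect on the event it is handed; a one-line comment such as `# Stores the rendered text on the event so the {data} placeholder resolves.` would make that contract explicit.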
+59
@@ -0,0 +1,59 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for Windows IIS log files."""
from plaso.formatters import interface
__author__ = 'Ashley Holtz (ashley.a.holtz@gmail.com)'
class WinIISFormatter(interface.ConditionalEventFormatter):
"""A formatter for Windows IIS log entries."""
DATA_TYPE = 'iis:log:line'
FORMAT_STRING_PIECES = [
u'{http_method}',
u'{requested_uri_stem}',
u'[',
u'{source_ip}',
u'>',
u'{dest_ip}',
u':',
u'{dest_port}',
u']',
u'Http Status: {http_status}',
u'Bytes Sent: {sent_bytes}',
u'Bytes Received: {received_bytes}',
u'User Agent: {user_agent}',
u'Protocol Version: {protocol_version}',]
FORMAT_STRING_SHORT_PIECES = [
u'{http_method}',
u'{requested_uri_stem}',
u'[',
u'{source_ip}',
u'>',
u'{dest_ip}',
u':',
u'{dest_port}',
u']',]
SOURCE_LONG = 'IIS Log'
SOURCE_SHORT = 'LOG'
+244
@@ -0,0 +1,244 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains the event formatters interface classes."""
import re
from plaso.lib import errors
from plaso.lib import registry
class EventFormatter(object):
"""Base class to format event type specific data using a format string.
Define the (long) format string and the short format string by defining
FORMAT_STRING and FORMAT_STRING_SHORT. The syntax of the format strings
is similar to that of format() where the place holder for a certain
event object attribute is defined as {attribute_name}.
"""
__metaclass__ = registry.MetaclassRegistry
__abstract = True
# The data type is a unique identifier for the event data. The current
# approach is to define it as human readable string in the format
# root:branch: ... :leaf, e.g. a page visited entry inside a Chrome History
# database is defined as: chrome:history:page_visited.
DATA_TYPE = u'internal'
# The format string.
FORMAT_STRING = u''
FORMAT_STRING_SHORT = u''
# The source short and long strings.
SOURCE_SHORT = u'LOG'
SOURCE_LONG = u''
def __init__(self):
"""Set up the formatter and determine if this is the right formatter."""
# Forcing the format string to be unicode to make sure we don't
# try to format it as an ASCII string.
self.format_string = unicode(self.FORMAT_STRING)
self.format_string_short = unicode(self.FORMAT_STRING_SHORT)
self.source_string = unicode(self.SOURCE_LONG)
self.source_string_short = unicode(self.SOURCE_SHORT)
def GetMessages(self, event_object):
"""Return a list of messages extracted from an event object.
The l2t_csv and other formats are dependent on a message field,
referred to as description_long and description_short in l2t_csv.
Plaso does not store this field explicitly, it only contains a format
string and the appropriate attributes.
This method takes the format string and converts that back into a
formatted string that can be used for display.
Args:
event_object: The event object (EventObject) containing the event
specific data.
Returns:
A list that contains both the longer and shorter version of the message
string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
event_values = event_object.GetValues()
try:
msg = self.format_string.format(**event_values)
except KeyError as exception:
msgs = []
msgs.append(u'Format error: [{0:s}] for: <{1:s}>'.format(
exception, self.format_string))
for attr, value in event_object.GetValues().iteritems():
msgs.append(u'{0}: {1}'.format(attr, value))
msg = u' '.join(msgs)
# Strip carriage return and linefeed form the message strings.
# Using replace function here because it is faster
# than re.sub() or string.strip().
msg = msg.replace('\r', u'').replace('\n', u'')
if not self.format_string_short:
msg_short = msg
else:
try:
msg_short = self.format_string_short.format(**event_values)
# Using replace function here because it is faster
# than re.sub() or string.strip().
msg_short = msg_short.replace('\r', u'').replace('\n', u'')
except KeyError:
msg_short = u'Unable to format short message string: {0:s}'.format(
self.format_string_short)
# Truncate the short message string if necessary.
if len(msg_short) > 80:
msg_short = u'{0:s}...'.format(msg_short[0:77])
return msg, msg_short
def GetSources(self, event_object):
"""Return a list containing source short and long."""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event_object.data_type))
return self.source_string_short, self.source_string
class ConditionalEventFormatter(EventFormatter):
"""Base class to conditionally format event data using format string pieces.
Define the (long) format string and the short format string by defining
FORMAT_STRING_PIECES and FORMAT_STRING_SHORT_PIECES. The syntax of the
format strings pieces is similar to of the event formatter
(EventFormatter). Every format string piece should contain a single
attribute name or none.
FORMAT_STRING_SEPARATOR is used to control the string which the separate
string pieces should be joined. It contains a space by default.
"""
__abstract = True
# The format string pieces.
FORMAT_STRING_PIECES = [u'']
FORMAT_STRING_SHORT_PIECES = [u'']
# The separator used to join the string pieces.
FORMAT_STRING_SEPARATOR = u' '
def __init__(self):
"""Initializes the conditional formatter.
A map is build of the string pieces and their corresponding attribute
name to optimize conditional string formatting.
Raises:
RuntimeError: when an invalid format string piece is encountered.
"""
super(ConditionalEventFormatter, self).__init__()
# The format string can be defined as:
# {name}, {name:format}, {name!conversion}, {name!conversion:format}
regexp = re.compile('{[a-z][a-zA-Z0-9_]*[!]?[^:}]*[:]?[^}]*}')
regexp_name = re.compile('[a-z][a-zA-Z0-9_]*')
# The format string pieces map is a list containing the attribute name
# per format string piece. E.g. ["Description: {description}"] would be
# mapped to: [0] = "description". If the string piece does not contain
# an attribute name it is treated as text that does not needs formatting.
self._format_string_pieces_map = []
for format_string_piece in self.FORMAT_STRING_PIECES:
result = regexp.findall(format_string_piece)
if not result:
# The text format string piece is stored as an empty map entry to
# keep the index in the map equal to the format string pieces.
self._format_string_pieces_map.append('')
elif len(result) == 1:
# Extract the attribute name.
attribute_name = regexp_name.findall(result[0])[0]
self._format_string_pieces_map.append(attribute_name)
else:
raise RuntimeError((
u'Invalid format string piece: [{0:s}] contains more than 1 '
u'attribute name.').format(format_string_piece))
self._format_string_short_pieces_map = []
for format_string_piece in self.FORMAT_STRING_SHORT_PIECES:
result = regexp.findall(format_string_piece)
if not result:
# The text format string piece is stored as an empty map entry to
# keep the index in the map equal to the format string pieces.
self._format_string_short_pieces_map.append('')
elif len(result) == 1:
# Extract the attribute name.
attribute_name = regexp_name.findall(result[0])[0]
self._format_string_short_pieces_map.append(attribute_name)
else:
raise RuntimeError((
u'Invalid short format string piece: [{0:s}] contains more '
u'than 1 attribute name.').format(format_string_piece))
def GetMessages(self, event_object):
"""Returns a list of messages extracted from an event object.
Args:
event_object: The event object (EventObject) containing the event
specific data.
Returns:
A list that contains both the longer and shorter version of the message
string.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
# Using getattr here to make sure the attribute is not set to None.
# if A.b = None, hasattr(A, b) is True but getattr(A, b, None) is False.
string_pieces = []
for map_index, attribute_name in enumerate(self._format_string_pieces_map):
if not attribute_name or hasattr(event_object, attribute_name):
if attribute_name:
attribute = getattr(event_object, attribute_name, None)
# If an attribute is an int, yet has zero value we want to include
# that in the format string, since that is still potentially valid
# information. Otherwise we would like to skip it.
if type(attribute) not in (bool, int, long, float) and not attribute:
continue
string_pieces.append(self.FORMAT_STRING_PIECES[map_index])
self.format_string = unicode(
self.FORMAT_STRING_SEPARATOR.join(string_pieces))
string_pieces = []
for map_index, attribute_name in enumerate(
self._format_string_short_pieces_map):
if not attribute_name or getattr(event_object, attribute_name, None):
string_pieces.append(self.FORMAT_STRING_SHORT_PIECES[map_index])
self.format_string_short = unicode(
self.FORMAT_STRING_SEPARATOR.join(string_pieces))
return super(ConditionalEventFormatter, self).GetMessages(event_object)
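Review bot: The short-message loop in ConditionalEventFormatter.GetMessages drops attributes whose value is 0, False or 0.0 because it tests `getattr(event_object, attribute_name, None)` for truthiness, whereas the long-message loop just above deliberately keeps numeric zero values; the two loops should share one rule, for example a helper `_AttributeIsSet` called from both (sketched below). Separately, EventFormatter.GetMessages removes only `\r` and `\n` from the rendered message, so other control characters carried in parsed artefact data (ESC, NUL, backspace) pass straight through into l2t_csv output and terminal display; since `re` is already imported in this file, a single `msg = re.sub(u'[\x00-\x1f\x7f]', u'', msg)` in place of the two `replace` calls covers them all. Both GetMessages methods also rewrite `self.format_string` on a formatter instance that the manager caches and shares per data type, which deserves a comment stating that the instances carry per-call state and are not safe to use concurrently.

```python
  def _AttributeIsSet(self, event_object, attribute_name):
    """Returns True when the attribute has a value worth rendering.

    Numeric zero and False are kept because they are still information;
    None, missing attributes and empty strings or containers are skipped.
    """
    attribute = getattr(event_object, attribute_name, None)
    if type(attribute) in (bool, int, long, float):
      return True
    return bool(attribute)

  # … unchanged: GetMessages up to the first string_pieces loop …
    for map_index, attribute_name in enumerate(self._format_string_pieces_map):
      if not attribute_name or self._AttributeIsSet(event_object, attribute_name):
        string_pieces.append(self.FORMAT_STRING_PIECES[map_index])
  # … unchanged: join into self.format_string …
    for map_index, attribute_name in enumerate(
        self._format_string_short_pieces_map):
      if not attribute_name or self._AttributeIsSet(event_object, attribute_name):
        string_pieces.append(self.FORMAT_STRING_SHORT_PIECES[map_index])
```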
+37
@@ -0,0 +1,37 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the iPod device events."""
from plaso.formatters import interface
class IPodDeviceFormatter(interface.ConditionalEventFormatter):
"""Formatter for iPod device events."""
DATA_TYPE = 'ipod:device:entry'
FORMAT_STRING_PIECES = [
u'Device ID: {device_id}',
u'Type: {device_class}',
u'[{family_id}]',
u'Connected {use_count} times',
u'Serial nr: {serial_number}',
u'IMEI [{imei}]']
SOURCE_LONG = 'iPod Connections'
SOURCE_SHORT = 'LOG'
+34
@@ -0,0 +1,34 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for Java Cache IDX events."""
from plaso.formatters import interface
class JavaIDXFormatter(interface.ConditionalEventFormatter):
"""Formatter for a Java Cache IDX download item."""
DATA_TYPE = 'java:download:idx'
SOURCE_LONG = 'Java Cache IDX'
SOURCE_SHORT = 'JAVA_IDX'
FORMAT_STRING_PIECES = [
u'IDX Version: {idx_version}',
u'Host IP address: ({ip_address})',
u'Download URL: {url}']
+36
@@ -0,0 +1,36 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the Mac OS X launch services quarantine events."""
from plaso.formatters import interface
class LSQuarantineFormatter(interface.ConditionalEventFormatter):
"""Formatter for a LS Quarantine history event."""
DATA_TYPE = 'macosx:lsquarantine'
FORMAT_STRING_PIECES = [
u'[{agent}]',
u'Downloaded: {url}',
u'<{data}>']
FORMAT_STRING_SHORT_PIECES = [u'{url}']
SOURCE_LONG = 'LS Quarantine Event'
SOURCE_SHORT = 'LOG'
+39
@@ -0,0 +1,39 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the Mac appfirewall.log file."""
from plaso.formatters import interface
class MacAppFirewallLogFormatter(interface.ConditionalEventFormatter):
"""Formatter for Mac appfirewall.log file."""
DATA_TYPE = 'mac:asl:appfirewall:line'
FORMAT_STRING_PIECES = [
u'Computer: {computer_name}',
u'Agent: {agent}',
u'Status: {status}',
u'Process name: {process_name}',
u'Log: {action}']
FORMAT_STRING_SHORT_PIECES = [
u'Process name: {process_name}',
u'Status: {status}']
SOURCE_LONG = 'Mac AppFirewall Log'
SOURCE_SHORT = 'LOG'
+38
@@ -0,0 +1,38 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a formatter for the Mac OS X Document Versions files."""
from plaso.formatters import interface
class MacDocumentVersionsFormatter(interface.ConditionalEventFormatter):
"""The event formatter for page visited data in Document Versions."""
DATA_TYPE = 'mac:document_versions:file'
FORMAT_STRING_PIECES = [
u'Version of [{name}]',
u'({path})',
u'stored in {version_path}',
u'by {user_sid}']
FORMAT_STRING_SHORT_PIECES = [
u'Stored a document version of [{name}]']
SOURCE_LONG = 'Document Versions'
SOURCE_SHORT = 'HISTORY'
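Review bot: The class docstring `"""The event formatter for page visited data in Document Versions."""` reads like a copy from a browser-history formatter; "page visited data" does not describe the file-version events this class renders, whose pieces are name, path, version_path and user_sid. Suggest `"""The event formatter for Mac OS X Document Versions file events."""`, which matches the module docstring at the top of the file.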
+53
@@ -0,0 +1,53 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the Keychain password database file."""
from plaso.formatters import interface
class KeychainApplicationRecordFormatter(interface.ConditionalEventFormatter):
"""Formatter for keychain application record event."""
DATA_TYPE = 'mac:keychain:application'
FORMAT_STRING_PIECES = [
u'Name: {entry_name}',
u'Account: {account_name}']
FORMAT_STRING_SHORT_PIECES = [u'{entry_name}']
SOURCE_LONG = 'Keychain Application password'
SOURCE_SHORT = 'LOG'
class KeychainInternetRecordFormatter(interface.ConditionalEventFormatter):
"""Formatter for keychain internet record event."""
DATA_TYPE = 'mac:keychain:internet'
FORMAT_STRING_PIECES = [
u'Name: {entry_name}',
u'Account: {account_name}',
u'Where: {where}',
u'Protocol: {protocol}',
u'({type_protocol})']
FORMAT_STRING_SHORT_PIECES = [u'{entry_name}']
SOURCE_LONG = 'Keychain Internet password'
SOURCE_SHORT = 'LOG'
+39
@@ -0,0 +1,39 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for ASL securityd log file."""
from plaso.formatters import interface
class MacSecuritydLogFormatter(interface.ConditionalEventFormatter):
"""Formatter for ASL Securityd file."""
DATA_TYPE = 'mac:asl:securityd:line'
FORMAT_STRING_PIECES = [
u'Sender: {sender}',
u'({sender_pid})',
u'Level: {level}',
u'Facility: {facility}',
u'Text: {message}']
FORMAT_STRING_SHORT_PIECES = [u'Text: {message}']
SOURCE_LONG = 'Mac ASL Securityd Log'
SOURCE_SHORT = 'LOG'
+38
@@ -0,0 +1,38 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for Mac wifi.log file."""
from plaso.formatters import interface
class MacWifiLogFormatter(interface.ConditionalEventFormatter):
"""Formatter for Mac Wifi file."""
DATA_TYPE = 'mac:wifilog:line'
FORMAT_STRING_PIECES = [
u'Action: {action}',
u'Agent: {user}',
u'({function})',
u'Log: {text}']
FORMAT_STRING_SHORT_PIECES = [
u'Action: {action}']
SOURCE_LONG = 'Mac Wifi Log'
SOURCE_SHORT = 'LOG'
+35
@@ -0,0 +1,35 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a MacKeepr Cache formatter in plaso."""
from plaso.formatters import interface
class MacKeeperCacheFormatter(interface.ConditionalEventFormatter):
"""Formatter for MacKeeper Cache extracted events."""
DATA_TYPE = 'mackeeper:cache'
FORMAT_STRING_PIECES = [
u'{description}', u'<{event_type}>', u':', u'{text}', u'[',
u'URL: {url}', u'Event ID: {record_id}', 'Room: {room}', u']']
FORMAT_STRING_SHORT_PIECES = [u'<{event_type}>', u'{text}']
SOURCE_LONG = 'MacKeeper Cache'
SOURCE_SHORT = 'LOG'
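Review bot: One entry in FORMAT_STRING_PIECES, `'Room: {room}'`, is a byte string while every other piece is a unicode literal; the base class joins the pieces and passes the result through `unicode()`, so this only works because the literal happens to be ASCII, and the inconsistency is an easy trap when a piece is later edited to carry non-ASCII text. Make it `u'Room: {room}'`. The module docstring also misspells the product name; suggest `"""This file contains a MacKeeper Cache formatter in plaso."""`.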
+32
@@ -0,0 +1,32 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the Sleuthkit (TSK) bodyfile or mactime format."""
from plaso.formatters import interface
class MactimeFormatter(interface.EventFormatter):
"""Class that formats mactime bodyfile events."""
DATA_TYPE = 'fs:mactime:line'
# The format string.
FORMAT_STRING = u'(unknown)'
SOURCE_LONG = 'Mactime Bodyfile'
SOURCE_SHORT = 'FILE'
+140
@@ -0,0 +1,140 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains the event formatters manager class."""
import logging
from plaso.formatters import interface
from plaso.lib import utils
class DefaultFormatter(interface.EventFormatter):
"""Default formatter for events that do not have any defined formatter."""
DATA_TYPE = u'event'
FORMAT_STRING = u'<WARNING DEFAULT FORMATTER> Attributes: {attribute_driven}'
FORMAT_STRING_SHORT = u'<DEFAULT> {attribute_driven}'
def GetMessages(self, event_object):
"""Return a list of messages extracted from an event object."""
text_pieces = []
for key, value in event_object.GetValues().items():
if key in utils.RESERVED_VARIABLES:
continue
text_pieces.append(u'{0:s}: {1!s}'.format(key, value))
event_object.attribute_driven = u' '.join(text_pieces)
# Due to the way the default formatter behaves it requires the data_type
# to be set as 'event', otherwise it will complain and deny processing
# the event.
# TODO: Change this behavior and allow the default formatter to accept
# arbitrary data types (as it should).
old_data_type = getattr(event_object, 'data_type', None)
event_object.data_type = self.DATA_TYPE
msg, msg_short = super(DefaultFormatter, self).GetMessages(event_object)
event_object.data_type = old_data_type
return msg, msg_short
class EventFormatterManager(object):
"""Class to manage the event formatters."""
@classmethod
def GetFormatter(cls, event_object):
"""Retrieves the formatter for a specific event object.
This function builds a map of data types and the corresponding event
formatters. At the moment this map is only build once.
Args:
event_object: The event object (EventObject) which is used to identify
the formatter.
Returns:
The corresponding formatter (EventFormatter) if available or None.
Raises:
RuntimeError if a duplicate event formatter is found while building
the map of event formatters.
"""
if not hasattr(cls, 'event_formatters'):
cls.event_formatters = {}
cls.default_formatter = DefaultFormatter()
for cls_formatter in interface.EventFormatter.classes:
try:
formatter = interface.EventFormatter.classes[cls_formatter]()
# Raise on duplicate formatters.
if formatter.DATA_TYPE in cls.event_formatters:
raise RuntimeError((
u'event formatter for data type: {0:s} defined in: {1:s} and '
u'{2:s}.').format(
formatter.DATA_TYPE, cls_formatter,
cls.event_formatters[
formatter.DATA_TYPE].__class__.__name__))
cls.event_formatters[formatter.DATA_TYPE] = formatter
except RuntimeError as exeception:
# Ignore broken formatters.
logging.warning(u'{0:s}'.format(exeception))
cls.event_formatters.setdefault(None)
if event_object.data_type in cls.event_formatters:
return cls.event_formatters[event_object.data_type]
else:
logging.warning(
u'Using default formatter for data type: {0:s}'.format(
event_object.data_type))
return cls.default_formatter
@classmethod
def GetMessageStrings(cls, event_object):
"""Retrieves the formatted message strings for a specific event object.
Args:
event_object: The event object (EventObject) which is used to identify
the formatter.
Returns:
A list that contains both the longer and shorter version of the message
string.
"""
formatter = cls.GetFormatter(event_object)
if not formatter:
return u'', u''
return formatter.GetMessages(event_object)
@classmethod
def GetSourceStrings(cls, event_object):
"""Retrieves the formatted source long and short strings for an event.
Args:
event_object: The event object (EventObject) which is used to identify
the formatter.
Returns:
A list that contains the source_short and source_long version of the
event.
"""
# TODO: change this to return the long variant first so it is consistent
# with GetMessageStrings.
formatter = cls.GetFormatter(event_object)
if not formatter:
return u'', u''
return formatter.GetSources(event_object)
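Review bot: DefaultFormatter.GetMessages overwrites `event_object.data_type` and restores it only on the success path; if the base-class GetMessages raises (anything other than the KeyError it catches itself propagates), the event is left with `data_type = 'event'` for every later consumer. Restore it unconditionally: `try: msg, msg_short = super(DefaultFormatter, self).GetMessages(event_object)` followed by `finally: event_object.data_type = old_data_type`. In EventFormatterManager.GetFormatter, `cls.event_formatters.setdefault(None)` inserts a `None: None` entry into the map with no apparent purpose and should either be removed or get a comment saying why it is there; likewise the `if not formatter: return u'', u''` branches in GetMessageStrings and GetSourceStrings are unreachable, since GetFormatter always returns at least `cls.default_formatter`, even though its docstring still says "or None". The misspelled `exeception` in the except clause of GetFormatter also costs readability.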
+163
@@ -0,0 +1,163 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a unit test for the event formatters."""
import unittest
from plaso.formatters import interface
from plaso.formatters import manager
from plaso.formatters import winreg # pylint: disable=unused-import
from plaso.lib import event_test
class TestEvent1Formatter(interface.EventFormatter):
"""Test event 1 formatter."""
DATA_TYPE = 'test:event1'
FORMAT_STRING = u'{text}'
SOURCE_SHORT = 'FILE'
SOURCE_LONG = 'Weird Log File'
class WrongEventFormatter(interface.EventFormatter):
"""A simple event formatter."""
DATA_TYPE = 'test:wrong'
FORMAT_STRING = u'This format string does not match {body}.'
SOURCE_SHORT = 'FILE'
SOURCE_LONG = 'Weird Log File'
class EventFormatterUnitTest(unittest.TestCase):
"""The unit test for the event formatter."""
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._formatters_manager = manager.EventFormatterManager
self.event_objects = event_test.GetEventObjects()
def GetCSVLine(self, event_object):
"""Takes an EventObject and prints out a simple CSV line from it."""
try:
msg, _ = self._formatters_manager.GetMessageStrings(event_object)
source_short, source_long = self._formatters_manager.GetSourceStrings(
event_object)
except KeyError:
print event_object.GetAttributes()
return u'{0:d},{1:s},{2:s},{3:s}'.format(
event_object.timestamp, source_short, source_long, msg)
def testInitialization(self):
"""Test the initialization."""
self.assertTrue(TestEvent1Formatter())
def testAttributes(self):
"""Test if we can read the event attributes correctly."""
events = {}
for event_object in self.event_objects:
events[self.GetCSVLine(event_object)] = True
self.assertIn((
u'1334961526929596,REG,UNKNOWN key,[MY AutoRun key] Run: '
u'c:/Temp/evil.exe'), events)
self.assertIn(
(u'1334966206929596,REG,UNKNOWN key,[//HKCU/Secret/EvilEmpire/'
u'Malicious_key] Value: send all the exes to the other '
u'world'), events)
self.assertIn((u'1334940286000000,REG,UNKNOWN key,[//HKCU/Windows'
u'/Normal] Value: run all the benign stuff'), events)
self.assertIn((u'1335781787929596,FILE,Weird Log File,This log line reads '
u'ohh so much.'), events)
self.assertIn((u'1335781787929596,FILE,Weird Log File,Nothing of interest'
u' here, move on.'), events)
self.assertIn((u'1335791207939596,FILE,Weird Log File,Mr. Evil just logged'
u' into the machine and got root.'), events)
def testTextBasedEvent(self):
"""Test a text based event."""
for event_object in self.event_objects:
source_short, _ = self._formatters_manager.GetSourceStrings(event_object)
if source_short == 'LOG':
msg, msg_short = self._formatters_manager.GetMessageStrings(
event_object)
self.assertEquals(msg, (
u'This is a line by someone not reading the log line properly. And '
u'since this log line exceeds the accepted 80 chars it will be '
u'shortened.'))
self.assertEquals(msg_short, (
u'This is a line by someone not reading the log line properly. '
u'And since this l...'))
class ConditionalTestEvent1(event_test.TestEvent1):
DATA_TYPE = 'test:conditional_event1'
class ConditionalTestEvent1Formatter(interface.ConditionalEventFormatter):
"""Test event 1 conditional (event) formatter."""
DATA_TYPE = 'test:conditional_event1'
FORMAT_STRING_PIECES = [
u'Description: {description}',
u'Comment',
u'Value: 0x{numeric:02x}',
u'Optional: {optional}',
u'Text: {text}']
SOURCE_SHORT = 'LOG'
SOURCE_LONG = 'Some Text File.'
class BrokenConditionalEventFormatter(interface.ConditionalEventFormatter):
"""A broken conditional event formatter."""
DATA_TYPE = 'test:broken_conditional'
FORMAT_STRING_PIECES = [u'{too} {many} formatting placeholders']
SOURCE_SHORT = 'LOG'
SOURCE_LONG = 'Some Text File.'
class ConditionalEventFormatterUnitTest(unittest.TestCase):
"""The unit test for the conditional event formatter."""
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self.event_object = ConditionalTestEvent1(1335791207939596, {
'numeric': 12, 'description': 'this is beyond words',
'text': 'but we\'re still trying to say something about the event'})
def testInitialization(self):
"""Test the initialization."""
self.assertTrue(ConditionalTestEvent1Formatter())
with self.assertRaises(RuntimeError):
BrokenConditionalEventFormatter()
def testGetMessages(self):
"""Test get messages."""
event_formatter = ConditionalTestEvent1Formatter()
msg, _ = event_formatter.GetMessages(self.event_object)
expected_msg = (
u'Description: this is beyond words Comment Value: 0x0c '
u'Text: but we\'re still trying to say something about the event')
self.assertEquals(msg, expected_msg)
if __name__ == '__main__':
unittest.main()
+34
@@ -0,0 +1,34 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the McAfee AV Logs files."""
from plaso.formatters import interface
class McafeeAccessProtectionLogEventFormatter(interface.EventFormatter):
"""Class that formats the McAfee Access Protection Log events."""
DATA_TYPE = 'av:mcafee:accessprotectionlog'
# The format string.
FORMAT_STRING = (u'File Name: (unknown) User: {username} {trigger_location} '
u'{status} {rule} {action}')
FORMAT_STRING_SHORT = u'(unknown) {action}'
SOURCE_LONG = 'McAfee Access Protection Log'
SOURCE_SHORT = 'LOG'
+99
@@ -0,0 +1,99 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatters for the MSIE WebCache ESE database events."""
from plaso.formatters import interface
class MsieWebCacheContainerEventFormatter(interface.ConditionalEventFormatter):
"""Formatter for a MSIE WebCache ESE database Container_# table record."""
DATA_TYPE = 'msie:webcache:container'
FORMAT_STRING_PIECES = [
u'Entry identifier: {entry_identifier}',
u'Container identifier: {container_identifier}',
u'Cache identifier: {cache_identifier}',
u'URL: {url}',
u'Redirect URL: {redirect_url}',
u'Access count: {access_count}',
u'Sync count: {sync_count}',
u'Filename: {cached_filename}',
u'File extension: {file_extension}',
u'Cached file size: {cached_file_size}',
u'Request headers: {request_headers}',
u'Response headers: {response_headers}']
FORMAT_STRING_SHORT_PIECES = [
u'URL: {url}']
SOURCE_LONG = 'MSIE WebCache container record'
SOURCE_SHORT = 'WEBHIST'
class MsieWebCacheContainersEventFormatter(interface.ConditionalEventFormatter):
"""Formatter for a MSIE WebCache ESE database Containers table record."""
DATA_TYPE = 'msie:webcache:containers'
FORMAT_STRING_PIECES = [
u'Container identifier: {container_identifier}',
u'Set identifier: {set_identifier}',
u'Name: {name}',
u'Directory: {directory}',
u'Table: Container_{container_identifier}']
FORMAT_STRING_SHORT_PIECES = [
u'Directory: {directory}']
SOURCE_LONG = 'MSIE WebCache containers record'
SOURCE_SHORT = 'WEBHIST'
class MsieWebCacheLeakFilesEventFormatter(interface.ConditionalEventFormatter):
"""Formatter for a MSIE WebCache ESE database LeakFiles table record."""
DATA_TYPE = 'msie:webcache:leak_file'
FORMAT_STRING_PIECES = [
u'Leak identifier: {leak_identifier}',
u'Filename: {cached_filename}']
FORMAT_STRING_SHORT_PIECES = [
u'Filename: {cached_filename}']
SOURCE_LONG = 'MSIE WebCache partitions record'
SOURCE_SHORT = 'WEBHIST'
class MsieWebCachePartitionsEventFormatter(interface.ConditionalEventFormatter):
"""Formatter for a MSIE WebCache ESE database Partitions table record."""
DATA_TYPE = 'msie:webcache:partitions'
FORMAT_STRING_PIECES = [
u'Partition identifier: {partition_identifier}',
u'Partition type: {partition_type}',
u'Directory: {directory}',
u'Table identifier: {table_identifier}']
FORMAT_STRING_SHORT_PIECES = [
u'Directory: {directory}']
SOURCE_LONG = 'MSIE WebCache partitions record'
SOURCE_SHORT = 'WEBHIST'
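Review bot: `MsieWebCacheLeakFilesEventFormatter.SOURCE_LONG` is set to `'MSIE WebCache partitions record'`, the same value `MsieWebCachePartitionsEventFormatter` uses a few lines below, so leak-file and partition events become indistinguishable in the long source column. This looks like a copy-paste slip; the line should read `SOURCE_LONG = 'MSIE WebCache leak files record'`. The other three formatters in this file each carry a distinct SOURCE_LONG, which is what an analyst grouping a timeline by source relies on.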
+65
@@ -0,0 +1,65 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for Microsoft Internet Explorer (MSIE) Cache Files (CF) events."""
from plaso.lib import errors
from plaso.formatters import interface
class MsiecfUrlFormatter(interface.ConditionalEventFormatter):
"""Formatter for a MSIECF URL item."""
DATA_TYPE = 'msiecf:url'
FORMAT_STRING_PIECES = [
u'Location: {url}',
u'Number of hits: {number_of_hits}',
u'Cached file size: {cached_file_size}',
u'HTTP headers: {http_headers_cleaned}',
u'{recovered_string}']
FORMAT_STRING_SHORT_PIECES = [
u'Location: {url}']
SOURCE_LONG = 'MSIE Cache File URL record'
SOURCE_SHORT = 'WEBHIST'
def GetMessages(self, event_object):
"""Returns a list of messages extracted from an event object.
Args:
event_object: The event object (EventObject) containing the event
specific data.
Returns:
A list that contains both the longer and shorter version of the message
string.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
if hasattr(event_object, 'http_headers'):
event_object.http_headers_cleaned = event_object.http_headers.replace(
'\r\n', ' - ')
# TODO: Could this be moved upstream since this is done in other parsers
# as well?
if getattr(event_object, 'recovered', None):
event_object.recovered_string = '[Recovered Entry]'
return super(MsiecfUrlFormatter, self).GetMessages(event_object)
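Review bot: `GetMessages` writes the derived values `http_headers_cleaned` and `recovered_string` back onto the event object it was handed, so formatting has a lasting side effect on the event that the docstring does not mention. A caller that formats the same event twice, or serialises events after formatting, will see these extra attributes; if the base class can only pick them up from the event object, document it with a docstring line such as `Note: sets http_headers_cleaned and recovered_string on event_object as a side effect.` The header clean-up also replaces only `'\r\n'`; headers stored with bare `'\n'` would presumably pass through unchanged, so confirm against what the msiecf parser actually stores.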
+149
@@ -0,0 +1,149 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatters for OLE Compound File (OLECF) events."""
from plaso.formatters import interface
from plaso.lib import errors
class OleCfItemFormatter(interface.EventFormatter):
"""Formatter for an OLECF item."""
DATA_TYPE = 'olecf:item'
FORMAT_STRING = u'Name: {name}'
FORMAT_STRING_SHORT = u'Name: {name}'
SOURCE_LONG = 'OLECF Item'
SOURCE_SHORT = 'OLECF'
class OleCfDestListEntryFormatter(interface.ConditionalEventFormatter):
"""Formatter for an OLECF DestList stream."""
DATA_TYPE = 'olecf:dest_list:entry'
FORMAT_STRING_PIECES = [
u'Entry: {entry_number}',
u'Pin status: {pin_status_string}',
u'Hostname: {hostname}',
u'Path: {path}',
u'Droid volume identifier: {droid_volume_identifier}',
u'Droid file identifier: {droid_file_identifier}',
u'Birth droid volume identifier: {birth_droid_volume_identifier}',
u'Birth droid file identifier: {birth_droid_file_identifier}']
FORMAT_STRING_SHORT_PIECES = [
u'Entry: {entry_number}',
u'Pin status: {pin_status_string}',
u'Path: {path}']
def GetMessages(self, event_object):
"""Returns a list of messages extracted from an event object.
Args:
event_object: The event object (EventObject) containing the event
specific data.
Returns:
A list that contains both the longer and shorter version of the message
string.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
pin_status = getattr(event_object, 'pin_status', None)
if pin_status == 0xffffffff:
event_object.pin_status_string = u'Unpinned'
else:
event_object.pin_status_string = u'Pinned'
return super(OleCfDestListEntryFormatter, self).GetMessages(event_object)
class OleCfDocumentSummaryInfoFormatter(interface.ConditionalEventFormatter):
"""Formatter for an OLECF Summary Info property set stream."""
DATA_TYPE = 'olecf:document_summary_info'
FORMAT_STRING_PIECES = [
u'Number of bytes: {number_of_bytes}',
u'Number of lines: {number_of_lines}',
u'Number of paragraphs: {number_of_paragraphs}',
u'Number of slides: {number_of_slides}',
u'Number of notes: {number_of_notes}',
u'Number of hidden slides: {number_of_hidden_slides}',
u'Number of multi-media clips: {number_of_clips}',
u'Company: {company}',
u'Manager: {manager}',
u'Shared document: {shared_document}',
u'Application version: {application_version}',
u'Content type: {content_type}',
u'Content status: {content_status}',
u'Language: {language}',
u'Document version: {document_version}']
# TODO: add support for the following properties.
# u'Digital signature: {digital_signature}',
FORMAT_STRING_SHORT_PIECES = [
u'Company: {company}']
SOURCE_LONG = 'OLECF Document Summary Info'
SOURCE_SHORT = 'OLECF'
class OleCfSummaryInfoFormatter(interface.ConditionalEventFormatter):
"""Formatter for an OLECF Summary Info property set stream."""
DATA_TYPE = 'olecf:summary_info'
FORMAT_STRING_PIECES = [
u'Title: {title}',
u'Subject: {subject}',
u'Author: {author}',
u'Keywords: {keywords}',
u'Comments: {comments}',
u'Template: {template}',
u'Revision number: {revision_number}',
u'Last saved by: {last_saved_by}',
u'Total edit time: {total_edit_time}',
u'Number of pages: {number_of_pages}',
u'Number of words: {number_of_words}',
u'Number of characters: {number_of_characters}',
u'Application: {application}',
u'Security: {security}']
FORMAT_STRING_SHORT_PIECES = [
u'Title: {title}',
u'Subject: {subject}',
u'Author: {author}',
u'Revision number: {revision_number}']
SOURCE_LONG = 'OLECF Summary Info'
SOURCE_SHORT = 'OLECF'
# TODO: add a function to print the security as a descriptive string.
_SECURITY_VALUES = {
0x00000001: 'Password protected',
0x00000002: 'Read-only recommended',
0x00000004: 'Read-only enforced',
0x00000008: 'Locked for annotations',
}
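Review bot: `OleCfDestListEntryFormatter` defines no `SOURCE_LONG`/`SOURCE_SHORT`, unlike every other formatter in this file, so its events take whatever the base class provides for the source columns; adding `SOURCE_LONG = 'OLECF DestList entry'` and `SOURCE_SHORT = 'OLECF'` after its FORMAT_STRING_SHORT_PIECES would match the siblings. In the same class, `GetMessages` labels the entry `'Pinned'` whenever `pin_status` is anything other than 0xffffffff, including when the attribute is absent (`getattr` defaults to None), so a missing value is reported as a positive finding; wrapping the assignment in `if pin_status is not None:` would leave the piece out instead of asserting a pin state the data does not carry. Separately, the `OleCfDocumentSummaryInfoFormatter` docstring says "Summary Info" where "Document Summary Info" is meant, and `_SECURITY_VALUES` is defined but not referenced anywhere in this file, as the TODO above it acknowledges.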
+47
@@ -0,0 +1,47 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for Opera history events."""
from plaso.formatters import interface
class OperaGlobalHistoryFormatter(interface.ConditionalEventFormatter):
"""Formatter for an Opera global history event."""
DATA_TYPE = 'opera:history:entry'
FORMAT_STRING_PIECES = [
u'{url}',
u'({title})',
u'[{description}]']
SOURCE_LONG = 'Opera Browser History'
SOURCE_SHORT = 'WEBHIST'
class OperaTypedHistoryFormatter(interface.ConditionalEventFormatter):
"""Formatter for an Opera typed history event."""
DATA_TYPE = 'opera:history:typed_entry'
FORMAT_STRING_PIECES = [
u'{url}',
u'({entry_selection})']
SOURCE_LONG = 'Opera Browser History'
SOURCE_SHORT = 'WEBHIST'
+67
@@ -0,0 +1,67 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for OpenXML events."""
from plaso.formatters import interface
__author__ = 'David Nides (david.nides@gmail.com)'
class OpenXMLParserFormatter(interface.ConditionalEventFormatter):
"""Formatter for OXML events."""
DATA_TYPE = 'metadata:openxml'
FORMAT_STRING_PIECES = [
u'Creating App: {creating_app}',
u'App version: {app_version}',
u'Title: {title}',
u'Subject: {subject}',
u'Last saved by: {last_saved_by}',
u'Author: {author}',
u'Total edit time (secs): {total_edit_time}',
u'Keywords: {keywords}',
u'Comments: {comments}',
u'Revision Num: {revision_num}',
u'Template: {template}',
u'Num pages: {num_pages}',
u'Num words: {num_words}',
u'Num chars: {num_chars}',
u'Num chars with spaces: {num_chars_w_spaces}',
u'Num lines: {num_lines}',
u'Company: {company}',
u'Manager: {manager}',
u'Shared: {shared}',
u'Security: {security}',
u'Hyperlinks changed: {hyperlinks_changed}',
u'Links up to date: {links_up_to_date}',
u'Scale crop: {scale_crop}',
u'Digital signature: {dig_sig}',
u'Slides: {slides}',
u'Hidden slides: {hidden_slides}',
u'Presentation format: {presentation_format}',
u'MM clips: {mm_clips}',
u'Notes: {notes}']
FORMAT_STRING_SHORT_PIECES = [
u'Title: {title}',
u'Subject: {subject}',
u'Author: {author}']
SOURCE_LONG = 'Open XML Metadata'
SOURCE_SHORT = 'META'
+50
@@ -0,0 +1,50 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for PCAP files."""
from plaso.formatters import interface
__author__ = 'Dominique Kilman (lexistar97@gmail.com)'
class PCAPFormatter(interface.ConditionalEventFormatter):
"""Define the formatting PCAP record."""
DATA_TYPE = 'metadata:pcap'
FORMAT_STRING_PIECES = [
u'Source IP: {source_ip}',
u'Destination IP: {dest_ip}',
u'Source Port: {source_port}',
u'Destination Port: {dest_port}',
u'Protocol: {protocol}',
u'Type: {stream_type}',
u'Size: {size}',
u'Protocol Data: {protocol_data}',
u'Stream Data: {stream_data}',
u'First Packet ID: {first_packet_id}',
u'Last Packet ID: {last_packet_id}',
u'Packet Count: {packet_count}']
FORMAT_STRING_SHORT_PIECES = [
u'Type: {stream_type}',
u'First Packet ID: {first_packet_id}']
SOURCE_LONG = 'Packet Capture File (pcap)'
SOURCE_SHORT = 'PCAP'
+36
@@ -0,0 +1,36 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a formatter for Plist Events."""
from plaso.formatters import interface
class PlistFormatter(interface.ConditionalEventFormatter):
"""Event Formatter for plist keys."""
DATA_TYPE = 'plist:key'
FORMAT_STRING_SEPARATOR = u''
FORMAT_STRING_PIECES = [
u'{root}/',
u'{key}',
u' {desc}']
SOURCE_LONG = 'Plist Entry'
SOURCE_SHORT = 'PLIST'
+33
@@ -0,0 +1,33 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for PL-Sql Recall events."""
from plaso.formatters import interface
class PlsRecallFormatter(interface.EventFormatter):
"""Formatter for a for a PL-Sql Recall file container."""
DATA_TYPE = 'PLSRecall:event'
SOURCE_LONG = 'PL-Sql Developer Recall file'
SOURCE_SHORT = 'PLSRecall'
# The format string.
FORMAT_STRING = (u'Sequence #{sequence} User: {username} '
u'Database Name: {database_name} Query: {query}')
FORMAT_STRING_SHORT = u'{sequence} {username} {database_name} {query}'
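Review bot: `DATA_TYPE = 'PLSRecall:event'` and `SOURCE_SHORT = 'PLSRecall'` break the naming convention the other formatters in this commit follow (lower-case, colon-separated data types such as `'olecf:item'`, upper-case short source codes such as `'OLECF'`). The data type has to match what the corresponding parser emits, which is not visible here, so this is a style point to settle on both sides rather than in this file alone; if the parser can be adjusted, `DATA_TYPE = 'plsrecall:event'` and `SOURCE_SHORT = 'PLSRECALL'` would be consistent with the rest of the formatters.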
+55
@@ -0,0 +1,55 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the Popularity Contest parser events."""
from plaso.formatters import interface
class PopularityContestSessionFormatter(interface.ConditionalEventFormatter):
"""Formatter for Popularity Contest Session information."""
DATA_TYPE = 'popularity_contest:session:event'
FORMAT_STRING_PIECES = [
u'Session {session}',
u'{status}',
u'ID {hostid}',
u'[{details}]']
FORMAT_STRING_SHORT_PIECES = [
u'Session {session}',
u'{status}']
SOURCE_LONG = 'Popularity Contest Session'
SOURCE_SHORT = 'LOG'
class PopularityContestLogFormatter(interface.ConditionalEventFormatter):
"""Formatter for Popularity Contest Log events."""
DATA_TYPE = 'popularity_contest:log:event'
FORMAT_STRING_PIECES = [
u'mru [{mru}]',
u'package [{package}]',
u'tag [{record_tag}]']
FORMAT_STRING_SHORT_PIECES = [u'{mru}']
SOURCE_LONG = 'Popularity Contest Log'
SOURCE_SHORT = 'LOG'
+82
@@ -0,0 +1,82 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the Windows recycle files."""
from plaso.lib import errors
from plaso.formatters import interface
class WinRecyclerFormatter(interface.ConditionalEventFormatter):
"""Formatter for Windows recycle bin events."""
DATA_TYPE = 'windows:metadata:deleted_item'
DRIVE_LIST = {
0x00: 'A',
0x01: 'B',
0x02: 'C',
0x03: 'D',
0x04: 'E',
0x05: 'F',
0x06: 'G',
0x07: 'H',
0x08: 'I',
0x09: 'J',
0x0A: 'K',
0x0B: 'L',
0x0C: 'M',
0x0D: 'N',
0x0E: 'O',
0x0F: 'P',
0x10: 'Q',
0x11: 'R',
0x12: 'S',
0x13: 'T',
0x14: 'U',
0x15: 'V',
0x16: 'W',
0x17: 'X',
0x18: 'Y',
0x19: 'Z',
}
# The format string.
FORMAT_STRING_PIECES = [
u'DC{index} ->',
u'{orig_filename}',
u'[{orig_filename_legacy}]',
u'(from drive {drive_letter})']
FORMAT_STRING_SHORT_PIECES = [
u'Deleted file: {orig_filename}']
SOURCE_LONG = 'Recycle Bin'
SOURCE_SHORT = 'RECBIN'
def GetMessages(self, event_object):
"""Return the message strings."""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event_object.data_type))
if hasattr(event_object, 'drive_number'):
event_object.drive_letter = self.DRIVE_LIST.get(
event_object.drive_number, 'C?')
return super(WinRecyclerFormatter, self).GetMessages(event_object)
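Review bot: `DRIVE_LIST` is a 26-entry hand-typed table that can be expressed in one line, `DRIVE_LIST = dict((index, chr(ord('A') + index)) for index in range(26))`, which removes the chance of a typo in the mapping and makes the 0x00–0x19 range explicit. The fallback `'C?'` in `GetMessages` renders an unrecognised drive number as something that reads like drive C with a question mark; including the raw value, e.g. `u'{0!s}?'.format(event_object.drive_number)`, keeps the uncertainty visible in the timeline rather than hinting at a specific drive. The `WrongFormatter` message here is a byte-string literal while the sibling formatters in this commit use a `u''` literal for the same message; aligning them avoids mixed str/unicode error text under Python 2.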
+422
@@ -0,0 +1,422 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains formatters for the parsed Rubanetra events. Additionally, a Java Instant formatter was defined
as well."""
from plaso.formatters import interface
__author__ = 'Stefan Swerk (stefan_rubanetra@swerk.priv.at)'
class RubanetraBaseActivityFormatter(interface.ConditionalEventFormatter):
""" Formatter for a Rubanetra BaseActivity """
DATA_TYPE = 'java:rubanetra:base_activity'
SOURCE_SHORT = 'LOG'
SOURCE_LONG = 'at.jku.fim.rubanetra.BaseActivity'
FORMAT_STRING_PIECES = [
u'activityType: \'{activity_type}\'',
u'firstTimestamp: \'{first_timestamp}\'',
u'lastTimestamp: \'{last_timestamp}\'',
u'description: \'{description}\'',
u'sourceAddress: \'{source_address}\'',
u'destinationAddress: \'{destination_address}\'',
u'compoundFrameNumbers: \'{compound_frame_number_list}\'',
u'isReplaced: \'{replaced}\'',
u'optionalFields: \'{optional_field_dict}\'']
class RubanetraPcapActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:pcap_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.PcapActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES \
+ [u'totalSize: \'{pcap_total_size}\'',
u'frameNumber: \'{pcap_frame_number}\'',
u'wireLength: \'{pcap_packet_wirelen}\'',
u'headerCount: \'{pcap_header_count}\'']
class RubanetraHttpRequestActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:http_request_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.HttpRequestActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'serverAddress: \'{server_address}\'',
u'clientAddress: \'{client_address}\'',
u'httpVersion: \'{http_version}\'',
u'httpMethod: \'{http_method}\'',
u'httpQueryString: \'{http_query_string}\'',
u'httpQueryParameters: \'{http_query_parameters}\'',
u'httpRequestHeader: \'{http_request_header_dict}\'',
u'url: \'{url}\'',
u'originalHttpHeader: \'{orig_http_header}\'',
u'contentType: \'{content_type}\'',
u'isResponse: \'{is_response}\'',
u'JNetPcapHttpString: \'{jnetpcap_http_string}\'']
class RubanetraHttpResponseActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:http_response_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.HttpResponseActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'httpVersion: \'{http_version}\'',
u'httpStatusCode: \'{response_status_code}\'',
u'httpStatusLine: \'{response_status_line}\'',
u'httpResponseHeader: \'{response_header_dict}\'',
u'originalHttpHeader: \'{orig_http_header}\'',
u'contentType: \'{content_type}\'',
u'JNetPcapHttpString: \'{jnetpcap_http_string}\'']
class RubanetraDnsActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:dns_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.DnsActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'questionRecords: \'{question_record_list}\'',
u'answerRecords: \'{answer_record_list}\'',
u'authorityRecords: \'{authority_record_list}\'',
u'additionalRecords: \'{additional_record_list}\'',
u'dnsMessageHeader: \'{dns_message_header}\'',
u'isResponse: \'{is_response_bool}\'']
class RubanetraHttpImageActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:http_image_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.HttpImageActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'imageType: \'{image_type}\'',
u'imagePath: \'{image_path}\'']
class RubanetraArpActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:arp_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.ArpActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'hardwareType: \'{hardware_type}\'',
u'protocolType: \'{protocol_type}\'',
u'hardwareAddressLength: \'{hardware_address_length}\'',
u'protocolAddressLength: \'{protocol_address_length}\'',
u'senderHardwareAddress: \'{sender_mac_address}\'',
u'targetHardwareAddress: \'{target_mac_address}\'',
u'senderProtocolAddress: \'{sender_protocol_address}\'',
u'targetProtocolAddress: \'{target_protocol_address}\'',
u'JNetPcapArpString: \'{jnetpcap_arp}\'']
class RubanetraDhcpActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:dhcp_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.DhcpActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'dhcpMessage: \'{dhcp_message}\'']
class RubanetraEthernetActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:ethernet_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.EthernetActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'sourceMacAddress: \'{source_mac_address}\'',
u'destinationMacAddress: \'{destination_mac_address}\'',
u'ethernetType: \'{ethernet_type}\'',
u'ethernetTypeEnum: \'{ethernet_type_enum}\'',
u'JNetPcapEthernetString: \'{jnetpcap_ethernet}\'']
class RubanetraFtpActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:ftp_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.FtpActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'ftpActivityType: \'{ftp_type}\'',
u'command: \'{command}\'',
u'reply: \'{reply}\'',
u'list: \'{list}\'']
class RubanetraIcmpv4ActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:icmpv4_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.Icmpv4Activity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'icmpSubType: \'{icmp_subtype}\'',
u'icmpPacket: \'{icmp_packet}\'',
u'icmpMessage: \'{icmp_message}\'',
u'icmpType: \'{icmp_type}\'',
u'icmpCode: \'{icmp_code}\'',
u'sourceAddress: \'{source_address}\'',
u'destinationAddress: \'{destination_address}\'',
u'identifier: \'{identifier}\'',
u'sequence: \'{sequence}\'',
u'JNetPcapIcmpString: \'{jnetpcap_icmp}\'']
class RubanetraIcmpv6ActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:icmpv6_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.Icmpv6Activity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'icmpSubType: \'{icmp_subtype}\'',
u'icmpPacket: \'{icmp_packet}\'',
u'icmpMessage: \'{icmp_message}\'',
u'icmpType: \'{icmp_type}\'',
u'JNetPcapIcmpString: \'{jnetpcap_icmp}\'']
class RubanetraIpActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:ip_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.IpActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'version: \'{version}\'',
u'protocol: \'{protocol}\'',
u'sourceAddress: \'{source_address}\'',
u'destinationAddress: \'{destination_address}\'']
class RubanetraIpv4ActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:ipv4_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.Ipv4Activity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'internetHeaderLength: \'{internet_header_length}\'',
u'differentiatedServicesCodePoint: \'{differentiated_services_code_point}\'',
u'totalLength: \'{total_length}\'',
u'identification: \'{identification}\'',
u'flags: \'{flags}\'',
u'fragmentOffset: \'{fragment_offset}\'',
u'timeToLive: \'{time_to_live}\'',
u'headerChecksum: \'{header_checksum}\'',
u'options: \'{options}\'',
u'JNetPcapIpv4String: \'{jnetpcap_ip4}\'']
class RubanetraIpv6ActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:ipv6_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.Ipv6Activity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'trafficClass: \'{traffic_class}\'',
u'flowLabel: \'{flow_label}\'',
u'payloadLength: \'{payload_length}\'',
u'nextHeader: \'{next_header}\'',
u'hopLimit: \'{hop_limit}\'',
u'JNetPcapIpv6String: \'{jnetpcap_ip6}\'',
u'KrakenIpv6String: \'{kraken_ip6}\'']
class RubanetraMsnActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:msn_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.MsnActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'account: \'{account}\'',
u'chat: \'{chat}\'']
class RubanetraNetbiosActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:Netbios_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.NetbiosActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'datagramPacket: \'{datagram_packet}\'',
u'namePacket: \'{name_packet}\'']
class RubanetraPop3ActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:pop3_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.Pop3Activity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'subType: \'{sub_type}\'',
u'header: \'{header}\'',
u'data: \'{data}\'',
u'command: \'{command}\'',
u'response: \'{response}\'']
class RubanetraSmtpCommandActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:smtp_command_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.SmtpCommandActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'command: \'{command}\'',
u'parameter: \'{parameter}\'']
class RubanetraSmtpReplyActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:smtp_reply_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.SmtpReplyActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'code: \'{code}\'',
u'message: \'{message}\'']
class RubanetraSmtpSendActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:smtp_send_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.SmtpSendActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'header: \'{header}\'',
u'data: \'{data}\'']
class RubanetraSnmpv1ActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:snmpv1_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.Snmpv1Activity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'pdu: \'{pdu}\'',
u'sourceSocketAddress: \'{source_socket_address}\'',
u'destinationSocketAddress: \'{destination_socket_address}\'']
class RubanetraSnmpv2ActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:snmpv2_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.Snmpv2Activity'
FORMAT_STRING_PIECES = RubanetraSnmpv1ActivityFormatter.FORMAT_STRING_PIECES
class RubanetraTcpActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:tcp_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.TcpActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'sourcePort: \'{source_port}\'',
u'destinationPort: \'{destination_port}\'',
u'sequenceNumber: \'{sequence_number}\'',
u'acknowledgeNumber: \'{acknowledge_number}\'',
u'relativeSequenceNumber: \'{relative_sequence_number}\'',
u'relativeAcknowledgeNumber: \'{relative_acknowledge_number}\'',
u'dataOffset: \'{data_offset}\'',
u'controlBits: \'{control_bits}\'',
u'windowSize: \'{window_size}\'',
u'checksum: \'{checksum}\'',
u'urgentPointer: \'{urgent_pointer}\'',
u'tcpLength: \'{tcp_length}\'',
u'options: \'{options}\'',
u'padding: \'{padding}\'',
u'syn: \'{syn}\'',
u'ack: \'{ack}\'',
u'psh: \'{psh}\'',
u'fin: \'{fin}\'',
u'rst: \'{rst}\'',
u'urg: \'{urg}\'',
u'direction: \'{direction}\'',
u'clientState: \'{client_state}\'',
u'serverState: \'{server_state}\'',
u'JNetPcapTcpString: \'{jnetpcap_tcp}\'',
u'sourceAddress: \'{source_address}\'',
u'destinationAddress: \'{destination_address}\'',
u'sourceSocketAddress: \'{source_socket_address}\'',
u'destinationSocketAddress: \'{destination_socket_address}\'']
class RubanetraTelnetActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:telnet_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.TelnetActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'subType: \'{sub_type}\'',
u'command: \'{command}\'',
u'option: \'{option}\'',
u'ansiMode: \'{ansi_mode}\'',
u'arguments: \'{arguments}\'',
u'text: \'{text}\'',
u'title: \'{title}\'']
class RubanetraTlsActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:tls_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.TlsActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'clientToServerTraffic: \'{client_to_server_traffic}\'',
u'serverToClientTraffic: \'{server_to_client_traffic}\'']
class RubanetraUdpActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:udp_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.UdpActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'sourcePort: \'{source_port}\'',
u'destinationPort: \'{destination_port}\'',
u'length: \'{length}\'',
u'checksum: \'{checksum}\'',
u'JNetPcapUdpString: \'{jnetpcap_udp}\'',
u'sourceSocketAddress: \'{source_socket_address}\'',
u'destinationSocketAddress: \'{destination_socket_address}\'']
class RubanetraOpenSSHActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:open_ssh_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.OpenSSHActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'clientToServerTraffic: \'{client_to_server_traffic}\'',
u'serverToClientTraffic: \'{server_to_client_traffic}\'']
class RubanetraDropboxTlsActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:dropbox_tls_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.DropboxActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'clientAddress: \'{client_address}\'',
u'serverAddress: \'{server_address}\'']
class RubanetraSpiderOakActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:spideroak_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.SpiderOakActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'clientAddress: \'{client_address}\'',
u'serverAddress: \'{server_address}\'']
class RubanetraSkypePayloadActivityFormatter(RubanetraBaseActivityFormatter):
DATA_TYPE = 'java:rubanetra:skype_payload_activity'
SOURCE_LONG = 'at.jku.fim.rubanetra.SkypePayloadActivity'
FORMAT_STRING_PIECES = RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + \
[u'sourceObjectId: \'{source_object_id}\'',
u'destinationObjectId: \'{destination_object_id}\'',
u'sourceHost: \'{source_host}\'',
u'destinationHost: \'{destination_host}\'']
class JavaInstantFormatter(interface.EventFormatter):
""" Formatter for a Java Instant """
DATA_TYPE = 'java:time:Instant'
SOURCE_SHORT = 'JAVA'
SOURCE_LONG = 'java.time.Instant'
FORMAT_STRING = (
u'epoch_seconds: \'{instant_epoch_seconds}, nano: \'{instant_nano}\'')
FORMAT_STRING_SHORT = (u'{instant_epoch_seconds}.{instant_nano}\'')
+33
@@ -0,0 +1,33 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the Safari History events."""
from plaso.formatters import interface
class SafariHistoryFormatter(interface.ConditionalEventFormatter):
"""Formatter for Safari history events."""
DATA_TYPE = 'safari:history:visit'
FORMAT_STRING_PIECES = [
u'Visited: {url}', u'({title}', u'- {display_title}', ')',
'Visit Count: {visit_count}']
SOURCE_LONG = 'Safari History'
SOURCE_SHORT = 'WEBHIST'
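Review bot: The bare `')'` piece in FORMAT_STRING_PIECES carries no placeholder, so it can never be dropped; if ConditionalEventFormatter omits only the pieces whose attribute is missing (which is what `u'- {display_title}'` relies on), a visit record without a title is rendered with an orphaned closing parenthesis, `Visited: <url> ) Visit Count: 3`. One way to avoid dangling punctuation is to give each bracket its own placeholder, e.g. `u'({title})'` and `u'[{display_title}]'`, so that no piece consists of punctuation alone. Separately, `'Visit Count: {visit_count}'` is the only piece without the `u` prefix the rest of the list uses; `u'Visit Count: {visit_count}'` keeps the pieces uniformly unicode on the Python 2 interpreter the shebang targets.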
+34
@@ -0,0 +1,34 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a selinux formatter in plaso."""
from plaso.formatters import interface
class SELinuxFormatter(interface.ConditionalEventFormatter):
"""Formatter for selinux files."""
DATA_TYPE = 'selinux:line'
FORMAT_STRING_SEPARATOR = u''
FORMAT_STRING_PIECES = [u'[', u'audit_type: {audit_type}',
u', pid: {pid}', u']', u' {body}']
SOURCE_LONG = 'Audit log File'
SOURCE_SHORT = 'LOG'
+41
@@ -0,0 +1,41 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the shell item events."""
from plaso.formatters import interface
class ShellItemFileEntryEventFormatter(interface.ConditionalEventFormatter):
"""Class that formats Windows volume creation events."""
DATA_TYPE = 'windows:shell_item:file_entry'
FORMAT_STRING_PIECES = [
u'Name: {name}',
u'Long name: {long_name}',
u'Localized name: {localized_name}',
u'NTFS file reference: {file_reference}',
u'Origin: {origin}']
FORMAT_STRING_SHORT_PIECES = [
u'Name: {name}',
u'NTFS file reference: {file_reference}',
u'Origin: {origin}']
SOURCE_LONG = 'File entry shell item'
SOURCE_SHORT = 'FILE'
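Review bot: The docstring of ShellItemFileEntryEventFormatter, "Class that formats Windows volume creation events.", was carried over from another formatter and describes the wrong event; the class handles `windows:shell_item:file_entry` records, as DATA_TYPE and the Name/NTFS file reference/Origin pieces show. Replace it with `"""Formatter for file entry shell item events."""` so the docstring and the module docstring agree.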
+36
@@ -0,0 +1,36 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a skydrivelog formatter in plaso."""
from plaso.formatters import interface
class SkyDriveLogFormatter(interface.ConditionalEventFormatter):
"""Formatter for SkyDrive log files events."""
DATA_TYPE = 'skydrive:log:line'
FORMAT_STRING_PIECES = [
u'[{source_code}]',
u'({log_level})',
u'{text}']
FORMAT_STRING_SHORT_PIECES = [u'{text}']
SOURCE_LONG = 'SkyDrive Log File'
SOURCE_SHORT = 'LOG'
+37
@@ -0,0 +1,37 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a skydrivelogerr formatter in plaso."""
from plaso.formatters import interface
class SkyDriveLogErrorFormatter(interface.ConditionalEventFormatter):
"""Formatter for SkyDrive log error files events."""
DATA_TYPE = 'skydrive:error:line'
FORMAT_STRING_PIECES = [
u'[{module}',
u'{source_code}]',
u'{text}',
u'({detail})']
FORMAT_STRING_SHORT_PIECES = [u'{text}']
SOURCE_LONG = 'SkyDrive Error Log File'
SOURCE_SHORT = 'LOG'
+88
@@ -0,0 +1,88 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the Skype Main database events."""
from plaso.formatters import interface
class SkypeAccountFormatter(interface.ConditionalEventFormatter):
"""Formatter for Skype Account information."""
DATA_TYPE = 'skype:event:account'
FORMAT_STRING_PIECES = [u'{username}', u'[{email}]', u'Country: {country}']
SOURCE_LONG = 'Skype Account'
SOURCE_SHORT = 'LOG'
class SkypeChatFormatter(interface.ConditionalEventFormatter):
"""Formatter for Skype chat events."""
DATA_TYPE = 'skype:event:chat'
FORMAT_STRING_PIECES = [
u'From: {from_account}',
u'To: {to_account}',
u'[{title}]',
u'Message: [{text}]']
FORMAT_STRING_SHORT_PIECES = [u'From: {from_account}', u' To: {to_account}']
SOURCE_LONG = 'Skype Chat MSG'
SOURCE_SHORT = 'LOG'
class SkypeSMSFormatter(interface.ConditionalEventFormatter):
"""Formatter for Skype SMS."""
DATA_TYPE = 'skype:event:sms'
FORMAT_STRING_PIECES = [u'To: {number}', u'[{text}]']
SOURCE_LONG = 'Skype SMS'
SOURCE_SHORT = 'LOG'
class SkypeCallFormatter(interface.ConditionalEventFormatter):
"""Formatter for Skype calls."""
DATA_TYPE = 'skype:event:call'
FORMAT_STRING_PIECES = [
u'From: {src_call}',
u'To: {dst_call}',
u'[{call_type}]']
SOURCE_LONG = 'Skype Call'
SOURCE_SHORT = 'LOG'
class SkypeTransferFileFormatter(interface.ConditionalEventFormatter):
"""Formatter for Skype transfer files"""
DATA_TYPE = 'skype:event:transferfile'
FORMAT_STRING_PIECES = [
u'Source: {source}',
u'Destination: {destination}',
u'File: {transferred_filename}',
u'[{action_type}]']
SOURCE_LONG = 'Skype Transfer Files'
SOURCE_SHORT = 'LOG'
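Review bot: In SkypeChatFormatter the short piece `u' To: {to_account}'` starts with a space that none of the other pieces in this file carry; if the pieces are joined with the formatter's default separator (a space, judging by the files that override FORMAT_STRING_SEPARATOR explicitly), the short message ends up with a double space between the From and To fields. `u'To: {to_account}'` matches the long form two lines above. The SkypeTransferFileFormatter docstring is also the only one in the file without a terminating period.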
+197
@@ -0,0 +1,197 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a formatter for Symantec logs."""
from plaso.lib import errors
from plaso.formatters import interface
__author__ = 'David Nides (david.nides@gmail.com)'
class SymantecFormatter(interface.ConditionalEventFormatter):
"""Define the formatting for Symantec events."""
DATA_TYPE = 'av:symantec:scanlog'
EVENT_NAMES = {
'1': 'GL_EVENT_IS_ALERT',
'2': 'GL_EVENT_SCAN_STOP',
'3': 'GL_EVENT_SCAN_START',
'4': 'GL_EVENT_PATTERN_UPDATE',
'5': 'GL_EVENT_INFECTION',
'6': 'GL_EVENT_FILE_NOT_OPEN',
'7': 'GL_EVENT_LOAD_PATTERN',
'8': 'GL_STD_MESSAGE_INFO',
'9': 'GL_STD_MESSAGE_ERROR',
'10': 'GL_EVENT_CHECKSUM',
'11': 'GL_EVENT_TRAP',
'12': 'GL_EVENT_CONFIG_CHANGE',
'13': 'GL_EVENT_SHUTDOWN',
'14': 'GL_EVENT_STARTUP',
'16': 'GL_EVENT_PATTERN_DOWNLOAD',
'17': 'GL_EVENT_TOO_MANY_VIRUSES',
'18': 'GL_EVENT_FWD_TO_QSERVER',
'19': 'GL_EVENT_SCANDLVR',
'20': 'GL_EVENT_BACKUP',
'21': 'GL_EVENT_SCAN_ABORT',
'22': 'GL_EVENT_RTS_LOAD_ERROR',
'23': 'GL_EVENT_RTS_LOAD',
'24': 'GL_EVENT_RTS_UNLOAD',
'25': 'GL_EVENT_REMOVE_CLIENT',
'26': 'GL_EVENT_SCAN_DELAYED',
'27': 'GL_EVENT_SCAN_RESTART',
'28': 'GL_EVENT_ADD_SAVROAMCLIENT_TOSERVER',
'29': 'GL_EVENT_REMOVE_SAVROAMCLIENT_FROMSERVER',
'30': 'GL_EVENT_LICENSE_WARNING',
'31': 'GL_EVENT_LICENSE_ERROR',
'32': 'GL_EVENT_LICENSE_GRACE',
'33': 'GL_EVENT_UNAUTHORIZED_COMM',
'34': 'GL_EVENT_LOG_FWD_THRD_ERR',
'35': 'GL_EVENT_LICENSE_INSTALLED',
'36': 'GL_EVENT_LICENSE_ALLOCATED',
'37': 'GL_EVENT_LICENSE_OK',
'38': 'GL_EVENT_LICENSE_DEALLOCATED',
'39': 'GL_EVENT_BAD_DEFS_ROLLBACK',
'40': 'GL_EVENT_BAD_DEFS_UNPROTECTED',
'41': 'GL_EVENT_SAV_PROVIDER_PARSING_ERROR',
'42': 'GL_EVENT_RTS_ERROR',
'43': 'GL_EVENT_COMPLIANCE_FAIL',
'44': 'GL_EVENT_COMPLIANCE_SUCCESS',
'45': 'GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION',
'46': 'GL_EVENT_ANOMALY_START',
'47': 'GL_EVENT_DETECTION_ACTION_TAKEN',
'48': 'GL_EVENT_REMEDIATION_ACTION_PENDING',
'49': 'GL_EVENT_REMEDIATION_ACTION_FAILED',
'50': 'GL_EVENT_REMEDIATION_ACTION_SUCCESSFUL',
'51': 'GL_EVENT_ANOMALY_FINISH',
'52': 'GL_EVENT_COMMS_LOGIN_FAILED',
'53': 'GL_EVENT_COMMS_LOGIN_SUCCESS',
'54': 'GL_EVENT_COMMS_UNAUTHORIZED_COMM',
'55': 'GL_EVENT_CLIENT_INSTALL_AV',
'56': 'GL_EVENT_CLIENT_INSTALL_FW',
'57': 'GL_EVENT_CLIENT_UNINSTALL',
'58': 'GL_EVENT_CLIENT_UNINSTALL_ROLLBACK',
'59': 'GL_EVENT_COMMS_SERVER_GROUP_ROOT_CERT_ISSUE',
'60': 'GL_EVENT_COMMS_SERVER_CERT_ISSUE',
'61': 'GL_EVENT_COMMS_TRUSTED_ROOT_CHANGE',
'62': 'GL_EVENT_COMMS_SERVER_CERT_STARTUP_FAILED',
'63': 'GL_EVENT_CLIENT_CHECKIN',
'64': 'GL_EVENT_CLIENT_NO_CHECKIN',
'65': 'GL_EVENT_SCAN_SUSPENDED',
'66': 'GL_EVENT_SCAN_RESUMED',
'67': 'GL_EVENT_SCAN_DURATION_INSUFFICIENT',
'68': 'GL_EVENT_CLIENT_MOVE',
'69': 'GL_EVENT_SCAN_FAILED_ENHANCED',
'70': 'GL_EVENT_MAX_event_name',
'71': 'GL_EVENT_HEUR_THREAT_NOW_WHITELISTED',
'72': 'GL_EVENT_INTERESTING_PROCESS_DETECTED_START',
'73': 'GL_EVENT_LOAD_ERROR_COH',
'74': 'GL_EVENT_LOAD_ERROR_SYKNAPPS',
'75': 'GL_EVENT_INTERESTING_PROCESS_DETECTED_FINISH',
'76': 'GL_EVENT_HPP_SCAN_NOT_SUPPORTED_FOR_OS',
'77': 'GL_EVENT_HEUR_THREAT_NOW_KNOWN'
}
CATEGORY_NAMES = {
'1': 'GL_CAT_INFECTION',
'2': 'GL_CAT_SUMMARY',
'3': 'GL_CAT_PATTERN',
'4': 'GL_CAT_SECURITY'
}
ACTION_1_2_NAMES = {
'1': 'Quarantine infected file',
'2': 'Rename infected file',
'3': 'Delete infected file',
'4': 'Leave alone (log only)',
'5': 'Clean virus from file',
'6': 'Clean or delete macros'
}
ACTION_0_NAMES = {
'1': 'Quarantined',
'2': 'Renamed',
'3': 'Deleted',
'4': 'Left alone',
'5': 'Cleaned',
'6': ('Cleaned or macros deleted (no longer used as of '
'Symantec AntiVirus 9.x)'),
'7': 'Saved file as...',
'8': 'Sent to Intel (AMS)',
'9': 'Moved to backup location',
'10': 'Renamed backup file',
'11': 'Undo action in Quarantine View',
'12': 'Write protected or lack of permissions - Unable to act on file',
'13': 'Backed up file'
}
# The identifier for the formatter (a regular expression)
FORMAT_STRING_SEPARATOR = u'; '
FORMAT_STRING_PIECES = [
u'Event Name: {event_map}',
u'Category Name: {category_map}',
u'Malware Name: {virus}',
u'Malware Path: {file}',
u'Action0: {action0_map}',
u'Action1: {action1_map}',
u'Action2: {action2_map}',
u'Description: {description}',
u'Scan ID: {scanid}',
u'Event Data: {event_data}',
u'Remote Machine: {remote_machine}',
u'Remote IP: {remote_machine_ip}']
FORMAT_STRING_SHORT_PIECES = [
u'{file}',
u'{virus}',
u'{action0_map}',
u'{action1_map}',
u'{action2_map}']
SOURCE_LONG = 'Symantec AV Log'
SOURCE_SHORT = 'LOG'
def GetMessages(self, event_object):
"""Returns a list of messages extracted from an event object.
Args:
event_object: The event object (EventObject) containing the event
specific data.
Returns:
A list that contains both the longer and shorter version of the message
string.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
if hasattr(event_object, 'event'):
event_object.event_map = self.EVENT_NAMES.get(
event_object.event, 'Unknown')
if hasattr(event_object, 'cat'):
event_object.category_map = self.CATEGORY_NAMES.get(
event_object.cat, 'Unknown')
if hasattr(event_object, 'action1'):
event_object.action1_map = self.ACTION_1_2_NAMES.get(
event_object.action1, 'Unknown')
if hasattr(event_object, 'action2'):
event_object.action2_map = self.ACTION_1_2_NAMES.get(
event_object.action2, 'Unknown')
if hasattr(event_object, 'action0'):
event_object.action0_map = self.ACTION_0_NAMES.get(
event_object.action0, 'Unknown')
return super(SymantecFormatter, self).GetMessages(event_object)
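Review bot: Every lookup in GetMessages collapses an unrecognised code to the literal `'Unknown'`, so the raw value is lost from the rendered message and an analyst cannot tell which event, category or action code Symantec actually logged; keeping the code in the fallback, e.g. `self.EVENT_NAMES.get(event_object.event, u'Unknown ({0!s})'.format(event_object.event))`, preserves the evidence and makes mapping gaps visible. Note that the mapping keys are strings (`'1'`, `'10'`), so if the parser ever stores these fields as integers every lookup silently falls into the fallback; that assumption is worth a comment on the tables. The comment `# The identifier for the formatter (a regular expression)` above FORMAT_STRING_SEPARATOR is stale: the separator is neither an identifier nor a regular expression, and `# Pieces are joined with '; ' rather than the default separator.` describes what the line does.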
+33
@@ -0,0 +1,33 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a syslog formatter in plaso."""
from plaso.formatters import interface
class SyslogLineFormatter(interface.ConditionalEventFormatter):
"""Formatter for syslog files."""
DATA_TYPE = 'syslog:line'
FORMAT_STRING_SEPARATOR = u''
FORMAT_STRING_PIECES = [u'[', u'{reporter}', u', pid: {pid}', u'] {body}']
SOURCE_LONG = 'Log File'
SOURCE_SHORT = 'LOG'
+36
@@ -0,0 +1,36 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for Task Scheduler events."""
from plaso.formatters import interface
class TaskCacheEventFormatter(interface.ConditionalEventFormatter):
"""Formatter for a generic Task Cache event."""
DATA_TYPE = 'task_scheduler:task_cache:entry'
FORMAT_STRING_PIECES = [
u'Task: {task_name}',
u'[Identifier: {task_identifier}]']
FORMAT_STRING_SHORT_PIECES = [
u'Task: {task_name}']
SOURCE_LONG = 'Task Cache'
SOURCE_SHORT = 'REG'
+30
@@ -0,0 +1,30 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for text file-based events."""
from plaso.formatters import interface
class TextEventFormatter(interface.EventFormatter):
"""Text event formatter."""
DATA_TYPE = u'text:entry'
FORMAT_STRING = u'{text}'
SOURCE_SHORT = u'LOG'
SOURCE_LONG = u'Text File'
+41
@@ -0,0 +1,41 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the UTMP binary files."""
from plaso.formatters import interface
class UtmpSessionFormatter(interface.ConditionalEventFormatter):
"""Formatter for UTMP session."""
DATA_TYPE = 'linux:utmp:event'
FORMAT_STRING_PIECES = [
u'User: {user}',
u'Computer Name: {computer_name}',
u'Terminal: {terminal}',
u'PID: {pid}',
u'Terminal_ID: {terminal_id}',
u'Status: {status}',
u'IP Address: {ip_address}',
u'Exit: {exit}']
FORMAT_STRING_SHORT_PIECES = [u'User: {user}']
SOURCE_LONG = 'UTMP session'
SOURCE_SHORT = 'LOG'
+36
@@ -0,0 +1,36 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the UTMPX binary files."""
from plaso.formatters import interface
class UtmpxSessionFormatter(interface.ConditionalEventFormatter):
"""Formatter for UTMPX session."""
DATA_TYPE = 'mac:utmpx:event'
FORMAT_STRING_PIECES = [
u'User: {user}',
u'Status: {status}',
u'Computer Name: {computer_name}',
u'Terminal: {terminal}']
FORMAT_STRING_SHORT_PIECES = [u'User: {user}']
SOURCE_LONG = 'UTMPX session'
SOURCE_SHORT = 'LOG'
+38
@@ -0,0 +1,38 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the Windows events."""
from plaso.formatters import interface
class WindowsVolumeCreationEventFormatter(interface.ConditionalEventFormatter):
"""Class that formats Windows volume creation events."""
DATA_TYPE = 'windows:volume:creation'
FORMAT_STRING_PIECES = [
u'{device_path}',
u'Serial number: 0x{serial_number:08X}',
u'Origin: {origin}']
FORMAT_STRING_SHORT_PIECES = [
u'{device_path}',
u'Origin: {origin}']
SOURCE_LONG = 'System'
SOURCE_SHORT = 'LOG'
+113
@@ -0,0 +1,113 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for Windows EventLog (EVT) files."""
from plaso.lib import errors
from plaso.formatters import interface
class WinEvtFormatter(interface.ConditionalEventFormatter):
"""Define the formatting for Windows EventLog (EVT) record."""
DATA_TYPE = 'windows:evt:record'
# TODO: add string representation of facility.
FORMAT_STRING_PIECES = [
u'[{event_identifier} /',
u'0x{event_identifier:04x}]',
u'Severity: {severity_string}',
u'Record Number: {record_number}',
u'Event Type: {event_type_string}',
u'Event Category: {event_category}',
u'Source Name: {source_name}',
u'Computer Name: {computer_name}',
u'Strings: {strings}']
FORMAT_STRING_SHORT_PIECES = [
u'[{event_identifier} /',
u'0x{event_identifier:04x}]',
u'Strings: {strings}']
SOURCE_LONG = 'WinEVT'
SOURCE_SHORT = 'EVT'
# Mapping of the numeric event types to a descriptive string.
_EVENT_TYPES = [
u'Error event',
u'Warning event',
u'Information event',
u'Success Audit event',
u'Failure Audit event']
_SEVERITY = [
u'Success',
u'Informational',
u'Warning',
u'Error']
def GetEventTypeString(self, event_type):
"""Retrieves a string representation of the event type.
Args:
event_type: The numeric event type.
Returns:
An Unicode string containing a description of the event type.
"""
if event_type >= 0 and event_type < len(self._EVENT_TYPES):
return self._EVENT_TYPES[event_type]
return u'Unknown {0:d}'.format(event_type)
def GetSeverityString(self, severity):
"""Retrieves a string representation of the severity.
Args:
severity: The numeric severity.
Returns:
An Unicode string containing a description of the event type.
"""
if severity >= 0 and severity < len(self._SEVERITY):
return self._SEVERITY[severity]
return u'Unknown {0:d}'.format(severity)
def GetMessages(self, event_object):
"""Returns a list of messages extracted from an event object.
Args:
event_object: The event object (EventObject) containing the event
specific data.
Returns:
A list that contains both the longer and shorter version of the message
string.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
# Update event object with the event type string.
event_object.event_type_string = self.GetEventTypeString(
event_object.event_type)
# TODO: add string representation of facility.
# Update event object with the severity string.
event_object.severity_string = self.GetSeverityString(event_object.severity)
return super(WinEvtFormatter, self).GetMessages(event_object)
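Review bot: GetEventTypeString indexes `_EVENT_TYPES` as a 0..4 list, but the EVT record stores the event type as the EVENTLOG_*_TYPE constants, which are bit flags: 0x0001 Error, 0x0002 Warning, 0x0004 Information, 0x0008 Success Audit, 0x0010 Failure Audit. Unless the parser remaps the value before setting `event_object.event_type` (not visible here), a value of 1 is labelled "Warning event", 4 becomes "Failure Audit event", and 8 and 16 come out as "Unknown", which mislabels exactly the audit records an investigator filters on. A dict keyed by the flag values fixes the lookup without changing the method's interface. The GetSeverityString docstring also says it returns "a description of the event type"; it should read "a description of the severity".

```python
  # Mapping of the EVENTLOG_*_TYPE flag values to a descriptive string.
  _EVENT_TYPES = {
      0x0001: u'Error event',
      0x0002: u'Warning event',
      0x0004: u'Information event',
      0x0008: u'Success Audit event',
      0x0010: u'Failure Audit event'}

  # … unchanged: _SEVERITY …

  def GetEventTypeString(self, event_type):
    """Retrieves a string representation of the EVENTLOG_*_TYPE value."""
    event_type_string = self._EVENT_TYPES.get(event_type)
    if event_type_string is None:
      return u'Unknown {0:d}'.format(event_type)
    return event_type_string
```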
+41
@@ -0,0 +1,41 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatters for Windows XML EventLog (EVTX) related events."""
from plaso.formatters import interface
class WinEvtxFormatter(interface.ConditionalEventFormatter):
"""Formatter for a Windows XML EventLog (EVTX) record."""
DATA_TYPE = 'windows:evtx:record'
FORMAT_STRING_PIECES = [
u'[{event_identifier} /',
u'0x{event_identifier:04x}]',
u'Record Number: {record_number}',
u'Event Level: {event_level}',
u'Source Name: {source_name}',
u'Computer Name: {computer_name}',
u'Strings: {strings}',
u'XML string: {xml_strings}']
FORMAT_STRING_SHORT_PIECES = [
u'[{event_identifier} /',
u'0x{event_identifier:04x}]',
u'Strings: {strings}']
SOURCE_LONG = 'WinEVTX'
SOURCE_SHORT = 'EVT'
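--- a/[path not on page: WinFirewallFormatter module]
+++ b/[path not on page: WinFirewallFormatter module]
@@ -0,0 +1,63 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Copyright 2013 The Plaso Project Authors.
+# Please see the AUTHORS file for details on individual authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Formatter for Windows firewall log files."""
+from plaso.formatters import interface
+class WinFirewallFormatter(interface.ConditionalEventFormatter):
+"""A formatter for Windows firewall log entries."""
+DATA_TYPE = 'windows:firewall:log_entry'
+# TODO: Add more "elegant" formatting, as in transform ICMP code/type into
+# a more human readable format as well as translating the additional info
+# column (meaning may depend on action field).
+FORMAT_STRING_PIECES = [
+u'{action}',
+u'[',
+u'{protocol}',
+u'{path}',
+u']',
+u'From: {source_ip}',
+u':{source_port}',
+u'>',
+u'{dest_ip}',
+u':{dest_port}',
+u'Size (bytes): {size}',
+u'Flags [{flags}]',
+u'TCP Seq Number: {tcp_seq}',
+u'TCP ACK Number: {tcp_ack}',
+u'TCP Window Size (bytes): {tcp_win}',
+u'ICMP type: {icmp_type}',
+u'ICMP code: {icmp_code}',
+u'Additional info: {info}',
+]
+FORMAT_STRING_SHORT_PIECES = [
+u'{action}',
+u'[{protocol}]',
+u'{source_ip}',
+u': {source_port}',
+u'>',
+u'{dest_ip}',
+u': {dest_port}',
+]
+SOURCE_LONG = 'Windows Firewall Log'
+SOURCE_SHORT = 'LOG'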
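--- a/[path not on page: WinJobFormatter module]
+++ b/[path not on page: WinJobFormatter module]
@@ -0,0 +1,36 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Copyright 2013 The Plaso Project Authors.
+# Please see the AUTHORS file for details on individual authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Formatter for Windows Scheduled Task job events."""
+from plaso.formatters import interface
+class WinJobFormatter(interface.ConditionalEventFormatter):
+"""Formatter for a Java Cache IDX download item."""
+DATA_TYPE = 'windows:tasks:job'
+FORMAT_STRING_PIECES = [
+u'Application: {application}',
+u'{parameter}',
+u'Scheduled by: {username}',
+u'Working Directory: {working_dir}',
+u'Run Iteration: {trigger}']
+SOURCE_LONG = 'Windows Scheduled Task Job'
+SOURCE_SHORT = 'JOB'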
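Review bot: The class docstring `"""Formatter for a Java Cache IDX download item."""` describes a different artifact than the one this class formats; DATA_TYPE is `windows:tasks:job` and the module docstring names Scheduled Task job events. Replace it with `"""Formatter for a Windows Scheduled Task job event."""` so documentation generated from the class is not misleading.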
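--- a/[path not on page: WinLnkLinkFormatter module]
+++ b/[path not on page: WinLnkLinkFormatter module]
@@ -0,0 +1,101 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Copyright 2013 The Plaso Project Authors.
+# Please see the AUTHORS file for details on individual authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Formatter for Windows Shortcut (LNK) files."""
+from plaso.lib import errors
+from plaso.formatters import interface
+class WinLnkLinkFormatter(interface.ConditionalEventFormatter):
+"""Formatter for a Windows Shortcut (LNK) link event."""
+DATA_TYPE = 'windows:lnk:link'
+FORMAT_STRING_PIECES = [
+u'[{description}]',
+u'File size: {file_size}',
+u'File attribute flags: 0x{file_attribute_flags:08x}',
+u'Drive type: {drive_type}',
+u'Drive serial number: 0x{drive_serial_number:08x}',
+u'Volume label: {volume_label}',
+u'Local path: {local_path}',
+u'Network path: {network_path}',
+u'cmd arguments: {command_line_arguments}',
+u'env location: {env_var_location}',
+u'Relative path: {relative_path}',
+u'Working dir: {working_directory}',
+u'Icon location: {icon_location}',
+u'Link target: [{link_target}]']
+FORMAT_STRING_SHORT_PIECES = [
+u'[{description}]',
+u'{linked_path}',
+u'{command_line_arguments}']
+SOURCE_LONG = 'Windows Shortcut'
+SOURCE_SHORT = 'LNK'
+def _GetLinkedPath(self, event_object):
+"""Determines the linked path.
+Args:
+event_object: The event object (EventObject) containing the event
+specific data.
+Returns:
+A string containing the linked path.
+"""
+if hasattr(event_object, 'local_path'):
+return event_object.local_path
+if hasattr(event_object, 'network_path'):
+return event_object.network_path
+if hasattr(event_object, 'relative_path'):
+paths = []
+if hasattr(event_object, 'working_directory'):
+paths.append(event_object.working_directory)
+paths.append(event_object.relative_path)
+return u'\\'.join(paths)
+return 'Unknown'
+def GetMessages(self, event_object):
+"""Returns a list of messages extracted from an event object.
+Args:
+event_object: The event object (EventObject) containing the event
+specific data.
+Returns:
+A list that contains both the longer and shorter version of the message
+string.
+"""
+if self.DATA_TYPE != event_object.data_type:
+raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format(
+event_object.data_type))
+# Update event object with a description if necessary.
+if not hasattr(event_object, 'description'):
+event_object.description = u'Empty description'
+# Update event object with the linked path.
+event_object.linked_path = self._GetLinkedPath(event_object)
+return super(WinLnkLinkFormatter, self).GetMessages(event_object)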
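Review bot: `_GetLinkedPath` returns the byte string `'Unknown'` on its fallback path while every other value it returns, and the `u'Empty description'` default in GetMessages, is unicode; use `u'Unknown'` so the short message pieces are joined from a single string type. The `hasattr` checks also treat an attribute that is set to an empty string as present, so an empty `local_path` would win over a populated `network_path`; if the parser can set empty attributes, `getattr(event_object, 'local_path', None)` with a truthiness test would pick the first non-empty path instead. Whether the parser leaves such attributes unset or empty is not visible in this hunk.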
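--- a/[path not on page: WinPrefetchExecutionFormatter module]
+++ b/[path not on page: WinPrefetchExecutionFormatter module]
@@ -0,0 +1,76 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Copyright 2013 The Plaso Project Authors.
+# Please see the AUTHORS file for details on individual authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Formatter for the Windows Prefetch events."""
+from plaso.lib import errors
+from plaso.formatters import interface
+class WinPrefetchExecutionFormatter(interface.ConditionalEventFormatter):
+"""Class that formats Windows Prefetch execution events."""
+DATA_TYPE = 'windows:prefetch:execution'
+FORMAT_STRING_PIECES = [
+u'Prefetch',
+u'[{executable}] was executed -',
+u'run count {run_count}',
+u'path: {path}',
+u'hash: 0x{prefetch_hash:08X}',
+u'{volumes_string}']
+FORMAT_STRING_SHORT_PIECES = [
+u'{executable} was run',
+u'{run_count} time(s)']
+SOURCE_LONG = 'WinPrefetch'
+SOURCE_SHORT = 'LOG'
+def GetMessages(self, event_object):
+"""Returns a list of messages extracted from an event object.
+Args:
+event_object: The event object (instance of EventObject) containing
+the event specific data.
+Returns:
+A list that contains both the longer and shorter version of the message
+string.
+Raises:
+WrongFormatter: when the data type of the formatter does not match
+that of the event object.
+"""
+if self.DATA_TYPE != event_object.data_type:
+raise errors.WrongFormatter(
+u'Invalid event object - unsupported data type: {0:s}'.format(
+event_object.data_type))
+volumes_strings = []
+for volume_index in range(0, event_object.number_of_volumes):
+volumes_strings.append((
+u'volume: {0:d} [serial number: 0x{1:08X}, device path: '
+u'{2:s}]').format(
+volume_index + 1,
+event_object.volume_serial_numbers[volume_index],
+event_object.volume_device_paths[volume_index]))
+if volumes_strings:
+event_object.volumes_string = u', '.join(volumes_strings)
+return super(WinPrefetchExecutionFormatter, self).GetMessages(event_object)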
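Review bot: The loop in GetMessages indexes `event_object.volume_serial_numbers` and `event_object.volume_device_paths` with a counter that runs to `event_object.number_of_volumes`, so if the count and the two lists disagree (all three originate from the parsed prefetch file) the formatter raises IndexError instead of producing a message. Bounding the loop by what is actually present avoids that: `for volume_index in range(min(event_object.number_of_volumes, len(event_object.volume_serial_numbers), len(event_object.volume_device_paths))):`. Whether the parser guarantees the three agree is not visible here, and a defensive bound is cheap either way. The `{2:s}` conversion likewise assumes every device path is a string; a short comment stating that assumption would help the next reader.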
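--- a/plaso/formatters/winreg.py
+++ b/plaso/formatters/winreg.py
@@ -0,0 +1,81 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Copyright 2013 The Plaso Project Authors.
+# Please see the AUTHORS file for details on individual authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Formatter for Windows NT Registry (REGF) files."""
+from plaso.lib import errors
+from plaso.formatters import interface
+class WinRegistryGenericFormatter(interface.EventFormatter):
+"""Formatter for a generic Windows Registry key or value."""
+DATA_TYPE = 'windows:registry:key_value'
+FORMAT_STRING = u'[{keyname}] {text}'
+FORMAT_STRING_ALTERNATIVE = u'{text}'
+SOURCE_LONG = 'Registry Key'
+SOURCE_SHORT = 'REG'
+def GetMessages(self, event_object):
+"""Returns a list of messages extracted from an event object.
+Args:
+event_object: The event object (EventObject) containing the event
+specific data.
+Returns:
+A list that contains both the longer and shorter version of the message
+string.
+"""
+if self.DATA_TYPE != event_object.data_type:
+raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format(
+event_object.data_type))
+regvalue = getattr(event_object, 'regvalue', {})
+string_parts = []
+for key, value in sorted(regvalue.items()):
+string_parts.append(u'{0:s}: {1!s}'.format(key, value))
+text = u' '.join(string_parts)
+event_object.text = text
+if hasattr(event_object, 'keyname'):
+self.format_string = self.FORMAT_STRING
+else:
+self.format_string = self.FORMAT_STRING_ALTERNATIVE
+return super(WinRegistryGenericFormatter, self).GetMessages(event_object)
+def GetSources(self, event_object):
+"""Returns a list of source short and long messages for the event."""
+if self.DATA_TYPE != event_object.data_type:
+raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format(
+event_object.data_type))
+self.source_string = getattr(event_object, 'source_long', None)
+if not self.source_string:
+registry_type = getattr(event_object, 'registry_type', 'UNKNOWN')
+self.source_string = u'{0:s} key'.format(registry_type)
+if hasattr(event_object, 'source_append'):
+self.source_string += u' {0:s}'.format(event_object.source_append)
+return super(WinRegistryGenericFormatter, self).GetSources(event_object)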
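Review bot: GetMessages and GetSources store per-event values on the formatter itself (`self.format_string = ...` in the keyname branch, `self.source_string = ...` in GetSources) before delegating to the base class, so the instance carries state from the last event it handled. That is sound while one formatter instance handles events sequentially and both attributes are reassigned on every call, but it is an implicit contract with the base class and would not survive concurrent use; a comment at the first assignment such as `# Per-event state: the base class reads format_string in the super() call below, so it is set on every call.` would make that explicit. Whether formatter instances are shared across threads is not visible in this hunk.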
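--- a/[path not on page: WinRegistryServiceFormatter module]
+++ b/[path not on page: WinRegistryServiceFormatter module]
@@ -0,0 +1,58 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Copyright 2014 The Plaso Project Authors.
+# Please see the AUTHORS file for details on individual authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Formatter for service entries derived from Windows Registry files."""
+from plaso.formatters import winreg
+from plaso.winnt import human_readable_service_enums
+class WinRegistryServiceFormatter(winreg.WinRegistryGenericFormatter):
+"""Formatter for a Windows service event extracted from the Registry."""
+DATA_TYPE = 'windows:registry:service'
+def GetMessages(self, event_object):
+"""Returns a list of messages extracted from the event object.
+This formatter will make the values of certain service parameters more
+readable by humans.
+Args:
+event_object: The event object (an instance of EventObject) containing
+the event specific data.
+Returns:
+A list that contains both the longer and shorter version of the message
+string.
+"""
+regvalue = getattr(event_object, 'regvalue', {})
+# Loop over all the registry value names in the service key.
+for service_value_name in regvalue.keys():
+# A temporary variable so we can refer to this long name more easily.
+service_enums = human_readable_service_enums.SERVICE_ENUMS
+# Check if we need to can make the value more human readable.
+if service_value_name in service_enums.keys():
+service_enum = service_enums[service_value_name]
+# Find the human readable version of the name and fall back to the
+# raw value if it's not found.
+human_readable_value = service_enum.get(
+regvalue[service_value_name],
+regvalue[service_value_name])
+regvalue[service_value_name] = human_readable_value
+return super(WinRegistryServiceFormatter, self).GetMessages(event_object)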
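Review bot: The loop in GetMessages rewrites `regvalue[service_value_name]` in place, so the raw registry value held by the event object is replaced by its human-readable label the first time the event is formatted, and any later consumer of `event_object.regvalue` (another output path, or a second GetMessages call) sees the label rather than the value. If the raw value must survive formatting, build the readable mapping on a copy and attach that copy to the event before the super() call. Two smaller points in the same loop: `service_enums` is loop-invariant and belongs above the `for`, and `if service_value_name in service_enums.keys():` should be `if service_value_name in service_enums:`. `service_enum.get(regvalue[service_value_name], ...)` also raises TypeError if a registry value is unhashable (a list, for instance); whether such values reach this formatter is not visible here, so a guard or a comment stating the assumption would help. The comment `# Check if we need to can make the value more human readable.` has a stray word.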
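--- a/[path not on page: XChatLogFormatter module]
+++ b/[path not on page: XChatLogFormatter module]
@@ -0,0 +1,31 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Copyright 2014 The Plaso Project Authors.
+# Please see the AUTHORS file for details on individual authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""This file contains a xchatlog formatter in plaso."""
+from plaso.formatters import interface
+class XChatLogFormatter(interface.ConditionalEventFormatter):
+"""Formatter for XChat log files."""
+DATA_TYPE = 'xchat:log:line'
+FORMAT_STRING_PIECES = [u'[nickname: {nickname}]', u'{text}']
+SOURCE_LONG = 'XChat Log File'
+SOURCE_SHORT = 'LOG'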
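--- a/[path not on page: XChatScrollbackFormatter module]
+++ b/[path not on page: XChatScrollbackFormatter module]
@@ -0,0 +1,33 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Copyright 2013 The Plaso Project Authors.
+# Please see the AUTHORS file for details on individual authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""This file contains a xchatscrollback formatter in plaso."""
+from plaso.formatters import interface
+class XChatScrollbackFormatter(interface.ConditionalEventFormatter):
+"""Formatter for XChat scrollback files."""
+DATA_TYPE = 'xchat:scrollback:line'
+FORMAT_STRING_SEPARATOR = u''
+FORMAT_STRING_PIECES = [u'[', u'nickname: {nickname}', u']', u' {text}']
+SOURCE_LONG = 'XChat Scrollback File'
+SOURCE_SHORT = 'LOG'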
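--- a/[path not on page: ZeitgeistEventFormatter module]
+++ b/[path not on page: ZeitgeistEventFormatter module]
@@ -0,0 +1,31 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Copyright 2013 The Plaso Project Authors.
+# Please see the AUTHORS file for details on individual authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""This file contains a formatter for Zeitgeist."""
+from plaso.formatters import interface
+class ZeitgeistEventFormatter(interface.EventFormatter):
+"""The event formatter for Zeitgeist event."""
+DATA_TYPE = 'zeitgeist:activity'
+FORMAT_STRING = u'{subject_uri}'
+SOURCE_LONG = 'Zeitgeist activity log'
+SOURCE_SHORT = 'LOG'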