stefan/plaso-rubanetra
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
plaso-rubanetra/plaso/formatters/recycler.py
Stefan 0da6783a45 Import from old repository
2020-04-06 18:48:34 +02:00

83 lines
2.1 KiB
Python
Raw Permalink Blame History

#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the Windows recycle files."""
from plaso.lib import errors
from plaso.formatters import interface
class WinRecyclerFormatter(interface.ConditionalEventFormatter):
"""Formatter for Windows recycle bin events."""
DATA_TYPE = 'windows:metadata:deleted_item'
DRIVE_LIST = {
0x00: 'A',
0x01: 'B',
0x02: 'C',
0x03: 'D',
0x04: 'E',
0x05: 'F',
0x06: 'G',
0x07: 'H',
0x08: 'I',
0x09: 'J',
0x0A: 'K',
0x0B: 'L',
0x0C: 'M',
0x0D: 'N',
0x0E: 'O',
0x0F: 'P',
0x10: 'Q',
0x11: 'R',
0x12: 'S',
0x13: 'T',
0x14: 'U',
0x15: 'V',
0x16: 'W',
0x17: 'X',
0x18: 'Y',
0x19: 'Z',
}
# The format string.
FORMAT_STRING_PIECES = [
u'DC{index} ->',
u'{orig_filename}',
u'[{orig_filename_legacy}]',
u'(from drive {drive_letter})']
FORMAT_STRING_SHORT_PIECES = [
u'Deleted file: {orig_filename}']
SOURCE_LONG = 'Recycle Bin'
SOURCE_SHORT = 'RECBIN'
def GetMessages(self, event_object):
"""Return the message strings."""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event_object.data_type))
if hasattr(event_object, 'drive_number'):
event_object.drive_letter = self.DRIVE_LIST.get(
event_object.drive_number, 'C?')
return super(WinRecyclerFormatter, self).GetMessages(event_object)
Reference in New Issue View Git Blame Copy Permalink