#!/usr/bin/python
|
|
# -*- coding: utf-8 -*-
|
|
# Copyright 2013 The Plaso Project Authors.
|
|
# Please see the AUTHORS file for details on individual authors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
"""Contains helper functions for output modules."""
|
|
|
|
from plaso.lib import eventdata
|
|
|
|
|
|
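def GetLegacy(evt):
  """Return a legacy MACB representation of the event.

  The legacy (mactime style) notation is a four character string, one
  position per category: M (content modification), A (access),
  C (metadata change) and B (birth / creation). A category that does not
  apply is printed as a dot. Only one timestamp is encoded per event, so
  the returned string has at most one letter set.

  Args:
    evt: the event object. The attributes data_type and timestamp_desc are
         read. For file system events (data_type starting with "fs:") the
         timestamp_desc is a stat style name such as "mtime", "atime",
         "ctime" or "crtime"; for every other event it is compared against
         the eventdata.EventTimestamp constants.

  Returns:
    One of 'M...', '.A..', '..C.', '...B', or '....' when the timestamp
    description cannot be mapped to any of the four categories.
  """
  # TODO: Fix this function when the MFT parser has been implemented.
  # The filestat parser is somewhat limited.
  # Also fix this when duplicate entries have been implemented so that
  # the function actually returns more than a single entry (as in combined).
  timestamp_desc = evt.timestamp_desc

  if evt.data_type.startswith('fs:'):
    # The first letter of a stat style description selects the column and
    # "cr..." (crtime) denotes the birth time. The description comes from a
    # parser, so guard the indexing: an empty or truncated value degrades to
    # '....' instead of raising IndexError inside the output module.
    if not timestamp_desc:
      return '....'

    letter = timestamp_desc[0]
    if letter == 'm':
      return 'M...'
    if letter == 'a':
      return '.A..'
    if letter == 'c':
      # "crtime" is creation (birth), a plain "ctime" is metadata change.
      if timestamp_desc[1:2] == 'r':
        return '...B'
      return '..C.'
    return '....'

  # Access time, including the "last activity" style descriptions that
  # the legacy format folds into the A column.
  if timestamp_desc in (
      eventdata.EventTimestamp.ACCESS_TIME,
      eventdata.EventTimestamp.ACCOUNT_CREATED,
      eventdata.EventTimestamp.PAGE_VISITED,
      eventdata.EventTimestamp.LAST_VISITED_TIME,
      eventdata.EventTimestamp.START_TIME,
      eventdata.EventTimestamp.LAST_SHUTDOWN,
      eventdata.EventTimestamp.LAST_LOGIN_TIME,
      eventdata.EventTimestamp.LAST_PASSWORD_RESET,
      eventdata.EventTimestamp.LAST_CONNECTED,
      eventdata.EventTimestamp.LAST_RUNTIME,
      eventdata.EventTimestamp.LAST_PRINTED):
    return '.A..'

  # Content modification.
  if timestamp_desc in (
      eventdata.EventTimestamp.MODIFICATION_TIME,
      eventdata.EventTimestamp.WRITTEN_TIME,
      eventdata.EventTimestamp.DELETED_TIME):
    return 'M...'

  # Content creation (birth) time.
  if timestamp_desc in (
      eventdata.EventTimestamp.CREATION_TIME,
      eventdata.EventTimestamp.ADDED_TIME,
      eventdata.EventTimestamp.FILE_DOWNLOADED,
      eventdata.EventTimestamp.FIRST_CONNECTED):
    return '...B'

  # Metadata modification.
  if timestamp_desc in (
      eventdata.EventTimestamp.CHANGE_TIME,
      eventdata.EventTimestamp.ENTRY_MODIFICATION_TIME):
    return '..C.'

  return '....'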
|
|
|
|
|
|
def BuildHostDict(storage_object):
  """Return a dict mapping store numbers to hostnames.

  The mapping is built from the preprocess information objects stored in
  a storage file: every object that carries both a store_range and a
  hostname contributes one entry per store number in
  range(store_range[0], store_range[1]). Objects are visited in the order
  GetStorageInformation() yields them, so if two ranges overlap the later
  object's hostname wins.

  Args:
    storage_object: The StorageFile object that stores all the EventObjects.
                    A falsy value, or an object without a
                    GetStorageInformation method, yields an empty dict.

  Returns:
    A dict object that has the store number as a key and the hostname
    as the value to that key.
  """
  if not storage_object:
    return {}

  if not hasattr(storage_object, 'GetStorageInformation'):
    return {}

  hosts_by_store = {}
  for info in storage_object.GetStorageInformation():
    if not (hasattr(info, 'store_range') and hasattr(info, 'hostname')):
      continue

    # TODO: A bit wasteful, if the range is large we are wasting keys.
    # Rewrite this logic into a more optimal one.
    first_store, last_store = info.store_range[0], info.store_range[1]
    hosts_by_store.update(
        dict.fromkeys(range(first_store, last_store), info.hostname))

  return hosts_by_store
|