#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Tests for the Windows preprocess plug-ins."""
import os
import unittest
from dfvfs.helpers import file_system_searcher
from dfvfs.path import fake_path_spec
from plaso.artifacts import knowledge_base
from plaso.preprocessors import windows
from plaso.preprocessors import test_lib
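class WindowsSoftwareRegistryTest(test_lib.PreprocessPluginTest):
  """Base class for tests that use the SOFTWARE Registry file.

  The fake file system built by setUp() holds the SYSTEM Registry test
  file as well as the SOFTWARE one: the plug-ins exercised by the
  subclasses first run WindowsSystemRegistryPath to expand {sysregistry},
  which is resolved from the SYSTEM file's location.
  """

  def setUp(self):
    """Sets up the needed objects used throughout the test.

    Reads the SYSTEM and SOFTWARE Registry files from the test data
    directory into a fake file system and creates a searcher rooted at '/'.
    """
    # The Registry files are binary, hence 'rb'. The context manager closes
    # the handle even if read() raises, which the old open/read/close
    # sequence did not guarantee.
    with open(os.path.join(self._TEST_DATA_PATH, u'SYSTEM'), 'rb') as (
        file_object):
      file_data = file_object.read()

    self._fake_file_system = self._BuildSingleFileFakeFileSystem(
        u'/Windows/System32/config/SYSTEM', file_data)

    with open(os.path.join(self._TEST_DATA_PATH, u'SOFTWARE'), 'rb') as (
        file_object):
      file_data = file_object.read()

    self._fake_file_system.AddFileEntry(
        u'/Windows/System32/config/SOFTWARE', file_data=file_data)

    mount_point = fake_path_spec.FakePathSpec(location=u'/')
    self._searcher = file_system_searcher.FileSystemSearcher(
        self._fake_file_system, mount_point)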
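class WindowsSystemRegistryTest(test_lib.PreprocessPluginTest):
  """Base class for tests that use the SYSTEM Registry file."""

  def setUp(self):
    """Sets up the needed objects used throughout the test.

    Reads the SYSTEM Registry file from the test data directory into a
    single-file fake file system and creates a searcher rooted at '/'.
    """
    # The Registry file is binary, hence 'rb'. The context manager closes
    # the handle even if read() raises, which the old open/read/close
    # sequence did not guarantee.
    with open(os.path.join(self._TEST_DATA_PATH, u'SYSTEM'), 'rb') as (
        file_object):
      file_data = file_object.read()

    self._fake_file_system = self._BuildSingleFileFakeFileSystem(
        u'/Windows/System32/config/SYSTEM', file_data)

    mount_point = fake_path_spec.FakePathSpec(location=u'/')
    self._searcher = file_system_searcher.FileSystemSearcher(
        self._fake_file_system, mount_point)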
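class WindowsCodepageTest(WindowsSystemRegistryTest):
  """Tests for the Windows codepage preprocess plug-in object."""

  def testGetValue(self):
    """Tests the GetValue function.

    Runs the WindowsCodepage plug-in against the fake file system built
    by setUp() and checks the codepage it stores on the knowledge base.
    """
    knowledge_base_object = knowledge_base.KnowledgeBase()

    # The plug-in needs to expand {sysregistry} so we need to run
    # the WindowsSystemRegistryPath plug-in first.
    plugin = windows.WindowsSystemRegistryPath()
    plugin.Run(self._searcher, knowledge_base_object)

    plugin = windows.WindowsCodepage()
    plugin.Run(self._searcher, knowledge_base_object)

    # The expected value is what the bundled SYSTEM test file contains.
    # assertEquals is a deprecated alias of assertEqual.
    self.assertEqual(knowledge_base_object.codepage, u'cp1252')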
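class WindowsHostnameTest(WindowsSystemRegistryTest):
  """Tests for the Windows hostname preprocess plug-in object."""

  def testGetValue(self):
    """Tests the GetValue function.

    Runs the WindowsHostname plug-in against the fake file system built
    by setUp() and checks the hostname it stores on the knowledge base.
    """
    knowledge_base_object = knowledge_base.KnowledgeBase()

    # The plug-in needs to expand {sysregistry} so we need to run
    # the WindowsSystemRegistryPath plug-in first.
    plugin = windows.WindowsSystemRegistryPath()
    plugin.Run(self._searcher, knowledge_base_object)

    plugin = windows.WindowsHostname()
    plugin.Run(self._searcher, knowledge_base_object)

    # The expected value is what the bundled SYSTEM test file contains.
    # assertEquals is a deprecated alias of assertEqual.
    self.assertEqual(knowledge_base_object.hostname, u'WKS-WIN732BITA')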
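class WindowsProgramFilesPath(WindowsSoftwareRegistryTest):
  """Tests for the Windows Program Files path preprocess plug-in object."""

  def testGetValue(self):
    """Tests the GetValue function.

    Runs the WindowsProgramFilesPath plug-in against the fake file system
    built by setUp() and checks the 'programfiles' knowledge base value.
    """
    knowledge_base_object = knowledge_base.KnowledgeBase()

    # The plug-in needs to expand {sysregistry} so we need to run
    # the WindowsSystemRegistryPath plug-in first.
    plugin = windows.WindowsSystemRegistryPath()
    plugin.Run(self._searcher, knowledge_base_object)

    plugin = windows.WindowsProgramFilesPath()
    plugin.Run(self._searcher, knowledge_base_object)

    # The expected value is what the bundled SOFTWARE test file contains.
    # assertEquals is a deprecated alias of assertEqual.
    path = knowledge_base_object.GetValue('programfiles')
    self.assertEqual(path, u'Program Files')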
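class WindowsProgramFilesX86Path(WindowsSoftwareRegistryTest):
  """Tests for the Windows Program Files X86 path preprocess plug-in object."""

  def testGetValue(self):
    """Tests the GetValue function.

    Runs the WindowsProgramFilesX86Path plug-in against the fake file
    system built by setUp() and checks the 'programfilesx86' knowledge
    base value.
    """
    knowledge_base_object = knowledge_base.KnowledgeBase()

    # The plug-in needs to expand {sysregistry} so we need to run
    # the WindowsSystemRegistryPath plug-in first.
    plugin = windows.WindowsSystemRegistryPath()
    plugin.Run(self._searcher, knowledge_base_object)

    plugin = windows.WindowsProgramFilesX86Path()
    plugin.Run(self._searcher, knowledge_base_object)

    path = knowledge_base_object.GetValue('programfilesx86')
    # The test SOFTWARE Registry file does not contain a value for
    # the Program Files X86 path, so the plug-in must leave it unset
    # rather than fall back to a guessed value.
    self.assertIsNone(path)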
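class WindowsSystemRegistryPathTest(test_lib.PreprocessPluginTest):
  """Tests for the Windows system Registry path preprocess plug-in object."""

  # 'regf' is the 4-byte signature at the start of a Windows Registry hive
  # file. Only the signature is used here; presumably the plug-in locates
  # the file by path and does not parse its content — confirm against the
  # plug-in if that changes.
  _FILE_DATA = 'regf'

  def setUp(self):
    """Sets up the needed objects used throughout the test.

    Builds a fake file system holding a stub SYSTEM Registry file and
    creates a searcher rooted at '/'.
    """
    self._fake_file_system = self._BuildSingleFileFakeFileSystem(
        u'/Windows/System32/config/SYSTEM', self._FILE_DATA)

    mount_point = fake_path_spec.FakePathSpec(location=u'/')
    self._searcher = file_system_searcher.FileSystemSearcher(
        self._fake_file_system, mount_point)

  def testGetValue(self):
    """Tests the GetValue function.

    Checks that the plug-in stores the directory of the SYSTEM file as
    the 'sysregistry' knowledge base value.
    """
    knowledge_base_object = knowledge_base.KnowledgeBase()

    plugin = windows.WindowsSystemRegistryPath()
    plugin.Run(self._searcher, knowledge_base_object)

    # assertEquals is a deprecated alias of assertEqual.
    path = knowledge_base_object.GetValue('sysregistry')
    self.assertEqual(path, u'/Windows/System32/config')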
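class WindowsSystemRootPathTest(test_lib.PreprocessPluginTest):
  """Tests for the Windows system Root path preprocess plug-in object."""

  # 'regf' is the 4-byte signature at the start of a Windows Registry hive
  # file. Only the signature is used here; presumably the plug-in locates
  # the file by path and does not parse its content — confirm against the
  # plug-in if that changes.
  _FILE_DATA = 'regf'

  def setUp(self):
    """Sets up the needed objects used throughout the test.

    Builds a fake file system holding a stub SYSTEM Registry file and
    creates a searcher rooted at '/'.
    """
    self._fake_file_system = self._BuildSingleFileFakeFileSystem(
        u'/Windows/System32/config/SYSTEM', self._FILE_DATA)

    mount_point = fake_path_spec.FakePathSpec(location=u'/')
    self._searcher = file_system_searcher.FileSystemSearcher(
        self._fake_file_system, mount_point)

  def testGetValue(self):
    """Tests the GetValue function.

    Checks that the plug-in derives the Windows directory from the
    location of the SYSTEM file and stores it as 'systemroot'.
    """
    knowledge_base_object = knowledge_base.KnowledgeBase()

    plugin = windows.WindowsSystemRootPath()
    plugin.Run(self._searcher, knowledge_base_object)

    # assertEquals is a deprecated alias of assertEqual.
    path = knowledge_base_object.GetValue('systemroot')
    self.assertEqual(path, u'/Windows')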
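class WindowsTimeZoneTest(WindowsSystemRegistryTest):
  """Tests for the Windows timezone preprocess plug-in object."""

  def testGetValue(self):
    """Tests the GetValue function.

    Runs the WindowsTimeZone plug-in against the fake file system built
    by setUp() and checks the 'time_zone_str' knowledge base value.
    """
    knowledge_base_object = knowledge_base.KnowledgeBase()

    # The plug-in needs to expand {sysregistry} so we need to run
    # the WindowsSystemRegistryPath plug-in first.
    plugin = windows.WindowsSystemRegistryPath()
    plugin.Run(self._searcher, knowledge_base_object)

    plugin = windows.WindowsTimeZone()
    plugin.Run(self._searcher, knowledge_base_object)

    # The expected value is what the bundled SYSTEM test file contains.
    # assertEquals is a deprecated alias of assertEqual.
    time_zone_str = knowledge_base_object.GetValue('time_zone_str')
    self.assertEqual(time_zone_str, u'EST5EDT')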
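class WindowsUsersTest(WindowsSoftwareRegistryTest):
  """Tests for the Windows username preprocess plug-in object."""

  def testGetValue(self):
    """Tests the GetValue function.

    Runs the WindowsUsers plug-in against the fake file system built by
    setUp() and checks the 'users' knowledge base value: its length and
    the sid, name and path of one entry.
    """
    knowledge_base_object = knowledge_base.KnowledgeBase()

    # The plug-in needs to expand {sysregistry} so we need to run
    # the WindowsSystemRegistryPath plug-in first.
    plugin = windows.WindowsSystemRegistryPath()
    plugin.Run(self._searcher, knowledge_base_object)

    plugin = windows.WindowsUsers()
    plugin.Run(self._searcher, knowledge_base_object)

    # assertEquals is a deprecated alias of assertEqual.
    users = knowledge_base_object.GetValue('users')
    self.assertEqual(len(users), 11)

    # Spot-check one entry. Index 9 and the expected values come from the
    # bundled SOFTWARE test file; the checks depend on the plug-in keeping
    # a stable order.
    expected_sid = u'S-1-5-21-2036804247-3058324640-2116585241-1114'
    self.assertEqual(users[9].get('sid'), expected_sid)
    self.assertEqual(users[9].get('name'), u'rsydow')
    self.assertEqual(users[9].get('path'), u'C:\\Users\\rsydow')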
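class WindowsVersionTest(WindowsSoftwareRegistryTest):
  """Tests for the Windows version preprocess plug-in object."""

  def testGetValue(self):
    """Tests the GetValue function.

    Runs the WindowsVersion plug-in against the fake file system built by
    setUp() and checks the 'osversion' knowledge base value.
    """
    knowledge_base_object = knowledge_base.KnowledgeBase()

    # The plug-in needs to expand {sysregistry} so we need to run
    # the WindowsSystemRegistryPath plug-in first.
    plugin = windows.WindowsSystemRegistryPath()
    plugin.Run(self._searcher, knowledge_base_object)

    plugin = windows.WindowsVersion()
    plugin.Run(self._searcher, knowledge_base_object)

    # The expected value is what the bundled SOFTWARE test file contains.
    # assertEquals is a deprecated alias of assertEqual.
    osversion = knowledge_base_object.GetValue('osversion')
    self.assertEqual(osversion, u'Windows 7 Ultimate')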
if __name__ == '__main__':
  # Discover and run every TestCase in this module when executed directly.
  unittest.main()