Migrated plaso timestamp to dfdatetime for Windows Registry plugins l…

…og2timeline#910
joachimmetz · Dec 30, 2016 · b62cc2b · b62cc2b
1 parent 9fa1391
commit b62cc2b
Show file tree

Hide file tree

Showing 70 changed files with 1,630 additions and 1,316 deletions.
diff --git a/plaso/containers/windows_events.py b/plaso/containers/windows_events.py
@@ -1,9 +1,9 @@
 # -*- coding: utf-8 -*-
 """This file contains the Windows specific event object classes."""
 
+from plaso.containers import events
 from plaso.containers import time_events
 from plaso.lib import eventdata
-from plaso.lib import py2to3
 
 
 class WindowsDistributedLinkTrackingCreationEvent(time_events.UUIDTimeEvent):
@@ -29,62 +29,10 @@ def __init__(self, uuid, origin):
     super(WindowsDistributedLinkTrackingCreationEvent, self).__init__(
         uuid, eventdata.EventTimestamp.CREATION_TIME)
 
+    # TODO: replace origin my something machine readable.
     self.origin = origin
 
 
-class WindowsRegistryEvent(time_events.FiletimeEvent):
-  """Convenience class for a Windows Registry-based event.
-
-  Attributes:
-    key_path: a string containing the Windows Registry key path.
-    offset: an integer containing the data offset of the Windows Registry
-            key or value.
-    regvalue: a dictionary containing the values of the key.
-    urls: optional list of strings containing URLs.
-  """
-
-  DATA_TYPE = u'windows:registry:key_value'
-
-  def __init__(
-      self, filetime, key_path, values_dict, usage=None, offset=None,
-      source_append=None, urls=None):
-    """Initializes a Windows Registry event.
-
-    Args:
-      filetime: a FILETIME timestamp time object (instance of
-                dfdatetime.Filetime).
-      key_path: a string containing the Windows Registry key path.
-      values_dict: dictionary object containing values of the key.
-      usage: optional string containing the description of the usage of
-             the filetime timestamp.
-      offset: optional integer containing the data offset of the Windows
-              Registry key or value.
-      source_append: optional string to append to the source_long of the event.
-      urls: optional list of strings containing URLs.
-    """
-    # TODO: remove this override any other meaning derived from the timestamp
-    # should be done at the analysis phase.
-    if usage is None:
-      usage = eventdata.EventTimestamp.WRITTEN_TIME
-
-    super(WindowsRegistryEvent, self).__init__(filetime.timestamp, usage)
-
-    self.key_path = key_path
-    # TODO: rename regvalue to ???.
-    self.regvalue = values_dict
-
-    # TODO: determine how should offset 0 be handled.
-    if offset or isinstance(offset, py2to3.INTEGER_TYPES):
-      self.offset = offset
-
-    # TODO: deprecate and remove.
-    if source_append:
-      self.source_append = source_append
-
-    if urls:
-      self.urls = urls
-
-
 class WindowsRegistryInstallationEvent(time_events.PosixTimeEvent):
   """Convenience class for a Windows installation event.
 
@@ -119,80 +67,98 @@ def __init__(
     self.version = version
 
 
-class WindowsRegistryListEvent(time_events.FiletimeEvent):
-  """Convenience class for a list retrieved from the Registry e.g. MRU.
+class WindowsRegistryInstallationEventData(events.EventData):
+  """Windows installation event data.
 
   Attributes:
-    key_path: a string containing the Windows Registry key path.
-    list_name: a string containing the name of the list.
-    list_values: a string containing the list values.
-    value_name: a string containing the Windows Registry value name.
+    key_path (str): Windows Registry key path.
+    owner (str): owner.
+    product_name (str): product name.
+    service_pack (str): service pack.
+    version (str): version.
   """
-  DATA_TYPE = u'windows:registry:list'
 
-  def __init__(
-      self, filetime, key_path, list_name, list_values,
-      timestamp_description=None, value_name=None):
-    """Initializes a Windows Registry event.
+  DATA_TYPE = u'windows:registry:installation'
 
-    Args:
-      filetime: a FILETIME timestamp time object (instance of
-                dfdatetime.Filetime).
-      key_path: a string containing the Windows Registry key path.
-      list_name: a string containing the name of the list.
-      list_values: a string containing the list values.
-      timestamp_description: optional usage string for the timestamp value.
-      value_name: optional string containing the Windows Registry value name.
-    """
-    super(WindowsRegistryListEvent, self).__init__(
-        filetime.timestamp, eventdata.EventTimestamp.WRITTEN_TIME)
-    self.key_path = key_path
-    self.list_name = list_name
-    self.list_values = list_values
-    self.value_name = value_name
+  def __init__(self):
+    """Initializes event data."""
+    super(WindowsRegistryInstallationEventData, self).__init__(
+        data_type=self.DATA_TYPE)
+    self.key_path = None
+    self.owner = None
+    self.product_name = None
+    self.service_pack = None
+    self.version = None
 
 
-class WindowsRegistryServiceEvent(WindowsRegistryEvent):
-  """Convenience class for service information retrieved from the Registry."""
-  DATA_TYPE = u'windows:registry:service'
+class WindowsRegistryEventData(events.EventData):
+  """Windows Registry event data.
+
+  Attributes:
+    key_path (str): Windows Registry key path.
+    regvalue (dict[str, object]): values in the key.
+    source_append (str): text to append to the source_long of the event.
+    urls (list[str]): URLs.
+  """
+
+  DATA_TYPE = u'windows:registry:key_value'
+
+  def __init__(self):
+    """Initializes event data."""
+    super(WindowsRegistryEventData, self).__init__(data_type=self.DATA_TYPE)
+    self.key_path = None
+    # TODO: deprecate regvalue.
+    self.regvalue = None
+    # TODO: deprecate source_append.
+    self.source_append = None
+    # TODO: deprecate urls.
+    self.urls = None
 
 
-class WindowsRegistryNetworkEvent(time_events.SystemtimeEvent):
-  """Convenience class for a Windows network event.
+class WindowsRegistryListEventData(events.EventData):
+  """Windows Registry list event data e.g. MRU.
 
   Attributes:
-    connection_type: a string containing the type of connection.
-    default_gateway_mac: MAC address for the default gateway.
-    description: a string containing the description of the wireless connection.
-    dns_suffix: the DNS suffix.
-    source_append: optional string to append to the source_long of the event.
-    ssid: the SSID of the connection.
+    key_path (str): Windows Registry key path.
+    list_name (str): name of the list.
+    list_values (str): values in the list.
+    value_name (str): Windows Registry value name.
   """
-  DATA_TYPE = u'windows:registry:network'
+  DATA_TYPE = u'windows:registry:list'
 
-  def __init__(
-      self, systemtime, timestamp_description, ssid, description,
-      connection_type, default_gateway_mac, dns_suffix):
-    """Initializes an event object.
+  def __init__(self):
+    """Initializes event data."""
+    super(WindowsRegistryListEventData, self).__init__(data_type=self.DATA_TYPE)
+    self.key_path = None
+    self.list_name = None
+    self.list_values = None
+    self.value_name = None
 
-    Args:
-      systemtime: a bytestring containing the SYSTEMTIME timestamp value.
-      timestamp_description: string containing timestamp description.
-      ssid: the SSID of the connection.
-      description: a string containing the description of the wireless
-                   connection.
-      connection_type: a string containing the type of connection.
-      default_gateway_mac: MAC address for the default gateway.
-      dns_suffix: the DNS suffix.
-    """
-    super(WindowsRegistryNetworkEvent, self).__init__(
-        systemtime, timestamp_description)
-
-    self.connection_type = connection_type
-    self.default_gateway_mac = default_gateway_mac
-    self.description = description
-    self.dns_suffix = dns_suffix
-    self.ssid = ssid
+
+class WindowsRegistryServiceEventData(events.EventData):
+  """Windows Registry service event data.
+
+  Attributes:
+    key_path: a string containing the Windows Registry key path.
+    offset: an integer containing the data offset of the Windows Registry
+            key or value.
+    regvalue: a dictionary containing the values of the key.
+    urls: optional list of strings containing URLs.
+  """
+
+  DATA_TYPE = u'windows:registry:service'
+
+  def __init__(self):
+    """Initializes event data."""
+    super(WindowsRegistryServiceEventData, self).__init__(
+        data_type=self.DATA_TYPE)
+    self.key_path = None
+    # TODO: deprecate regvalue.
+    self.regvalue = None
+    # TODO: deprecate source_append.
+    self.source_append = None
+    # TODO: deprecate urls.
+    self.urls = None
 
 
 class WindowsVolumeCreationEvent(time_events.FiletimeEvent):

diff --git a/plaso/formatters/appcompatcache.py b/plaso/formatters/appcompatcache.py
@@ -11,7 +11,7 @@ class AppCompatCacheFormatter(interface.ConditionalEventFormatter):
   DATA_TYPE = u'windows:registry:appcompatcache'
 
   FORMAT_STRING_PIECES = [
-      u'[{keyname}]',
+      u'[{key_path}]',
       u'Cached entry: {entry_index}',
       u'Path: {path}']
 

diff --git a/plaso/formatters/userassist.py b/plaso/formatters/userassist.py
@@ -3,7 +3,6 @@
 
 from plaso.formatters import interface
 from plaso.formatters import manager
-from plaso.lib import errors
 
 
 class UserAssistWindowsRegistryEventFormatter(
@@ -14,43 +13,19 @@ class UserAssistWindowsRegistryEventFormatter(
 
   FORMAT_STRING_PIECES = [
       u'[{key_path}]',
-      u'{text}']
+      u'UserAssist entry: {entry_index}',
+      u'Value name: {value_name}',
+      u'Count: {number_of_executions}',
+      u'Application focus count: {application_focus_count}',
+      u'Application focus duration: {application_focus_duration}']
 
   FORMAT_STRING_SHORT_PIECES = [
-      u'{text}']
+      u'{value_name}',
+      u'Count: {number_of_executions}']
 
   SOURCE_LONG = u'Registry Key: UserAssist'
   SOURCE_SHORT = u'REG'
 
-  def GetMessages(self, unused_formatter_mediator, event):
-    """Determines the formatted message strings for an event object.
-
-    Args:
-      formatter_mediator (FormatterMediator): mediates the interactions between
-          formatters and other components, such as storage and Windows EventLog
-          resources.
-      event (EventObject): event.
-
-    Returns:
-      tuple(str, str): formatted message string and short message string.
-
-    Raises:
-      WrongFormatter: if the event object cannot be formatted by the formatter.
-    """
-    if self.DATA_TYPE != event.data_type:
-      raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format(
-          event.data_type))
-
-    event_values = event.CopyToDict()
-
-    regvalue = event_values.get(u'regvalue', {})
-    string_parts = []
-    for key, value in sorted(regvalue.items()):
-      string_parts.append(u'{0:s}: {1!s}'.format(key, value))
-    event_values[u'text'] = u' '.join(string_parts)
-
-    return self._ConditionalFormatMessages(event_values)
-
 
 manager.FormattersManager.RegisterFormatter(
     UserAssistWindowsRegistryEventFormatter)
diff --git a/plaso/parsers/winreg_plugins/__init__.py b/plaso/parsers/winreg_plugins/__init__.py
@@ -27,4 +27,4 @@
 from plaso.parsers.winreg_plugins import usbstor
 from plaso.parsers.winreg_plugins import winlogon
 from plaso.parsers.winreg_plugins import winrar
-from plaso.parsers.winreg_plugins import winver
+from plaso.parsers.winreg_plugins import windows_version