Added event data and date time values event log2timeline#910

joachimmetz · Jan 3, 2017 · d6197a6 · d6197a6
1 parent 6784927
commit d6197a6
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 10 deletions.
diff --git a/plaso/containers/events.py b/plaso/containers/events.py
@@ -9,6 +9,29 @@
 from plaso.lib import py2to3
 
 
+class EventData(interface.AttributeContainer):
+  """Class to represent an event data attribute container.
+
+  Attributes:
+    data_type (str): event data type indicator.
+    offset (int): offset relative to the start of the data stream where
+        the event data is stored.
+    query (str): query that was used to obtain the event data.
+  """
+  CONTAINER_TYPE = u'event_data'
+
+  def __init__(self, data_type=None):
+    """Initializes an event data attribute container.
+
+    Args:
+      data_type (Optional[str]): event data type indicator.
+    """
+    super(EventData, self).__init__()
+    self.data_type = data_type
+    self.offset = None
+    self.query = None
+
+
 # TODO: split event into source and event components.
 # https://github.com/log2timeline/plaso/wiki/Scribbles-about-events
 
@@ -205,7 +228,7 @@ def GetAttributeNames(self):
       list[str]: attribute names.
     """
     attribute_names = []
-    for attribute_name in iter(self.__dict__.keys()):
+    for attribute_name in self.__dict__.keys():
       attribute_value = getattr(self, attribute_name, None)
       if attribute_value is not None:
         attribute_names.append(attribute_name)
@@ -365,4 +388,4 @@ def GetAttributes(self):
 
 
 manager.AttributeContainersManager.RegisterAttributeContainers([
-    EventObject, EventTag])
+    EventData, EventObject, EventTag])
diff --git a/plaso/containers/time_events.py b/plaso/containers/time_events.py
@@ -34,6 +34,29 @@ def __init__(self, timestamp, timestamp_description, data_type=None):
       self.data_type = data_type
 
 
+class DateTimeValuesEvent(TimestampEvent):
+  """Convenience class for a dfdatetime-based event."""
+
+  def __init__(
+      self, date_time, date_time_description, data_type=None, time_zone=None):
+    """Initializes an event.
+
+    Args:
+      date_time (dfdatetime.DateTimeValues): date and time values.
+      date_time_description (str): description of the meaning of the date and
+          time values.
+      data_type (Optional[str]): event data type. If the data type is not set
+          it is derived from the DATA_TYPE class attribute.
+      time_zone (Optional[datetime.tzinfo]): time zone.
+    """
+    timestamp = date_time.GetPlasoTimestamp()
+    if date_time.is_local_time != u'UTC' and time_zone:
+      timestamp = timelib.Timestamp.LocaltimeToUTC(timestamp, time_zone)
+
+    super(DateTimeValuesEvent, self).__init__(
+        timestamp, date_time_description, data_type=data_type)
+
+
 class CocoaTimeEvent(TimestampEvent):
   """Convenience class for a Cocoa time-based event."""
 

diff --git a/plaso/dependencies.py b/plaso/dependencies.py
@@ -20,7 +20,7 @@
     u'construct': (u'__version__', u'2.5.2', u'2.5.3'),
     u'Crypto': (u'__version__', u'2.6.0', None),
     u'dateutil': (u'__version__', u'1.5', None),
-    u'dfdatetime': (u'__version__', u'20160319', None),
+    u'dfdatetime': (u'__version__', u'20161228', None),
     u'dfvfs': (u'__version__', u'20160803', None),
     u'dfwinreg': (u'__version__', u'20160320', None),
     u'dpkt': (u'__version__', u'1.8', None),

diff --git a/plaso/parsers/mediator.py b/plaso/parsers/mediator.py
@@ -337,13 +337,13 @@ def GetParserChain(self):
     return u'/'.join(self._parser_chain_components)
 
   def MatchesFilter(self, event):
-    """Checks if the event object matches the filter.
+    """Checks if an event matches the filter.
 
     Args:
-      event (EventObject): event object.
+      event (EventObject): event.
 
     Returns:
-      bool: True if the event matches the filter.
+      A boolean value indicating if an event.matches the filter.
     """
     return self._filter_object and self._filter_object.Matches(event)
 
@@ -357,10 +357,10 @@ def ProcessEvent(
 
     Args:
       event (EventObject): event.
-      parser_chain (Optional[str]): parser chain.
+      parser_chain (Optional[str]): parsing chain up to this point.
       file_entry (Optional[dfvfs.FileEntry]): file entry, where None will
-          default to the current file entry set in the mediator.
-      query (Optional[str]): query string.
+          use the current file entry set in the mediator.
+      query (Optional[str]): query that was used to obtain the event.
     """
     # TODO: rename this to event.parser_chain or equivalent.
     if not getattr(event, u'parser', None) and parser_chain:
@@ -461,12 +461,27 @@ def ProduceEventSource(self, event_source):
     self._storage_writer.AddEventSource(event_source)
     self._number_of_event_sources += 1
 
+  def ProduceEventWithEventData(self, event, event_data):
+    """Produces an event.
+
+    Args:
+      event (EventObject): event.
+      event_data (EventData): event data.
+    """
+    # TODO: store event data and event seperately.
+    for attribute_name, attribute_value in event_data.GetAttributes():
+      setattr(event, attribute_name, attribute_value)
+
+    self.ProduceEvent(event)
+
   def ProduceExtractionError(self, message, path_spec=None):
     """Produces an extraction error.
 
     Args:
       message (str): message of the error.
-      path_spec (Optional[dfvfs.PathSpec]): path specification.
+      path_spec (Optional[dfvfs.PathSpec]): path specification, where None
+          will use the path specification of current file entry set in
+          the mediator.
 
     Raises:
       RuntimeError: when storage writer is not set.