Code review: 266870043: Initial version of a ProgramsCache Registry p…

…lugin log2timeline#235
fabionitto · Dec 31, 2015 · 06692b8 · 06692b8
1 parent a8f3567
commit 06692b8
Show file tree

Hide file tree

Showing 11 changed files with 449 additions and 26 deletions.
diff --git a/config/dpkg/changelog b/config/dpkg/changelog
@@ -2,4 +2,4 @@ python-plaso (1.3.1-1) unstable; urgency=low
 
   * Auto-generated
 
- -- Log2Timeline <[email protected]>  Thu, 17 Sep 2015 19:44:25 +0200
+ -- Log2Timeline <[email protected]>  Sat, 19 Sep 2015 07:45:06 +0200
diff --git a/docs/plaso.parsers.winreg_plugins.rst b/docs/plaso.parsers.winreg_plugins.rst
@@ -100,6 +100,14 @@ plaso.parsers.winreg_plugins.outlook module
     :undoc-members:
     :show-inheritance:
 
+plaso.parsers.winreg_plugins.programscache module
+-------------------------------------------------
+
+.. automodule:: plaso.parsers.winreg_plugins.programscache
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
 plaso.parsers.winreg_plugins.run module
 ---------------------------------------
 

diff --git a/plaso/__init__.py b/plaso/__init__.py
@@ -3,7 +3,7 @@
 __version__ = '1.3.1'
 
 VERSION_DEV = True
-VERSION_DATE = '20150917'
+VERSION_DATE = '20150919'
 
 
 def GetVersion():

diff --git a/plaso/events/windows_events.py b/plaso/events/windows_events.py
@@ -6,16 +6,24 @@
 
 
 class WindowsDistributedLinkTrackingCreationEvent(time_events.UUIDTimeEvent):
-  """Convenience class for a Windows distributed link creation event."""
+  """Convenience class for a Windows distributed link creation event.
+
+  Attributes:
+    origin: a string containing the origin of the event (event source).
+            E.g. the path of the corresponding LNK file or file reference
+            MFT entry with the corresponding NTFS $OBJECT_ID attribute.
+  """
 
   DATA_TYPE = 'windows:distributed_link_tracking:creation'
 
   def __init__(self, uuid, origin):
     """Initializes an event object.
 
     Args:
-      uuid: A uuid object (instance of uuid.UUID).
-      origin: A string containing the origin of the event (event source).
+      uuid: an uuid object (instance of uuid.UUID).
+      origin: a string containing the origin of the event (event source).
+              E.g. the path of the corresponding LNK file or file reference
+              MFT entry with the corresponding NTFS $OBJECT_ID attribute.
     """
     super(WindowsDistributedLinkTrackingCreationEvent, self).__init__(
         uuid, eventdata.EventTimestamp.CREATION_TIME)
@@ -36,16 +44,13 @@ def __init__(
     Args:
       filetime: the FILETIME timestamp value.
       key_path: the Windows Registry key path.
-      values_dict: Dictionary object containing values of the key.
-      usage: Optional description of the usage of the time value.
-             The default is None.
-      offset: Optional (data) offset of the Registry key or value.
-              The default is None.
-      registry_file_type: Optional string containing the Windows Registry file
-                          type, e.g. NTUSER, SOFTWARE. The default is None.
-      source_append: Optional string to append to the source_long of the event.
-                     The default is None.
-      urls: Optional list of URLs. The default is None.
+      values_dict: dictionary object containing values of the key.
+      usage: optional description of the usage of the time value.
+      offset: optional (data) offset of the Registry key or value.
+      registry_file_type: optional string containing the Windows Registry file
+                          type, e.g. NTUSER, SOFTWARE.
+      source_append: optional string to append to the source_long of the event.
+      urls: optional list of URLs.
     """
     if usage is None:
       usage = eventdata.EventTimestamp.WRITTEN_TIME
@@ -81,7 +86,6 @@ class WindowsRegistryInstallationEvent(time_events.PosixTimeEvent):
     service_pack: string containing service pack.
     version: string containing the version.
   """
-
   DATA_TYPE = 'windows:registry:installation'
 
   def __init__(
@@ -106,24 +110,67 @@ def __init__(
     self.version = version
 
 
+class WindowsRegistryListEvent(time_events.FiletimeEvent):
+  """Convenience class for a list retrieved from the Registry e.g. MRU.
+
+  Attributes:
+    key_path: string containing the Windows Registry key path.
+    list_name: string containing the name of the list.
+    list_values: string containing the list values.
+    value_name: string containing the Windows Registry value name.
+  """
+  DATA_TYPE = 'windows:registry:list'
+
+  def __init__(
+      self, filetime, key_path, list_name, list_values,
+      timestamp_description=None, value_name=None):
+    """Initializes a Windows registry event.
+
+    Args:
+      filetime: the FILETIME timestamp value.
+      key_path: string containing the Windows Registry key path.
+      list_name: string containing the name of the list.
+      list_values: string containing the list values.
+      timestamp_description: optional usage string for the timestamp value.
+      value_name: optional string containing the Windows Registry value name.
+    """
+    if timestamp_description is None:
+      timestamp_description = eventdata.EventTimestamp.WRITTEN_TIME
+
+    super(WindowsRegistryListEvent, self).__init__(
+        filetime, timestamp_description)
+
+    self.key_path = key_path
+    self.list_name = list_name
+    self.list_values = list_values
+    self.value_name = value_name
+
+
 class WindowsRegistryServiceEvent(WindowsRegistryEvent):
-  """Convenience class for service entries retrieved from the registry."""
+  """Convenience class for service information retrieved from the Registry."""
   DATA_TYPE = 'windows:registry:service'
 
 
 class WindowsVolumeCreationEvent(time_events.FiletimeEvent):
-  """Convenience class for a Windows volume creation event."""
+  """Convenience class for a Windows volume creation event.
 
+  Attributes:
+    device_path: a string containing the volume device path.
+    serial_number: a string containing the volume serial number.
+    origin: a string containing the origin of the event (event source).
+            E.g. corresponding Prefetch file name.
+  """
   DATA_TYPE = 'windows:volume:creation'
 
   def __init__(self, filetime, device_path, serial_number, origin):
     """Initializes an event object.
 
     Args:
-      filetime: The FILETIME timestamp value.
-      device_path: A string containing the volume device path.
-      serial_number: A string containing the volume serial number.
-      origin: A string containing the origin of the event (event source).
+      filetime: the FILETIME timestamp value.
+      device_path: a string containing the volume device path.
+      serial_number: a string containing the volume serial number.
+      origin: a string containing the origin of the event (event source).
+              E.g. corresponding Prefetch file name.
     """
     super(WindowsVolumeCreationEvent, self).__init__(
         filetime, eventdata.EventTimestamp.CREATION_TIME)

diff --git a/plaso/formatters/windows.py b/plaso/formatters/windows.py
@@ -47,6 +47,21 @@ class WindowsRegistryInstallationEventFormatter(
   SOURCE_SHORT = u'LOG'
 
 
+class WindowsRegistryListEventFormatter(interface.ConditionalEventFormatter):
+  """Formatter for a Windows list event e.g. MRU or Jump list."""
+
+  DATA_TYPE = u'windows:registry:list'
+
+  FORMAT_STRING_PIECES = [
+      u'Key: {key_path}',
+      u'Value: {value_name}',
+      u'List: {list_name}',
+      u'[{list_values}]']
+
+  SOURCE_LONG = u'System'
+  SOURCE_SHORT = u'LOG'
+
+
 class WindowsVolumeCreationEventFormatter(interface.ConditionalEventFormatter):
   """Formatter for a Windows volume creation event."""
 
@@ -67,5 +82,6 @@ class WindowsVolumeCreationEventFormatter(interface.ConditionalEventFormatter):
 
 manager.FormattersManager.RegisterFormatters([
     WindowsDistributedLinkTrackingCreationEventFormatter,
+    WindowsRegistryListEventFormatter,
     WindowsRegistryInstallationEventFormatter,
     WindowsVolumeCreationEventFormatter])
diff --git a/plaso/parsers/asl.py b/plaso/parsers/asl.py
@@ -274,10 +274,11 @@ def ReadAslEvent(self, file_object, parser_mediator, offset):
     while tam_fields > 0:
       try:
         raw_field = file_object.read(8)
-      except (IOError, construct.FieldError) as exception:
+      except IOError as exception:
         logging.warning(
-            u'Unable to parse ASL event with error: {0:d}'.format(exception))
+            u'Unable to read ASL event with error: {0:d}'.format(exception))
         return None, None
+
       try:
         # Try to read as a String.
         field = self.ASL_STRING.parse(raw_field)

diff --git a/plaso/parsers/mediator.py b/plaso/parsers/mediator.py
@@ -250,6 +250,7 @@ def ProcessEvent(
                   file entry set in the mediator.
       query: Optional query string. The default is None.
     """
+    # TODO: rename this to event_object.parser_chain or equivalent.
     if not getattr(event_object, u'parser', None) and parser_chain:
       event_object.parser = parser_chain
 

diff --git a/plaso/parsers/winreg_plugins/__init__.py b/plaso/parsers/winreg_plugins/__init__.py
@@ -12,6 +12,7 @@
 from plaso.parsers.winreg_plugins import msie_zones
 from plaso.parsers.winreg_plugins import officemru
 from plaso.parsers.winreg_plugins import outlook
+from plaso.parsers.winreg_plugins import programscache
 from plaso.parsers.winreg_plugins import run
 from plaso.parsers.winreg_plugins import sam_users
 from plaso.parsers.winreg_plugins import services
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,4 +2,4 @@ python-plaso (1.3.1-1) unstable; urgency=low

		* Auto-generated

		-- Log2Timeline <[email protected]> Thu, 17 Sep 2015 19:44:25 +0200
		-- Log2Timeline <[email protected]> Sat, 19 Sep 2015 07:45:06 +0200