Code review: 237680043: Issue log2timeline#219 and adding a filter fi…

…le for Windows artifacts

config/dpkg/changelog

@@ -2,4 +2,4 @@ python-plaso (1.2.1-1) unstable; urgency=low
 
   * Auto-generated
 
- -- Log2Timeline <[email protected]>  Wed, 03 Jun 2015 12:12:02 -0700
+ -- Log2Timeline <[email protected]>  Wed, 03 Jun 2015 13:12:18 -0700

data/filter_windows.txt

@@ -0,0 +1,80 @@
+# Filter file for log2timeline for triaging Windows systems.
+#
+# This file can be used by image_export or log2timeline to selectively export
+# few key files of a Windows system. This file will collect:
+# * The MFT file, LogFile and the UsnJrnl
+# * Contents of the Recycle Bin/Recycler.
+# * Windows Registry files, e.g. SYSTEM and NTUSER.DAT.
+# * Shortcut (LNK) files from recent files.
+# * Jump list files, automatic and custom destination.
+# * Windows Event Log files.
+# * Prefetch files.
+# * SetupAPI file.
+# * Application Compatability files, the Recentfilecache and AmCachefile.
+# * Windows At job files.
+# * Browser history: IE, Firefox and Chrome.
+# * Browser cookie files: IE.
+# * Flash cookies, or LSO/SOL files from the Flash player.
+#
+# File system artifacts.
+/[$]MFT
+/[$]LogFile
+/[$]Extend/$UsnJrnl
+# Recycle Bin and Recycler.
+/[$]Recycle.Bin
+/[$]Recycle.Bin/.+
+/[$]Recycle.Bin/.+/.+
+/RECYCLER
+/RECYCLER/.+
+/RECYCLER/.+/.+
+# Windows Registry hives.
+/(Users|Documents And Settings)/.+/NTUSER[.]DAT
+/(Users|Documents And Settings)/.+/AppData/Local/Microsoft/Windows/Usrclass[.]dat
+# {sysregistry} points to the location that contains the system hives,
+# eg: \Windows\System32\config.
+{sysregistry}/(SAM|SOFTWARE|SECURITY|SYSTEM)
+# Recent file activity.
+/Users/.+/AppData/Roaming/Microsoft/Windows/Recent/.+[.]LNK
+/Users/.+/AppData/Roaming/Microsoft/Office/Recent/.+[.]LNK
+/Documents And Settings/.+/Recent/.+[.]LNK
+/Users/.+/AppData/Roaming/Microsoft/Windows/Recent/Automaticdestinations/.+[.]automaticDestinations-ms
+/Users/.+/AppData/Roaming/Microsoft/Windows/Recent/Customdestinations/.+[.].customDestinations-ms
+# Windows Event Logs.
+{systemroot}/winevt/Logs/.+[.]evtx
+{systemroot}/config/.+[.]evt
+# Various log files.
+{windir}/inf/setupapi[.].+[.]log
+{windir}/setupapi.log
+{windir}/System32/LogFiles/.+/.+[.]txt
+# Windows Artifacts.
+{windir}/Tasks/.+[.]job
+{windir}/Appcompat/Programs/Recentfilecache[.]bcf
+{windir}/Appcompat/Programs/AMcache[.]hve
+# Prefetch files.
+{windir}/Prefetch/.+[.]pf
+# Browser history artifacts.
+/Users/.+/AppData/Local/Microsoft/Windows/History/History.IE5/index[.]dat
+/Users/.+/AppData/Local/Microsoft/Windows/History/History.IE5/MSHist.+/index[.]dat
+/Users/.+/AppData/Local/Microsoft/Windows/History/Low/History.IE5/index[.]dat
+/Users/.+/AppData/Local/Microsoft/Windows/History/Low/History.IE5/MSHist.+/index[.]dat
+/Users/.+/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/index[.]dat
+/Users/.+/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content.IE5/index[.]dat
+/Users/.+/AppData/Roaming/Microsoft/Windows/Cookies/index[.]dat
+/Users/.+/AppData/Roaming/Microsoft/Windows/Cookies/Low/index[.]dat
+/Users/.+/AppData/Local/Microsoft/Internet Explorer/Recovery/.+/.+[.]dat
+/Users/.+/AppData/Local/Microsoft/Internet Explorer/Recovery/Immersive/.+/.+[.]dat
+/Users/.+/AppData/Roaming/Mozilla/Firefox/Profiles/.+/.+[.]sqlite
+/Users/.+/AppData/Local/Microsoft/Windows/WebCache/.+[.]dat
+/Users/.+/AppData/Local/Google/Chrome/User Data/.+/History
+/Users/.+/AppData/Local/Google/Chrome/User Data/.+/Current Session
+/Users/.+/AppData/Local/Google/Chrome/User Data/.+/Last Session
+/Users/.+/AppData/Local/Google/Chrome/User Data/.+/Current Tabs
+/Users/.+/AppData/Local/Google/Chrome/User Data/.+/Last Tabs
+/Users/.+/AppData/Roaming/Macromedia/FlashPlayer/#SharedObjects/.+/.+/.+[.]sol
+/Documents And Settings/.+/Local Settings/History/History.IE5/index[.]dat
+/Documents And Settings/.+/Local Settings/History/History.IE5/MSHist.+/index[.]dat
+/Documents And Settings/.+/Local Settings/Temporary Internet Files/Content.IE5/index[.]dat
+/Documents And Settings/.+/Cookies/index[.]dat
+/Documents And Settings/.+/Application Data/Mozilla/Firefox/Profiles/.+/.+[.]sqlite
+/Documents And Settings/.+/Local Settings/Application Data/Google/Chrome/User Data/.+/History
+/Documents And Settings/.+/Local Settings/Application Data/Google/Chrome/.+

plaso/cli/tools.py

@@ -57,6 +57,36 @@ def __init__(self, input_reader=None, output_writer=None):
     self.list_timezones = False
     self.preferred_encoding = preferred_encoding
 
+  def _ConfigureLogging(
+      self, log_level=None, format_string=None, filename=None):
+    """Configure the logger.
+
+    Args:
+      log_level: optional integer representing the log level, eg. logging.DEBUG.
+                 Defaults to None, which configures the logger to use INFO
+                 level.
+      format_string: optional format string for the logs. Defaults to None,
+                     which in turn configures the logger to use a default format
+                     string.
+      filename: optional path to a filename to append logs to. Defaults to None,
+                which means logs will not be redirected to a file.
+    """
+    # Remove all possible log handlers.
+    for handler in logging.root.handlers:
+      logging.root.removeHandler(handler)
+
+    if log_level is None:
+      log_level = logging.INFO
+
+    if not format_string:
+      format_string = u'[%(levelname)s] %(message)s'
+
+    if filename:
+      logging.basicConfig(
+          level=log_level, format=format_string, filename=filename)
+    else:
+      logging.basicConfig(level=log_level, format=format_string)
+
   def _ParseDataLocationOption(self, options):
     """Parses the data location option.
 
@@ -167,6 +197,19 @@ def AddInformationalOptions(self, argument_group):
         '-q', '--quiet', dest='quiet', action='store_true', default=False,
         help=u'disable informational output.')
 
+  def AddLogFileOptions(self, argument_group):
+    """Adds the log file option to the argument group.
+
+    Args:
+      argument_group: The argparse argument group (instance of
+                      argparse._ArgumentGroup).
+    """
+    argument_group.add_argument(
+        u'--logfile', u'--log_file', u'--log-file', action=u'store',
+        metavar=u'FILENAME', dest=u'log_file', type=unicode, default=u'', help=(
+            u'If defined all log messages will be redirected to this file '
+            u'instead the default STDERR.'))
+
   def AddTimezoneOption(self, argument_group):
     """Adds the timezone option to the argument group.
 

tools/image_export.py

@@ -83,15 +83,15 @@ def ParseArguments(self):
     Returns:
       A boolean value indicating the arguments were successfully parsed.
     """
-    logging.basicConfig(
-        level=logging.INFO, format=u'[%(levelname)s] %(message)s')
+    self._ConfigureLogging()
 
     argument_parser = argparse.ArgumentParser(
         description=self.DESCRIPTION, epilog=self.EPILOG, add_help=False)
 
     self.AddBasicOptions(argument_parser)
     self.AddInformationalOptions(argument_parser)
     self.AddDataLocationOption(argument_parser)
+    self.AddLogFileOptions(argument_parser)
 
     argument_parser.add_argument(
         u'-w', u'--write', action=u'store', dest=u'path', type=unicode,
@@ -208,12 +208,16 @@ def ParseOptions(self, options):
 
     super(ImageExportTool, self).ParseOptions(options)
 
-    format_str = u'%(asctime)s [%(levelname)s] %(message)s'
+    format_string = u'%(asctime)s [%(levelname)s] %(message)s'
 
     if self._debug_mode:
-      logging.basicConfig(level=logging.DEBUG, format=format_str)
+      log_level = logging.DEBUG
     else:
-      logging.basicConfig(level=logging.INFO, format=format_str)
+      log_level = logging.INFO
+
+    log_file = getattr(options, u'log_file', None)
+    self._ConfigureLogging(
+        format_string=format_string, log_level=log_level, filename=log_file)
 
     self._destination_path = getattr(options, u'path', u'export')
 

tools/log2timeline.py

@@ -309,8 +309,7 @@ def ParseArguments(self):
     Returns:
       A boolean value indicating the arguments were successfully parsed.
     """
-    logging.basicConfig(
-        level=logging.INFO, format=u'[%(levelname)s] %(message)s')
+    self._ConfigureLogging()
 
     argument_parser = argparse.ArgumentParser(
         description=self.DESCRIPTION, epilog=self.EPILOG, add_help=False,
@@ -335,11 +334,7 @@ def ParseArguments(self):
         u'--info', dest=u'show_info', action=u'store_true', default=False,
         help=u'Print out information about supported plugins and parsers.')
 
-    info_group.add_argument(
-        u'--logfile', u'--log_file', u'--log-file', action=u'store',
-        metavar=u'FILENAME', dest=u'log_file', type=unicode, default=u'', help=(
-            u'If defined all log messages will be redirected to this file '
-            u'instead the default STDERR.'))
+    self.AddLogFileOptions(info_group)
 
     info_group.add_argument(
         u'--status_view', u'--status-view', dest=u'status_view_mode',
@@ -439,19 +434,17 @@ def ParseOptions(self, options):
         u'%(asctime)s [%(levelname)s] (%(processName)-10s) PID:%(process)d '
         u'<%(module)s> %(message)s')
 
-    log_file = getattr(options, u'log_file', None)
     if self._debug_mode:
       logging_level = logging.DEBUG
     elif self._quiet_mode:
       logging_level = logging.WARNING
     else:
       logging_level = logging.INFO
 
-    if log_file:
-      logging.basicConfig(
-          level=logging_level, format=format_string, filename=log_file)
-    else:
-      logging.basicConfig(level=logging_level, format=format_string)
+    log_file = getattr(options, u'log_file', None)
+    self._ConfigureLogging(
+        log_level=logging_level, format_string=format_string,
+        filename=log_file)
 
     if self._debug_mode:
       logging_filter = log2timeline.LoggingFilter()

tools/pinfo.py

@@ -469,8 +469,7 @@ def ParseArguments(self):
     Returns:
       A boolean value indicating the arguments were successfully parsed.
     """
-    logging.basicConfig(
-        level=logging.INFO, format=u'[%(levelname)s] %(message)s')
+    self._ConfigureLogging()
 
     argument_parser = argparse.ArgumentParser(
         description=self.DESCRIPTION, add_help=False)
@@ -526,8 +525,7 @@ def ParseOptions(self, options):
     else:
       logging_level = logging.INFO
 
-    logging.basicConfig(
-        level=logging_level, format=u'[%(levelname)s] %(message)s')
+    self._ConfigureLogging(log_level=logging_level)
 
     self._verbose = getattr(options, u'verbose', False)
 

tools/psort.py

@@ -393,8 +393,7 @@ def ParseArguments(self):
     Returns:
       A boolean value indicating the arguments were successfully parsed.
     """
-    logging.basicConfig(
-        level=logging.INFO, format=u'[%(levelname)s] %(message)s')
+    self._ConfigureLogging()
 
     argument_parser = argparse.ArgumentParser(
         description=self.DESCRIPTION, add_help=False,
@@ -413,6 +412,8 @@ def ParseArguments(self):
 
     info_group = argument_parser.add_argument_group(u'Informational Arguments')
 
+    self.AddLogFileOptions(info_group)
+
     self.AddInformationalOptions(info_group)
 
     filter_group = argument_parser.add_argument_group(u'Filter Arguments')
@@ -552,8 +553,8 @@ def ParseOptions(self, options):
     else:
       logging_level = logging.INFO
 
-    logging.basicConfig(
-        level=logging_level, format=u'[%(levelname)s] %(message)s')
+    log_file = getattr(options, u'log_file', None)
+    self._ConfigureLogging(log_level=logging_level, filename=log_file)
 
     self._output_format = getattr(options, u'output_format', None)
     if not self._output_format: