diff --git a/config/dpkg/changelog b/config/dpkg/changelog
index cd2df0d14d..2d94186799 100644
--- a/config/dpkg/changelog
+++ b/config/dpkg/changelog
@@ -2,4 +2,4 @@ python-plaso (1.2.1-1) unstable; urgency=low
   * Auto-generated
- -- Log2Timeline Wed, 03 Jun 2015 12:12:02 -0700
+ -- Log2Timeline Wed, 03 Jun 2015 13:12:18 -0700
diff --git a/data/filter_windows.txt b/data/filter_windows.txt
new file mode 100644
index 0000000000..e9bf6679bf
--- /dev/null
+++ b/data/filter_windows.txt
@@ -0,0 +1,80 @@
+# Filter file for log2timeline for triaging Windows systems.
+#
+# This file can be used by image_export or log2timeline to selectively export
+# few key files of a Windows system. This file will collect:
+# * The MFT file, LogFile and the UsnJrnl
+# * Contents of the Recycle Bin/Recycler.
+# * Windows Registry files, e.g. SYSTEM and NTUSER.DAT.
+# * Shortcut (LNK) files from recent files.
+# * Jump list files, automatic and custom destination.
+# * Windows Event Log files.
+# * Prefetch files.
+# * SetupAPI file.
+# * Application Compatability files, the Recentfilecache and AmCachefile.
+# * Windows At job files.
+# * Browser history: IE, Firefox and Chrome.
+# * Browser cookie files: IE.
+# * Flash cookies, or LSO/SOL files from the Flash player.
+#
+# File system artifacts.
+/[$]MFT
+/[$]LogFile
+/[$]Extend/$UsnJrnl
+# Recycle Bin and Recycler.
+/[$]Recycle.Bin
+/[$]Recycle.Bin/.+
+/[$]Recycle.Bin/.+/.+
+/RECYCLER
+/RECYCLER/.+
+/RECYCLER/.+/.+
+# Windows Registry hives.
+/(Users|Documents And Settings)/.+/NTUSER[.]DAT
+/(Users|Documents And Settings)/.+/AppData/Local/Microsoft/Windows/Usrclass[.]dat
+# {sysregistry} points to the location that contains the system hives,
+# eg: \Windows\System32\config.
+{sysregistry}/(SAM|SOFTWARE|SECURITY|SYSTEM)
+# Recent file activity.
+/Users/.+/AppData/Roaming/Microsoft/Windows/Recent/.+[.]LNK
+/Users/.+/AppData/Roaming/Microsoft/Office/Recent/.+[.]LNK
+/Documents And Settings/.+/Recent/.+[.]LNK
+/Users/.+/AppData/Roaming/Microsoft/Windows/Recent/Automaticdestinations/.+[.]automaticDestinations-ms
+/Users/.+/AppData/Roaming/Microsoft/Windows/Recent/Customdestinations/.+[.].customDestinations-ms
+# Windows Event Logs.
+{systemroot}/winevt/Logs/.+[.]evtx
+{systemroot}/config/.+[.]evt
+# Various log files.
+{windir}/inf/setupapi[.].+[.]log
+{windir}/setupapi.log
+{windir}/System32/LogFiles/.+/.+[.]txt
+# Windows Artifacts.
+{windir}/Tasks/.+[.]job
+{windir}/Appcompat/Programs/Recentfilecache[.]bcf
+{windir}/Appcompat/Programs/AMcache[.]hve
+# Prefetch files.
+{windir}/Prefetch/.+[.]pf
+# Browser history artifacts.
+/Users/.+/AppData/Local/Microsoft/Windows/History/History.IE5/index[.]dat
+/Users/.+/AppData/Local/Microsoft/Windows/History/History.IE5/MSHist.+/index[.]dat
+/Users/.+/AppData/Local/Microsoft/Windows/History/Low/History.IE5/index[.]dat
+/Users/.+/AppData/Local/Microsoft/Windows/History/Low/History.IE5/MSHist.+/index[.]dat
+/Users/.+/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/index[.]dat
+/Users/.+/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content.IE5/index[.]dat
+/Users/.+/AppData/Roaming/Microsoft/Windows/Cookies/index[.]dat
+/Users/.+/AppData/Roaming/Microsoft/Windows/Cookies/Low/index[.]dat
+/Users/.+/AppData/Local/Microsoft/Internet Explorer/Recovery/.+/.+[.]dat
+/Users/.+/AppData/Local/Microsoft/Internet Explorer/Recovery/Immersive/.+/.+[.]dat
+/Users/.+/AppData/Roaming/Mozilla/Firefox/Profiles/.+/.+[.]sqlite
+/Users/.+/AppData/Local/Microsoft/Windows/WebCache/.+[.]dat
+/Users/.+/AppData/Local/Google/Chrome/User Data/.+/History
+/Users/.+/AppData/Local/Google/Chrome/User Data/.+/Current Session
+/Users/.+/AppData/Local/Google/Chrome/User Data/.+/Last Session
+/Users/.+/AppData/Local/Google/Chrome/User Data/.+/Current Tabs
+/Users/.+/AppData/Local/Google/Chrome/User Data/.+/Last Tabs
+/Users/.+/AppData/Roaming/Macromedia/FlashPlayer/#SharedObjects/.+/.+/.+[.]sol
+/Documents And Settings/.+/Local Settings/History/History.IE5/index[.]dat
+/Documents And Settings/.+/Local Settings/History/History.IE5/MSHist.+/index[.]dat
+/Documents And Settings/.+/Local Settings/Temporary Internet Files/Content.IE5/index[.]dat
+/Documents And Settings/.+/Cookies/index[.]dat
+/Documents And Settings/.+/Application Data/Mozilla/Firefox/Profiles/.+/.+[.]sqlite
+/Documents And Settings/.+/Local Settings/Application Data/Google/Chrome/User Data/.+/History
+/Documents And Settings/.+/Local Settings/Application Data/Google/Chrome/.+
diff --git a/plaso/cli/tools.py b/plaso/cli/tools.py
index 99f426c241..75de4efef2 100644
--- a/plaso/cli/tools.py
+++ b/plaso/cli/tools.py
@@ -57,6 +57,36 @@ def __init__(self, input_reader=None, output_writer=None):
     self.list_timezones = False
     self.preferred_encoding = preferred_encoding
+  def _ConfigureLogging(
+      self, log_level=None, format_string=None, filename=None):
+    """Configure the logger.
+
+    Args:
+      log_level: optional integer representing the log level, eg. logging.DEBUG.
+                 Defaults to None, which configures the logger to use INFO
+                 level.
+      format_string: optional format string for the logs. Defaults to None,
+                     which in turn configures the logger to use a default format
+                     string.
+      filename: optional path to a filename to append logs to. Defaults to None,
+                which means logs will not be redirected to a file.
+    """
+    # Remove all possible log handlers.
+    for handler in logging.root.handlers:
+      logging.root.removeHandler(handler)
+
+    if log_level is None:
+      log_level = logging.INFO
+
+    if not format_string:
+      format_string = u'[%(levelname)s] %(message)s'
+
+    if filename:
+      logging.basicConfig(
+          level=log_level, format=format_string, filename=filename)
+    else:
+      logging.basicConfig(level=log_level, format=format_string)
+
   def _ParseDataLocationOption(self, options):
     """Parses the data location option.
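Review bot: The custom jump list pattern `/Users/.+/AppData/Roaming/Microsoft/Windows/Recent/Customdestinations/.+[.].customDestinations-ms` has a stray `.` after `[.]`, so it demands one extra character between the dot and the extension and will not match names of the form `ID.customDestinations-ms` (constructed example); the sibling automatic-destinations line shows the intended form, `.+[.]customDestinations-ms`. The header explains only `{sysregistry}`, while `{systemroot}` and `{windir}` are used below without saying what they expand to, so whether `{systemroot}/winevt/Logs` lands in the System32 subtree cannot be checked from this file alone — a one-line comment per placeholder, like the existing one for `{sysregistry}`, would settle it. `Compatability` in the header is a typo for `Compatibility`.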
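Review bot: The handler-removal loop in `_ConfigureLogging` mutates `logging.root.handlers` while iterating over it, so every second handler is skipped and can survive into the new configuration, at which point `logging.basicConfig` silently does nothing because the root logger is no longer empty. Iterate over a copy instead: `for handler in list(logging.root.handlers):`. The removed handlers are also never closed, so a `FileHandler` installed by an earlier call would keep its file open — adding `handler.close()` after `removeHandler` releases it (presumably harmless for the default stderr `StreamHandler`, but worth confirming). The docstring should also say that any existing root handlers are discarded, since the tools call this method twice, once from ParseArguments and again from ParseOptions.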
@@ -167,6 +197,19 @@ def AddInformationalOptions(self, argument_group):
         '-q', '--quiet', dest='quiet', action='store_true', default=False,
         help=u'disable informational output.')
+  def AddLogFileOptions(self, argument_group):
+    """Adds the log file option to the argument group.
+
+    Args:
+      argument_group: The argparse argument group (instance of
+                      argparse._ArgumentGroup).
+    """
+    argument_group.add_argument(
+        u'--logfile', u'--log_file', u'--log-file', action=u'store',
+        metavar=u'FILENAME', dest=u'log_file', type=unicode, default=u'', help=(
+            u'If defined all log messages will be redirected to this file '
+            u'instead the default STDERR.'))
+
   def AddTimezoneOption(self, argument_group):
     """Adds the timezone option to the argument group.
diff --git a/tools/image_export.py b/tools/image_export.py
index cb3307487d..b8e0418beb 100755
--- a/tools/image_export.py
+++ b/tools/image_export.py
@@ -83,8 +83,7 @@ def ParseArguments(self):
     Returns:
       A boolean value indicating the arguments were successfully parsed.
     """
-    logging.basicConfig(
-        level=logging.INFO, format=u'[%(levelname)s] %(message)s')
+    self._ConfigureLogging()
     argument_parser = argparse.ArgumentParser(
         description=self.DESCRIPTION, epilog=self.EPILOG, add_help=False)
@@ -92,6 +91,7 @@ def ParseArguments(self):
     self.AddBasicOptions(argument_parser)
     self.AddInformationalOptions(argument_parser)
     self.AddDataLocationOption(argument_parser)
+    self.AddLogFileOptions(argument_parser)
     argument_parser.add_argument(
         u'-w', u'--write', action=u'store', dest=u'path', type=unicode,
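Review bot: The help string of the `--logfile` option in `AddLogFileOptions` reads `instead the default STDERR`, which is missing a word, and since this text is now shared by every tool that calls the method it is worth fixing once here: `u'instead of the default STDERR.'`. The docstring could also name the destination attribute, `dest=u'log_file'`, because the ParseOptions hunks in the other files read it back with `getattr(options, u'log_file', None)` and that coupling is otherwise invisible from this method. The empty-string default is safe as far as the hunks show, since `_ConfigureLogging` only uses the filename when it is truthy.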
@@ -208,12 +208,16 @@ def ParseOptions(self, options):
     super(ImageExportTool, self).ParseOptions(options)
-    format_str = u'%(asctime)s [%(levelname)s] %(message)s'
+    format_string = u'%(asctime)s [%(levelname)s] %(message)s'
     if self._debug_mode:
-      logging.basicConfig(level=logging.DEBUG, format=format_str)
+      log_level = logging.DEBUG
     else:
-      logging.basicConfig(level=logging.INFO, format=format_str)
+      log_level = logging.INFO
+
+    log_file = getattr(options, u'log_file', None)
+    self._ConfigureLogging(
+        format_string=format_string, log_level=log_level, filename=log_file)
     self._destination_path = getattr(options, u'path', u'export')
diff --git a/tools/log2timeline.py b/tools/log2timeline.py
index 641dafca73..dfb3585d44 100755
--- a/tools/log2timeline.py
+++ b/tools/log2timeline.py
@@ -309,8 +309,7 @@ def ParseArguments(self):
     Returns:
       A boolean value indicating the arguments were successfully parsed.
     """
-    logging.basicConfig(
-        level=logging.INFO, format=u'[%(levelname)s] %(message)s')
+    self._ConfigureLogging()
     argument_parser = argparse.ArgumentParser(
         description=self.DESCRIPTION, epilog=self.EPILOG, add_help=False,
@@ -335,11 +334,7 @@ def ParseArguments(self):
         u'--info', dest=u'show_info', action=u'store_true', default=False,
         help=u'Print out information about supported plugins and parsers.')
-    info_group.add_argument(
-        u'--logfile', u'--log_file', u'--log-file', action=u'store',
-        metavar=u'FILENAME', dest=u'log_file', type=unicode, default=u'', help=(
-            u'If defined all log messages will be redirected to this file '
-            u'instead the default STDERR.'))
+    self.AddLogFileOptions(info_group)
     info_group.add_argument(
         u'--status_view', u'--status-view', dest=u'status_view_mode',
@@ -439,7 +434,6 @@ def ParseOptions(self, options):
         u'%(asctime)s [%(levelname)s] (%(processName)-10s) PID:%(process)d '
         u'<%(module)s> %(message)s')
-    log_file = getattr(options, u'log_file', None)
     if self._debug_mode:
       logging_level = logging.DEBUG
     elif self._quiet_mode:
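Review bot: In the image_export ParseOptions hunk the user-supplied `log_file` goes straight into `_ConfigureLogging`, where `logging.basicConfig(filename=...)` opens the file at once; a path in a missing or unwritable directory therefore surfaces as an uncaught IOError out of ParseOptions rather than as a reported bad-option error, as far as the hunk shows. A check before the call — try to open the path for append and, on failure, report it the way ParseOptions reports other invalid options (not visible here) — would keep the CLI failure mode predictable. The same pattern appears in the log2timeline and psort ParseOptions hunks below, so a single check inside `_ConfigureLogging` may be the better place. The enclosing ParseOptions continues outside the hunk.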
@@ -447,11 +441,10 @@ def ParseOptions(self, options):
     else:
       logging_level = logging.INFO
-    if log_file:
-      logging.basicConfig(
-          level=logging_level, format=format_string, filename=log_file)
-    else:
-      logging.basicConfig(level=logging_level, format=format_string)
+    log_file = getattr(options, u'log_file', None)
+    self._ConfigureLogging(
+        log_level=logging_level, format_string=format_string,
+        filename=log_file)
     if self._debug_mode:
       logging_filter = log2timeline.LoggingFilter()
diff --git a/tools/pinfo.py b/tools/pinfo.py
index 794ab3fec2..716a1db3af 100755
--- a/tools/pinfo.py
+++ b/tools/pinfo.py
@@ -469,8 +469,7 @@ def ParseArguments(self):
     Returns:
       A boolean value indicating the arguments were successfully parsed.
     """
-    logging.basicConfig(
-        level=logging.INFO, format=u'[%(levelname)s] %(message)s')
+    self._ConfigureLogging()
     argument_parser = argparse.ArgumentParser(
         description=self.DESCRIPTION, add_help=False)
@@ -526,8 +525,7 @@ def ParseOptions(self, options):
     else:
       logging_level = logging.INFO
-    logging.basicConfig(
-        level=logging_level, format=u'[%(levelname)s] %(message)s')
+    self._ConfigureLogging(log_level=logging_level)
     self._verbose = getattr(options, u'verbose', False)
diff --git a/tools/psort.py b/tools/psort.py
index aeffe37c2c..71bf2b01a2 100755
--- a/tools/psort.py
+++ b/tools/psort.py
@@ -393,8 +393,7 @@ def ParseArguments(self):
     Returns:
       A boolean value indicating the arguments were successfully parsed.
     """
-    logging.basicConfig(
-        level=logging.INFO, format=u'[%(levelname)s] %(message)s')
+    self._ConfigureLogging()
     argument_parser = argparse.ArgumentParser(
         description=self.DESCRIPTION, add_help=False,
@@ -413,6 +412,8 @@ def ParseArguments(self):
     info_group = argument_parser.add_argument_group(u'Informational Arguments')
+    self.AddLogFileOptions(info_group)
+
     self.AddInformationalOptions(info_group)
     filter_group = argument_parser.add_argument_group(u'Filter Arguments')
@@ -552,8 +553,8 @@ def ParseOptions(self, options):
     else:
       logging_level = logging.INFO
-    logging.basicConfig(
-        level=logging_level, format=u'[%(levelname)s] %(message)s')
+    log_file = getattr(options, u'log_file', None)
+    self._ConfigureLogging(log_level=logging_level, filename=log_file)
     self._output_format = getattr(options, u'output_format', None)
     if not self._output_format: