diff --git a/data/formatters/browser.yaml b/data/formatters/browser.yaml
index 3d1f5cc5ba..5f04c1a14b 100644
--- a/data/formatters/browser.yaml
+++ b/data/formatters/browser.yaml
@@ -71,6 +71,53 @@ short_message: - '({received_bytes} bytes)' --- type: 'conditional' +data_type: 'chrome:history:page_visited' +boolean_helpers: +- input_attribute: 'url_hidden' + output_attribute: 'url_hidden_string' + value_if_true: '(URL hidden)' +enumeration_helpers: +- input_attribute: 'page_transition_type' + output_attribute: 'page_transition' + default_value: 'UNKNOWN' + # Also see: https://cs.chromium.org/chromium/src/ui/base/page_transition_types.h + values: + 0: 'LINK - User clicked a link' + 1: 'TYPED - User typed the URL in the URL bar' + 2: 'AUTO_BOOKMARK - Got through a suggestion in the UI' + 3: 'AUTO_SUBFRAME - Content automatically loaded in a non-toplevel frame - user may not realize' + 4: 'MANUAL_SUBFRAME - Subframe explicitly requested by the user' + 5: 'GENERATED - User typed in the URL bar and selected an entry from the list - such as a search bar' + 6: 'START_PAGE - The start page of the browser' + 7: 'FORM_SUBMIT - A form the user has submitted values to' + 8: 'RELOAD - The user reloaded the page, eg by hitting the reload button or restored a session' + 9: 'KEYWORD - URL what was generated from a replaceable keyword other than the default search provider' + 10: 'KEYWORD_GENERATED - Corresponds to a visit generated from a KEYWORD' +- input_attribute: 'visit_source' + output_attribute: 'visit_source' + default_value: 'UNKNOWN' + # Also see: https://cs.chromium.org/chromium/src/ui/app_list/search/history_types.h + values: + 0: 'SOURCE_SYNCED' + 1: 'SOURCE_BROWSED' + 2: 'SOURCE_EXTENSION' + 3: 'SOURCE_FIREFOX_IMPORTED' + 4: 'SOURCE_IE_IMPORTED' + 5: 'SOURCE_SAFARI_IMPORTED' +message: +- '{url}' +- '({title})' +- '[count: {typed_count}]' +- 'Visit from: {from_visit}' +- 'Visit Source: [{visit_source}]' +- 'Type: [{page_transition}]' +- '{url_hidden_string}' +- '{url_typed_string}' +short_message: +- '{url}' +- '({title})' +--- +type: 'conditional' data_type: 'chrome:preferences:clear_history' message: - '{message}' 
@@ -78,6 +125,17 @@ short_message: - '{message}' --- type: 'conditional' +data_type: 'chrome:preferences:content_settings:exceptions' +message: +- 'Permission {permission}' +- 'used by {primary_url}' +- 'embedded in {secondary_url}' +short_message: +- 'Permission {permission}' +- 'used by {primary_url}' +- 'embedded in {secondary_url}' +--- +type: 'conditional' data_type: 'chrome:preferences:extensions_autoupdater' message: - '{message}' @@ -193,12 +251,53 @@ data_type: 'firefox:places:bookmark_folder' message: '{title}' short_message: '{title}' --- +type: 'conditional' +data_type: 'firefox:places:page_visited' +enumeration_helpers: +- input_attribute: 'visit_type' + output_attribute: 'transition_string' + default_value: 'UNKOWN' + # Also see: src/toolkit/components/places/nsINavHistoryService.idl + values: + 1: 'LINK' + 2: 'TYPED' + 3: 'BOOKMARK' + 4: 'EMBED' + 5: 'REDIRECT_PERMANENT' + 6: 'REDIRECT_TEMPORARY' + 7: 'DOWNLOAD' + 8: 'FRAMED_LINK' +message: +- '{url}' +- '({title})' +- '[count: {visit_count}]' +- 'Host: {host}' +- 'visited from: {from_visit}' +- '{url_hidden_string}' +- '{url_typed_string}' +- 'Transition: {transition_string}' +short_message: +- 'URL: {url}' +--- type: 'basic' data_type: 'firefox:downloads:download' message: '{url} ({full_path}). Received: {received_bytes} bytes out of: {total_bytes} bytes.' short_message: '{full_path} downloaded ({received_bytes} bytes)' --- type: 'conditional' +data_type: 'msiecf:leak' +boolean_helpers: +- input_attribute: 'recovered' + output_attribute: 'recovered_string' + value_if_true: '[Recovered Entry]' +message: +- 'Cached file: {cached_file_path}' +- 'Cached file size: {cached_file_size}' +- '{recovered_string}' +short_message: +- 'Cached file: {cached_file_path}' +--- +type: 'conditional' data_type: 'msiecf:redirected' boolean_helpers: - input_attribute: 'recovered' 
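Review bot: In the `firefox:places:page_visited` entry (second hunk on this line), `default_value: 'UNKOWN'` carries the old formatter's misspelling into the data file, while the Chrome enumerations in the same file use `'UNKNOWN'`. An analyst who filters a timeline for unrecognised transition types with the correctly spelled string will miss the Firefox rows. Consider `default_value: 'UNKNOWN'`, and call the output change out in the release notes, since saved filters may match the old spelling.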
@@ -211,6 +310,23 @@ short_message: - 'Location: {url}' --- type: 'conditional' +data_type: 'msiecf:url' +boolean_helpers: +- input_attribute: 'recovered' + output_attribute: 'recovered_string' + value_if_true: '[Recovered Entry]' +message: +- 'Location: {url}' +- 'Number of hits: {number_of_hits}' +- 'Cached file: {cached_file_path}' +- 'Cached file size: {cached_file_size}' +- 'HTTP headers: {http_headers}' +- '{recovered_string}' +short_message: +- 'Location: {url}' +- 'Cached file: {cached_file_path}' +--- +type: 'conditional' data_type: 'msie:webcache:container' message: - 'URL: {url}' diff --git a/data/formatters/generic.yaml b/data/formatters/generic.yaml index bc9595eac6..8e50b19798 100644 --- a/data/formatters/generic.yaml +++ b/data/formatters/generic.yaml 
@@ -182,10 +182,55 @@ message: '{filename}' short_message: '{filename}' --- type: 'conditional' +data_type: 'fs:ntfs:usn_change' +flags_helpers: +- input_attribute: 'update_reason_flags' + output_attribute: 'update_reason' + values: + 0x00000001: 'USN_REASON_DATA_OVERWRITE' + 0x00000002: 'USN_REASON_DATA_EXTEND' + 0x00000004: 'USN_REASON_DATA_TRUNCATION' + 0x00000010: 'USN_REASON_NAMED_DATA_OVERWRITE' + 0x00000020: 'USN_REASON_NAMED_DATA_EXTEND' + 0x00000040: 'USN_REASON_NAMED_DATA_TRUNCATION' + 0x00000100: 'USN_REASON_FILE_CREATE' + 0x00000200: 'USN_REASON_FILE_DELETE' + 0x00000400: 'USN_REASON_EA_CHANGE' + 0x00000800: 'USN_REASON_SECURITY_CHANGE' + 0x00001000: 'USN_REASON_RENAME_OLD_NAME' + 0x00002000: 'USN_REASON_RENAME_NEW_NAME' + 0x00004000: 'USN_REASON_INDEXABLE_CHANGE' + 0x00008000: 'USN_REASON_BASIC_INFO_CHANGE' + 0x00010000: 'USN_REASON_HARD_LINK_CHANGE' + 0x00020000: 'USN_REASON_COMPRESSION_CHANGE' + 0x00040000: 'USN_REASON_ENCRYPTION_CHANGE' + 0x00080000: 'USN_REASON_OBJECT_ID_CHANGE' + 0x00100000: 'USN_REASON_REPARSE_POINT_CHANGE' + 0x00200000: 'USN_REASON_STREAM_CHANGE' + 0x00400000: 'USN_REASON_TRANSACTED_CHANGE' + 0x80000000: 'USN_REASON_CLOSE' +- input_attribute: 'update_source_flags' + output_attribute: 'update_source' + values: + 0x00000001: 'USN_SOURCE_DATA_MANAGEMENT' + 0x00000002: 'USN_SOURCE_AUXILIARY_DATA' + 0x00000004: 'USN_SOURCE_REPLICATION_MANAGEMENT' +message: +- '{filename}' +- 'File reference: {file_reference}' +- 'Parent file reference: {parent_file_reference}' +- 'Update source: {update_source}' +- 'Update reason: {update_reason}' +short_message: +- '{filename}' +- '{file_reference}' +- '{update_reason}' +--- +type: 'conditional' data_type: 'fs:stat' boolean_helpers: - input_attribute: 'is_allocated' - output_attribute: 'is_allocated' + output_attribute: 'unallocated' value_if_false: 'unallocated' message: - '{display_name}' 
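Review bot: The `update_reason_flags` and `update_source_flags` tables in the new `fs:ntfs:usn_change` entry stop at `USN_REASON_TRANSACTED_CHANGE` and `USN_SOURCE_REPLICATION_MANAGEMENT`, so later winioctl.h bits such as `0x00800000` (`USN_REASON_INTEGRITY_CHANGE`) or `0x00000008` (`USN_SOURCE_CLIENT_REPLICATION_MANAGEMENT`) have no label. The Python loop removed from plaso/formatters/file_system.py dropped unlisted bits without a trace, and the flags helper presumably does the same (its code is not in this diff), which hides part of a journal record from the timeline. Now that the table is data, adding the missing values is cheap. A comment such as `# Also see: USN_RECORD_V2 Reason and SourceInfo in winioctl.h` would match the reference comments used for the browser enumerations.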
@@ -195,6 +240,32 @@ short_message: - '{filename}' --- type: 'conditional' +data_type: 'fs:stat:ntfs' +boolean_helpers: +- input_attribute: 'is_allocated' + output_attribute: 'unallocated' + value_if_false: 'unallocated' +enumeration_helpers: +- input_attribute: 'attribute_type' + output_attribute: 'attribute_name' + default_value: 'UNKNOWN' + values: + 0x00000010: '$STANDARD_INFORMATION' + 0x00000030: '$FILE_NAME' +message: +- '{display_name}' +- 'File reference: {file_reference}' +- 'Attribute name: {attribute_name}' +- 'Name: {name}' +- 'Parent file reference: {parent_file_reference}' +- '({unallocated})' +- 'Path hints: {path_hints}' +short_message: +- '{filename}' +- '{file_reference}' +- '{attribute_name}' +--- +type: 'conditional' data_type: 'gdrive:snapshot:cloud_entry' boolean_helpers: - input_attribute: 'shared' diff --git a/data/formatters/windows.yaml b/data/formatters/windows.yaml index 35c039681e..fad6c77407 100644 --- a/data/formatters/windows.yaml +++ b/data/formatters/windows.yaml @@ -160,6 +160,28 @@ short_message: - ': {dest_port}' --- type: 'conditional' +data_type: 'windows:lnk:link' +message: +- '[{description}]' +- 'File size: {file_size}' +- 'File attribute flags: 0x{file_attribute_flags:08x}' +- 'Drive type: {drive_type}' +- 'Drive serial number: 0x{drive_serial_number:08x}' +- 'Volume label: {volume_label}' +- 'Local path: {local_path}' +- 'Network path: {network_path}' +- 'cmd arguments: {command_line_arguments}' +- 'env location: {env_var_location}' +- 'Relative path: {relative_path}' +- 'Working dir: {working_directory}' +- 'Icon location: {icon_location}' +- 'Link target: {link_target}' +short_message: +- '[{description}]' +- '{linked_path}' +- '{command_line_arguments}' +--- +type: 'conditional' data_type: 'windows:metadata:deleted_item' enumeration_helpers: - input_attribute: 'drive_number' 
@@ -201,15 +223,17 @@ short_message: - 'Deleted file: {original_filename}' --- type: 'conditional' -data_type: 'windows:registry:explorer:programcache' +data_type: 'windows:prefetch:execution' message: -- 'Key: {key_path}' -- 'Value: {value_name}' -- 'Entries: [{entries}]' +- 'Prefetch' +- '[{executable}] was executed -' +- 'run count {run_count}' +- 'path hints: {path_hints}' +- 'hash: 0x{prefetch_hash:08X}' +- '{volumes_string}' short_message: -- 'Key: {key_path}' -- 'Value: {value_name}' -- 'Entries: [{entries}]' +- '{executable} was run' +- '{run_count} time(s)' --- type: 'conditional' data_type: 'windows:registry:amcache' @@ -278,6 +302,17 @@ message: '[{key_path}] ImagePath: {image_path}' short_message: '[{key_path}] ImagePath: {image_path}' --- type: 'conditional' +data_type: 'windows:registry:explorer:programcache' +message: +- 'Key: {key_path}' +- 'Value: {value_name}' +- 'Entries: [{entries}]' +short_message: +- 'Key: {key_path}' +- 'Value: {value_name}' +- 'Entries: [{entries}]' +--- +type: 'conditional' data_type: 'windows:registry:installation' message: - '{product_name}' @@ -592,6 +627,20 @@ message: '[{key_path}] {entries}' short_message: '[{key_path}] {entries}' --- type: 'conditional' +data_type: 'windows:shell_item:file_entry' +message: +- 'Name: {name}' +- 'Long name: {long_name}' +- 'Localized name: {localized_name}' +- 'NTFS file reference: {file_reference}' +- 'Shell item path: {shell_item_path}' +- 'Origin: {origin}' +short_message: +- 'Name: {file_entry_name}' +- 'NTFS file reference: {file_reference}' +- 'Origin: {origin}' +--- +type: 'conditional' data_type: 'windows:srum:application_usage' message: - 'Application: {application}' diff --git a/plaso/formatters/chrome.py b/plaso/formatters/chrome.py index 768340fa50..84f7b30a3d 100644 --- a/plaso/formatters/chrome.py +++ b/plaso/formatters/chrome.py 
@@ -1,5 +1,5 @@ # -*- coding: utf-8 -*- -"""The Google Chrome history event formatters.""" +"""Google Chrome history custom event formatter helpers.""" from __future__ import unicode_literals 
@@ -7,89 +7,17 @@ from plaso.formatters import manager -class ChromePageVisitedFormatter(interface.ConditionalEventFormatter): - """Formatter for a Chrome page visited event.""" +class ChromePageVisitedFormatter(interface.CustomEventFormatterHelper): + """Custom formatter for Chrome page visited event values.""" DATA_TYPE = 'chrome:history:page_visited' - FORMAT_STRING_PIECES = [ - '{url}', - '({title})', - '[count: {typed_count}]', - 'Visit from: {from_visit}', - 'Visit Source: [{visit_source}]', - 'Type: [{page_transition}]', - '{url_hidden_string}', - '{url_typed_string}'] - - FORMAT_STRING_SHORT_PIECES = [ - '{url}', - '({title})'] - - # The following definition for values can be found here: - # https://cs.chromium.org/chromium/src/ui/base/page_transition_types.h - _PAGE_TRANSITIONS = { - 0: ('LINK', 'User clicked a link'), - 1: ('TYPED', 'User typed the URL in the URL bar'), - 2: ('AUTO_BOOKMARK', 'Got through a suggestion in the UI'), - 3: ('AUTO_SUBFRAME', - ('Content automatically loaded in a non-toplevel frame - user may not' - 'realize')), - 4: ('MANUAL_SUBFRAME', 'Subframe explicitly requested by the user'), - 5: ('GENERATED', - ('User typed in the URL bar and selected an entry from the list - ' - 'such as a search bar')), - 6: ('START_PAGE', 'The start page of the browser'), - 7: ('FORM_SUBMIT', 'A form the user has submitted values to'), - 8: ('RELOAD', - ('The user reloaded the page, eg by hitting the reload button or ' - 'restored a session')), - 9: ('KEYWORD', - ('URL what was generated from a replaceable keyword other than the ' - 'default search provider')), - 10: ('KEYWORD_GENERATED', - 'Corresponds to a visit generated from a KEYWORD')} - - _UNKNOWN_PAGE_TRANSITION = ('UNKNOWN', None) - - # The following is the values for the source enum found in the visit_source - # table and describes where a record originated from (if it originates from a - # different storage than locally generated). 
The source can be found here: - # https://cs.chromium.org/chromium/src/ui/app_list/search/history_types.h - _VISIT_SOURCE = { - 0: 'SOURCE_SYNCED', - 1: 'SOURCE_BROWSED', - 2: 'SOURCE_EXTENSION', - 3: 'SOURCE_FIREFOX_IMPORTED', - 4: 'SOURCE_IE_IMPORTED', - 5: 'SOURCE_SAFARI_IMPORTED'} - def FormatEventValues(self, event_values): - """Formats event values using the helpers. + """Formats event values using the helper. Args: event_values (dict[str, object]): event values. """ - page_transition_type = event_values.get('page_transition_type', None) - if page_transition_type is not None: - page_transition, page_transition_long = self._PAGE_TRANSITIONS.get( - page_transition_type, self._UNKNOWN_PAGE_TRANSITION) - - if page_transition_long: - event_values['page_transition'] = '{0:s} - {1:s}'.format( - page_transition, page_transition_long) - else: - event_values['page_transition'] = page_transition - - visit_source = event_values.get('visit_source', None) - if visit_source is not None: - event_values['visit_source'] = self._VISIT_SOURCE.get( - visit_source, 'UNKNOWN') - - url_hidden = event_values.get('url_hidden', False) - if url_hidden: - event_values['url_hidden_string'] = '(URL hidden)' - typed_count = event_values.get('typed_count', 0) if typed_count == 0: url_typed_string = '(URL not typed directly)' @@ -101,4 +29,5 @@ def FormatEventValues(self, event_values): event_values['url_typed_string'] = url_typed_string -manager.FormattersManager.RegisterFormatter(ChromePageVisitedFormatter) +manager.FormattersManager.RegisterEventFormatterHelper( + ChromePageVisitedFormatter) diff --git a/plaso/formatters/chrome_preferences.py b/plaso/formatters/chrome_preferences.py index 0b283696ea..6095ca33cb 100644 --- a/plaso/formatters/chrome_preferences.py +++ b/plaso/formatters/chrome_preferences.py 
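Review bot: After the move, `ChromePageVisitedFormatter` no longer shows which part of the message it is responsible for, and the new class docstring in the first chrome.py hunk does not say. As far as the visible lines show, the helper only derives `url_typed_string` from `typed_count`, while the message pieces and enumerations now live in data/formatters/browser.yaml under the same `DATA_TYPE`. A docstring such as `"""Custom formatter for Chrome page visited event values; sets url_typed_string, see data/formatters/browser.yaml."""` would make that coupling explicit. The body of `FormatEventValues` continues outside the hunk, so the remaining branches were not reviewed.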
@@ -1,5 +1,5 @@ # -*- coding: utf-8 -*- -"""The Google Chrome Preferences file event formatter.""" +"""Google Chrome preferences custom event formatter helpers.""" from __future__ import unicode_literals @@ -8,23 +8,13 @@ class ChromeContentSettingsExceptionsFormatter( - interface.ConditionalEventFormatter): - """Formatter for a Chrome content_settings exceptions event.""" + interface.CustomEventFormatterHelper): + """Custom formatter for Chrome content settings exceptions event values.""" DATA_TYPE = 'chrome:preferences:content_settings:exceptions' - FORMAT_STRING_PIECES = [ - 'Permission {permission}', - 'used by {primary_url}', - 'embedded in {secondary_url}'] - - FORMAT_STRING_SHORT_PIECES = [ - 'Permission {permission}', - 'used by {primary_url}', - 'embedded in {secondary_url}'] - def FormatEventValues(self, event_values): - """Formats event values using the helpers. + """Formats event values using the helper. Args: event_values (dict[str, object]): event values. @@ -53,5 +43,5 @@ def FormatEventValues(self, event_values): event_values['secondary_url'] = secondary_url -manager.FormattersManager.RegisterFormatter( +manager.FormattersManager.RegisterEventFormatterHelper( ChromeContentSettingsExceptionsFormatter) diff --git a/plaso/formatters/file_system.py b/plaso/formatters/file_system.py index 7270513cbc..202d02b10c 100644 --- a/plaso/formatters/file_system.py +++ b/plaso/formatters/file_system.py @@ -1,5 +1,5 @@ # -*- coding: utf-8 -*- -"""The file system stat event formatter.""" +"""File system custom event formatter helpers.""" from __future__ import unicode_literals 
@@ -7,39 +7,17 @@ from plaso.formatters import manager -class NTFSFileStatEventFormatter(interface.ConditionalEventFormatter): - """The NTFS file system stat event formatter.""" +class NTFSFileStatEventFormatter(interface.CustomEventFormatterHelper): + """Custom formatter for NTFS file system stat event values.""" DATA_TYPE = 'fs:stat:ntfs' - FORMAT_STRING_PIECES = [ - '{display_name}', - 'File reference: {file_reference}', - 'Attribute name: {attribute_name}', - 'Name: {name}', - 'Parent file reference: {parent_file_reference}', - '({unallocated})', - 'Path hints: {path_hints}'] - - FORMAT_STRING_SHORT_PIECES = [ - '{filename}', - '{file_reference}', - '{attribute_name}'] - - _ATTRIBUTE_NAMES = { - 0x00000010: '$STANDARD_INFORMATION', - 0x00000030: '$FILE_NAME'} - def FormatEventValues(self, event_values): - """Formats event values using the helpers. + """Formats event values using the helper. Args: event_values (dict[str, object]): event values. """ - attribute_type = event_values.get('attribute_type', 0) - event_values['attribute_name'] = self._ATTRIBUTE_NAMES.get( - attribute_type, 'UNKNOWN') - file_reference = event_values.get('file_reference', None) if file_reference: event_values['file_reference'] = '{0:d}-{1:d}'.format( 
@@ -50,62 +28,18 @@ def FormatEventValues(self, event_values): event_values['parent_file_reference'] = '{0:d}-{1:d}'.format( parent_file_reference & 0xffffffffffff, parent_file_reference >> 48) - if not event_values.get('is_allocated', False): - event_values['unallocated'] = 'unallocated' - path_hints = event_values.get('path_hints', []) if path_hints: event_values['path_hints'] = ';'.join(path_hints) -class NTFSUSNChangeEventFormatter(interface.ConditionalEventFormatter): - """The NTFS USN change event formatter.""" +class NTFSUSNChangeEventFormatter(interface.CustomEventFormatterHelper): + """Custom formatter for NTFS USN change event values.""" DATA_TYPE = 'fs:ntfs:usn_change' - FORMAT_STRING_PIECES = [ - '{filename}', - 'File reference: {file_reference}', - 'Parent file reference: {parent_file_reference}', - 'Update source: {update_source}', - 'Update reason: {update_reason}'] - - FORMAT_STRING_SHORT_PIECES = [ - '{filename}', - '{file_reference}', - '{update_reason}'] - - _USN_REASON_FLAGS = { - 0x00000001: 'USN_REASON_DATA_OVERWRITE', - 0x00000002: 'USN_REASON_DATA_EXTEND', - 0x00000004: 'USN_REASON_DATA_TRUNCATION', - 0x00000010: 'USN_REASON_NAMED_DATA_OVERWRITE', - 0x00000020: 'USN_REASON_NAMED_DATA_EXTEND', - 0x00000040: 'USN_REASON_NAMED_DATA_TRUNCATION', - 0x00000100: 'USN_REASON_FILE_CREATE', - 0x00000200: 'USN_REASON_FILE_DELETE', - 0x00000400: 'USN_REASON_EA_CHANGE', - 0x00000800: 'USN_REASON_SECURITY_CHANGE', - 0x00001000: 'USN_REASON_RENAME_OLD_NAME', - 0x00002000: 'USN_REASON_RENAME_NEW_NAME', - 0x00004000: 'USN_REASON_INDEXABLE_CHANGE', - 0x00008000: 'USN_REASON_BASIC_INFO_CHANGE', - 0x00010000: 'USN_REASON_HARD_LINK_CHANGE', - 0x00020000: 'USN_REASON_COMPRESSION_CHANGE', - 0x00040000: 'USN_REASON_ENCRYPTION_CHANGE', - 0x00080000: 'USN_REASON_OBJECT_ID_CHANGE', - 0x00100000: 'USN_REASON_REPARSE_POINT_CHANGE', - 0x00200000: 'USN_REASON_STREAM_CHANGE', - 0x00400000: 'USN_REASON_TRANSACTED_CHANGE', - 0x80000000: 'USN_REASON_CLOSE'} - - 
_USN_SOURCE_FLAGS = { - 0x00000001: 'USN_SOURCE_DATA_MANAGEMENT', - 0x00000002: 'USN_SOURCE_AUXILIARY_DATA', - 0x00000004: 'USN_SOURCE_REPLICATION_MANAGEMENT'} - def FormatEventValues(self, event_values): - """Formats event values using the helpers. + """Formats event values using the helper. Args: event_values (dict[str, object]): event values. @@ -120,22 +54,6 @@ def FormatEventValues(self, event_values): event_values['parent_file_reference'] = '{0:d}-{1:d}'.format( parent_file_reference & 0xffffffffffff, parent_file_reference >> 48) - update_reason_flags = event_values.get('update_reason_flags', 0) - update_reasons = [] - for bitmask, description in sorted(self._USN_REASON_FLAGS.items()): - if bitmask & update_reason_flags: - update_reasons.append(description) - - event_values['update_reason'] = ', '.join(update_reasons) - - update_source_flags = event_values.get('update_source_flags', 0) - update_sources = [] - for bitmask, description in sorted(self._USN_SOURCE_FLAGS.items()): - if bitmask & update_source_flags: - update_sources.append(description) - - event_values['update_source'] = ', '.join(update_sources) - -manager.FormattersManager.RegisterFormatters([ +manager.FormattersManager.RegisterEventFormatterHelpers([ NTFSFileStatEventFormatter, NTFSUSNChangeEventFormatter]) diff --git a/plaso/formatters/firefox.py b/plaso/formatters/firefox.py index 8f8915fe12..bb02dec62f 100644 --- a/plaso/formatters/firefox.py +++ b/plaso/formatters/firefox.py @@ -1,5 +1,5 @@ # -*- coding: utf-8 -*- -"""The Mozilla Firefox history event formatter.""" +"""Mozilla Firefox history custom event formatter helpers.""" from __future__ import unicode_literals 
@@ -7,40 +7,13 @@ from plaso.formatters import manager -class FirefoxPageVisitFormatter(interface.ConditionalEventFormatter): - """The Firefox page visited event formatter.""" +class FirefoxPageVisitFormatter(interface.CustomEventFormatterHelper): + """Custom formatter for Firefox page visited event values.""" DATA_TYPE = 'firefox:places:page_visited' - # Transitions defined in the source file: - # src/toolkit/components/places/nsINavHistoryService.idl - # Also contains further explanation into what each of these settings mean. - _URL_TRANSITIONS = { - 1: 'LINK', - 2: 'TYPED', - 3: 'BOOKMARK', - 4: 'EMBED', - 5: 'REDIRECT_PERMANENT', - 6: 'REDIRECT_TEMPORARY', - 7: 'DOWNLOAD', - 8: 'FRAMED_LINK', - } - - FORMAT_STRING_PIECES = [ - '{url}', - '({title})', - '[count: {visit_count}]', - 'Host: {host}', - 'visited from: {from_visit}', - '{url_hidden_string}', - '{url_typed_string}', - 'Transition: {transition_string}'] - - FORMAT_STRING_SHORT_PIECES = [ - 'URL: {url}'] - def FormatEventValues(self, event_values): - """Formats event values using the helpers. + """Formats event values using the helper. Args: event_values (dict[str, object]): event values. @@ -57,9 +30,6 @@ def FormatEventValues(self, event_values): event_values['url_typed_string'] = url_typed_string - visit_type = event_values.get('visit_type', 0) - event_values['transition_string'] = self._URL_TRANSITIONS.get( - visit_type, 'UNKOWN') - -manager.FormattersManager.RegisterFormatter(FirefoxPageVisitFormatter) +manager.FormattersManager.RegisterEventFormatterHelper( + FirefoxPageVisitFormatter) diff --git a/plaso/formatters/interface.py b/plaso/formatters/interface.py index 80141b2d9a..db2655055f 100644 --- a/plaso/formatters/interface.py +++ b/plaso/formatters/interface.py 
@@ -77,6 +77,20 @@ def FormatEventValues(self, event_values): event_values[self.output_attribute] = output_value +class CustomEventFormatterHelper(EventFormatterHelper): + """Base class for a helper for custom formatting of event data.""" + + DATA_TYPE = '' + + @abc.abstractmethod + def FormatEventValues(self, event_values): + """Formats event values using the helper. + + Args: + event_values (dict[str, object]): event values. + """ + + class EnumerationEventFormatterHelper(EventFormatterHelper): """Helper for formatting enumeration event data. @@ -119,13 +133,13 @@ def FormatEventValues(self, event_values): event_values (dict[str, object]): event values. """ input_value = event_values.get(self.input_attribute, None) + if input_value is not None: + default_value = self.default + if default_value is None: + default_value = input_value - default_value = self.default - if default_value is None: - default_value = input_value - - event_values[self.output_attribute] = self.values.get( - input_value, default_value) + event_values[self.output_attribute] = self.values.get( + input_value, default_value) class FlagsEventFormatterHelper(EventFormatterHelper): diff --git a/plaso/formatters/manager.py b/plaso/formatters/manager.py index 61a6018dcb..a907fb4627 100644 --- a/plaso/formatters/manager.py +++ b/plaso/formatters/manager.py @@ -14,6 +14,8 @@ class FormattersManager(object): """Class that implements the formatters manager.""" + _custom_formatter_helpers = {} + _formatter_classes = {} _formatter_objects = {} 
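Review bot: The new `if input_value is not None:` guard in `EnumerationEventFormatterHelper.FormatEventValues` (second hunk on this line) changes the output for events that lack the input attribute, and nothing documents it. The removed Firefox and NTFS code used `event_values.get('visit_type', 0)` and `event_values.get('attribute_type', 0)` and always set `transition_string` and `attribute_name`, so a missing value rendered as the default; with the YAML helpers the output attribute is now left unset. If that is intended, say so in the method docstring, e.g. `If the input attribute is not set the output attribute is left untouched.`; if not, the YAML entries need a way to express the old fallback. The method starts outside the hunk.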
@@ -35,10 +37,16 @@ def _ReadFormattersFile(cls, path): """ formatters_file = yaml_formatters_file.YAMLFormattersFile() for formatter in formatters_file.ReadFromFile(path): + data_type = formatter.DATA_TYPE.lower() + + custom_formatter_helper = cls._custom_formatter_helpers.get( + data_type, None) + if custom_formatter_helper: + formatter.AddHelper(custom_formatter_helper) + # TODO: refactor RegisterFormatter to only use formatter objects. cls.RegisterFormatter(formatter) - data_type = formatter.DATA_TYPE.lower() cls._formatter_objects[data_type] = formatter cls._formatters_from_file.append(data_type) @@ -55,15 +63,15 @@ def DeregisterFormatter(cls, formatter_class): Raises: KeyError: if formatter class is not set for the corresponding data type. """ - formatter_data_type = formatter_class.DATA_TYPE.lower() - if formatter_data_type not in cls._formatter_classes: + data_type = formatter_class.DATA_TYPE.lower() + if data_type not in cls._formatter_classes: raise KeyError('Formatter class not set for data type: {0:s}.'.format( formatter_class.DATA_TYPE)) - del cls._formatter_classes[formatter_data_type] + del cls._formatter_classes[data_type] - if formatter_data_type in cls._formatter_objects: - del cls._formatter_objects[formatter_data_type] + if data_type in cls._formatter_objects: + del cls._formatter_objects[data_type] @classmethod def GetFormatterObject(cls, data_type): 
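Review bot: In `_ReadFormattersFile` the custom helper is attached only when `cls._custom_formatter_helpers.get(data_type, None)` finds a match, so a helper whose `DATA_TYPE` has no YAML definition, or differs from it by a typo, is skipped without any signal. The affected events then lose their derived fields, for example `url_typed_string` or the formatted `file_reference`. Since the YAML file and the Python helper are now coupled only by that string, a check after loading would catch the mismatch early, e.g. computing `unused = set(cls._custom_formatter_helpers) - set(cls._formatter_objects)` and reporting any leftovers. The second hunk on this line only renames a local in `DeregisterFormatter`, and both method bodies extend outside their hunks.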
@@ -126,40 +134,63 @@ def ReadFormattersFromFile(cls, path): cls._ReadFormattersFile(path) @classmethod - def RegisterFormatter(cls, formatter_class): - """Registers a formatter class. + def RegisterEventFormatterHelper(cls, formatter_helper_class): + """Registers a custom event formatter helper. - The formatter classes are identified based on their lower case data type. + The custom event formatter helpers are identified based on their lower + case data type. Args: - formatter_class (type): class of the formatter. + formatter_helper_class (type): class of the custom event formatter helper. Raises: - KeyError: if formatter class is already set for the corresponding - data type. + KeyError: if a custom formatter helper is already set for the + corresponding data type. """ - formatter_data_type = formatter_class.DATA_TYPE.lower() - if formatter_data_type in cls._formatter_classes: - raise KeyError('Formatter class already set for data type: {0:s}.'.format( - formatter_class.DATA_TYPE)) + data_type = formatter_helper_class.DATA_TYPE.lower() + if data_type in cls._custom_formatter_helpers: + raise KeyError(( + 'Custom event formatter helper already set for data type: ' + '{0:s}.').format(formatter_helper_class.DATA_TYPE)) + + cls._custom_formatter_helpers[data_type] = formatter_helper_class() - cls._formatter_classes[formatter_data_type] = formatter_class + @classmethod + def RegisterEventFormatterHelpers(cls, formatter_helper_classes): + """Registers custom event formatter helpers. + + The formatter classes are identified based on their lower case data type. + + Args: + formatter_helper_classes (list[type]): classes of the custom event + formatter helpers. + + Raises: + KeyError: if a custom formatter helper is already set for the + corresponding data type. 
+ """ + for formatter_helper_class in formatter_helper_classes: + cls.RegisterEventFormatterHelper(formatter_helper_class) @classmethod - def RegisterFormatters(cls, formatter_classes): - """Registers formatter classes. + def RegisterFormatter(cls, formatter_class): + """Registers a formatter class. The formatter classes are identified based on their lower case data type. Args: - formatter_classes (list[type]): classes of the formatters. + formatter_class (type): class of the formatter. Raises: KeyError: if formatter class is already set for the corresponding data type. """ - for formatter_class in formatter_classes: - cls.RegisterFormatter(formatter_class) + data_type = formatter_class.DATA_TYPE.lower() + if data_type in cls._formatter_classes: + raise KeyError('Formatter class already set for data type: {0:s}.'.format( + formatter_class.DATA_TYPE)) + + cls._formatter_classes[data_type] = formatter_class @classmethod def Reset(cls): diff --git a/plaso/formatters/msiecf.py b/plaso/formatters/msiecf.py index ef78672840..4d5eeab877 100644 --- a/plaso/formatters/msiecf.py +++ b/plaso/formatters/msiecf.py @@ -1,5 +1,5 @@ # -*- coding: utf-8 -*- -"""The Microsoft Internet Explorer (MSIE) Cache Files (CF) event formatters.""" +"""Microsoft Internet Explorer (MSIE) custom event formatter helpers.""" from __future__ import unicode_literals 
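Review bot: `RegisterEventFormatterHelper` stores an instance in the class-level `_custom_formatter_helpers` dict and raises KeyError on a duplicate, but the hunk adds no deregistration counterpart to `DeregisterFormatter`, and `Reset` (outside this hunk) may not clear the new dict. Tests or plugins that register the same helper twice in one process would then fail. `RegisterFormatters` is also removed here, so any caller not updated in this commit will raise AttributeError when its module is imported. The docstring of `RegisterEventFormatterHelpers` still says `The formatter classes are identified based on their lower case data type.` and should read `The custom event formatter helpers are identified ...` like the singular method.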
@@ -7,21 +7,13 @@ from plaso.formatters import manager -class MsiecfLeakFormatter(interface.ConditionalEventFormatter): - """Formatter for a MSIECF leak item event.""" +class MsiecfLeakFormatter(interface.CustomEventFormatterHelper): + """Custom formatter for MSIE cache file leak item event values.""" DATA_TYPE = 'msiecf:leak' - FORMAT_STRING_PIECES = [ - 'Cached file: {cached_file_path}', - 'Cached file size: {cached_file_size}', - '{recovered_string}'] - - FORMAT_STRING_SHORT_PIECES = [ - 'Cached file: {cached_file_path}'] - def FormatEventValues(self, event_values): - """Formats event values using the helpers. + """Formats event values using the helper. Args: event_values (dict[str, object]): event values. @@ -33,29 +25,14 @@ def FormatEventValues(self, event_values): cached_file_path = '\\'.join([cache_directory_name, cached_file_path]) event_values['cached_file_path'] = cached_file_path - if event_values.get('recovered', None): - event_values['recovered_string'] = '[Recovered Entry]' - -class MsiecfUrlFormatter(interface.ConditionalEventFormatter): - """Formatter for a MSIECF URL item event.""" +class MsiecfUrlFormatter(interface.CustomEventFormatterHelper): + """Custom formatter for MSIE cache file URL item event values.""" DATA_TYPE = 'msiecf:url' - FORMAT_STRING_PIECES = [ - 'Location: {url}', - 'Number of hits: {number_of_hits}', - 'Cached file: {cached_file_path}', - 'Cached file size: {cached_file_size}', - 'HTTP headers: {http_headers}', - '{recovered_string}'] - - FORMAT_STRING_SHORT_PIECES = [ - 'Location: {url}', - 'Cached file: {cached_file_path}'] - def FormatEventValues(self, event_values): - """Formats event values using the helpers. + """Formats event values using the helper. Args: event_values (dict[str, object]): event values. 
@@ -71,9 +48,6 @@ def FormatEventValues(self, event_values): if http_headers: event_values['http_headers'] = http_headers.replace('\r\n', ' - ') - if event_values.get('recovered', None): - event_values['recovered_string'] = '[Recovered Entry]' - -manager.FormattersManager.RegisterFormatters([ +manager.FormattersManager.RegisterEventFormatterHelpers([ MsiecfLeakFormatter, MsiecfUrlFormatter]) diff --git a/plaso/formatters/shell_items.py b/plaso/formatters/shell_items.py index ff4db32a33..344e8cedce 100644 --- a/plaso/formatters/shell_items.py +++ b/plaso/formatters/shell_items.py @@ -1,5 +1,5 @@ # -*- coding: utf-8 -*- -"""The shell item event formatter.""" +"""Windows shell item custom event formatter helpers.""" from __future__ import unicode_literals @@ -7,26 +7,13 @@ from plaso.formatters import manager -class ShellItemFileEntryEventFormatter(interface.ConditionalEventFormatter): - """Formatter for a shell item file entry event.""" +class ShellItemFileEntryEventFormatter(interface.CustomEventFormatterHelper): + """Custom formatter for Windows shell item file entry event values.""" DATA_TYPE = 'windows:shell_item:file_entry' - FORMAT_STRING_PIECES = [ - 'Name: {name}', - 'Long name: {long_name}', - 'Localized name: {localized_name}', - 'NTFS file reference: {file_reference}', - 'Shell item path: {shell_item_path}', - 'Origin: {origin}'] - - FORMAT_STRING_SHORT_PIECES = [ - 'Name: {file_entry_name}', - 'NTFS file reference: {file_reference}', - 'Origin: {origin}'] - def FormatEventValues(self, event_values): - """Formats event values using the helpers. + """Formats event values using the helper. Args: event_values (dict[str, object]): event values. @@ -36,4 +23,5 @@ def FormatEventValues(self, event_values): event_values['file_entry_name'] = event_values.get('name', None) -manager.FormattersManager.RegisterFormatter(ShellItemFileEntryEventFormatter) +manager.FormattersManager.RegisterEventFormatterHelper( + ShellItemFileEntryEventFormatter) 
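Review bot: `http_headers.replace('\r\n', ' - ')` in the context lines of the msiecf.py hunk `@@ -71,9 +48,6 @@` only folds CRLF pairs, so a cached header block containing a bare `\n` or `\r` keeps its embedded line break. The headers were supplied by a remote server and should be treated as untrusted text; in line-oriented timeline output an embedded newline can split one event across rows or make header content look like a separate entry. Unless the output modules already escape control characters (not visible here), consider normalising every line ending, e.g. `http_headers = ' - '.join(http_headers.splitlines())`, noting that this also drops a trailing separator. `FormatEventValues` starts outside this hunk.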
diff --git a/plaso/formatters/winlnk.py b/plaso/formatters/winlnk.py index e5bf118b4b..34cbbfb1a3 100644 --- a/plaso/formatters/winlnk.py +++ b/plaso/formatters/winlnk.py @@ -1,5 +1,5 @@ # -*- coding: utf-8 -*- -"""The Windows Shortcut (LNK) event formatter.""" +"""Windows Shortcut (LNK) custom event formatter helpers.""" from __future__ import unicode_literals @@ -7,41 +7,20 @@ from plaso.formatters import manager -class WinLnkLinkFormatter(interface.ConditionalEventFormatter): - """Formatter for a Windows Shortcut (LNK) link event.""" +class WinLnkLinkFormatter(interface.CustomEventFormatterHelper): + """Custom formatter for Windows Shortcut (LNK) link event values.""" DATA_TYPE = 'windows:lnk:link' - FORMAT_STRING_PIECES = [ - '[{description}]', - 'File size: {file_size}', - 'File attribute flags: 0x{file_attribute_flags:08x}', - 'Drive type: {drive_type}', - 'Drive serial number: 0x{drive_serial_number:08x}', - 'Volume label: {volume_label}', - 'Local path: {local_path}', - 'Network path: {network_path}', - 'cmd arguments: {command_line_arguments}', - 'env location: {env_var_location}', - 'Relative path: {relative_path}', - 'Working dir: {working_directory}', - 'Icon location: {icon_location}', - 'Link target: {link_target}'] - - FORMAT_STRING_SHORT_PIECES = [ - '[{description}]', - '{linked_path}', - '{command_line_arguments}'] - - def _GetLinkedPath(self, event_values): - """Determines the linked path. + def FormatEventValues(self, event_values): + """Formats event values using the helper. Args: event_values (dict[str, object]): event values. - - Returns: - str: linked path or "Unknown" if not set. """ + if 'description' not in event_values: + event_values['description'] = 'Empty description' + linked_path = event_values.get('local_path', None) if not linked_path: linked_path = event_values.get('network_path', None) 
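Review bot: The docstring of `WinLnkLinkFormatter.FormatEventValues` in `@@ -7,41 +7,20 @@` no longer tells the reader which keys the method writes, now that `_GetLinkedPath` and its `Returns:` section are gone. The method changes the caller's dictionary in place, so I would add a sentence such as `Sets 'description' to 'Empty description' when missing and 'linked_path' to the resolved path or 'Unknown'.` The method body continues past the end of this hunk into `@@ -53,18 +32,7 @@`.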
@@ -53,18 +32,7 @@ def _GetLinkedPath(self, event_values): if working_directory: linked_path = '\\'.join([working_directory, linked_path]) - return linked_path or 'Unknown' - - def FormatEventValues(self, event_values): - """Formats event values using the helpers. - - Args: - event_values (dict[str, object]): event values. - """ - if 'description' not in event_values: - event_values['description'] = 'Empty description' - - event_values['linked_path'] = self._GetLinkedPath(event_values) + event_values['linked_path'] = linked_path or 'Unknown' -manager.FormattersManager.RegisterFormatter(WinLnkLinkFormatter) +manager.FormattersManager.RegisterEventFormatterHelper(WinLnkLinkFormatter) diff --git a/plaso/formatters/winprefetch.py b/plaso/formatters/winprefetch.py index c9079c0841..75cfeb86a4 100644 --- a/plaso/formatters/winprefetch.py +++ b/plaso/formatters/winprefetch.py @@ -1,5 +1,5 @@ # -*- coding: utf-8 -*- -"""The Windows Prefetch event formatter.""" +"""Windows Prefetch custom event formatter helpers.""" from __future__ import unicode_literals @@ -7,25 +7,13 @@ from plaso.formatters import manager -class WinPrefetchExecutionFormatter(interface.ConditionalEventFormatter): - """Formatter for a Windows Prefetch execution event.""" +class WinPrefetchExecutionFormatter(interface.CustomEventFormatterHelper): + """Custom formatter for Windows Prefetch execution event values.""" DATA_TYPE = 'windows:prefetch:execution' - FORMAT_STRING_PIECES = [ - 'Prefetch', - '[{executable}] was executed -', - 'run count {run_count}', - 'path hints: {path_hints}', - 'hash: 0x{prefetch_hash:08X}', - '{volumes_string}'] - - FORMAT_STRING_SHORT_PIECES = [ - '{executable} was run', - '{run_count} time(s)'] - def FormatEventValues(self, event_values): - """Formats event values using the helpers. + """Formats event values using the helper. Args: event_values (dict[str, object]): event values. 
@@ -58,4 +46,5 @@ def FormatEventValues(self, event_values): event_values['path_hints'] = '; '.join(path_hints) -manager.FormattersManager.RegisterFormatter(WinPrefetchExecutionFormatter) +manager.FormattersManager.RegisterEventFormatterHelper( + WinPrefetchExecutionFormatter) diff --git a/tests/formatters/chrome.py b/tests/formatters/chrome.py index 3d55398249..5f020d6093 100644 --- a/tests/formatters/chrome.py +++ b/tests/formatters/chrome.py @@ -19,24 +19,7 @@ def testInitialization(self): event_formatter = chrome.ChromePageVisitedFormatter() self.assertIsNotNone(event_formatter) - def testGetFormatStringAttributeNames(self): - """Tests the GetFormatStringAttributeNames function.""" - event_formatter = chrome.ChromePageVisitedFormatter() - - expected_attribute_names = [ - 'from_visit', - 'page_transition', - 'title', - 'typed_count', - 'url', - 'url_hidden_string', - 'url_typed_string', - 'visit_source'] - - self._TestGetFormatStringAttributeNames( - event_formatter, expected_attribute_names) - - # TODO: add test for GetMessages. + # TODO: add test for FormatEventValues. if __name__ == '__main__': diff --git a/tests/formatters/chrome_preferences.py b/tests/formatters/chrome_preferences.py index 14064fc71c..df8f47a5e1 100644 --- a/tests/formatters/chrome_preferences.py +++ b/tests/formatters/chrome_preferences.py @@ -21,17 +21,7 @@ def testInitialization(self): chrome_preferences.ChromeContentSettingsExceptionsFormatter()) self.assertIsNotNone(event_formatter) - def testGetFormatStringAttributeNames(self): - """Tests the GetFormatStringAttributeNames function.""" - event_formatter = ( - chrome_preferences.ChromeContentSettingsExceptionsFormatter()) - - expected_attribute_names = ['permission', 'primary_url', 'secondary_url'] - - self._TestGetFormatStringAttributeNames( - event_formatter, expected_attribute_names) - - # TODO: add test for GetMessages. + # TODO: add test for FormatEventValues. if __name__ == '__main__': 
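Review bot: After the tests/formatters/chrome.py hunk the only remaining test is `testInitialization`, whose `assertIsNotNone` on a freshly constructed object fails only if the constructor raises, so `FormatEventValues` has no coverage. The same holds for the hunks in tests/formatters/chrome_preferences.py, file_system.py, firefox.py, msiecf.py, shell_items.py, winlnk.py and winprefetch.py. These helpers rewrite the values an analyst reads, so a regression there would go unnoticed. Instead of leaving `# TODO: add test for FormatEventValues.`, add a minimal case per helper, e.g. for winlnk: `event_values = {}`, `event_formatter.FormatEventValues(event_values)`, `self.assertEqual(event_values['linked_path'], 'Unknown')`. That expected value is inferred from the winlnk.py hunks, and part of the method lies between them.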
diff --git a/tests/formatters/file_system.py b/tests/formatters/file_system.py index c4277aa39b..37b614a631 100644 --- a/tests/formatters/file_system.py +++ b/tests/formatters/file_system.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -"""Tests for the file system stat event formatter.""" +"""Tests for the file system event formatters.""" from __future__ import unicode_literals @@ -19,18 +19,18 @@ def testInitialization(self): event_formatter = file_system.NTFSFileStatEventFormatter() self.assertIsNotNone(event_formatter) - def testGetFormatStringAttributeNames(self): - """Tests the GetFormatStringAttributeNames function.""" - event_formatter = file_system.NTFSFileStatEventFormatter() + # TODO: add test for FormatEventValues. + - expected_attribute_names = [ - 'attribute_name', 'display_name', 'file_reference', 'name', - 'parent_file_reference', 'path_hints', 'unallocated'] +class NTFSUSNChangeEventFormatter(test_lib.EventFormatterTestCase): + """Tests for the NTFS USN change event formatter.""" - self._TestGetFormatStringAttributeNames( - event_formatter, expected_attribute_names) + def testInitialization(self): + """Tests the initialization.""" + event_formatter = file_system.NTFSUSNChangeEventFormatter() + self.assertIsNotNone(event_formatter) - # TODO: add test for GetMessages. + # TODO: add test for FormatEventValues. if __name__ == '__main__': diff --git a/tests/formatters/firefox.py b/tests/formatters/firefox.py index 8635ff92c5..c2f9eef072 100644 --- a/tests/formatters/firefox.py +++ b/tests/formatters/firefox.py 
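Review bot: The test class added in `@@ -19,18 +19,18 @@` is named `NTFSUSNChangeEventFormatter`, the same as the class it tests and without the `Test` suffix used by the other test classes in this change (e.g. `MsiecfUrlFormatterTest`). That makes test reports and greps ambiguous between the test and the production class. I would rename it to `class NTFSUSNChangeEventFormatterTest(test_lib.EventFormatterTestCase):`.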
@@ -19,18 +19,7 @@ def testInitialization(self): event_formatter = firefox.FirefoxPageVisitFormatter() self.assertIsNotNone(event_formatter) - def testGetFormatStringAttributeNames(self): - """Tests the GetFormatStringAttributeNames function.""" - event_formatter = firefox.FirefoxPageVisitFormatter() - - expected_attribute_names = [ - 'from_visit', 'host', 'title', 'transition_string', 'url', - 'url_hidden_string', 'url_typed_string', 'visit_count'] - - self._TestGetFormatStringAttributeNames( - event_formatter, expected_attribute_names) - - # TODO: add test for GetMessages. + # TODO: add test for FormatEventValues. if __name__ == '__main__': diff --git a/tests/formatters/msiecf.py b/tests/formatters/msiecf.py index c4df682490..917190fe93 100644 --- a/tests/formatters/msiecf.py +++ b/tests/formatters/msiecf.py @@ -19,19 +19,7 @@ def testInitialization(self): event_formatter = msiecf.MsiecfLeakFormatter() self.assertIsNotNone(event_formatter) - def testGetFormatStringAttributeNames(self): - """Tests the GetFormatStringAttributeNames function.""" - event_formatter = msiecf.MsiecfLeakFormatter() - - expected_attribute_names = [ - 'cached_file_path', - 'cached_file_size', - 'recovered_string'] - - self._TestGetFormatStringAttributeNames( - event_formatter, expected_attribute_names) - - # TODO: add test for GetMessages. + # TODO: add test for FormatEventValues. class MsiecfUrlFormatterTest(test_lib.EventFormatterTestCase): 
@@ -42,22 +30,7 @@ def testInitialization(self): event_formatter = msiecf.MsiecfUrlFormatter() self.assertIsNotNone(event_formatter) - def testGetFormatStringAttributeNames(self): - """Tests the GetFormatStringAttributeNames function.""" - event_formatter = msiecf.MsiecfUrlFormatter() - - expected_attribute_names = [ - 'url', - 'number_of_hits', - 'cached_file_path', - 'cached_file_size', - 'http_headers', - 'recovered_string'] - - self._TestGetFormatStringAttributeNames( - event_formatter, expected_attribute_names) - - # TODO: add test for GetMessages. + # TODO: add test for FormatEventValues. if __name__ == '__main__': diff --git a/tests/formatters/shell_items.py b/tests/formatters/shell_items.py index 050153da90..f176822417 100644 --- a/tests/formatters/shell_items.py +++ b/tests/formatters/shell_items.py @@ -19,22 +19,7 @@ def testInitialization(self): event_formatter = shell_items.ShellItemFileEntryEventFormatter() self.assertIsNotNone(event_formatter) - def testGetFormatStringAttributeNames(self): - """Tests the GetFormatStringAttributeNames function.""" - event_formatter = shell_items.ShellItemFileEntryEventFormatter() - - expected_attribute_names = [ - 'name', - 'long_name', - 'localized_name', - 'file_reference', - 'shell_item_path', - 'origin'] - - self._TestGetFormatStringAttributeNames( - event_formatter, expected_attribute_names) - - # TODO: add test for GetMessages. + # TODO: add test for FormatEventValues. if __name__ == '__main__': diff --git a/tests/formatters/winlnk.py b/tests/formatters/winlnk.py index 1c346a04d5..b0fb1fdfd1 100644 --- a/tests/formatters/winlnk.py +++ b/tests/formatters/winlnk.py 
@@ -19,21 +19,7 @@ def testInitialization(self): event_formatter = winlnk.WinLnkLinkFormatter() self.assertIsNotNone(event_formatter) - def testGetFormatStringAttributeNames(self): - """Tests the GetFormatStringAttributeNames function.""" - event_formatter = winlnk.WinLnkLinkFormatter() - - expected_attribute_names = [ - 'description', 'file_size', 'file_attribute_flags', 'drive_type', - 'drive_serial_number', 'volume_label', 'local_path', - 'network_path', 'command_line_arguments', 'env_var_location', - 'relative_path', 'working_directory', 'icon_location', - 'link_target'] - - self._TestGetFormatStringAttributeNames( - event_formatter, expected_attribute_names) - - # TODO: add test for GetMessages. + # TODO: add test for FormatEventValues. if __name__ == '__main__': diff --git a/tests/formatters/winprefetch.py b/tests/formatters/winprefetch.py index 517401b7bb..1e7e4a00bc 100644 --- a/tests/formatters/winprefetch.py +++ b/tests/formatters/winprefetch.py @@ -19,21 +19,7 @@ def testInitialization(self): event_formatter = winprefetch.WinPrefetchExecutionFormatter() self.assertIsNotNone(event_formatter) - def testGetFormatStringAttributeNames(self): - """Tests the GetFormatStringAttributeNames function.""" - event_formatter = winprefetch.WinPrefetchExecutionFormatter() - - expected_attribute_names = [ - 'executable', - 'run_count', - 'path_hints', - 'prefetch_hash', - 'volumes_string'] - - self._TestGetFormatStringAttributeNames( - event_formatter, expected_attribute_names) - - # TODO: add test for GetMessages. + # TODO: add test for FormatEventValues. if __name__ == '__main__': diff --git a/tests/parsers/chrome_preferences.py b/tests/parsers/chrome_preferences.py index 627a8dc58a..942c6f089f 100644 --- a/tests/parsers/chrome_preferences.py +++ b/tests/parsers/chrome_preferences.py 
@@ -6,7 +6,6 @@ import unittest -from plaso.formatters import chrome_preferences as _ # pylint: disable=unused-import from plaso.parsers import chrome_preferences from tests.parsers import test_lib diff --git a/tests/parsers/msiecf.py b/tests/parsers/msiecf.py index eb40327535..2504c8149d 100644 --- a/tests/parsers/msiecf.py +++ b/tests/parsers/msiecf.py @@ -6,7 +6,6 @@ import unittest -from plaso.formatters import msiecf as _ # pylint: disable=unused-import from plaso.lib import definitions from plaso.parsers import msiecf diff --git a/tests/parsers/recycler.py b/tests/parsers/recycler.py index 498e060b89..c7050b9125 100644 --- a/tests/parsers/recycler.py +++ b/tests/parsers/recycler.py @@ -35,7 +35,7 @@ def testParseVista(self): self.assertEqual(event_data.original_filename, expected_filename) self.assertEqual(event_data.file_size, 724919) - expected_message = '{0:s} (from drive: UNKNOWN)'.format(expected_filename) + expected_message = expected_filename expected_short_message = 'Deleted file: {0:s}'.format(expected_filename) self._TestGetMessageStrings( event_data, expected_message, expected_short_message) @@ -60,7 +60,7 @@ def testParseWindows10(self): self.assertEqual(event_data.original_filename, expected_filename) self.assertEqual(event_data.file_size, 222255) - expected_message = '{0:s} (from drive: UNKNOWN)'.format(expected_filename) + expected_message = expected_filename expected_short_message = 'Deleted file: {0:s}'.format(expected_filename) self._TestGetMessageStrings( event_data, expected_message, expected_short_message) diff --git a/tests/parsers/sqlite_plugins/chrome_history.py b/tests/parsers/sqlite_plugins/chrome_history.py index c6df6109e8..1cf04b366b 100644 --- a/tests/parsers/sqlite_plugins/chrome_history.py +++ b/tests/parsers/sqlite_plugins/chrome_history.py 
@@ -6,7 +6,6 @@ import unittest -from plaso.formatters import chrome as _ # pylint: disable=unused-import from plaso.lib import definitions from plaso.parsers.sqlite_plugins import chrome_history diff --git a/tests/parsers/winlnk.py b/tests/parsers/winlnk.py index 6ecca856b7..5589e4ea85 100644 --- a/tests/parsers/winlnk.py +++ b/tests/parsers/winlnk.py @@ -6,7 +6,6 @@ import unittest -from plaso.formatters import winlnk as _ # pylint: disable=unused-import from plaso.lib import definitions from plaso.parsers import winlnk diff --git a/tests/parsers/winprefetch.py b/tests/parsers/winprefetch.py index f9d2baaaa1..d97f516353 100644 --- a/tests/parsers/winprefetch.py +++ b/tests/parsers/winprefetch.py @@ -6,7 +6,6 @@ import unittest -from plaso.formatters import winprefetch as _ # pylint: disable=unused-import from plaso.lib import definitions from plaso.parsers import winprefetch