OLD | NEW |
1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """A plugin to generate a list of unique hashes and paths.""" | 2 """A plugin to generate a list of unique hashes and paths.""" |
3 | 3 |
4 from plaso.analysis import interface | 4 from plaso.analysis import interface |
5 from plaso.analysis import manager | 5 from plaso.analysis import manager |
6 from plaso.containers import reports | 6 from plaso.containers import reports |
7 | 7 |
8 | 8 |
9 class FileHashesPlugin(interface.AnalysisPlugin): | 9 class FileHashesPlugin(interface.AnalysisPlugin): |
10 """A plugin for generating a list of file paths and corresponding hashes.""" | 10 """A plugin for generating a list of file paths and corresponding hashes.""" |
11 | 11 |
12 NAME = u'file_hashes' | 12 NAME = u'file_hashes' |
13 | 13 |
14 # Indicate that we can run this plugin during regular extraction. | 14 # Indicate that we can run this plugin during regular extraction. |
15 ENABLE_IN_EXTRACTION = True | 15 ENABLE_IN_EXTRACTION = True |
16 | 16 |
17 def __init__(self): | 17 def __init__(self): |
18 """Initializes the unique hashes plugin.""" | 18 """Initializes the unique hashes plugin.""" |
19 super(FileHashesPlugin, self).__init__() | 19 super(FileHashesPlugin, self).__init__() |
20 self._paths_with_hashes = {} | 20 self._paths_with_hashes = {} |
21 | 21 |
22 def ExamineEvent(self, mediator, event): | 22 def ExamineEvent(self, mediator, event): |
23 """Analyzes an event and creates extracts hashes as required. | 23 """Analyzes an event and creates extracts hashes as required. |
24 | 24 |
25 Args: | 25 Args: |
26 mediator (AnalysisMediator): mediates interactions between | 26 mediator (AnalysisMediator): mediates interactions between |
27 analysis plugins and other components, such as storage and dfvfs. | 27 analysis plugins and other components, such as storage and dfvfs. |
28 event (EventObject): event to examine. | 28 event (EventObject): event to examine. |
29 """ | 29 """ |
30 pathspec = getattr(event, u'pathspec', None) | 30 path_specification = getattr(event, u'pathspec', None) |
31 if pathspec is None: | 31 if path_specification is None: |
32 return | 32 return |
33 if self._paths_with_hashes.get(pathspec, None): | 33 |
34 # We've already processed an event with this pathspec and extracted the | 34 if self._paths_with_hashes.get(path_specification, None): |
35 # hashes from it. | 35 # We've already processed an event with this path_specification and |
| 36 # extracted the hashes from it. |
36 return | 37 return |
| 38 |
37 hash_attributes = {} | 39 hash_attributes = {} |
38 for attribute_name, attribute_value in event.GetAttributes(): | 40 for attribute_name, attribute_value in event.GetAttributes(): |
39 if attribute_name.endswith(u'_hash'): | 41 if attribute_name.endswith(u'_hash'): |
40 hash_attributes[attribute_name] = attribute_value | 42 hash_attributes[attribute_name] = attribute_value |
41 self._paths_with_hashes[pathspec] = hash_attributes | |
42 | 43 |
43 def _GeneratePathString(self, mediator, pathspec, hashes): | 44 self._paths_with_hashes[path_specification] = hash_attributes |
44 """Generates a string containing a pathspec and its hashes. | 45 |
| 46 def _GeneratePathString(self, mediator, path_specification, hashes): |
| 47 """Generates a string containing a path specification and its hashes. |
45 | 48 |
46 Args: | 49 Args: |
47 mediator (AnalysisMediator): mediates interactions between analysis | 50 mediator (AnalysisMediator): mediates interactions between analysis |
48 plugins and other components, such as storage and dfvfs. | 51 plugins and other components, such as storage and dfvfs. |
49 pathspec (dfvfs.Pathspec): the path specification) to generate a string | 52 path_specification (dfvfs.Pathspec): the path specification to generate |
50 for. | 53 a string for. |
51 hashes (dict[str, str]): mapping of hash attribute names to the value of | 54 hashes (dict[str, str]): mapping of hash attribute names to the value of |
52 that hash for the path specification being processed. | 55 that hash for the path specification being processed. |
53 | 56 |
54 Returns: | 57 Returns: |
55 str: string of the form "display_name: hash_type=hash_value". For example, | 58 str: string of the form "display_name: hash_type=hash_value". For example, |
56 "OS:/path/spec: test_hash=4 other_hash=5". | 59 "OS:/path/spec: test_hash=4 other_hash=5". |
57 """ | 60 """ |
58 display_name = mediator.GetDisplayName(pathspec) | 61 display_name = mediator.GetDisplayName(path_specification) |
59 path_string = u'{0:s}:'.format(display_name) | 62 path_string = u'{0:s}:'.format(display_name) |
60 for hash_name, hash_value in sorted(hashes.items()): | 63 for hash_name, hash_value in sorted(hashes.items()): |
61 path_string = u'{0:s} {1:s}={2:s}'.format( | 64 path_string = u'{0:s} {1:s}={2:s}'.format( |
62 path_string, hash_name, hash_value) | 65 path_string, hash_name, hash_value) |
63 return path_string | 66 return path_string |
64 | 67 |
65 def CompileReport(self, mediator): | 68 def CompileReport(self, mediator): |
66 """Compiles an analysis report. | 69 """Compiles an analysis report. |
67 | 70 |
68 Args: | 71 Args: |
69 mediator (AnalysisMediator): mediates interactions between analysis | 72 mediator (AnalysisMediator): mediates interactions between analysis |
70 plugins and other components, such as storage and dfvfs. | 73 plugins and other components, such as storage and dfvfs. |
71 | 74 |
72 Returns: | 75 Returns: |
73 AnalysisReport: report. | 76 AnalysisReport: report. |
74 """ | 77 """ |
75 lines_of_text = [u'Listing file paths and hashes'] | 78 lines_of_text = [u'Listing file paths and hashes'] |
76 for pathspec, hashes in sorted( | 79 for path_specification, hashes in sorted( |
77 self._paths_with_hashes.items(), | 80 self._paths_with_hashes.items(), |
78 key=lambda tuple: tuple[0].comparable): | 81 key=lambda tuple: tuple[0].comparable): |
79 | 82 |
80 path_string = self._GeneratePathString(mediator, pathspec, hashes) | 83 path_string = self._GeneratePathString( |
| 84 mediator, path_specification, hashes) |
81 lines_of_text.append(path_string) | 85 lines_of_text.append(path_string) |
82 | 86 |
83 lines_of_text.append(u'') | 87 lines_of_text.append(u'') |
84 report_text = u'\n'.join(lines_of_text) | 88 report_text = u'\n'.join(lines_of_text) |
85 return reports.AnalysisReport(plugin_name=self.NAME, text=report_text) | 89 return reports.AnalysisReport(plugin_name=self.NAME, text=report_text) |
86 | 90 |
87 | 91 |
88 manager.AnalysisPluginManager.RegisterPlugin(FileHashesPlugin) | 92 manager.AnalysisPluginManager.RegisterPlugin(FileHashesPlugin) |
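Review bot: `_GeneratePathString` formats `display_name` straight into a report line and `CompileReport` joins the lines with `u'\n'`, so the one-entry-per-line layout of the report holds only if a display name never contains a line break. File names come from the evidence being analysed, and whether `mediator.GetDisplayName` escapes control characters is not visible on this page, so that should be confirmed. If it does not, escape them before formatting, for example `display_name = display_name.replace(u'\r', u'\\r').replace(u'\n', u'\\n')`. Separately, the guard in `ExamineEvent` tests the truthiness of the stored dict, so a path whose first event carried no `_hash` attribute is stored as `{}` and rescanned on every later event. If that is intended, the comment above the `return` should say so, since it currently reads as if any earlier event is enough to skip.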