(Empty) | |
| 1 # -*- coding: utf-8 -*- |
| 2 """The Windows Registry Amcache entries event formatter.""" |
| 3 |
| 4 from plaso.formatters import interface |
| 5 from plaso.formatters import manager |
| 6 |
| 7 |
| 8 class AmcacheFormatter(interface.ConditionalEventFormatter): |
| 9 """Formatter for an Amcache Windows Registry event.""" |
| 10 |
| 11 DATA_TYPE = u'windows:registry:amcache' |
| 12 |
| 13 FORMAT_STRING_PIECES = [ |
| 14 u'path: {full_path}', |
| 15 u'sha1: {sha1}', |
| 16 u'productname: {productname}', |
| 17 u'companyname: {companyname}', |
| 18 u'fileversion: {fileversion}', |
| 19 u'languagecode: {languagecode}', |
| 20 u'filesize: {filesize}', |
| 21 u'filedescription: {filedescription}', |
| 22 u'linkerts: {linkerts}', |
| 23 u'lastmodifiedts: {lastmodifiedts}', |
| 24 u'createdts: {createdts}', |
| 25 u'programid: {programid}',] |
| 26 |
| 27 FORMAT_STRING_SHORT_PIECES = [u'path: {full_path}'] |
| 28 |
| 29 SOURCE_LONG = u'Amcache Registry Entry' |
| 30 SOURCE_SHORT = u'AMCACHE' |
| 31 |
| 32 class AmcacheProgramsFormatter(interface.ConditionalEventFormatter): |
| 33 """Formatter for an Amcache Programs Windows Registry event.""" |
| 34 |
| 35 DATA_TYPE = u'windows:registry:amcache:programs' |
| 36 |
| 37 FORMAT_STRING_PIECES = [ |
| 38 u'name: {name}', |
| 39 u'version: {version}', |
| 40 u'publisher: {publisher}', |
| 41 u'languagecode: {languagecode}', |
| 42 u'entrytype: {entrytype}', |
| 43 u'uninstallkey: {uninstallkey}', |
| 44 u'filepaths: {filepaths}', |
| 45 u'productcode: {productcode}', |
| 46 u'packagecode: {packagecode}', |
| 47 u'msiproductcode: {msiproductcode}', |
| 48 u'msipackagecode: {msipackagecode}', |
| 49 u'files: {files}',] |
| 50 |
| 51 FORMAT_STRING_SHORT_PIECES = [u'name: {name}'] |
| 52 |
| 53 SOURCE_LONG = u'Amcache Programs Registry Entry' |
| 54 SOURCE_SHORT = u'AMCACHEPROGRAM' |
| 55 |
| 56 manager.FormattersManager.RegisterFormatter(AmcacheFormatter) |
| 57 manager.FormattersManager.RegisterFormatter(AmcacheProgramsFormatter) |
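Review bot: Only one blank line separates `AmcacheFormatter` from `AmcacheProgramsFormatter` (the line just before `class AmcacheProgramsFormatter`), where PEP 8 and the rest of plaso's formatters use two, and both `FORMAT_STRING_PIECES` lists close with `u'programid: {programid}',]` / `u'files: {files}',]` rather than placing the `]` on its own line; keeping the trailing comma and moving `]` to the next line would match the file's other multi-line literals. On the `sha1` piece: the Amcache FileId value as stored in the registry is commonly the SHA-1 prefixed with four `0` characters, so if the parser passes it through unchanged the `sha1:` text in the message will not match hash-set lookups as-is — this cannot be confirmed from this file, so a comment on that piece such as `# NOTE: value may carry Amcache's leading '0000' prefix; confirm the parser strips it.` would save analysts a mismatch. The three timestamp pieces (`linkerts`, `lastmodifiedts`, `createdts`) are rendered verbatim, so whatever representation the parser stores (raw FILETIME integers or already-formatted strings) is what appears in the message alongside the event's own timestamp; a one-line class comment stating the expected form would make the output self-explanatory.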