LEFT | RIGHT |
---|---|
1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """The output mediator object.""" | 2 """The output mediator object.""" |
3 | 3 |
4 from plaso.formatters import manager as formatters_manager | 4 from plaso.formatters import manager as formatters_manager |
5 from plaso.lib import definitions | 5 from plaso.lib import definitions |
6 | 6 |
7 import pytz # pylint: disable=wrong-import-order | 7 import pytz # pylint: disable=wrong-import-order |
8 | 8 |
9 | 9 |
10 class OutputMediator(object): | 10 class OutputMediator(object): |
11 """Class that implements the output mediator. | 11 """Output mediator. |
12 | 12 |
13 Attributes: | 13 Attributes: |
14 fields_filter (FilterObject): filter object that indicates | 14 fields_filter (FilterObject): filter object that indicates |
15 which fields to output. | 15 which fields to output. |
16 """ | 16 """ |
17 | 17 |
18 def __init__( | 18 def __init__( |
19 self, knowledge_base, formatter_mediator, fields_filter=None, | 19 self, knowledge_base, formatter_mediator, fields_filter=None, |
20 preferred_encoding=u'utf-8'): | 20 preferred_encoding=u'utf-8'): |
21 """Initializes a output mediator object. | 21 """Initializes an output mediator. |
22 | 22 |
23 Args: | 23 Args: |
24 knowledge_base (KnowledgeBase): knowledge base. | 24 knowledge_base (KnowledgeBase): knowledge base. |
25 formatter_mediator (FormatterMediator): formatter mediator. | 25 formatter_mediator (FormatterMediator): formatter mediator. |
26 fields_filter (Optional[FilterObject]): filter object that indicates | 26 fields_filter (Optional[FilterObject]): filter object that indicates |
27 which fields to output. | 27 which fields to output. |
28 preferred_encoding (Optional[str]): preferred encoding to output. | 28 preferred_encoding (Optional[str]): preferred encoding to output. |
29 """ | 29 """ |
30 super(OutputMediator, self).__init__() | 30 super(OutputMediator, self).__init__() |
31 self._formatter_mediator = formatter_mediator | 31 self._formatter_mediator = formatter_mediator |
32 self._knowledge_base = knowledge_base | 32 self._knowledge_base = knowledge_base |
33 self._preferred_encoding = preferred_encoding | 33 self._preferred_encoding = preferred_encoding |
34 self._timezone = pytz.UTC | 34 self._timezone = pytz.UTC |
35 | 35 |
36 self.fields_filter = fields_filter | 36 self.fields_filter = fields_filter |
37 | 37 |
38 @property | 38 @property |
39 def encoding(self): | 39 def encoding(self): |
40 """The preferred encoding.""" | 40 """str: preferred encoding.""" |
41 return self._preferred_encoding | 41 return self._preferred_encoding |
42 | 42 |
43 @property | 43 @property |
44 def filter_expression(self): | 44 def filter_expression(self): |
45 """The filter expression if a filter is set, None otherwise.""" | 45 """str: filter expression if a filter is set, None otherwise.""" |
46 if not self.fields_filter: | 46 if not self.fields_filter: |
47 return | 47 return |
48 | 48 |
49 return self.fields_filter.filter_expression | 49 return self.fields_filter.filter_expression |
50 | 50 |
51 @property | 51 @property |
52 def timezone(self): | 52 def timezone(self): |
53 """The timezone.""" | 53 """The timezone.""" |
54 return self._timezone | 54 return self._timezone |
55 | 55 |
56 def GetEventFormatter(self, event): | 56 def GetEventFormatter(self, event): |
57 """Retrieves the event formatter for a specific event type. | 57 """Retrieves the event formatter for a specific event type. |
58 | 58 |
59 Args: | 59 Args: |
60 event (EventObject): event. | 60 event (EventObject): event. |
61 | 61 |
62 Returns: | 62 Returns: |
63 The event formatter object (instance of EventFormatter) or None. | 63 EventFormatter: event formatter or None. |
64 """ | 64 """ |
65 data_type = getattr(event, u'data_type', None) | 65 data_type = getattr(event, u'data_type', None) |
66 if not data_type: | 66 if not data_type: |
67 return | 67 return |
68 | 68 |
69 return formatters_manager.FormattersManager.GetFormatterObject( | 69 return formatters_manager.FormattersManager.GetFormatterObject( |
70 event.data_type) | 70 event.data_type) |
71 | 71 |
72 def GetFormattedMessages(self, event): | 72 def GetFormattedMessages(self, event): |
73 """Retrieves the formatted messages related to the event. | 73 """Retrieves the formatted messages related to the event. |
(...skipping 79 matching lines...)
153 data_type = getattr(event, u'data_type', None) | 153 data_type = getattr(event, u'data_type', None) |
154 if not data_type: | 154 if not data_type: |
155 return u'....' | 155 return u'....' |
156 | 156 |
157 # The filestat parser is somewhat limited. | 157 # The filestat parser is somewhat limited. |
158 if data_type == u'fs:stat': | 158 if data_type == u'fs:stat': |
159 descriptions = event.timestamp_desc.split(u';') | 159 descriptions = event.timestamp_desc.split(u';') |
160 | 160 |
161 return_characters = [u'.', u'.', u'.', u'.'] | 161 return_characters = [u'.', u'.', u'.', u'.'] |
162 for description in descriptions: | 162 for description in descriptions: |
163 if description == u'mtime': | 163 if description in ( |
164 u'mtime', definitions.TIME_DESCRIPTION_MODIFICATION): | |
164 return_characters[0] = u'M' | 165 return_characters[0] = u'M' |
165 elif description == u'atime': | 166 elif description in ( |
167 u'atime', definitions.TIME_DESCRIPTION_LAST_ACCESS): | |
166 return_characters[1] = u'A' | 168 return_characters[1] = u'A' |
167 elif description == u'ctime': | 169 elif description in ( |
170 u'ctime', definitions.TIME_DESCRIPTION_CHANGE): | |
168 return_characters[2] = u'C' | 171 return_characters[2] = u'C' |
169 elif description == u'crtime': | 172 elif description in ( |
173 u'crtime', definitions.TIME_DESCRIPTION_CREATION): | |
170 return_characters[3] = u'B' | 174 return_characters[3] = u'B' |
171 | 175 |
172 return u''.join(return_characters) | 176 return u''.join(return_characters) |
173 | 177 |
174 # Access time. | 178 # Access time. |
175 if event.timestamp_desc in [ | 179 if event.timestamp_desc in [ |
176 definitions.TIME_DESCRIPTION_LAST_ACCESS, | 180 definitions.TIME_DESCRIPTION_LAST_ACCESS, |
177 definitions.TIME_DESCRIPTION_ACCOUNT_CREATED, | 181 definitions.TIME_DESCRIPTION_ACCOUNT_CREATED, |
178 definitions.TIME_DESCRIPTION_LAST_VISITED, | 182 definitions.TIME_DESCRIPTION_LAST_VISITED, |
179 definitions.TIME_DESCRIPTION_START, | 183 definitions.TIME_DESCRIPTION_START, |
(...skipping 22 matching lines...)
202 | 206 |
203 # Metadata modification. | 207 # Metadata modification. |
204 if event.timestamp_desc in [ | 208 if event.timestamp_desc in [ |
205 definitions.TIME_DESCRIPTION_CHANGE, | 209 definitions.TIME_DESCRIPTION_CHANGE, |
206 definitions.TIME_DESCRIPTION_ENTRY_MODIFICATION]: | 210 definitions.TIME_DESCRIPTION_ENTRY_MODIFICATION]: |
207 return u'..C.' | 211 return u'..C.' |
208 | 212 |
209 return u'....' | 213 return u'....' |
210 | 214 |
211 def GetMACBRepresentationFromDescriptions(self, timestamp_descriptions): | 215 def GetMACBRepresentationFromDescriptions(self, timestamp_descriptions): |
212 """Determines the MACB representation from the timestamp descriptions. | 216 """Determines the MACB representation from the timestamp descriptions. |
onager
2017/07/18 14:33:16
Please make this more descriptive, explaining what
Joachim Metz
2017/07/19 03:54:03
Done.
| |
213 | 217 |
214 Args: | 218 MACB representation is a shorthand for representing one or more of |
215 timestamp_descriptions (list[str]): timestamp descriptions. | 219 modification, access, change, birth timestamp descriptions as the letters |
onager
2017/07/18 14:33:16
Please add a mention that these strings should be
Joachim Metz
2017/07/19 03:54:02
Done.
| |
220 "MACB" or a "." if the corresponding timestamp is not set. | |
221 | |
222 Note that this is an output format shorthand and does not guarantee that | |
223 the timestamps represent the same occurence. | |
224 | |
225 Args: | |
226 timestamp_descriptions (list[str]): timestamp descriptions, which are | |
227 defined in definitions.TIME_DESCRIPTIONS. | |
216 | 228 |
217 Returns: | 229 Returns: |
218 str: MACB representation. | 230 str: MACB representation. |
219 """ | 231 """ |
220 macb_representation = [] | 232 macb_representation = [] |
221 | 233 |
222 if (u'mtime' in timestamp_descriptions or | 234 if (u'mtime' in timestamp_descriptions or |
223 definitions.TIME_DESCRIPTION_MODIFICATION in timestamp_descriptions): | 235 definitions.TIME_DESCRIPTION_MODIFICATION in timestamp_descriptions): |
224 macb_representation.append(u'M') | 236 macb_representation.append(u'M') |
225 else: | 237 else: |
(...skipping 60 matching lines...)
286 Raises: | 298 Raises: |
287 ValueError: if the timezone is not supported. | 299 ValueError: if the timezone is not supported. |
288 """ | 300 """ |
289 if not timezone: | 301 if not timezone: |
290 return | 302 return |
291 | 303 |
292 try: | 304 try: |
293 self._timezone = pytz.timezone(timezone) | 305 self._timezone = pytz.timezone(timezone) |
294 except pytz.UnknownTimeZoneError: | 306 except pytz.UnknownTimeZoneError: |
295 raise ValueError(u'Unsupported timezone: {0:s}'.format(timezone)) | 307 raise ValueError(u'Unsupported timezone: {0:s}'.format(timezone)) |
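Review bot: The new `description in (u'mtime', definitions.TIME_DESCRIPTION_MODIFICATION)` tests in the fs:stat branch (new lines 163-173) repeat the short-name/constant pairs that GetMACBRepresentationFromDescriptions spells out separately (visible for M at new lines 234-235), so the two MACB mappings can drift apart, and a description known to only one of them would silently print as `.` in that output. A single class-level table used by both places would keep them in step; the sketch below shows it for the fs:stat loop, whose enclosing method starts in the collapsed lines above it. The added docstring also says the descriptions are defined in definitions.TIME_DESCRIPTIONS while the code still accepts `u'mtime'` and the other short names, which is worth stating there, and `occurence` on new line 223 should read `occurrence`.

```python
  # Maps a timestamp description to its position and letter in "MACB".
  _MACB_BY_DESCRIPTION = {
      u'mtime': (0, u'M'),
      definitions.TIME_DESCRIPTION_MODIFICATION: (0, u'M'),
      u'atime': (1, u'A'),
      definitions.TIME_DESCRIPTION_LAST_ACCESS: (1, u'A'),
      u'ctime': (2, u'C'),
      definitions.TIME_DESCRIPTION_CHANGE: (2, u'C'),
      u'crtime': (3, u'B'),
      definitions.TIME_DESCRIPTION_CREATION: (3, u'B')}

  # … unchanged: data_type lookup and the fs:stat check …
      return_characters = [u'.', u'.', u'.', u'.']
      for description in descriptions:
        index, letter = self._MACB_BY_DESCRIPTION.get(
            description, (None, None))
        if letter:
          return_characters[index] = letter
```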