Rietveld Code Review Tool

Issue 340110043: [plaso] Added fseventd parsers #1467

Created: 1 week, 4 days ago by onager
Modified: 5 hours, 1 minute ago
Reviewers: Joachim Metz
CC: jberggren, romaing, kiddi, log2timeline-dev_googlegroups.com, aaronp
Visibility: Public.

Description

[plaso] Added fseventd parsers #1467

Patch Set 1 #

Total comments: 61

Patch Set 2 : Changes after review #

Patch Set 3 : Changes after review #

Total comments: 11
Stats (+401 lines, -15 lines)
M plaso/engine/worker.py: 2 chunks, +0 lines, -5 lines, 0 comments
M plaso/formatters/__init__.py: 1 chunk, +1 line, -0 lines, 0 comments
A plaso/formatters/fseventsd.py: 1 chunk, +108 lines, -0 lines, 0 comments
M plaso/lib/definitions.py: 1 chunk, +1 line, -0 lines, 0 comments
M plaso/parsers/__init__.py: 1 chunk, +1 line, -0 lines, 0 comments
A plaso/parsers/fseventsd.py: 1 chunk, +200 lines, -0 lines, 10 comments
M plaso/parsers/presets.py: 2 chunks, +3 lines, -3 lines, 0 comments
A test_data/fsevents-00000000001a0b79: binary file, 0 comments
A test_data/fsevents-0000000002d89b58: binary file, 0 comments
A + tests/formatters/fseventsd.py: 2 chunks, +8 lines, -7 lines, 0 comments
A tests/parsers/fseventsd.py: 1 chunk, +79 lines, -0 lines, 1 comment

Messages

Total messages: 8
onager
1 week, 4 days ago (2018-01-04 16:09:33 UTC) #1
Joachim Metz
Initial comments https://codereview.appspot.com/340110043/diff/1/plaso/engine/worker.py File plaso/engine/worker.py (left): https://codereview.appspot.com/340110043/diff/1/plaso/engine/worker.py#oldcode73 plaso/engine/worker.py:73: _FSEVENTSD_FILE_RE = re.compile(r'^[0-9a-fA-F]{16}$') side topic: do we ...
1 week, 4 days ago (2018-01-04 20:34:58 UTC) #2
Joachim Metz
https://codereview.appspot.com/340110043/diff/1/plaso/parsers/fseventsd.py File plaso/parsers/fseventsd.py (right): https://codereview.appspot.com/340110043/diff/1/plaso/parsers/fseventsd.py#newcode59 plaso/parsers/fseventsd.py:59: """Parses a SLD header from a stream. Maybe it ...
1 week, 4 days ago (2018-01-04 20:39:30 UTC) #3
Joachim Metz
https://codereview.appspot.com/340110043/diff/1/plaso/parsers/fseventsd.py File plaso/parsers/fseventsd.py (right): https://codereview.appspot.com/340110043/diff/1/plaso/parsers/fseventsd.py#newcode162 plaso/parsers/fseventsd.py:162: 'sld_record', I meant dls1_header
1 week, 4 days ago (2018-01-04 21:18:06 UTC) #4
onager
Code updated.
3 days, 14 hours ago (2018-01-12 21:18:42 UTC) #5
onager
Code updated.
3 days, 14 hours ago (2018-01-12 21:32:01 UTC) #6
onager
https://codereview.appspot.com/340110043/diff/1/plaso/engine/worker.py File plaso/engine/worker.py (left): https://codereview.appspot.com/340110043/diff/1/plaso/engine/worker.py#oldcode73 plaso/engine/worker.py:73: _FSEVENTSD_FILE_RE = re.compile(r'^[0-9a-fA-F]{16}$') On 2018/01/04 20:34:56, Joachim Metz wrote: ...
3 days, 14 hours ago (2018-01-12 21:32:16 UTC) #7
Joachim Metz
1 day, 4 hours ago (2018-01-15 07:33:58 UTC) #8
https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.py
File plaso/parsers/fseventsd.py (right):

https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.p...
plaso/parsers/fseventsd.py:38: super(FseventsdEventData, self).__init__()
+ data_type=self.DATA_TYPE

https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.p...
plaso/parsers/fseventsd.py:53: # The version 1 format was used in Mac OS X 10.5
(Leopard) through macOS 10.12
I opt to move these comments to the docstring.

https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.p...
plaso/parsers/fseventsd.py:93: 
- 1x whiteline

https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.p...
plaso/parsers/fseventsd.py:96: """Parses a DLS header from a stream.
stream => file-like object.

https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.p...
plaso/parsers/fseventsd.py:103: int: the version of the header that was parsed,
either 1 or 2.
version => format version

https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.p...
plaso/parsers/fseventsd.py:111: for version, header_type in headers.items():
since _DLS_HEADER_V1 and _DLS_HEADER_V2 are the same structure, why not read the
structure and check the signature?

This will make the code more straightforward

https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.p...
plaso/parsers/fseventsd.py:134: # Node identifier is only set in DLS V2 records.
if you pass format_version and check format_version >= 2 this comment will
become clear from the code.

https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.p...
plaso/parsers/fseventsd.py:155: dfdatetime.DateTimeValues: time values, or None
if not available.
time values, or => parent modification time or

https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.p...
plaso/parsers/fseventsd.py:173: version, header =
self._ParseDLSHeader(file_object)
version => format_version

https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.p...
plaso/parsers/fseventsd.py:178: #
https://github.com/log2timeline/dfdatetime/issues/65 is resolved.
Please explain in the comment that you need timespan support here

https://codereview.appspot.com/340110043/diff/40001/tests/parsers/fseventsd.py
File tests/parsers/fseventsd.py (right):

https://codereview.appspot.com/340110043/diff/40001/tests/parsers/fseventsd.p...
tests/parsers/fseventsd.py:75: self.assertEqual(event.timestamp,
expected_timestamp)
Please add a messages (formatter) test as well
Sign in to reply to this message.
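
The two suggestions in message #8 for plaso/parsers/fseventsd.py (read the header structure once and check its signature, then pass `format_version` and test `format_version >= 2`) can be sketched as below. This is an added example, not code from the change list or from plaso. The header layout, the `1SLD`/`2SLD` signatures and the record layout are assumptions taken from public descriptions of the fseventsd format, and every function name and sample value is hypothetical.

```python
import struct

# Assumed layout, not shown on the page: 4-byte signature, 4 padding bytes,
# little-endian uint32 page size that includes the 12-byte header.
_DLS_HEADER = struct.Struct('<4s4xI')
_SIGNATURE_TO_VERSION = {b'1SLD': 1, b'2SLD': 2}

def parse_dls_header(file_object):
  """Reads the header once; the signature alone selects the format version."""
  data = file_object.read(_DLS_HEADER.size)
  if len(data) != _DLS_HEADER.size:
    raise ValueError('truncated DLS page header')
  signature, page_size = _DLS_HEADER.unpack(data)
  if signature not in _SIGNATURE_TO_VERSION:
    raise ValueError('unsupported signature: {0!r}'.format(signature))
  if page_size < _DLS_HEADER.size:
    raise ValueError('page size smaller than the header')
  return _SIGNATURE_TO_VERSION[signature], page_size

def parse_dls_records(page_data, format_version):
  """Parses path, event identifier, flags and (version 2) node identifier."""
  fixed = struct.Struct('<QIQ' if format_version >= 2 else '<QI')
  records, offset = [], 0
  while offset < len(page_data):
    end = page_data.find(b'\x00', offset)
    if end < 0 or end + 1 + fixed.size > len(page_data):
      raise ValueError('truncated record at offset {0:d}'.format(offset))
    values = fixed.unpack_from(page_data, end + 1)
    record = {'path': page_data[offset:end].decode('utf-8'),
              'event_identifier': values[0], 'flags': values[1]}
    if format_version >= 2:
      record['node_identifier'] = values[2]
    records.append(record)
    offset = end + 1 + fixed.size
  return records

def parse_page(file_object):
  """Parses one page from a file-like object of decompressed data."""
  format_version, page_size = parse_dls_header(file_object)
  page_data = file_object.read(page_size - _DLS_HEADER.size)
  if len(page_data) != page_size - _DLS_HEADER.size:
    raise ValueError('page data shorter than page size')
  return format_version, parse_dls_records(page_data, format_version)

def build_sample_page(signature, with_node_identifier):
  """Builds a constructed one-record page; the values are made up."""
  body = b'tmp/constructed.txt\x00' + struct.pack('<QI', 1000, 1)
  body += struct.pack('<Q', 42) if with_node_identifier else b''
  return _DLS_HEADER.pack(signature, _DLS_HEADER.size + len(body)) + body
```

Rejecting unknown signatures and short pages up front keeps a damaged or unrelated file from being silently parsed as event records.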