Rietveld Code Review Tool

Issue 340110043: [plaso] Added fseventd parser #1467 (Closed)

Created:
6 years, 2 months ago by onager
Modified:
6 years, 2 months ago
Reviewers:
Joachim Metz
CC:
jberggren, romaing, kiddi, log2timeline-dev_googlegroups.com, aaronp
Visibility:
Public.

Description

[plaso] Added fseventd parser #1467

Patch Set 1 #

Total comments: 61

Patch Set 2 : Changes after review #

Patch Set 3 : Changes after review #

Total comments: 23

Patch Set 4 : Changes after review #

Total comments: 70

Patch Set 5 : Changes after review #

Total comments: 12

Patch Set 6 : Changes after review #

Total comments: 10

Patch Set 7 : Changes after review #

Stats: +401 lines, -21 lines
M plaso/engine/worker.py: 2 chunks, +0 lines, -5 lines, 0 comments
M plaso/formatters/__init__.py (delta from patch sets 1 2 3 4 5 6): 1 chunk, +1 line, -0 lines, 0 comments
A plaso/formatters/fseventsd.py (delta from patch sets 1 2 3 4 5 6): 1 chunk, +99 lines, -0 lines, 0 comments
M plaso/lib/definitions.py (delta from patch sets 1 2 3 4 5 6): 1 chunk, +1 line, -0 lines, 0 comments
M plaso/parsers/__init__.py: 1 chunk, +1 line, -0 lines, 0 comments
A plaso/parsers/fseventsd.py (delta from patch sets 1 2 3 4 5 6): 1 chunk, +189 lines, -0 lines, 0 comments
M plaso/parsers/presets.py (delta from patch sets 1 2 3 4 5 6): 2 chunks, +6 lines, -6 lines, 0 comments
A test_data/fsevents-00000000001a0b79: binary file, 0 comments
A test_data/fsevents-0000000002d89b58: binary file, 0 comments
A + tests/formatters/fseventsd.py (delta from patch sets 1 2 3 4 5 6): 1 chunk, +8 lines, -8 lines, 0 comments
M tests/formatters/test_lib.py (delta from patch sets 1 2 3 4 5): 1 chunk, +2 lines, -2 lines, 0 comments
A tests/parsers/fseventsd.py (delta from patch sets 1 2 3 4 5 6): 1 chunk, +94 lines, -0 lines, 0 comments

Messages

Total messages: 28
onager
6 years, 2 months ago (2018-01-04 16:09:33 UTC) #1
Joachim Metz
Initial comments https://codereview.appspot.com/340110043/diff/1/plaso/engine/worker.py File plaso/engine/worker.py (left): https://codereview.appspot.com/340110043/diff/1/plaso/engine/worker.py#oldcode73 plaso/engine/worker.py:73: _FSEVENTSD_FILE_RE = re.compile(r'^[0-9a-fA-F]{16}$') side topic: do we ...
6 years, 2 months ago (2018-01-04 20:34:58 UTC) #2
Joachim Metz
https://codereview.appspot.com/340110043/diff/1/plaso/parsers/fseventsd.py File plaso/parsers/fseventsd.py (right): https://codereview.appspot.com/340110043/diff/1/plaso/parsers/fseventsd.py#newcode59 plaso/parsers/fseventsd.py:59: """Parses a SLD header from a stream. Maybe it ...
6 years, 2 months ago (2018-01-04 20:39:30 UTC) #3
Joachim Metz
https://codereview.appspot.com/340110043/diff/1/plaso/parsers/fseventsd.py File plaso/parsers/fseventsd.py (right): https://codereview.appspot.com/340110043/diff/1/plaso/parsers/fseventsd.py#newcode162 plaso/parsers/fseventsd.py:162: 'sld_record', I meant dls1_header
6 years, 2 months ago (2018-01-04 21:18:06 UTC) #4
onager
Code updated.
6 years, 2 months ago (2018-01-12 21:18:42 UTC) #5
onager
Code updated.
6 years, 2 months ago (2018-01-12 21:32:01 UTC) #6
onager
https://codereview.appspot.com/340110043/diff/1/plaso/engine/worker.py File plaso/engine/worker.py (left): https://codereview.appspot.com/340110043/diff/1/plaso/engine/worker.py#oldcode73 plaso/engine/worker.py:73: _FSEVENTSD_FILE_RE = re.compile(r'^[0-9a-fA-F]{16}$') On 2018/01/04 20:34:56, Joachim Metz wrote: ...
6 years, 2 months ago (2018-01-12 21:32:16 UTC) #7
Joachim Metz
https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.py File plaso/parsers/fseventsd.py (right): https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.py#newcode38 plaso/parsers/fseventsd.py:38: super(FseventsdEventData, self).__init__() + data_type=self.DATA_TYPE https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.py#newcode53 plaso/parsers/fseventsd.py:53: # The version ...
6 years, 2 months ago (2018-01-15 07:33:58 UTC) #8
onager
https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.py File plaso/parsers/fseventsd.py (right): https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.py#newcode38 plaso/parsers/fseventsd.py:38: super(FseventsdEventData, self).__init__() On 2018/01/15 07:33:58, Joachim Metz wrote: > ...
6 years, 2 months ago (2018-01-19 05:05:11 UTC) #9
onager
Code updated.
6 years, 2 months ago (2018-01-19 05:10:03 UTC) #10
Joachim Metz
https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.py File plaso/parsers/fseventsd.py (right): https://codereview.appspot.com/340110043/diff/40001/plaso/parsers/fseventsd.py#newcode134 plaso/parsers/fseventsd.py:134: # Node identifier is only set in DLS V2 ...
6 years, 2 months ago (2018-01-19 05:55:03 UTC) #11
onager
Code updated.
6 years, 2 months ago (2018-01-19 09:04:41 UTC) #12
onager
https://codereview.appspot.com/340110043/diff/60001/plaso/engine/worker.py File plaso/engine/worker.py (left): https://codereview.appspot.com/340110043/diff/60001/plaso/engine/worker.py#oldcode287 plaso/engine/worker.py:287: if len(path_segments) == 2 and path_segments[0].lower() == '.fseventsd': On ...
6 years, 2 months ago (2018-01-19 09:06:40 UTC) #13
Joachim Metz
https://codereview.appspot.com/340110043/diff/60001/plaso/engine/worker.py File plaso/engine/worker.py (left): https://codereview.appspot.com/340110043/diff/60001/plaso/engine/worker.py#oldcode287 plaso/engine/worker.py:287: if len(path_segments) == 2 and path_segments[0].lower() == '.fseventsd': my ...
6 years, 2 months ago (2018-01-19 09:25:32 UTC) #14
onager
https://codereview.appspot.com/340110043/diff/60001/plaso/engine/worker.py File plaso/engine/worker.py (left): https://codereview.appspot.com/340110043/diff/60001/plaso/engine/worker.py#oldcode287 plaso/engine/worker.py:287: if len(path_segments) == 2 and path_segments[0].lower() == '.fseventsd': On ...
6 years, 2 months ago (2018-01-19 10:39:23 UTC) #15
Joachim Metz
https://codereview.appspot.com/340110043/diff/60001/plaso/engine/worker.py File plaso/engine/worker.py (left): https://codereview.appspot.com/340110043/diff/60001/plaso/engine/worker.py#oldcode287 plaso/engine/worker.py:287: if len(path_segments) == 2 and path_segments[0].lower() == '.fseventsd': I ...
6 years, 2 months ago (2018-01-20 16:52:17 UTC) #16
Joachim Metz
https://codereview.appspot.com/340110043/diff/80001/plaso/formatters/fseventsd.py File plaso/formatters/fseventsd.py (right): https://codereview.appspot.com/340110043/diff/80001/plaso/formatters/fseventsd.py#newcode25 plaso/formatters/fseventsd.py:25: _OBJECT_TYPE_MASKS = { Based on the description http://nicoleibrahim.com/apple-fsevents-forensics/ these ...
6 years, 2 months ago (2018-01-20 17:28:45 UTC) #17
Joachim Metz
https://codereview.appspot.com/340110043/diff/80001/plaso/parsers/fseventsd.py File plaso/parsers/fseventsd.py (right): https://codereview.appspot.com/340110043/diff/80001/plaso/parsers/fseventsd.py#newcode26 plaso/parsers/fseventsd.py:26: flags (int): object type and event flags stored in ...
6 years, 2 months ago (2018-01-20 17:33:07 UTC) #18
onager
Code updated.
6 years, 2 months ago (2018-01-21 01:59:10 UTC) #19
onager
https://codereview.appspot.com/340110043/diff/60001/plaso/engine/worker.py File plaso/engine/worker.py (left): https://codereview.appspot.com/340110043/diff/60001/plaso/engine/worker.py#oldcode287 plaso/engine/worker.py:287: if len(path_segments) == 2 and path_segments[0].lower() == '.fseventsd': On ...
6 years, 2 months ago (2018-01-21 01:59:14 UTC) #20
Joachim Metz
one question about the event flags remaining, otherwise nearly there. https://codereview.appspot.com/340110043/diff/60001/plaso/parsers/fseventsd.py File plaso/parsers/fseventsd.py (right): https://codereview.appspot.com/340110043/diff/60001/plaso/parsers/fseventsd.py#newcode28 ...
6 years, 2 months ago (2018-01-21 07:54:47 UTC) #21
Joachim Metz
https://codereview.appspot.com/340110043/diff/100001/plaso/parsers/fseventsd.py File plaso/parsers/fseventsd.py (right): https://codereview.appspot.com/340110043/diff/100001/plaso/parsers/fseventsd.py#newcode59 plaso/parsers/fseventsd.py:59: construct.CString('filename'), filename => path https://codereview.appspot.com/340110043/diff/100001/plaso/parsers/fseventsd.py#newcode67 plaso/parsers/fseventsd.py:67: construct.CString('filename'), filename => ...
6 years, 2 months ago (2018-01-21 08:58:11 UTC) #22
onager
https://codereview.appspot.com/340110043/diff/100001/plaso/formatters/fseventsd.py File plaso/formatters/fseventsd.py (right): https://codereview.appspot.com/340110043/diff/100001/plaso/formatters/fseventsd.py#newcode27 plaso/formatters/fseventsd.py:27: # those described in https://developer.apple.com/documentation/coreservices/core_services_enumerations/1455361-fseventstreameventflags On 2018/01/21 07:54:47, Joachim ...
6 years, 2 months ago (2018-01-24 06:11:45 UTC) #23
Joachim Metz
https://codereview.appspot.com/340110043/diff/100001/plaso/formatters/fseventsd.py File plaso/formatters/fseventsd.py (right): https://codereview.appspot.com/340110043/diff/100001/plaso/formatters/fseventsd.py#newcode27 plaso/formatters/fseventsd.py:27: # those described in https://developer.apple.com/documentation/coreservices/core_services_enumerations/1455361-fseventstreameventflags at the moment I ...
6 years, 2 months ago (2018-01-24 06:46:20 UTC) #24
onager
Code updated.
6 years, 2 months ago (2018-01-25 14:00:54 UTC) #25
onager
https://codereview.appspot.com/340110043/diff/100001/plaso/formatters/fseventsd.py File plaso/formatters/fseventsd.py (right): https://codereview.appspot.com/340110043/diff/100001/plaso/formatters/fseventsd.py#newcode27 plaso/formatters/fseventsd.py:27: # those described in https://developer.apple.com/documentation/coreservices/core_services_enumerations/1455361-fseventstreameventflags On 2018/01/24 06:46:20, Joachim ...
6 years, 2 months ago (2018-01-25 14:01:30 UTC) #26
Joachim Metz
LGTM, thx for adding this
6 years, 2 months ago (2018-01-25 21:45:34 UTC) #27
onager
6 years, 2 months ago (2018-01-26 01:15:25 UTC) #28
Changes have been merged with master branch. To close the review and clean up
the feature branch you can run: review.py close fsevents