1 # -*- coding: utf-8 -*- | |
2 """The fseventsd event formatter.""" | |
3 | |
4 from __future__ import unicode_literals | |
5 | |
6 from plaso.formatters import interface | |
7 from plaso.formatters import manager | |
8 from plaso.lib import errors | |
9 | |
10 | |
11 class FSEventsdEventFormatter(interface.ConditionalEventFormatter): | |
12 """The fseventsd event formatter.""" | |
13 | |
14 DATA_TYPE = 'macos:fseventsd:record' | |
15 | |
16 FORMAT_STRING_PIECES = [ | |
17 '{object_type}:', '{path}', 'Changes:', '{event_types}', 'Event ID:', | |
18 '{event_identifier}' | |
19 ] | |
20 | |
21 FORMAT_STRING_SHORT_PIECES = ['{path}', '{event_types}'] | |
22 | |
23 SOURCE_SHORT = 'FSEVENT' | |
24 | |
25 _OBJECT_TYPE_MASKS = { | |
Joachim Metz
2018/01/20 17:28:44
Based on the description http://nicoleibrahim.com/
onager
2018/01/21 01:59:14
Done.
| |
26 0x00000001: 'Folder', | |
27 0x00001000: 'HardLink', | |
28 0x00004000: 'SymbolicLink', | |
29 0x00008000: 'File'} | |
30 | |
31 _EVENT_MASKS = { | |
32 0x00000000: 'None', | |
Joachim Metz
2018/01/20 16:52:17
remove none
onager
2018/01/21 01:59:14
This is documented here, and seems to be a valid f
| |
33 0x00000002: 'Mount', | |
Joachim Metz
2018/01/20 16:52:17
make these descriptions a bit more indicative of w
onager
2018/01/21 01:59:14
Added a link to the Apple documentation for the fl
| |
34 0x00000004: 'Unmount', | |
35 0x00000020: 'EndOfTransaction', | |
36 0x00000800: 'LastHardLinkRemoved', | |
37 0x00010000: 'PermissionChanged', | |
38 0x00020000: 'ExtendedAttrModified', | |
39 0x00040000: 'ExtendedAttrRemoved', | |
40 0x00100000: 'DocumentRevision', | |
41 0x00400000: 'ItemCloned', | |
42 0x01000000: 'Created', | |
43 0x02000000: 'Removed', | |
44 0x04000000: 'InodeMetaModified', | |
45 0x08000000: 'Renamed', | |
46 0x10000000: 'Modified', | |
47 0x20000000: 'Exchange', | |
48 0x40000000: 'FinderInfoModified', | |
49 0x80000000: 'FolderCreated'} | |
50 | |
51 def _GetObjectType(self, flags): | |
52 """Determines the object type for a given set of FSEvents flags. | |
53 | |
54 Args: | |
55 flags (int): fsevents record type flags. | |
56 | |
57 Returns: | |
58 str: name of the object type represented by the mask. | |
59 """ | |
60 for mask, description in self._OBJECT_TYPE_MASKS.items(): | |
61 if mask & flags: | |
62 return description | |
63 return 'UNKNOWN' | |
64 | |
65 def _GetEventTypes(self, flags): | |
66 """Determines which events are stored in a set of fsevents flags. | |
67 | |
68 Args: | |
69 flags (int): fsevents record type flags. | |
70 | |
71 Returns: | |
72 str: a comma separated string containing all the events listed in an | |
73 fsevents record. | |
74 """ | |
75 event_types = [] | |
76 for mask, description in self._EVENT_MASKS.items(): | |
77 if mask & flags: | |
78 event_types.append(description) | |
79 return ','.join(event_types) | |
80 | |
81 def GetMessages(self, unused_formatter_mediator, event): | |
82 """Determines the formatted message strings for an event object. | |
83 | |
84 Args: | |
85 formatter_mediator (FormatterMediator): mediates the interactions between | |
86 formatters and other components, such as storage and Windows EventLog | |
87 resources. | |
88 event (EventObject): event. | |
89 | |
90 Returns: | |
91 tuple(str, str): formatted message string and short message string. | |
92 | |
93 Raises: | |
94 WrongFormatter: if the event object cannot be formatted by the formatter. | |
95 """ | |
96 if self.DATA_TYPE != event.data_type: | |
97 raise errors.WrongFormatter( | |
98 'Unsupported data type: {0:s}.'.format(event.data_type)) | |
99 | |
100 event_values = event.CopyToDict() | |
101 flags = event_values['flags'] | |
102 event_values['object_type'] = self._GetObjectType(flags) | |
103 event_values['event_types'] = self._GetEventTypes(flags) | |
104 | |
105 return self._ConditionalFormatMessages(event_values) | |
106 | |
107 | |
108 manager.FormattersManager.RegisterFormatter(FSEventsdEventFormatter) | |
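Review bot: The order of the comma-separated string built in `_GetEventTypes` (line 76) depends on dict iteration order, which is not guaranteed on the Python 2 / pre-3.7 interpreters this `unicode_literals` file appears to target, so the same flags value can format differently between runs and make forensic output harder to compare or test. Iterating in a fixed order fixes this: `for mask, description in sorted(self._EVENT_MASKS.items()):`. `_GetObjectType` (line 60) has the same dependency; with more than one object-type bit set the returned name is arbitrary, so a `sorted(...)` there too, or a comment stating that the bits are assumed mutually exclusive, would make the contract explicit. In `GetMessages`, `event_values['flags']` (line 101) raises a bare `KeyError` when the attribute is missing rather than the `WrongFormatter` the docstring promises; `event_values.get('flags', 0)` or an explicit check would keep the documented behaviour. The docstring also names the parameter `formatter_mediator` while the signature uses `unused_formatter_mediator`.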