1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """The fseventsd event formatter.""" | 2 """The fseventsd event formatter.""" |
3 | 3 |
4 from __future__ import unicode_literals | 4 from __future__ import unicode_literals |
5 | 5 |
6 from plaso.formatters import interface | 6 from plaso.formatters import interface |
7 from plaso.formatters import manager | 7 from plaso.formatters import manager |
8 from plaso.lib import errors | 8 from plaso.lib import errors |
9 | 9 |
10 | 10 |
11 class FSEventsdEventFormatter(interface.ConditionalEventFormatter): | 11 class FSEventsdEventFormatter(interface.ConditionalEventFormatter): |
12 """The fseventsd event formatter.""" | 12 """The fseventsd event formatter.""" |
13 | 13 |
14 DATA_TYPE = 'macos:fseventsd:record' | 14 DATA_TYPE = 'macos:fseventsd:record' |
15 | 15 |
16 FORMAT_STRING_PIECES = [ | 16 FORMAT_STRING_PIECES = [ |
17 '{object_type}', ':', '{path}', 'Changes:', '{event_types}', 'Event ID:', | 17 '{path}', 'Flag Values:', '{flag_values}', 'Flags:', '{hex_flags}', |
18 '{event_id}' | 18 'Event Identifier:', '{event_identifier}' |
19 ] | 19 ] |
20 | 20 |
21 FORMAT_STRING_SHORT_PIECES = ['{path}', '{event_types}'] | 21 FORMAT_STRING_SHORT_PIECES = ['{path}', '{flag_values}'] |
22 | 22 |
23 SOURCE_SHORT = 'FSEVENT' | 23 SOURCE_SHORT = 'FSEVENT' |
24 | 24 |
25 _OBJECT_TYPE_MASKS = { | 25 # pylint: disable=line-too-long |
26 0x00000001: 'Folder', | 26 # Flag values are similar, but not identical to those described in the Apple |
27 0x00001000: 'HardLink', | 27 # documentation [1]. For example, the value of the IsDir flag is 0x00020000 |
28 0x00004000: 'SymbolicLink', | 28 # but the value 0x00000001 corresponds to a change to a directory item in |
29 0x00008000: 'File'} | 29 # an fseventsd file, by observation. |
30 # [1] https://developer.apple.com/documentation/coreservices/core_services_enu merations/1455361-fseventstreameventflags | |
30 | 31 |
31 _EVENT_MASKS = { | 32 _FLAG_VALUES = { |
32 0x00000000: 'None', | 33 0x00000000: 'None', |
34 0x00000001: 'IsDirectory', | |
33 0x00000002: 'Mount', | 35 0x00000002: 'Mount', |
34 0x00000004: 'Unmount', | 36 0x00000004: 'Unmount', |
35 0x00000020: 'EndOfTransaction', | 37 0x00000020: 'EndOfTransaction', |
36 0x00000800: 'LastHardLinkRemoved', | 38 0x00000800: 'LastHardLinkRemoved', |
39 0x00001000: 'IsHardLink', | |
40 0x00004000: 'IsSymbolicLink', | |
41 0x00008000: 'IsFile', | |
37 0x00010000: 'PermissionChanged', | 42 0x00010000: 'PermissionChanged', |
38 0x00020000: 'ExtendedAttrModified', | 43 0x00020000: 'ExtendedAttributeModified', |
39 0x00040000: 'ExtendedAttrRemoved', | 44 0x00040000: 'ExtendedAttributeRemoved', |
40 0x00100000: 'DocumentRevision', | 45 0x00100000: 'DocumentRevision', |
41 0x00400000: 'Item Cloned', | 46 0x00400000: 'ItemCloned', |
42 0x01000000: 'Created', | 47 0x01000000: 'Created', |
43 0x02000000: 'Removed', | 48 0x02000000: 'Removed', |
44 0x04000000: 'InodeMetaModified', | 49 0x04000000: 'InodeMetadataModified', |
45 0x08000000: 'Renamed', | 50 0x08000000: 'Renamed', |
46 0x10000000: 'Modified', | 51 0x10000000: 'Modified', |
47 0x20000000: 'Exchange', | 52 0x20000000: 'Exchange', |
48 0x40000000: 'FinderInfoModified', | 53 0x40000000: 'FinderInfoModified', |
49 0x80000000: 'FolderCreated'} | 54 0x80000000: 'DirectoryCreated'} |
50 | 55 |
51 def _GetObjectType(self, mask): | 56 def _GetFlagValues(self, flags): |
52 """Determines the object type for a given FSEvents mask. | 57 """Determines which events are indicated by a set of fsevents flags. |
53 | 58 |
54 Args: | 59 Args: |
55 mask (int): fsevents record type mask. | 60 flags (int): fsevents record flags. |
56 | 61 |
57 Returns: | 62 Returns: |
58 str: name of the object type represented by the mask. | 63 str: a comma separated string containing descriptions of the flag values |
59 """ | 64 stored in an fsevents record. |
60 for value in self._OBJECT_TYPE_MASKS: | |
61 if value & mask: | |
62 return self._OBJECT_TYPE_MASKS[value] | |
63 return 'UNKNOWN' | |
64 | |
65 def _GetEventTypes(self, mask): | |
66 """Determines which events are stored in a fsevents mask. | |
67 | |
68 Args: | |
69 mask (int): fsevents record type mask. | |
70 | |
71 Returns: | |
72 str: a comma separated string containing all the events listed in an | |
73 fsevents record. | |
74 """ | 65 """ |
75 event_types = [] | 66 event_types = [] |
76 for value in self._EVENT_MASKS: | 67 for event_flag, description in self._FLAG_VALUES.items(): |
77 if value & mask: | 68 if event_flag & flags: |
78 event_types.append(self._EVENT_MASKS[value]) | 69 event_types.append(description) |
79 return ','.join(event_types) | 70 return ', '.join(event_types) |
80 | 71 |
81 def GetMessages(self, unused_formatter_mediator, event): | 72 def GetMessages(self, unused_formatter_mediator, event): |
82 """Determines the formatted message strings for an event object. | 73 """Determines the formatted message strings for an event object. |
83 | 74 |
84 Args: | 75 Args: |
85 formatter_mediator (FormatterMediator): mediates the interactions between | 76 formatter_mediator (FormatterMediator): mediates the interactions between |
86 formatters and other components, such as storage and Windows EventLog | 77 formatters and other components, such as storage and Windows EventLog |
87 resources. | 78 resources. |
88 event (EventObject): event. | 79 event (EventObject): event. |
89 | 80 |
90 Returns: | 81 Returns: |
91 tuple(str, str): formatted message string and short message string. | 82 tuple(str, str): formatted message string and short message string. |
92 | 83 |
93 Raises: | 84 Raises: |
94 WrongFormatter: if the event object cannot be formatted by the formatter. | 85 WrongFormatter: if the event object cannot be formatted by the formatter. |
95 """ | 86 """ |
96 if self.DATA_TYPE != event.data_type: | 87 if self.DATA_TYPE != event.data_type: |
97 raise errors.WrongFormatter( | 88 raise errors.WrongFormatter( |
98 'Unsupported data type: {0:s}.'.format(event.data_type)) | 89 'Unsupported data type: {0:s}.'.format(event.data_type)) |
99 | 90 |
100 event_values = event.CopyToDict() | 91 event_values = event.CopyToDict() |
101 mask = event_values['flags'] | 92 flags = event_values['flags'] |
Joachim Metz
2018/01/04 20:34:56
why is the same value named mask here and flags in
onager
2018/01/12 21:32:14
Done.
| |
102 event_values['object_type'] = self._GetObjectType(mask) | 93 event_values['hex_flags'] = '0x{0:X}'.format(flags) |
103 event_values['event_types'] = self._GetEventTypes(mask) | 94 event_values['flag_values'] = self._GetFlagValues(flags) |
104 | 95 |
105 return self._ConditionalFormatMessages(event_values) | 96 return self._ConditionalFormatMessages(event_values) |
106 | 97 |
107 | 98 |
108 manager.FormattersManager.RegisterFormatter(FSEventsdEventFormatter) | 99 manager.FormattersManager.RegisterFormatter(FSEventsdEventFormatter) |
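Review bot: In `_GetFlagValues` the `0x00000000: 'None'` entry can never be selected, because `event_flag & flags` is always zero for that key, so a record with no flag bits set now formats `flag_values` as an empty string rather than `None`; a guard before the loop such as `if not flags: return self._FLAG_VALUES[0]` restores the intended label. The loop also walks `self._FLAG_VALUES.items()` in dictionary order, which is not insertion order on Python 2 or on CPython before 3.6 (the `unicode_literals` import suggests Python 2 is still a target), so the same flags value can produce differently ordered strings on different interpreters, which is awkward when timelines are compared; iterating `sorted(self._FLAG_VALUES.items())` yields a stable, bit-ordered string. Bits that are not in the table are silently omitted from `flag_values`, but since `hex_flags` carries the raw value that is acceptable, and it may be worth a one-line comment saying so above the loop.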