Source code for plaso.formatters.msiecf
# -*- coding: utf-8 -*-
"""The Microsoft Internet Explorer (MSIE) Cache Files (CF) event formatters."""
from __future__ import unicode_literals
from plaso.formatters import interface
from plaso.formatters import manager
from plaso.lib import errors
[docs]class MsiecfItemFormatter(interface.ConditionalEventFormatter):
"""Formatter for a MSIECF item event."""
# pylint: disable=unused-argument
[docs] def GetMessages(self, formatter_mediator, event):
"""Determines the formatted message strings for an event object.
Args:
formatter_mediator (FormatterMediator): mediates the interactions
between formatters and other components, such as storage and Windows
EventLog resources.
event (EventObject): event.
Returns:
tuple(str, str): formatted message string and short message string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event.data_type))
event_values = event.CopyToDict()
http_headers = event_values.get('http_headers', None)
if http_headers:
event_values['http_headers'] = http_headers.replace('\r\n', ' - ')
if event_values.get('recovered', None):
event_values['recovered_string'] = '[Recovered Entry]'
cached_file_path = event_values.get('cached_filename', None)
if cached_file_path:
cache_directory_name = event_values.get('cache_directory_name', None)
if cache_directory_name:
cached_file_path = '\\'.join([cache_directory_name, cached_file_path])
event_values['cached_file_path'] = cached_file_path
return self._ConditionalFormatMessages(event_values)
[docs]class MsiecfLeakFormatter(MsiecfItemFormatter):
"""Formatter for a MSIECF leak item event."""
DATA_TYPE = 'msiecf:leak'
FORMAT_STRING_PIECES = [
'Cached file: {cached_file_path}',
'Cached file size: {cached_file_size}',
'{recovered_string}']
FORMAT_STRING_SHORT_PIECES = [
'Cached file: {cached_file_path}']
SOURCE_LONG = 'MSIE Cache File leak record'
SOURCE_SHORT = 'WEBHIST'
[docs]class MsiecfRedirectedFormatter(MsiecfItemFormatter):
"""Formatter for a MSIECF leak redirected event."""
DATA_TYPE = 'msiecf:redirected'
FORMAT_STRING_PIECES = [
'Location: {url}',
'{recovered_string}']
FORMAT_STRING_SHORT_PIECES = [
'Location: {url}']
SOURCE_LONG = 'MSIE Cache File redirected record'
SOURCE_SHORT = 'WEBHIST'
[docs]class MsiecfUrlFormatter(MsiecfItemFormatter):
"""Formatter for a MSIECF URL item event."""
DATA_TYPE = 'msiecf:url'
FORMAT_STRING_PIECES = [
'Location: {url}',
'Number of hits: {number_of_hits}',
'Cached file: {cached_file_path}',
'Cached file size: {cached_file_size}',
'HTTP headers: {http_headers}',
'{recovered_string}']
FORMAT_STRING_SHORT_PIECES = [
'Location: {url}',
'Cached file: {cached_file_path}']
SOURCE_LONG = 'MSIE Cache File URL record'
SOURCE_SHORT = 'WEBHIST'
manager.FormattersManager.RegisterFormatters([
MsiecfLeakFormatter, MsiecfRedirectedFormatter, MsiecfUrlFormatter])