Source code for plaso.formatters.msiecf

# -*- coding: utf-8 -*-
"""The Microsoft Internet Explorer (MSIE) Cache Files (CF) event formatters."""

from __future__ import unicode_literals

from plaso.formatters import interface
from plaso.formatters import manager
from plaso.lib import errors



[docs]class MsiecfItemFormatter(interface.ConditionalEventFormatter):
  """Formatter for a MSIECF item event."""

  # pylint: disable=unused-argument

[docs]  def GetMessages(self, formatter_mediator, event):
    """Determines the formatted message strings for an event object.

    Args:
      formatter_mediator (FormatterMediator): mediates the interactions
          between formatters and other components, such as storage and Windows
          EventLog resources.
      event (EventObject): event.

    Returns:
      tuple(str, str): formatted message string and short message string.

    Raises:
      WrongFormatter: if the event object cannot be formatted by the formatter.
    """
    if self.DATA_TYPE != event.data_type:
      raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
          event.data_type))

    event_values = event.CopyToDict()

    http_headers = event_values.get('http_headers', None)
    if http_headers:
      event_values['http_headers'] = http_headers.replace('\r\n', ' - ')

    if event_values.get('recovered', None):
      event_values['recovered_string'] = '[Recovered Entry]'

    cached_file_path = event_values.get('cached_filename', None)
    if cached_file_path:
      cache_directory_name = event_values.get('cache_directory_name', None)
      if cache_directory_name:
        cached_file_path = '\\'.join([cache_directory_name, cached_file_path])
      event_values['cached_file_path'] = cached_file_path


    return self._ConditionalFormatMessages(event_values)



[docs]class MsiecfLeakFormatter(MsiecfItemFormatter):
  """Formatter for a MSIECF leak item event."""

  DATA_TYPE = 'msiecf:leak'

  FORMAT_STRING_PIECES = [
      'Cached file: {cached_file_path}',
      'Cached file size: {cached_file_size}',
      '{recovered_string}']

  FORMAT_STRING_SHORT_PIECES = [
      'Cached file: {cached_file_path}']

  SOURCE_LONG = 'MSIE Cache File leak record'

  SOURCE_SHORT = 'WEBHIST'



[docs]class MsiecfRedirectedFormatter(MsiecfItemFormatter):
  """Formatter for a MSIECF leak redirected event."""

  DATA_TYPE = 'msiecf:redirected'

  FORMAT_STRING_PIECES = [
      'Location: {url}',
      '{recovered_string}']

  FORMAT_STRING_SHORT_PIECES = [
      'Location: {url}']

  SOURCE_LONG = 'MSIE Cache File redirected record'

  SOURCE_SHORT = 'WEBHIST'



[docs]class MsiecfUrlFormatter(MsiecfItemFormatter):
  """Formatter for a MSIECF URL item event."""

  DATA_TYPE = 'msiecf:url'

  FORMAT_STRING_PIECES = [
      'Location: {url}',
      'Number of hits: {number_of_hits}',
      'Cached file: {cached_file_path}',
      'Cached file size: {cached_file_size}',
      'HTTP headers: {http_headers}',
      '{recovered_string}']

  FORMAT_STRING_SHORT_PIECES = [
      'Location: {url}',
      'Cached file: {cached_file_path}']

  SOURCE_LONG = 'MSIE Cache File URL record'

  SOURCE_SHORT = 'WEBHIST'


manager.FormattersManager.RegisterFormatters([
    MsiecfLeakFormatter, MsiecfRedirectedFormatter, MsiecfUrlFormatter])