Source code for plaso.formatters.windows

# -*- coding: utf-8 -*-
"""The Windows event formatter."""

from __future__ import unicode_literals

from plaso.formatters import interface
from plaso.formatters import manager


class WindowsDistributedLinkTrackingCreationEventFormatter(
    interface.ConditionalEventFormatter):
  """Formats creation events taken from distributed link tracking data.

  The long message is assembled from the UUID, the MAC address and the
  origin of the event. The short message leaves the MAC address out.
  """

  DATA_TYPE = 'windows:distributed_link_tracking:creation'

  # Every piece references at most one event attribute.
  # NOTE(review): presumably the base class drops a piece whose attribute is
  # unset - confirm in interface.ConditionalEventFormatter.
  FORMAT_STRING_PIECES = [
      '{uuid}',
      'MAC address: {mac_address}',
      'Origin: {origin}',
  ]

  FORMAT_STRING_SHORT_PIECES = [
      '{uuid}',
      'Origin: {origin}',
  ]

  SOURCE_LONG = 'System'
  SOURCE_SHORT = 'LOG'
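class WindowsRegistryInstallationEventFormatter(
    interface.ConditionalEventFormatter):
  """Formatter for a Windows installation event.

  The long message lists the product name, version, service pack, owner and
  the Registry key path the values came from. The short message omits the
  owner.
  """

  DATA_TYPE = 'windows:registry:installation'

  # The owner piece needs the {owner} placeholder. Written as the plain text
  # 'Owner: owner' it contains no attribute reference, so the message shows
  # the literal word "owner" instead of the value recorded for the event,
  # which is misleading in a forensic timeline.
  # NOTE(review): assumes the event data exposes an `owner` attribute -
  # confirm against the plugin that produces this data type.
  FORMAT_STRING_PIECES = [
      '{product_name}',
      '{version}',
      '{service_pack}',
      'Owner: {owner}',
      'Origin: {key_path}']

  FORMAT_STRING_SHORT_PIECES = [
      '{product_name}',
      '{version}',
      '{service_pack}',
      'Origin: {key_path}']

  SOURCE_LONG = 'System'
  SOURCE_SHORT = 'LOG'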
class WindowsRegistryListEventFormatter(interface.ConditionalEventFormatter):
  """Formats Windows list events, for example an MRU or a Jump list.

  The message names the Registry key path, the value name and the list name,
  followed by the list values in square brackets.
  """

  DATA_TYPE = 'windows:registry:list'

  # No FORMAT_STRING_SHORT_PIECES is declared for this data type.
  # NOTE(review): the short message then depends on the base class default -
  # confirm in interface.ConditionalEventFormatter.
  FORMAT_STRING_PIECES = [
      'Key: {key_path}',
      'Value: {value_name}',
      'List: {list_name}',
      '[{list_values}]',
  ]

  SOURCE_LONG = 'System'
  SOURCE_SHORT = 'LOG'
class WindowsRegistryNetworkEventFormatter(interface.ConditionalEventFormatter):
  """Formats Windows network events read from the Registry.

  The message reports the SSID, description, connection type, the MAC
  address of the default gateway and the DNS suffix.
  """

  DATA_TYPE = 'windows:registry:network'

  # No FORMAT_STRING_SHORT_PIECES is declared for this data type.
  FORMAT_STRING_PIECES = [
      'SSID: {ssid}',
      'Description: {description}',
      'Connection Type: {connection_type}',
      'Default Gateway Mac: {default_gateway_mac}',
      'DNS Suffix: {dns_suffix}',
  ]

  # Unlike the other formatters in this module, the long source label names
  # the network connection explicitly.
  SOURCE_LONG = 'System: Network Connection'
  SOURCE_SHORT = 'LOG'
class WindowsVolumeCreationEventFormatter(interface.ConditionalEventFormatter):
  """Formats Windows volume creation events.

  The long message carries the device path, the volume serial number and the
  origin. The short message leaves the serial number out.
  """

  DATA_TYPE = 'windows:volume:creation'

  FORMAT_STRING_PIECES = [
      '{device_path}',
      # :08X renders the serial number as 8 zero-padded uppercase hex digits.
      'Serial number: 0x{serial_number:08X}',
      'Origin: {origin}',
  ]

  FORMAT_STRING_SHORT_PIECES = [
      '{device_path}',
      'Origin: {origin}',
  ]

  SOURCE_LONG = 'System'
  SOURCE_SHORT = 'LOG'


# Hand every formatter class defined in this module to the formatters manager
# in a single call.
manager.FormattersManager.RegisterFormatters([
    WindowsDistributedLinkTrackingCreationEventFormatter,
    WindowsRegistryListEventFormatter,
    WindowsRegistryNetworkEventFormatter,
    WindowsRegistryInstallationEventFormatter,
    WindowsVolumeCreationEventFormatter,
])