Source code for plaso.formatters.winlnk
# -*- coding: utf-8 -*-
"""The Windows Shortcut (LNK) event formatter."""
from __future__ import unicode_literals
from plaso.formatters import interface
from plaso.formatters import manager
from plaso.lib import errors
[docs]class WinLnkLinkFormatter(interface.ConditionalEventFormatter):
"""Formatter for a Windows Shortcut (LNK) link event."""
DATA_TYPE = 'windows:lnk:link'
FORMAT_STRING_PIECES = [
'[{description}]',
'File size: {file_size}',
'File attribute flags: 0x{file_attribute_flags:08x}',
'Drive type: {drive_type}',
'Drive serial number: 0x{drive_serial_number:08x}',
'Volume label: {volume_label}',
'Local path: {local_path}',
'Network path: {network_path}',
'cmd arguments: {command_line_arguments}',
'env location: {env_var_location}',
'Relative path: {relative_path}',
'Working dir: {working_directory}',
'Icon location: {icon_location}',
'Link target: {link_target}']
FORMAT_STRING_SHORT_PIECES = [
'[{description}]',
'{linked_path}',
'{command_line_arguments}']
SOURCE_LONG = 'Windows Shortcut'
SOURCE_SHORT = 'LNK'
def _GetLinkedPath(self, event):
"""Determines the linked path.
Args:
event (EventObject): event that contains a linked path.
Returns:
str: linked path.
"""
if hasattr(event, 'local_path'):
return event.local_path
if hasattr(event, 'network_path'):
return event.network_path
if hasattr(event, 'relative_path'):
paths = []
if hasattr(event, 'working_directory'):
paths.append(event.working_directory)
paths.append(event.relative_path)
return '\\'.join(paths)
return 'Unknown'
[docs] def GetMessages(self, unused_formatter_mediator, event):
"""Determines the formatted message strings for an event object.
Args:
formatter_mediator (FormatterMediator): mediates the interactions between
formatters and other components, such as storage and Windows EventLog
resources.
event (EventObject): event.
Returns:
tuple(str, str): formatted message string and short message string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event.data_type))
event_values = event.CopyToDict()
if 'description' not in event_values:
event_values['description'] = 'Empty description'
event_values['linked_path'] = self._GetLinkedPath(event)
return self._ConditionalFormatMessages(event_values)
manager.FormattersManager.RegisterFormatter(WinLnkLinkFormatter)