Clean up of dtFabric-based parsers #2142
joachimmetz committed Jun 21, 2020
1 parent 03c83fe commit 2d53708
Showing 22 changed files with 20 additions and 65 deletions.
2 changes: 1 addition & 1 deletion config/dpkg/control
@@ -17,7 +17,7 @@ Description: Data files for plaso (log2timeline)

Package: python3-plaso
Architecture: all
Depends: plaso-data (>= ${binary:Version}), libbde-python3 (>= 20140531), libesedb-python3 (>= 20150409), libevt-python3 (>= 20191104), libevtx-python3 (>= 20141112), libewf-python3 (>= 20131210), libfsapfs-python3 (>= 20181205), libfsntfs-python3 (>= 20200414), libfvde-python3 (>= 20160719), libfwnt-python3 (>= 20180117), libfwsi-python3 (>= 20150606), liblnk-python3 (>= 20150830), libluksde-python3 (>= 20200101), libmsiecf-python3 (>= 20150314), libolecf-python3 (>= 20151223), libqcow-python3 (>= 20131204), libregf-python3 (>= 20150315), libscca-python3 (>= 20190605), libsigscan-python3 (>= 20190629), libsmdev-python3 (>= 20140529), libsmraw-python3 (>= 20140612), libvhdi-python3 (>= 20131210), libvmdk-python3 (>= 20140421), libvshadow-python3 (>= 20160109), libvslvm-python3 (>= 20160109), python3-artifacts (>= 20190305), python3-bencode, python3-biplist (>= 1.0.3), python3-certifi (>= 2016.9.26), python3-cffi-backend (>= 1.9.1), python3-chardet (>= 2.0.1), python3-cryptography (>= 2.0.2), python3-dateutil (>= 1.5), python3-defusedxml (>= 0.5.0), python3-dfdatetime (>= 20200501), python3-dfvfs (>= 20200604), python3-dfwinreg (>= 20180712), python3-dtfabric (>= 20181128), python3-elasticsearch (>= 6.0), python3-future (>= 0.16.0), python3-idna (>= 2.5), python3-lz4 (>= 0.10.0), python3-pefile (>= 2018.8.8), python3-psutil (>= 5.4.3), python3-pyparsing (>= 2.3.0), python3-pytsk3 (>= 20160721), python3-redis (>= 3.4), python3-requests (>= 2.18.0), python3-six (>= 1.1.0), python3-tz, python3-urllib3 (>= 1.21.1), python3-xlsxwriter (>= 0.9.3), python3-yaml (>= 3.10), python3-yara (>= 3.4.0), python3-zmq (>= 2.1.11), ${python3:Depends}, ${misc:Depends}
Depends: plaso-data (>= ${binary:Version}), libbde-python3 (>= 20140531), libesedb-python3 (>= 20150409), libevt-python3 (>= 20191104), libevtx-python3 (>= 20141112), libewf-python3 (>= 20131210), libfsapfs-python3 (>= 20181205), libfsntfs-python3 (>= 20200414), libfvde-python3 (>= 20160719), libfwnt-python3 (>= 20180117), libfwsi-python3 (>= 20150606), liblnk-python3 (>= 20150830), libluksde-python3 (>= 20200101), libmsiecf-python3 (>= 20150314), libolecf-python3 (>= 20151223), libqcow-python3 (>= 20131204), libregf-python3 (>= 20150315), libscca-python3 (>= 20190605), libsigscan-python3 (>= 20190629), libsmdev-python3 (>= 20140529), libsmraw-python3 (>= 20140612), libvhdi-python3 (>= 20131210), libvmdk-python3 (>= 20140421), libvshadow-python3 (>= 20160109), libvslvm-python3 (>= 20160109), python3-artifacts (>= 20190305), python3-bencode, python3-biplist (>= 1.0.3), python3-certifi (>= 2016.9.26), python3-cffi-backend (>= 1.9.1), python3-chardet (>= 2.0.1), python3-cryptography (>= 2.0.2), python3-dateutil (>= 1.5), python3-defusedxml (>= 0.5.0), python3-dfdatetime (>= 20200501), python3-dfvfs (>= 20200604), python3-dfwinreg (>= 20180712), python3-dtfabric (>= 20200621), python3-elasticsearch (>= 6.0), python3-future (>= 0.16.0), python3-idna (>= 2.5), python3-lz4 (>= 0.10.0), python3-pefile (>= 2018.8.8), python3-psutil (>= 5.4.3), python3-pyparsing (>= 2.3.0), python3-pytsk3 (>= 20160721), python3-redis (>= 3.4), python3-requests (>= 2.18.0), python3-six (>= 1.1.0), python3-tz, python3-urllib3 (>= 1.21.1), python3-xlsxwriter (>= 0.9.3), python3-yaml (>= 3.10), python3-yara (>= 3.4.0), python3-zmq (>= 2.1.11), ${python3:Depends}, ${misc:Depends}
Description: Python 3 module of plaso (log2timeline)
Plaso (log2timeline) is a framework to create super timelines. Its
purpose is to extract timestamps from various files found on typical
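Review bot: the minimum for python3-dtfabric is raised to 20200621, the same date as this commit, so the corresponding dtfabric release (and its Debian package) must already be published for package installs to resolve; the bump is carried consistently through dependencies.ini, plaso/dependencies.py, requirements.txt and setup.cfg in this commit, so nothing further is needed here once that release is out.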
2 changes: 1 addition & 1 deletion dependencies.ini
@@ -73,7 +73,7 @@ version_property: __version__

[dtfabric]
dpkg_name: python3-dtfabric
minimum_version: 20181128
minimum_version: 20200621
rpm_name: python3-dtfabric
version_property: __version__

2 changes: 1 addition & 1 deletion plaso/dependencies.py
@@ -30,7 +30,7 @@
'dfdatetime': ('__version__', '20200501', None, True),
'dfvfs': ('__version__', '20200604', None, True),
'dfwinreg': ('__version__', '20180712', None, True),
'dtfabric': ('__version__', '20181128', None, True),
'dtfabric': ('__version__', '20200621', None, True),
'elasticsearch': ('__versionstr__', '6.0', None, False),
'future': ('__version__', '0.16.0', None, True),
'idna': ('__version__', '2.5', None, True),
5 changes: 0 additions & 5 deletions plaso/parsers/asl.py
@@ -63,8 +63,6 @@ class ASLParser(dtfabric_parser.DtFabricBaseParser):

_DEFINITION_FILE = 'asl.yaml'

_FILE_SIGNATURE = b'ASL DB\x00\x00\x00\x00\x00\x00'

# Most significant bit of a 64-bit string offset.
_STRING_OFFSET_MSB = 1 << 63

@@ -286,9 +284,6 @@ def ParseFileObject(self, parser_mediator, file_object):
'Unable to parse file header with error: {0!s}'.format(
exception))

if file_header.signature != self._FILE_SIGNATURE:
raise errors.UnableToParseFile('Invalid file signature.')

# TODO: generate event for creation time.

file_size = file_object.get_size()
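Review bot: removing the explicit signature comparison changes how a non-ASL file is rejected: the mismatch is now detected inside `_ReadStructureFromFileObject` by the `value:` constraint in asl.yaml, so it is reported through the preceding `except` as 'Unable to parse file header with error: ...' instead of 'Invalid file signature.'. Confirm that the dtFabric error raised for a value mismatch is among the exception types that `except` catches, because this path has to end in `errors.UnableToParseFile` for the parser to yield to other parsers rather than fail the extraction with an unexpected exception.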
1 change: 1 addition & 0 deletions plaso/parsers/asl.yaml
@@ -47,6 +47,7 @@ members:
type: stream
element_data_type: byte
elements_data_size: 12
value: "ASL DB\x00\x00\x00\x00\x00\x00"
- name: format_version
data_type: uint32
- name: first_log_entry_offset
5 changes: 0 additions & 5 deletions plaso/parsers/bsm.py
@@ -175,8 +175,6 @@ class BSMParser(dtfabric_parser.DtFabricBaseParser):
0x82: 'bsm_token_data_sockunix',
}

_TRAILER_TOKEN_SIGNATURE = 0xb105

_TOKEN_DATA_FORMAT_FUNCTIONS = {
0x11: '_FormatOtherFileToken',
0x21: '_FormatDataToken',
@@ -684,9 +682,6 @@ def _ParseRecord(self, parser_mediator, file_object):
token_values['error'], token_values['token_status'],
token_values['call_status'])

if token_data.signature != self._TRAILER_TOKEN_SIGNATURE:
raise errors.ParseError('Unsupported signature in trailer token.')

if token_data.record_size != header_record_size:
raise errors.ParseError(
'Mismatch of event record size between header and trailer token.')
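Review bot: the trailer check removed here raised `errors.ParseError('Unsupported signature in trailer token.')` at the point where the trailer is validated; with `value: 0xb105` in bsm.yaml the mismatch is raised when the token structure is read, before `token_values` are formatted, and the message no longer says which token failed. Consider wrapping the read of the trailer token so the error still names the trailer, as the remaining `record_size` mismatch message does.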
1 change: 1 addition & 0 deletions plaso/parsers/bsm.yaml
@@ -611,6 +611,7 @@ attributes:
members:
- name: signature
data_type: uint16
value: 0xb105
- name: record_size
data_type: uint32
---
10 changes: 0 additions & 10 deletions plaso/parsers/chrome_cache.py
@@ -113,8 +113,6 @@ class ChromeCacheIndexFileParser(dtfabric_parser.DtFabricBaseParser):

_DEFINITION_FILE = 'chrome_cache.yaml'

_FILE_SIGNATURE = 0xc103cac3

def __init__(self):
"""Initializes an index file."""
super(ChromeCacheIndexFileParser, self).__init__()
@@ -140,9 +138,6 @@ def _ParseFileHeader(self, file_object):
'Unable to parse index file header with error: {0!s}'.format(
exception))

if file_header.signature != self._FILE_SIGNATURE:
raise errors.ParseError('Unsupported index file signature')

format_version = '{0:d}.{1:d}'.format(
file_header.major_version, file_header.minor_version)
if format_version not in ('2.0', '2.1'):
@@ -208,8 +203,6 @@ class ChromeCacheDataBlockFileParser(dtfabric_parser.DtFabricBaseParser):

_DEFINITION_FILE = 'chrome_cache.yaml'

_FILE_SIGNATURE = 0xc104cac3

def _ParseFileHeader(self, file_object):
"""Parses the file header.
@@ -230,9 +223,6 @@ def _ParseFileHeader(self, file_object):
'Unable to parse data block file header with error: {0!s}'.format(
exception))

if file_header.signature != self._FILE_SIGNATURE:
raise errors.ParseError('Unsupported data block file signature')

format_version = '{0:d}.{1:d}'.format(
file_header.major_version, file_header.minor_version)
if format_version not in ('2.0', '2.1'):
2 changes: 2 additions & 0 deletions plaso/parsers/chrome_cache.yaml
@@ -46,6 +46,7 @@ attributes:
members:
- name: signature
data_type: uint32
value: 0xc104cac3
- name: minor_version
data_type: uint16
- name: major_version
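Review bot: the hunk context shows only `attributes:` and `members:`, not the structure names, so verify that `value: 0xc104cac3` (this hunk, around line 46) lands in the data block file header and `value: 0xc103cac3` (the hunk at line 130) in the index file header; these must match the constants removed from `ChromeCacheDataBlockFileParser` and `ChromeCacheIndexFileParser` respectively, and a swap would make both parsers reject every valid file.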
@@ -130,6 +131,7 @@ attributes:
members:
- name: signature
data_type: uint32
value: 0xc103cac3
- name: minor_version
data_type: uint16
- name: major_version
11 changes: 0 additions & 11 deletions plaso/parsers/custom_destinations.py
@@ -34,8 +34,6 @@ class CustomDestinationsParser(dtfabric_parser.DtFabricBaseParser):
_LNK_GUID = (
b'\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46')

_FILE_FOOTER_SIGNATURE = 0xbabffbab

def _ParseLNKFile(
self, parser_mediator, file_entry, file_offset, remaining_file_size):
"""Parses a LNK file stored within the .customDestinations-ms file.
@@ -184,11 +182,6 @@ def ParseFileObject(self, parser_mediator, file_object):
file_footer, _ = self._ReadStructureFromFileObject(
file_object, file_offset, file_footer_map)

if file_footer.signature != self._FILE_FOOTER_SIGNATURE:
parser_mediator.ProduceExtractionWarning(
'invalid entry header signature at offset: 0x{0:08x}'.format(
file_offset))

except (ValueError, errors.ParseError) as exception:
parser_mediator.ProduceExtractionWarning((
'unable to parse footer at offset: 0x{0:08x} with error: '
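Review bot: the removed check only produced an extraction warning and continued; with `value: 0xbabffbab` in custom_destinations.yaml, a footer with a different signature now raises from `_ReadStructureFromFileObject`, which the visible `except (ValueError, errors.ParseError)` turns into the 'unable to parse footer at offset ...' warning, so the warn-and-continue behaviour is preserved. The commit message should say that the warning text changes, and that this also retires the mislabelled 'invalid entry header signature' message that was emitted for a footer mismatch.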
@@ -212,10 +205,6 @@ def ParseFileObject(self, parser_mediator, file_object):
file_footer, _ = self._ReadStructureFromFileObject(
file_object, file_offset, file_footer_map)

if file_footer.signature != self._FILE_FOOTER_SIGNATURE:
parser_mediator.ProduceExtractionWarning(
'invalid footer signature at offset: 0x{0:08x}'.format(file_offset))

except (ValueError, errors.ParseError) as exception:
parser_mediator.ProduceExtractionWarning((
'unable to parse footer at offset: 0x{0:08x} with error: '
1 change: 1 addition & 0 deletions plaso/parsers/custom_destinations.yaml
@@ -73,6 +73,7 @@ attributes:
members:
- name: signature
data_type: uint32
value: 0xbabffbab
---
name: custom_entry_header
type: structure
10 changes: 0 additions & 10 deletions plaso/parsers/fseventsd.py
@@ -56,8 +56,6 @@ class FseventsdParser(dtfabric_parser.DtFabricBaseParser):
# The version 2 format was introduced in MacOS High Sierra (10.13).
_DLS_V2_SIGNATURE = b'2SLD'

_DLS_SIGNATURES = [_DLS_V1_SIGNATURE, _DLS_V2_SIGNATURE]

_DEFINITION_FILE = 'fseventsd.yaml'

@classmethod
@@ -99,11 +97,6 @@ def _ParseDLSPageHeader(self, file_object, page_offset):
'Unable to parse page header at offset: 0x{0:08x} '
'with error: {1!s}'.format(page_offset, exception))

if page_header.signature not in self._DLS_SIGNATURES:
raise errors.ParseError(
'Unsupported page header signature at offset: 0x{0:08x}'.format(
page_offset))

return page_header, page_size

def _BuildEventData(self, record):
@@ -170,9 +163,6 @@ def ParseFileObject(self, parser_mediator, file_object):
'Unable to parse page header with error: {0!s}'.format(
exception))

if page_header.signature not in self._DLS_SIGNATURES:
raise errors.UnableToParseFile('Invalid file signature')

current_page_end = page_header.page_size

file_entry = parser_mediator.GetFileEntry()
1 change: 1 addition & 0 deletions plaso/parsers/fseventsd.yaml
@@ -32,6 +32,7 @@ members:
type: stream
element_data_type: byte
number_of_elements: 4
values: ["1SLD", "2SLD"]
- name: padding
type: stream
element_data_type: byte
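Review bot: this hunk uses `values: ["1SLD", "2SLD"]` (a list) where every other definition in the commit uses the singular `value:`; confirm that dtfabric 20200621 accepts a `values` list on a stream member and matches any entry, as the removed `page_header.signature not in self._DLS_SIGNATURES` check did, and that each entry is exactly `number_of_elements: 4` bytes long.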
7 changes: 1 addition & 6 deletions plaso/parsers/mac_keychain.py
@@ -120,8 +120,6 @@ class KeychainParser(dtfabric_parser.DtFabricBaseParser):

_DEFINITION_FILE = 'mac_keychain.yaml'

_FILE_SIGNATURE = b'kych'

_MAJOR_VERSION = 1
_MINOR_VERSION = 0

@@ -324,9 +322,6 @@ def _ReadFileHeader(self, file_object):
file_header, _ = self._ReadStructureFromFileObject(
file_object, 0, data_type_map)

if file_header.signature != self._FILE_SIGNATURE:
raise errors.ParseError('Unsupported file signature.')

if (file_header.major_format_version != self._MAJOR_VERSION or
file_header.minor_format_version != self._MINOR_VERSION):
raise errors.ParseError('Unsupported format version: {0:s}.{1:s}'.format(
@@ -855,7 +850,7 @@ def GetFormatSpecification(cls):
FormatSpecification: format specification.
"""
format_specification = specification.FormatSpecification(cls.NAME)
format_specification.AddNewSignature(cls._FILE_SIGNATURE, offset=0)
format_specification.AddNewSignature(b'kych', offset=0)
return format_specification

def ParseFileObject(self, parser_mediator, file_object):
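Review bot: inlining `b'kych'` in `GetFormatSpecification` means the signature is now spelled in two places, here and as `value: "kych"` in mac_keychain.yaml, with nothing tying them together; a comment pointing at the YAML member, or a test asserting that the format specification signature equals the definition's value, would keep them from drifting. The same applies to `b'LPKSHHRH'` in systemd_journal.py.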
1 change: 1 addition & 0 deletions plaso/parsers/mac_keychain.yaml
@@ -84,6 +84,7 @@ members:
type: stream
element_data_type: byte
elements_data_size: 4
value: "kych"
- name: major_format_version
data_type: uint16
- name: minor_format_version
2 changes: 2 additions & 0 deletions plaso/parsers/recycler.yaml
@@ -54,6 +54,7 @@ description: Windows Recycler INFO2 file entry Unicode original filename string
type: string
encoding: utf-16-le
element_data_type: wchar16
elements_data_size: 520
elements_terminator: "\x00\x00"
---
name: recycler_info2_file_entry
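Review bot: adding `elements_terminator` to a member that already has `elements_data_size: 520` changes how the string value is produced, not only how it is validated; confirm the dtFabric semantics are that the member still consumes the full 520 bytes of the structure and only the returned value stops at the terminator, otherwise every following member shifts. For the utf-16-le string the `"\x00\x00"` terminator must be matched on wchar16 element boundaries, since a byte-wise scan could match a NUL pair straddling two code units (for example `a` followed by U+0100 encodes as `61 00 00 01`).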
@@ -66,6 +67,7 @@ members:
type: stream
element_data_type: byte
elements_data_size: 260
elements_terminator: "\x00"
- name: index
data_type: uint32
- name: drive_number
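Review bot: this is a behavioural change to INFO2 file entry parsing (the ANSI original filename now stops at the first NUL inside its 260-byte field) rather than a clean-up, and the commit message 'Clean up of dtFabric-based parsers' does not mention it; a test fixture whose filename field carries stale bytes after the NUL would document the intended result.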
5 changes: 0 additions & 5 deletions plaso/parsers/safari_cookies.py
@@ -51,8 +51,6 @@ class BinaryCookieParser(dtfabric_parser.DtFabricBaseParser):

_DEFINITION_FILE = 'safari_cookies.yaml'

_SIGNATURE = b'cook'

def __init__(self):
"""Initializes a parser object."""
super(BinaryCookieParser, self).__init__()
@@ -220,9 +218,6 @@ def ParseFileObject(self, parser_mediator, file_object):
raise errors.UnableToParseFile(
'Unable to read file header with error: {0!s}.'.format(exception))

if file_header.signature != self._SIGNATURE:
raise errors.UnableToParseFile('Unsupported file signature.')

file_offset = file_header_data_size

# TODO: move page sizes array into file header, this will require dtFabric
1 change: 1 addition & 0 deletions plaso/parsers/safari_cookies.yaml
@@ -60,6 +60,7 @@ members:
type: stream
element_data_type: byte
number_of_elements: 4
value: "cook"
- name: number_of_pages
data_type: uint32
---
7 changes: 1 addition & 6 deletions plaso/parsers/systemd_journal.py
@@ -48,8 +48,6 @@ class SystemdJournalParser(dtfabric_parser.DtFabricBaseParser):

_DEFINITION_FILE = 'systemd_journal.yaml'

_FILE_SIGNATURE = b'LPKSHHRH'

_OBJECT_COMPRESSED_FLAG_XZ = 1
_OBJECT_COMPRESSED_FLAG_LZ4 = 2

@@ -271,7 +269,7 @@ def GetFormatSpecification(cls):
FormatSpecification: format specification.
"""
format_specification = specification.FormatSpecification(cls.NAME)
format_specification.AddNewSignature(cls._FILE_SIGNATURE, offset=0)
format_specification.AddNewSignature(b'LPKSHHRH', offset=0)
return format_specification

def ParseFileObject(self, parser_mediator, file_object):
@@ -294,9 +292,6 @@ def ParseFileObject(self, parser_mediator, file_object):
'Unable to parse file header with error: {0!s}'.format(
exception))

if file_header.signature != self._FILE_SIGNATURE:
raise errors.UnableToParseFile('Invalid file signature.')

if file_header.header_size not in self._SUPPORTED_FILE_HEADER_SIZES:
raise errors.UnableToParseFile(
'Unsupported file header size: {0:d}.'.format(
1 change: 1 addition & 0 deletions plaso/parsers/systemd_journal.yaml
@@ -48,6 +48,7 @@ members:
type: stream
element_data_type: byte
elements_data_size: 8
value: "LPKSHHRH"
- name: compatible_flags
data_type: uint32
- name: incompatible_flags
4 changes: 2 additions & 2 deletions requirements.txt
@@ -9,10 +9,10 @@ cffi >= 1.9.1
chardet >= 2.0.1
cryptography >= 2.0.2
defusedxml >= 0.5.0
dfdatetime >= 20180704
dfdatetime >= 20200501
dfvfs >= 20200604
dfwinreg >= 20180712
dtfabric >= 20181128
dtfabric >= 20200621
elasticsearch >= 6.0
future >= 0.16.0
idna >= 2.5
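Review bot: besides dtfabric, this hunk also raises dfdatetime from 20180704 to 20200501, which the commit message does not mention; it matches the `'dfdatetime': ('__version__', '20200501', None, True)` entry already present in plaso/dependencies.py and the control file, so it is a consistency fix, but it belongs in the commit message (setup.cfg receives the same bump).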
4 changes: 2 additions & 2 deletions setup.cfg
@@ -51,10 +51,10 @@ requires = libbde-python3 >= 20140531
python3-cryptography >= 2.0.2
python3-dateutil >= 1.5
python3-defusedxml >= 0.5.0
python3-dfdatetime >= 20180704
python3-dfdatetime >= 20200501
python3-dfvfs >= 20200604
python3-dfwinreg >= 20180712
python3-dtfabric >= 20181128
python3-dtfabric >= 20200621
python3-elasticsearch >= 6.0
python3-future >= 0.16.0
python3-idna >= 2.5