Continued adding artifact filters support for files and Windows Registry

plaso/cli/helpers/artifact_filters.py

@@ -87,7 +87,8 @@ def ParseOptions(cls, options, configuration_object):
 
     if artifact_filters_file and os.path.isfile(artifact_filters_file):
       with open(artifact_filters_file) as file_object:
-        artifact_filters = file_object.read().splitlines()
+        file_content = file_object.read()
+        artifact_filters = file_content.splitlines()
     elif artifact_filters:
       artifact_filters = [name.strip() for name in artifact_filters.split(',')]
 

plaso/cli/image_export_tool.py

@@ -288,7 +288,7 @@ def _ExtractFileEntry(
   # TODO: merge with collector and/or engine.
   def _ExtractWithFilter(
       self, source_path_specs, destination_path, output_writer,
-      artifacts_registry, artifact_filters_path, filter_file_path,
+      artifacts_registry, artifact_filters, filter_file,
       skip_duplicates=True):
     """Extracts files using a filter expression.
 
@@ -301,10 +301,10 @@ def _ExtractWithFilter(
       output_writer (CLIOutputWriter): output writer.
       artifacts_registry (artifacts.ArtifactDefinitionsRegistry]): artifact
           definitions registry.
-      artifact_filters_path (str): path of the file that contains the
-          names of the artifacts filter definitions or definitions directly
-          listed comma separated.
-      filter_file_path (str): path of the file that contains the filter.
+      artifact_filters (list[str]): Names of artifact definitions that are
+          used for filtering file system and Windows Registry key paths.
+      filter_file (str): path of the file that contains the filter file path
+          filters.
       skip_duplicates (Optional[bool]): True if files with duplicate content
           should be skipped.
     """
@@ -321,7 +321,7 @@ def _ExtractWithFilter(
           'Extracting file entries from: {0:s}\n'.format(display_name))
 
       find_specs = engine.BaseEngine.BuildFilterFindSpecs(artifacts_registry,
-        artifact_filters_path, filter_file_path, self._knowledge_base)
+          self._knowledge_base, artifact_filters, filter_file)
 
       searcher = file_system_searcher.FileSystemSearcher(
           file_system, mount_point)

plaso/cli/log2timeline_tool.py

@@ -420,8 +420,8 @@ def ExtractEventsFromSources(self):
     self._SetExtractionPreferredTimeZone(extraction_engine.knowledge_base)
 
     filter_find_specs = engine.BaseEngine.BuildFilterFindSpecs(
-      configuration.artifacts_registry, configuration.artifact_filters,
-      configuration.filter_file, extraction_engine.knowledge_base)
+        configuration.artifacts_registry, extraction_engine.knowledge_base,
+        configuration.artifact_filters, configuration.filter_file)
 
     processing_status = None
     if single_process_mode:

plaso/cli/psteal_tool.py

@@ -19,7 +19,6 @@
 from plaso.cli import logger
 from plaso.cli import status_view
 from plaso.cli import tool_options
-from plaso.cli import tools
 from plaso.cli import views
 from plaso.cli.helpers import manager as helpers_manager
 from plaso.engine import engine
@@ -321,8 +320,8 @@ def ExtractEventsFromSources(self):
     self._SetExtractionPreferredTimeZone(extraction_engine.knowledge_base)
 
     filter_find_specs = engine.BaseEngine.BuildFilterFindSpecs(
-      configuration.artifacts_registry, configuration.artifact_filters,
-      configuration.filter_file, extraction_engine.knowledge_base)
+        configuration.artifacts_registry, extraction_engine.knowledge_base,
+        configuration.artifact_filters, configuration.filter_file)
 
     processing_status = None
     if single_process_mode:

plaso/containers/sessions.py

@@ -19,8 +19,8 @@ class Session(interface.AttributeContainer):
     aborted (bool): True if the session was aborted.
     analysis_reports_counter (collections.Counter): number of analysis reports
         per analysis plugin.
-    artifact_filters (str): Names of artifact definitions
-        that are used for filtering file system and Windows Registry key paths.
+    artifact_filters (list[str]): Names of artifact definitions that are
+        used for filtering file system and Windows Registry key paths.
     command_line_arguments (str): command line arguments.
     completion_time (int): time that the session was completed. Contains the
         number of micro seconds since January 1, 1970, 00:00:00 UTC.
@@ -189,7 +189,8 @@ class SessionStart(interface.AttributeContainer):
   """Session start attribute container.
 
   Attributes:
-    artifact_filters (str):  names of artifact definitions.
+    artifact_filters (list[str]): Names of artifact definitions that are
+        used for filtering file system and Windows Registry key paths.
     command_line_arguments (str): command line arguments.
     debug_mode (bool): True if debug mode was enabled.
     enabled_parser_names (list[str]): parser and parser plugin names that

plaso/engine/artifact_filters.py

@@ -29,19 +29,20 @@ class ArtifactDefinitionsFilterHelper(object):
       'HKEY_LOCAL_MACHINE\\SAM',
       'HKEY_LOCAL_MACHINE\\SECURITY'])
 
-  def __init__(self, artifacts_registry, artifact_definitions, knowledge_base):
+  def __init__(self, artifacts_registry, artifact_filters, knowledge_base):
     """Initializes an artifact definitions filter helper.
 
     Args:
       artifacts_registry (artifacts.ArtifactDefinitionsRegistry]): artifact
           definitions registry.
-      artifact_definitions (list[str]): artifact definition names to filter.
+      artifact_filters (list[str]): Names of artifact definitions that are
+          used for filtering file system and Windows Registry key paths.
       path (str): path to a file that contains one or more artifact definitions.
       knowledge_base (KnowledgeBase): contains information from the source
           data needed for filtering.
     """
     super(ArtifactDefinitionsFilterHelper, self).__init__()
-    self._artifacts = artifact_definitions
+    self._artifacts = artifact_filters
     self._artifacts_registry = artifacts_registry
     self._knowledge_base = knowledge_base
 

plaso/engine/engine.py

@@ -166,16 +166,16 @@ def _StopProfiling(self):
 
   @classmethod
   def CreateSession(
-      cls, artifact_filters=None, command_line_arguments=None,
-      debug_mode=False, filter_file=None, preferred_encoding='utf-8',
+      cls, artifact_filters_names=None, command_line_arguments=None,
+      debug_mode=False, filter_file_path=None, preferred_encoding='utf-8',
       preferred_time_zone=None, preferred_year=None):
     """Creates a session attribute container.
 
     Args:
-      artifact_filters (Optional[str]): Artifact filters definitions.
+      artifact_filters_names (Optional[str]): Artifact filters definitions.
       command_line_arguments (Optional[str]): the command line arguments.
       debug_mode (bool): True if debug mode was enabled.
-      filter_file (Optional[str]): path to a file with find specifications.
+      filter_file_path (Optional[str]): path to a file with find specifications.
       preferred_encoding (Optional[str]): preferred encoding.
       preferred_time_zone (Optional[str]): preferred time zone.
       preferred_year (Optional[int]): preferred year.
@@ -185,10 +185,10 @@ def CreateSession(
     """
     session = sessions.Session()
 
-    session.artifact_filters = artifact_filters
+    session.artifact_filters = artifact_filters_names
     session.command_line_arguments = command_line_arguments
     session.debug_mode = debug_mode
-    session.filter_file = filter_file
+    session.filter_file = filter_file_path
     session.preferred_encoding = preferred_encoding
     session.preferred_time_zone = preferred_time_zone
     session.preferred_year = preferred_year
@@ -281,15 +281,14 @@ def SupportsGuppyMemoryProfiling(cls):
 
   @classmethod
   def BuildFilterFindSpecs(
-      self, artifacts_registry, artifact_filter_names, filter_file_path,
-      knowledge_base):
-    """Get Find Specs from artifacts or filter file if available.
+      cls, artifacts_registry, knowledge_base_object,
+      artifact_filter_names=None, filter_file_path=None):
+    """Build Find Specs from artifacts or filter file if available.
 
     Args:
-       artifact_filters (str): Path to file listing artifact filters by
-          name or artifact names listed directly, comma separated.
-       filter_file_path (str): Path of filter file.
-       knowledge_base (KnowledgeBase): Knowledge base.
+       knowledge_base_object (KnowledgeBase): Knowledge base.
+       artifact_filter_names (Optional list[str]): Artifact filter names.
+       filter_file_path (Optional [str]): Path of filter file.
 
     Returns:
       list[dfvfs.FindSpec]: find specifications for the file source type.
@@ -298,22 +297,22 @@ def BuildFilterFindSpecs(
       RuntimeError: if no valid FindSpecs are built.
     """
 
-    environment_variables = knowledge_base.GetEnvironmentVariables()
+    environment_variables = knowledge_base_object.GetEnvironmentVariables()
     find_specs = None
     if artifact_filter_names:
       artifact_filters_object = (
         artifact_filters.ArtifactDefinitionsFilterHelper(
-            artifacts_registry, artifact_filter_names, knowledge_base))
+            artifacts_registry, artifact_filter_names, knowledge_base_object))
       artifact_filters_object.BuildFindSpecs(environment_variables)
-      find_specs = knowledge_base.GetValue(
+      find_specs = knowledge_base_object.GetValue(
           artifact_filters_object.KNOWLEDGE_BASE_VALUE)[
               artifact_types.TYPE_INDICATOR_FILE]
     elif filter_file_path:
       filter_file_object = filter_file.FilterFile(filter_file_path)
       find_specs = filter_file_object.BuildFindSpecs(
           environment_variables=environment_variables)
 
-    if find_specs is None:
+    if (artifact_filter_names or filter_file_path) and not find_specs:
       raise RuntimeError('Error processing filters, no valid specifications'
                          'built.')
 

plaso/parsers/winreg.py

@@ -261,8 +261,6 @@ def ParseFileObject(self, parser_mediator, file_object, **kwargs):
         win_registry.MapFile(key_path_prefix, registry_file)
         self._ParseKeysFromFindSpecs(
             parser_mediator, win_registry, registry_find_specs)
-        # TODO: Confirm why this is necessary.
-        win_registry._registry_files.clear()
       except IOError as exception:
         parser_mediator.ProduceExtractionError('{0:s}'.format(exception))
     else:

tests/parsers/test_lib.py

@@ -134,7 +134,9 @@ def _ParseFileByPathSpec(
       try:
         parser.Parse(parser_mediator, file_object)
       finally:
-        file_object.close()
+        # Check if file_object is open as dfwinreg will have closed file_object.
+        if file_object._is_open:
+          file_object.close()
 
     else:
       self.fail('Got unsupported parser type: {0:s}'.format(type(parser)))

tests/parsers/winreg.py

@@ -4,7 +4,6 @@
 
 from __future__ import unicode_literals
 
-import logging
 import unittest
 
 from artifacts import reader as artifacts_reader
@@ -112,7 +111,6 @@ def testParseSystem(self):
   @shared_test_lib.skipUnlessHasTestFile(['SYSTEM'])
   def testParseSystemWithArtifactFilters(self):
     """Tests the Parse function on a SYSTEM file with artifact filters."""
-    logging.warning('HELP')
     parser = winreg.WinRegistryParser()
     knowledge_base = knowledge_base_engine.KnowledgeBase()
 
@@ -156,8 +154,10 @@ def testParseSystemWithArtifactFilters(self):
     self.assertEqual(parser_chains.get(parser_chain, 0), 5)
 
     # There will be 4 Windows boot execute chains for key_value pairs:
-    # {key: 'HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager', value: 'BootExecute'}
-    # {key: 'HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager', value: 'BootExecute'}
+    # {key: 'HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager', 
+    #     value: 'BootExecute'}
+    # {key: 'HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager',
+    #     value: 'BootExecute'}
     parser_chain = self._PluginNameToParserChain('windows_boot_execute')
     self.assertEqual(parser_chains.get(parser_chain, 0), 4)