"""Windows event data attribute containers."""
from dfdatetime import uuid_time as dfdatetime_uuid_time
from plaso.containers import events
[docs]
class WindowsDistributedLinkTrackingEventData(events.EventData):
"""Windows distributed link event data attribute container.
Attributes:
creation_time (dfdatetime.DateTimeValues): file entry creation date
and time.
mac_address (str): MAC address stored in the UUID.
origin (str): origin of the event (event source).
E.g. the path of the corresponding LNK file or file reference
MFT entry with the corresponding NTFS $OBJECT_ID attribute.
uuid (str): UUID.
"""
DATA_TYPE = "windows:distributed_link_tracking:creation"
[docs]
def __init__(self, uuid, origin):
"""Initializes an event object.
Args:
uuid (uuid.UUID): UUID.
origin (str): origin of the event (event source).
E.g. the path of the corresponding LNK file or file reference
MFT entry with the corresponding NTFS $OBJECT_ID attribute.
Raises:
ValueError: if the UUID version is not supported.
"""
if uuid.version != 1:
raise ValueError("Unsupported UUID version.")
mac_address = (
f"{uuid.hex[20:22]:s}:{uuid.hex[22:24]:s}:"
f"{uuid.hex[24:26]:s}:{uuid.hex[26:28]:s}:"
f"{uuid.hex[28:30]:s}:{uuid.hex[30:32]:s}"
)
super().__init__(data_type=self.DATA_TYPE)
self.creation_time = dfdatetime_uuid_time.UUIDTime(timestamp=uuid.time)
self.mac_address = mac_address
# TODO: replace origin my something machine readable.
self.origin = origin
self.uuid = f"{uuid!s}"
[docs]
class WindowsRegistryEventData(events.EventData):
"""Windows Registry event data attribute container.
Attributes:
key_path (str): Windows Registry key path.
last_written_time (dfdatetime.DateTimeValues): key last written date and
time.
values (list[tuple[str, str, str]]): name, data type and data of the values
in the key.
"""
DATA_TYPE = "windows:registry:key_value"
[docs]
def __init__(self):
"""Initializes event data."""
super().__init__(data_type=self.DATA_TYPE)
self.key_path = None
self.last_written_time = None
self.values = None
[docs]
class WindowsShellItemFileEntryEventData(events.EventData):
"""Windows shell item file entry event data attribute container.
Attributes:
access_time (dfdatetime.DateTimeValues): file entry last access date
and time.
creation_time (dfdatetime.DateTimeValues): file entry creation date
and time.
file_reference (str): NTFS file reference, in the format:
"MTF entry - sequence number".
localized_name (str): localized name of the file entry shell item.
long_name (str): long name of the file entry shell item.
modification_time (dfdatetime.DateTimeValues): file entry last modification
date and time.
name (str): name of the file entry shell item.
origin (str): origin of the event.
shell_item_path (str): shell item path.
"""
DATA_TYPE = "windows:shell_item:file_entry"
[docs]
def __init__(self):
"""Initializes event data."""
super().__init__(data_type=self.DATA_TYPE)
self.access_time = None
self.creation_time = None
self.file_reference = None
self.localized_name = None
self.long_name = None
self.modification_time = None
self.name = None
self.origin = None
self.shell_item_path = None
[docs]
class WindowsVolumeEventData(events.EventData):
"""Windows volume event data attribute container.
Attributes:
creation_time (dfdatetime.DateTimeValues): volume creation date and time.
device_path (str): volume device path.
origin (str): origin of the event (event source), for example
the corresponding Prefetch file name.
serial_number (str): volume serial number.
"""
DATA_TYPE = "windows:volume:creation"
[docs]
def __init__(self):
"""Initializes event data."""
super().__init__(data_type=self.DATA_TYPE)
self.creation_time = None
self.device_path = None
# TODO: replace origin with something machine readable.
self.origin = None
self.serial_number = None