"""Parser for Java Cache IDX files."""
# TODO:
# * 6.02 files did not retain IP addresses. However, the
# deploy_resource_codebase header field may contain the host IP.
# This needs to be researched further, as that field may not always
# be present. 6.02 files will currently return 'Unknown'.
import os
from dfdatetime import java_time as dfdatetime_java_time
from dfdatetime import time_elements as dfdatetime_time_elements
from plaso.containers import events
from plaso.lib import dtfabric_helper
from plaso.lib import errors
from plaso.parsers import interface
from plaso.parsers import manager
[docs]
class JavaIDXEventData(events.EventData):
"""Java IDX cache file event data.
Attributes:
downloaded_time (dfdatetime.DateTimeValues): date and time the content
was downloaded.
expiration_time (dfdatetime.DateTimeValues): date and time the cached
download expires.
idx_version (str): format version of IDX file.
ip_address (str): IP address of the host in the URL.
modification_time (dfdatetime.DateTimeValues): date and time the cached
download expires.
url (str): URL of the downloaded file.
"""
DATA_TYPE = 'java:download:idx'
[docs]
def __init__(self):
"""Initializes event data."""
super().__init__(data_type=self.DATA_TYPE)
self.downloaded_time = None
self.expiration_time = None
self.idx_version = None
self.ip_address = None
self.modification_time = None
self.url = None
[docs]
class JavaIDXParser(interface.FileObjectParser, dtfabric_helper.DtFabricHelper):
"""Parser for Java WebStart Cache IDX files.
There are five structures defined. 6.02 files had one generic section
that retained all data. From 6.03, the file went to a multi-section
format where later sections were optional and had variable-lengths.
6.03, 6.04, and 6.05 files all have their main data section (#2)
begin at offset 128. The short structure is because 6.05 files
deviate after the 8th byte. So, grab the first 8 bytes to ensure it's
valid, get the file version, then continue on with the correct
structures.
"""
NAME = 'java_idx'
DATA_FORMAT = 'Java WebStart Cache IDX file'
_INITIAL_FILE_OFFSET = None
_DEFINITION_FILE = os.path.join(
os.path.dirname(__file__), 'java_idx.yaml')
_SUPPORTED_FORMAT_VERSIONS = (602, 603, 604, 605)
[docs]
def ParseFileObject(self, parser_mediator, file_object):
"""Parses a Java WebStart Cache IDX file-like object.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfVFS.
file_object (dfvfs.FileIO): a file-like object to parse.
Raises:
WrongParser: when the file cannot be parsed.
"""
file_header_map = self._GetDataTypeMap('java_idx_file_header')
try:
file_header, file_offset = self._ReadStructureFromFileObject(
file_object, 0, file_header_map)
except (ValueError, errors.ParseError) as exception:
raise errors.WrongParser(
f'Unable to parse file header with error: {exception!s}')
if not file_header.format_version in self._SUPPORTED_FORMAT_VERSIONS:
raise errors.WrongParser('Unsupported format version.')
if file_header.format_version == 602:
section1_map = self._GetDataTypeMap('java_idx_602_section1')
elif file_header.format_version in (603, 604):
section1_map = self._GetDataTypeMap('java_idx_603_section1')
elif file_header.format_version == 605:
section1_map = self._GetDataTypeMap('java_idx_605_section1')
else:
section1_map = None
try:
section1, data_size = self._ReadStructureFromFileObject(
file_object, file_offset, section1_map)
except (ValueError, errors.ParseError) as exception:
raise errors.WrongParser(
f'Unable to parse section 1 (format version: '
f'{file_header.format_version:d}) with error: {exception!s}')
file_offset += data_size
if file_header.format_version == 602:
section2_map = self._GetDataTypeMap('java_idx_602_section2')
elif file_header.format_version in (603, 604, 605):
file_offset = 128
section2_map = self._GetDataTypeMap('java_idx_603_section2')
else:
section2_map = None
try:
section2, data_size = self._ReadStructureFromFileObject(
file_object, file_offset, section2_map)
except (ValueError, errors.ParseError) as exception:
raise errors.WrongParser(
f'Unable to parse section 2 (format version: '
f'{file_header.format_version:d}) with error: {exception!s}')
file_offset += data_size
if not section2.url:
raise errors.WrongParser('URL not found in file.')
date_http_header = None
for _ in range(section2.number_of_http_headers):
http_header_map = self._GetDataTypeMap('java_idx_http_header')
try:
http_header, data_size = self._ReadStructureFromFileObject(
file_object, file_offset, http_header_map)
except (ValueError, errors.ParseError) as exception:
parser_mediator.ProduceExtractionWarning(
f'Unable to parse HTTP header value at offset: 0x{file_offset:08x}')
break
file_offset += data_size
if http_header.name == 'date':
date_http_header = http_header
break
if date_http_header:
# A HTTP header date and time should be formatted according to RFC 1123.
# The date "should" be in UTC or have associated time zone information
# in the string itself. If that is not the case then there is no reliable
# method for Plaso to determine the proper time zone, so the assumption
# is that the date and time is in UTC.
try:
downloaded_time = dfdatetime_time_elements.TimeElements()
downloaded_time.CopyFromStringRFC1123(date_http_header.value)
except ValueError as exception:
parser_mediator.ProduceExtractionWarning(
f'Unable to parse date HTTP header string: '
f'{date_http_header.value:s} with error: {exception!s}')
event_data = JavaIDXEventData()
event_data.downloaded_time = downloaded_time
event_data.idx_version = file_header.format_version
event_data.ip_address = getattr(section2, 'ip_address', None)
event_data.modification_time = dfdatetime_java_time.JavaTime(
timestamp=section1.modification_time)
event_data.url = section2.url
if section1.expiration_time:
event_data.expiration_time = dfdatetime_java_time.JavaTime(
timestamp=section1.expiration_time)
parser_mediator.ProduceEventData(event_data)
manager.ParsersManager.RegisterParser(JavaIDXParser)