Move path_spec exporting to filestat event exporter.

Author: casework

case_plaso/__init__.py

@@ -1,9 +1,5 @@
 
 import rdflib
-from rdflib import RDF
-
-# Store CASE binding in here, because it needs to be used in many modules.
-CASE = rdflib.Namespace('http://case.example.org/core#')
 
 # Store custom properties and objects not defined in CASE as the PLASO prefix.
 PLASO = rdflib.Namespace('http://plaso.example.org/core#')

case_plaso/event_exporters/__init__.py

@@ -1,4 +1,5 @@
 # -*- coding: utf-8 -*-
 
 from case_plaso.event_exporters import android_calls
+from case_plaso.event_exporters import filestat
 from case_plaso.event_exporters import ntfs

case_plaso/event_exporters/filestat.py

@@ -0,0 +1,90 @@
+
+import os
+
+from case import CASE
+from case_plaso import event_exporter, lib, mappings, property_bundles
+
+
+@event_exporter.register
+class FileStatExporter(event_exporter.EventExporter):
+
+    DATA_TYPE = 'fs:stat'
+
+    TIMESTAMP_MAP = {
+        'atime': 'accessedTime',
+        'ctime': 'metadataChangedTime',
+        'crtime': 'createdTime',
+        'mtime': 'modifiedTime'}
+
+    def __init__(self, document):
+        super(FileStatExporter, self).__init__(document)
+        self._path_spec_traces = {}
+
+    def export_path_spec(self, path_spec):
+        """Exports the given DFVFS path spec into the graph.
+
+        Returns: tuple containing URIRefs for Trace and File property bundle.
+        """
+        comparable = path_spec.comparable
+        if comparable in self._path_spec_traces:
+            return self._path_spec_traces[comparable]
+
+        trace = self.document.create_trace()
+        file_pb = trace.create_property_bundle('File')
+
+        self._path_spec_traces[comparable] = (trace, file_pb)
+
+        # Add file path information.
+        location = getattr(path_spec, 'location', None)
+        if location:
+            file_pb.add('filePath', location)
+            file_name, extension = os.path.splitext(os.path.basename(location))
+            file_pb.add('fileName', file_name)
+            if extension:
+                file_pb.add('extension', extension)
+
+        file_pb.add(
+            'fileSystemType', mappings.FileSystemType.get(path_spec.type_indicator, None))
+
+        # If path spec has a parent, create the parent then create a relationship
+        # object pointing to its parent.
+        if path_spec.HasParent():
+            parent_trace, _ = self.export_path_spec(path_spec.parent)
+            relationship = self.document.create_relationship(
+                source=trace,
+                target=parent_trace,
+                kindOfRelationship=mappings.kindOfRelationship.get(
+                    path_spec.type_indicator, mappings.kindOfRelationship['_default']),
+                # TODO: Not exactly sure what isDirectional means..
+                isDirectional=True)
+
+            # Add a property bundle to relationship if available.
+            property_bundles.construct(path_spec.type_indicator, relationship)
+
+        return trace, file_pb
+
+    def export_event(self, event):
+        trace, file_pb = self.export_path_spec(event.pathspec)
+        # NOTE: Re-adding the same property is fine. Duplicate triples will be removed.
+        file_pb.add(
+            'fileSystemType', mappings.FileSystemType.get(event.file_system_type, None))
+        file_pb.add('isAllocated', event.is_allocated)
+        file_pb.add('fileSize', getattr(event, 'file_size', None))
+        # TODO: What is file_entry_type?
+
+        # Add timestamps.
+        if event.timestamp_desc in self.TIMESTAMP_MAP:
+            file_pb.add(
+                self.TIMESTAMP_MAP[event.timestamp_desc],
+                lib.convert_timestamp(event.timestamp))
+
+        # Add file system specific property bundles.
+        # TODO: Is there anyway to get more information?
+        elif event.timestamp_desc == 'bkup_time':
+            trace.create_property_bundle(
+                'HFSFileSystem',
+                hfsBackupTime=lib.convert_timestamp(event.timestamp))
+        elif event.timestamp_desc == 'dtime':
+            trace.create_property_bundle(
+                'ExtInode',
+                extDeletionTime=lib.convert_timestamp(event.timestamp))

case_plaso/event_exporters/ntfs.py

@@ -1,6 +1,7 @@
 
 from plaso.lib.eventdata import EventTimestamp
 
+from case import CASE
 from case_plaso import event_exporter, lib
 
 
@@ -16,8 +17,9 @@ class NTFSExporter(event_exporter.EventExporter):
         EventTimestamp.ENTRY_MODIFICATION_TIME: 'mftFileNameRecordChangeTime'}
 
     def export_event_data(self, event):
-        # TODO: Figure out how to associate MftRecord pb with the accosiated
+        # TODO: Figure out how to associate MftRecord pb with the associated
         # File pb so we don't have to make separate traces.
+        # (The path spec points to the $Mft file.)
         trace = self.document.create_trace()
         pb = trace.create_property_bundle(
             'MftRecord',
@@ -28,7 +30,9 @@ def export_event_data(self, event):
 
     def export_timestamp(self, event, pb):
         try:
-            pb.add(self.TIMESTAMP_MAP[event.timestamp_desc], lib.convert_timestamp(event.timestamp))
+            pb.add(
+                self.TIMESTAMP_MAP[event.timestamp_desc],
+                lib.convert_timestamp(event.timestamp))
         except KeyError:
             # TODO: Log this or something.
             pass

case_plaso/mappings.py

@@ -2,7 +2,7 @@
 
 from dfvfs.lib import definitions as dfvfs_definitions
 
-from case_plaso import CASE
+from case import CASE
 
 # Maps dfvfs compression methods to CASE CompressionMethod
 CompressionMethod = {

case_plaso/plaso_exporter.py

@@ -1,7 +1,5 @@
 
 import os
-import rdflib
-from rdflib import RDF, OWL, BNode, Literal
 from dfvfs.lib import definitions as dfvfs_definitions
 from plaso.storage import zip_file
 
@@ -26,13 +24,10 @@ def __init__(self, document):
         self.document = document
         # Add 'plaso' prefix used by custom property bundles to internal graph.
         self.document.graph.namespace_manager.bind('plaso', PLASO)
-        self._path_spec_traces = {}
-        self._event_traces = {}
         self._event_exporters = {}
 
-    def get_event_exporter(self, event):
-        """Retrieves event exporter for given event."""
-        data_type = event.data_type
+    def get_event_exporter(self, data_type):
+        """Retrieves event exporter for given event data_type."""
         if data_type not in self._event_exporters:
             self._event_exporters[data_type] = EventExporter.from_data_type(
                 data_type, self.document)
@@ -43,43 +38,10 @@ def export_path_spec(self, path_spec):
 
         Returns: tuple containing URIRefs for Trace and File property bundle.
         """
-        comparable = path_spec.comparable
-        if comparable in self._path_spec_traces:
-            # TODO: When filestat events call this, it will want to add more timestamps to the file pb.
-            return self._path_spec_traces[comparable]
-
-        trace = self.document.create_trace()
-        file_pb = trace.create_property_bundle('File')
-
-        self._path_spec_traces[comparable] = (trace, file_pb)
-
-        # Add file path information.
-        location = getattr(path_spec, 'location', None)
-        if location:
-            file_pb.add('filePath', location)
-            file_name, extension = os.path.splitext(os.path.basename(location))
-            file_pb.add('fileName', file_name)
-            file_pb.add('extension', extension)
-
-        file_pb.add(
-            'fileSystemType', mappings.FileSystemType.get(path_spec.type_indicator, None))
-
-        # If path spec has a parent, create the parent then create a relationship
-        # object pointing to its parent.
-        if path_spec.HasParent():
-            parent_trace, _ = self.export_path_spec(path_spec.parent)
-            relationship = self.document.create_relationship(
-                source=trace,
-                target=parent_trace,
-                kindOfRelationship=mappings.kindOfRelationship.get(
-                    path_spec.type_indicator, mappings.kindOfRelationship['_default']),
-                # TODO: Not exactly sure what isDirectional means..
-                isDirectional=True)
-
-            # Add a property bundle to relationship if available.
-            property_bundles.construct(path_spec.type_indicator, relationship)
-
-        return trace, file_pb
+        # The event exporter for 'fs:stat' contains functionality to export
+        # path_specs.
+        file_stat_exporter = self.get_event_exporter('fs:stat')
+        return file_stat_exporter.export_path_spec(path_spec)
 
     def export_event_source(self, event_source):
         if event_source.file_entry_type == dfvfs_definitions.FILE_ENTRY_TYPE_DEVICE:
@@ -96,20 +58,9 @@ def export_event_source(self, event_source):
             pass
 
     def export_event(self, event):
-        # Append extra file stat information to the "File" property bundle.
-        if event.data_type == 'fs:stat':
-            trace, file_pb = self.export_path_spec(event.pathspec)
-            file_pb.add(
-                'fileSystemType', mappings.FileSystemType.get(event.file_system_type, None))
-            file_pb.add('isAllocated', event.is_allocated)
-            file_pb.add('fileSize', getattr(event, 'file_size', None))
-
-            # # Add extra file system specific property bundles. (eg. MFtRecord, Inode)
-            # property_bundles.construct(event.data_type, trace, event)
-
-        else:
-            event_exporter = self.get_event_exporter(event)
-            event_exporter.export_event(event)
+        """Exports the given plaso EventObject into the graph."""
+        event_exporter = self.get_event_exporter(event.data_type)
+        event_exporter.export_event(event)
 
     def export_storage_file(self, storage_file):
         """Extracts and exports plaso event data and sources into the graph."""

case_plaso/property_bundles.py

@@ -1,9 +1,8 @@
 """Contains constructors for converting dfvfs and plaso entities into CASE property bundles."""
 
-from rdflib import RDF, Literal, BNode
 from dfvfs.lib import definitions as dfvfs_definitions
 
-from case_plaso import CASE, mappings
+from case_plaso import mappings
 
 
 # Register functions based on indicators.
@@ -62,13 +61,3 @@ def SQLiteBlob(uco_object, path_spec):
         pb.add('rowIndex', path_spec.row_index)
     elif hasattr(path_spec, 'row_condition'):
         pb.add('rowCondition', ' '.join(path_spec.row_condition))
-
-
-@register('fs:stat:ntfs')
-def MftRecord(uco_object, event):
-    uco_object.create_property_bundle(
-        'MftRecord',
-        mftFileID=getattr(event, 'file_reference', None),
-        mftFlags=getattr(event, 'file_attribute_flags', None),
-        mftParentID=getattr(event, 'parent_file_reference', None))
-