Changes after review

log2timeline · Dec 25, 2024 · 600daae · 600daae
1 parent ff4f6af
commit 600daae
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/plaso/parsers/winreg_plugins/amcache.py b/plaso/parsers/winreg_plugins/amcache.py
@@ -18,6 +18,8 @@ class AMCacheFileEventData(events.EventData):
   """AMCache file event data.
 
   Attributes:
+    application_key_last_written_time (dfdatetime.DateTimeValues): last written
+        date and time of the application key.
     company_name (str): company name that created product file belongs to.
     file_creation_time (dfdatetime.DateTimeValues): file entry creation date
         and time.
@@ -49,6 +51,7 @@ class AMCacheFileEventData(events.EventData):
   def __init__(self):
     """Initializes event data."""
     super(AMCacheFileEventData, self).__init__(data_type=self.DATA_TYPE)
+    self.application_key_last_written_time = None
     self.company_name = None
     self.file_creation_time = None
     self.file_description = None
@@ -239,7 +242,8 @@ def _ParseApplicationSubKey(self, parser_mediator, application_sub_key):
       event_data.link_time = self._ParseDateStringValue(
           parser_mediator, application_sub_key.path, link_date_value)
 
-    event_data.last_written_time = application_sub_key.last_written_time
+    event_data.application_key_last_written_time = (
+        application_sub_key.last_written_time)
 
     parser_mediator.ProduceEventData(event_data)
 

diff --git a/tests/parsers/winreg_plugins/amcache.py b/tests/parsers/winreg_plugins/amcache.py
@@ -55,6 +55,7 @@ def testProcess(self):
         'is-f4510.tmp\\idafree50.tmp')
 
     expected_event_values = {
+        'application_key_last_written_time': None,
         'data_type': 'windows:registry:amcache',
         'file_creation_time': '2017-08-01T12:43:35.1772758+00:00',
         'file_modification_time': '2017-08-01T12:43:35.3024523+00:00',
@@ -113,13 +114,14 @@ def testProcessWindows10(self):
     self.assertEqual(number_of_warnings, 0)
 
     expected_event_values = {
+        'application_key_last_written_time': '2019-12-17T05:30:28.2416496+00:00',
         'data_type': 'windows:registry:amcache',
         'file_creation_time': None,
         'file_identifier': '000075c5a97f521f760e32a4a9639a653eed862e9c61',
         'file_modification_time': None,
         'full_path': 'c:\\windows\\system32\\svchost.exe',
         'installation_time': None,
-        'last_written_time': '2019-12-17T05:30:28.2416496+00:00',
+        'last_written_time': None,
         'link_time': '1997-01-10T22:26:24+00:00',
         'msi_installation_time': None}