1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """This file contains a parser for the Kik database on iOS. | 2 """This file contains a parser for the Kik database on iOS. |
3 | 3 |
4 Kik messages on iOS devices are stored in an | 4 Kik messages on iOS devices are stored in an |
5 SQLite database file named kik.sqlite. | 5 SQLite database file named kik.sqlite. |
6 """ | 6 """ |
7 | 7 |
8 from dfdatetime import cocoa_time as dfdatetime_cocoa_time | 8 from dfdatetime import cocoa_time as dfdatetime_cocoa_time |
9 | 9 |
10 from plaso.containers import events | 10 from plaso.containers import events |
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
46 # Define the needed queries. | 46 # Define the needed queries. |
47 QUERIES = [ | 47 QUERIES = [ |
48 (u'SELECT a.Z_PK AS id, b.ZUSERNAME, b.ZDISPLAYNAME,' | 48 (u'SELECT a.Z_PK AS id, b.ZUSERNAME, b.ZDISPLAYNAME,' |
49 u'a.ZRECEIVEDTIMESTAMP, a.ZSTATE, a.ZTYPE, a.ZBODY ' | 49 u'a.ZRECEIVEDTIMESTAMP, a.ZSTATE, a.ZTYPE, a.ZBODY ' |
50 u'FROM ZKIKMESSAGE a JOIN ZKIKUSER b ON b.ZEXTRA = a.ZUSER', | 50 u'FROM ZKIKMESSAGE a JOIN ZKIKUSER b ON b.ZEXTRA = a.ZUSER', |
51 u'ParseMessageRow')] | 51 u'ParseMessageRow')] |
52 | 52 |
53 # The required tables. | 53 # The required tables. |
54 REQUIRED_TABLES = frozenset([u'ZKIKMESSAGE', u'ZKIKUSER']) | 54 REQUIRED_TABLES = frozenset([u'ZKIKMESSAGE', u'ZKIKUSER']) |
55 | 55 |
56 SCHEMAS = [ | 56 SCHEMAS = [{ |
57 {u'Z_3MESSAGES': | 57 u'Z_3MESSAGES': ( |
58 u'CREATE TABLE Z_3MESSAGES ( Z_3CHAT INTEGER, Z_5MESSAGES INTEGER, ' | 58 u'CREATE TABLE Z_3MESSAGES ( Z_3CHAT INTEGER, Z_5MESSAGES INTEGER, ' |
59 u'PRIMARY KEY (Z_3CHAT, Z_5MESSAGES) )', | 59 u'PRIMARY KEY (Z_3CHAT, Z_5MESSAGES) )'), |
60 u'Z_6ADMINSINVERSE': | 60 u'Z_6ADMINSINVERSE': ( |
61 u'CREATE TABLE Z_6ADMINSINVERSE ( Z_6ADMINS INTEGER, Z_6ADMINSINVERSE ' | 61 u'CREATE TABLE Z_6ADMINSINVERSE ( Z_6ADMINS INTEGER, ' |
62 u'INTEGER, PRIMARY KEY (Z_6ADMINS, Z_6ADMINSINVERSE) )', | 62 u'Z_6ADMINSINVERSE INTEGER, PRIMARY KEY (Z_6ADMINS, ' |
63 u'Z_6BANSINVERSE': | 63 u'Z_6ADMINSINVERSE) )'), |
64 u'CREATE TABLE Z_6BANSINVERSE ( Z_6BANS INTEGER, Z_6BANSINVERSE ' | 64 u'Z_6BANSINVERSE': ( |
65 u'INTEGER, PRIMARY KEY (Z_6BANS, Z_6BANSINVERSE) )', | 65 u'CREATE TABLE Z_6BANSINVERSE ( Z_6BANS INTEGER, Z_6BANSINVERSE ' |
66 u'Z_6MEMBERS': | 66 u'INTEGER, PRIMARY KEY (Z_6BANS, Z_6BANSINVERSE) )'), |
67 u'CREATE TABLE Z_6MEMBERS ( Z_6MEMBERSINVERSE INTEGER, Z_6MEMBERS ' | 67 u'Z_6MEMBERS': ( |
68 u'INTEGER, PRIMARY KEY (Z_6MEMBERSINVERSE, Z_6MEMBERS) )', | 68 u'CREATE TABLE Z_6MEMBERS ( Z_6MEMBERSINVERSE INTEGER, Z_6MEMBERS ' |
69 u'Z_METADATA': | 69 u'INTEGER, PRIMARY KEY (Z_6MEMBERSINVERSE, Z_6MEMBERS) )'), |
70 u'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID ' | 70 u'Z_METADATA': ( |
71 u'VARCHAR(255), Z_PLIST BLOB)', | 71 u'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID ' |
72 u'Z_PRIMARYKEY': | 72 u'VARCHAR(255), Z_PLIST BLOB)'), |
73 u'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME ' | 73 u'Z_PRIMARYKEY': ( |
74 u'VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)', | 74 u'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME ' |
75 u'ZKIKATTACHMENT': | 75 u'VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'), |
76 u'CREATE TABLE ZKIKATTACHMENT ( Z_PK INTEGER PRIMARY KEY, Z_ENT ' | 76 u'ZKIKATTACHMENT': ( |
77 u'INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ' | 77 u'CREATE TABLE ZKIKATTACHMENT ( Z_PK INTEGER PRIMARY KEY, Z_ENT ' |
78 u'ZRETRYCOUNT INTEGER, ZSTATE INTEGER, ZTYPE INTEGER, ZEXTRA INTEGER, ' | 78 u'INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ' |
79 u'ZMESSAGE INTEGER, ZLASTACCESSTIMESTAMP TIMESTAMP, ZTIMESTAMP ' | 79 u'ZRETRYCOUNT INTEGER, ZSTATE INTEGER, ZTYPE INTEGER, ZEXTRA ' |
80 u'TIMESTAMP, ZCONTENT VARCHAR )', | 80 u'INTEGER, ZMESSAGE INTEGER, ZLASTACCESSTIMESTAMP TIMESTAMP, ' |
81 u'ZKIKATTACHMENTEXTRA': | 81 u'ZTIMESTAMP TIMESTAMP, ZCONTENT VARCHAR )'), |
82 u'CREATE TABLE ZKIKATTACHMENTEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT ' | 82 u'ZKIKATTACHMENTEXTRA': ( |
83 u'INTEGER, Z_OPT INTEGER, ZATTACHMENT INTEGER, ZENCRYPTIONKEY BLOB )', | 83 u'CREATE TABLE ZKIKATTACHMENTEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT ' |
84 u'ZKIKCHAT': | 84 u'INTEGER, Z_OPT INTEGER, ZATTACHMENT INTEGER, ZENCRYPTIONKEY ' |
85 u'CREATE TABLE ZKIKCHAT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, ' | 85 u'BLOB )'), |
86 u'Z_OPT INTEGER, ZFLAGS INTEGER, ZDRAFTMESSAGE INTEGER, ZEXTRA ' | 86 u'ZKIKCHAT': ( |
87 u'INTEGER, ZLASTMESSAGE INTEGER, ZUSER INTEGER, ZDATEUPDATED ' | 87 u'CREATE TABLE ZKIKCHAT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, ' |
88 u'TIMESTAMP )', | 88 u'Z_OPT INTEGER, ZFLAGS INTEGER, ZDRAFTMESSAGE INTEGER, ZEXTRA ' |
89 u'ZKIKCHATEXTRA': | 89 u'INTEGER, ZLASTMESSAGE INTEGER, ZUSER INTEGER, ZDATEUPDATED ' |
90 u'CREATE TABLE ZKIKCHATEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT ' | 90 u'TIMESTAMP )'), |
91 u'INTEGER, Z_OPT INTEGER, ZCHAT INTEGER, ZLASTSEENMESSAGE INTEGER, ' | 91 u'ZKIKCHATEXTRA': ( |
92 u'ZMUTEDTIMESTAMP TIMESTAMP )', | 92 u'CREATE TABLE ZKIKCHATEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT ' |
93 u'ZKIKMESSAGE': | 93 u'INTEGER, Z_OPT INTEGER, ZCHAT INTEGER, ZLASTSEENMESSAGE INTEGER, ' |
94 u'CREATE TABLE ZKIKMESSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, ' | 94 u'ZMUTEDTIMESTAMP TIMESTAMP )'), |
95 u'Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZSTATE INTEGER, ' | 95 u'ZKIKMESSAGE': ( |
96 u'ZSYSTEMSTATE INTEGER, ZTYPE INTEGER, ZCHATEXTRA INTEGER, ' | 96 u'CREATE TABLE ZKIKMESSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT ' |
97 u'ZDRAFTMESSAGECHAT INTEGER, ZLASTMESSAGECHAT INTEGER, ' | 97 u'INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ' |
98 u'ZLASTMESSAGEUSER INTEGER, ZUSER INTEGER, ZRECEIVEDTIMESTAMP ' | 98 u'ZSTATE INTEGER, ZSYSTEMSTATE INTEGER, ZTYPE INTEGER, ZCHATEXTRA ' |
99 u'TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZBODY VARCHAR, ZSTANZAID VARCHAR, ' | 99 u'INTEGER, ZDRAFTMESSAGECHAT INTEGER, ZLASTMESSAGECHAT INTEGER, ' |
100 u'ZRENDERINSTRUCTIONSET BLOB )', | 100 u'ZLASTMESSAGEUSER INTEGER, ZUSER INTEGER, ZRECEIVEDTIMESTAMP ' |
101 u'ZKIKUSER': | 101 u'TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZBODY VARCHAR, ZSTANZAID VARCHAR, ' |
102 u'CREATE TABLE ZKIKUSER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, ' | 102 u'ZRENDERINSTRUCTIONSET BLOB )'), |
103 u'Z_OPT INTEGER, ZADDRESSBOOKID INTEGER, ZFLAGS INTEGER, ZINTERNALID ' | 103 u'ZKIKUSER': ( |
104 u'INTEGER, ZPRESENCE INTEGER, ZTYPE INTEGER, ZCHATUSER INTEGER, ' | 104 u'CREATE TABLE ZKIKUSER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, ' |
105 u'ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZDISPLAYNAME VARCHAR, ' | 105 u'Z_OPT INTEGER, ZADDRESSBOOKID INTEGER, ZFLAGS INTEGER, ZINTERNALID ' |
106 u'ZDISPLAYNAMEASCII VARCHAR, ZEMAIL VARCHAR, ZFIRSTNAME VARCHAR, ' | 106 u'INTEGER, ZPRESENCE INTEGER, ZTYPE INTEGER, ZCHATUSER INTEGER, ' |
107 u'ZGROUPTAG VARCHAR, ZJID VARCHAR, ZLASTNAME VARCHAR, ZPPTIMESTAMP ' | 107 u'ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZDISPLAYNAME VARCHAR, ' |
108 u'VARCHAR, ZPPURL VARCHAR, ZSTATUS VARCHAR, ZUSERNAME VARCHAR, ' | 108 u'ZDISPLAYNAMEASCII VARCHAR, ZEMAIL VARCHAR, ZFIRSTNAME VARCHAR, ' |
109 u'ZCONTENTLINKSPROTODATA BLOB )', | 109 u'ZGROUPTAG VARCHAR, ZJID VARCHAR, ZLASTNAME VARCHAR, ZPPTIMESTAMP ' |
110 u'ZKIKUSEREXTRA': | 110 u'VARCHAR, ZPPURL VARCHAR, ZSTATUS VARCHAR, ZUSERNAME VARCHAR, ' |
111 u'CREATE TABLE ZKIKUSEREXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT ' | 111 u'ZCONTENTLINKSPROTODATA BLOB )'), |
112 u'INTEGER, Z_OPT INTEGER, ZLOCALFLAGS INTEGER, ZUSER INTEGER, ' | 112 u'ZKIKUSEREXTRA': ( |
113 u'ZPUBLICMESSAGINGKEY BLOB )'}] | 113 u'CREATE TABLE ZKIKUSEREXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT ' |
| 114 u'INTEGER, Z_OPT INTEGER, ZLOCALFLAGS INTEGER, ZUSER INTEGER, ' |
| 115 u'ZPUBLICMESSAGINGKEY BLOB )')}] |
114 | 116 |
115 def ParseMessageRow(self, parser_mediator, row, query=None, **unused_kwargs): | 117 def ParseMessageRow(self, parser_mediator, row, query=None, **unused_kwargs): |
116 """Parses a message row. | 118 """Parses a message row. |
117 | 119 |
118 Args: | 120 Args: |
119 parser_mediator (ParserMediator): mediates interactions between parsers | 121 parser_mediator (ParserMediator): mediates interactions between parsers |
120 and other components, such as storage and dfvfs. | 122 and other components, such as storage and dfvfs. |
121 row (sqlite3.Row): row. | 123 row (sqlite3.Row): row. |
122 query (Optional[str]): query. | 124 query (Optional[str]): query. |
123 """ | 125 """ |
(...skipping 11 matching lines...) Expand all Loading... |
135 | 137 |
136 # Convert the floating point value to an integer. | 138 # Convert the floating point value to an integer. |
137 timestamp = int(row['ZRECEIVEDTIMESTAMP']) | 139 timestamp = int(row['ZRECEIVEDTIMESTAMP']) |
138 date_time = dfdatetime_cocoa_time.CocoaTime(timestamp=timestamp) | 140 date_time = dfdatetime_cocoa_time.CocoaTime(timestamp=timestamp) |
139 event = time_events.DateTimeValuesEvent( | 141 event = time_events.DateTimeValuesEvent( |
140 date_time, eventdata.EventTimestamp.CREATION_TIME) | 142 date_time, eventdata.EventTimestamp.CREATION_TIME) |
141 parser_mediator.ProduceEventWithEventData(event, event_data) | 143 parser_mediator.ProduceEventWithEventData(event, event_data) |
142 | 144 |
143 | 145 |
144 sqlite.SQLiteParser.RegisterPlugin(KikIOSPlugin) | 146 sqlite.SQLiteParser.RegisterPlugin(KikIOSPlugin) |
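Review bot: `timestamp = int(row['ZRECEIVEDTIMESTAMP'])` in the unchanged tail of ParseMessageRow has no guard for a NULL or non-numeric column, so a single damaged or tampered row in an evidence database would raise TypeError or ValueError; whether the caller catches that is not visible on this page. A guard such as `if row['ZRECEIVEDTIMESTAMP'] is None:` that reports the row through parser_mediator, rather than skipping it silently, would keep the rest of the messages in the timeline. The cast also discards the sub-second part of a value the comment describes as floating point, which is worth stating in that comment if it is intentional. The function body starts outside the visible lines, so an earlier check may already exist. The SCHEMAS rewrap itself appears to leave every concatenated CREATE TABLE string unchanged.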