LEFT | RIGHT |
1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """Parser for the Mac OS X Document Versions files.""" | 2 """Parser for the Mac OS X Document Versions files.""" |
3 | 3 |
4 from dfdatetime import posix_time as dfdatetime_posix_time | 4 from dfdatetime import posix_time as dfdatetime_posix_time |
5 | 5 |
6 from plaso.containers import events | 6 from plaso.containers import events |
7 from plaso.containers import time_events | 7 from plaso.containers import time_events |
8 from plaso.lib import eventdata | 8 from plaso.lib import eventdata |
9 from plaso.parsers import sqlite | 9 from plaso.parsers import sqlite |
10 from plaso.parsers.sqlite_plugins import interface | 10 from plaso.parsers.sqlite_plugins import interface |
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
52 QUERIES = [ | 52 QUERIES = [ |
53 ((u'SELECT f.file_name AS name, f.file_path AS path, ' | 53 ((u'SELECT f.file_name AS name, f.file_path AS path, ' |
54 u'f.file_last_seen AS last_time, g.generation_path AS version_path, ' | 54 u'f.file_last_seen AS last_time, g.generation_path AS version_path, ' |
55 u'g.generation_add_time AS version_time FROM files f, generations g ' | 55 u'g.generation_add_time AS version_time FROM files f, generations g ' |
56 u'WHERE f.file_storage_id = g.generation_storage_id;'), | 56 u'WHERE f.file_storage_id = g.generation_storage_id;'), |
57 u'DocumentVersionsRow')] | 57 u'DocumentVersionsRow')] |
58 | 58 |
59 # The required tables for the query. | 59 # The required tables for the query. |
60 REQUIRED_TABLES = frozenset([u'files', u'generations']) | 60 REQUIRED_TABLES = frozenset([u'files', u'generations']) |
61 | 61 |
62 SCHEMAS = [ | 62 SCHEMAS = [{ |
63 {u'files': | 63 u'files': ( |
64 u'CREATE TABLE files (file_row_id INTEGER PRIMARY KEY ASC,file_name ' | 64 u'CREATE TABLE files (file_row_id INTEGER PRIMARY KEY ASC, file_name ' |
65 u'TEXT,file_parent_id INTEGER,file_path TEXT,file_inode ' | 65 u'TEXT, file_parent_id INTEGER, file_path TEXT, file_inode INTEGER, ' |
66 u'INTEGER,file_last_seen INTEGER NOT NULL DEFAULT 0,file_status ' | 66 u'file_last_seen INTEGER NOT NULL DEFAULT 0, file_status INTEGER NOT ' |
67 u'INTEGER NOT NULL DEFAULT 1,file_storage_id INTEGER NOT NULL)', | 67 u'NULL DEFAULT 1, file_storage_id INTEGER NOT NULL)'), |
68 u'generations': | 68 u'generations': ( |
69 u'CREATE TABLE generations (generation_id INTEGER PRIMARY KEY ' | 69 u'CREATE TABLE generations (generation_id INTEGER PRIMARY KEY ASC, ' |
70 u'ASC,generation_storage_id INTEGER NOT NULL,generation_name TEXT NOT ' | 70 u'generation_storage_id INTEGER NOT NULL, generation_name TEXT NOT ' |
71 u'NULL,generation_client_id TEXT NOT NULL,generation_path TEXT ' | 71 u'NULL, generation_client_id TEXT NOT NULL, generation_path TEXT ' |
72 u'UNIQUE,generation_options INTEGER NOT NULL DEFAULT ' | 72 u'UNIQUE, generation_options INTEGER NOT NULL DEFAULT 1, ' |
73 u'1,generation_status INTEGER NOT NULL DEFAULT 1,generation_add_time ' | 73 u'generation_status INTEGER NOT NULL DEFAULT 1, generation_add_time ' |
74 u'INTEGER NOT NULL DEFAULT 0,generation_size INTEGER NOT NULL DEFAULT ' | 74 u'INTEGER NOT NULL DEFAULT 0, generation_size INTEGER NOT NULL ' |
75 u'0,generation_prunable INTEGER NOT NULL DEFAULT 0)', | 75 u'DEFAULT 0, generation_prunable INTEGER NOT NULL DEFAULT 0)'), |
76 u'storage': | 76 u'storage': ( |
77 u'CREATE TABLE storage (storage_id INTEGER PRIMARY KEY ASC ' | 77 u'CREATE TABLE storage (storage_id INTEGER PRIMARY KEY ASC ' |
78 u'AUTOINCREMENT,storage_options INTEGER NOT NULL DEFAULT ' | 78 u'AUTOINCREMENT, storage_options INTEGER NOT NULL DEFAULT 1, ' |
79 u'1,storage_status INTEGER NOT NULL DEFAULT 1)'}] | 79 u'storage_status INTEGER NOT NULL DEFAULT 1)')}] |
80 | 80 |
81 # The SQL field path is the relative path from DocumentRevisions. | 81 # The SQL field path is the relative path from DocumentRevisions. |
82 # For this reason the Path to the program has to be added at the beginning. | 82 # For this reason the Path to the program has to be added at the beginning. |
83 ROOT_VERSION_PATH = u'/.DocumentRevisions-V100/' | 83 ROOT_VERSION_PATH = u'/.DocumentRevisions-V100/' |
84 | 84 |
85 def DocumentVersionsRow( | 85 def DocumentVersionsRow( |
86 self, parser_mediator, row, query=None, **unused_kwargs): | 86 self, parser_mediator, row, query=None, **unused_kwargs): |
87 """Parses a document versions row. | 87 """Parses a document versions row. |
88 | 88 |
89 Args: | 89 Args: |
(...skipping 25 matching lines...) Expand all Loading... |
115 event_data.user_sid = u'{0!s}'.format(user_sid) | 115 event_data.user_sid = u'{0!s}'.format(user_sid) |
116 event_data.version_path = version_path | 116 event_data.version_path = version_path |
117 | 117 |
118 date_time = dfdatetime_posix_time.PosixTime(timestamp=row['version_time']) | 118 date_time = dfdatetime_posix_time.PosixTime(timestamp=row['version_time']) |
119 event = time_events.DateTimeValuesEvent( | 119 event = time_events.DateTimeValuesEvent( |
120 date_time, eventdata.EventTimestamp.CREATION_TIME) | 120 date_time, eventdata.EventTimestamp.CREATION_TIME) |
121 parser_mediator.ProduceEventWithEventData(event, event_data) | 121 parser_mediator.ProduceEventWithEventData(event, event_data) |
122 | 122 |
123 | 123 |
124 sqlite.SQLiteParser.RegisterPlugin(MacDocumentVersionsPlugin) | 124 sqlite.SQLiteParser.RegisterPlugin(MacDocumentVersionsPlugin) |
LEFT | RIGHT |