LEFT | RIGHT |
1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """This file contains a parser for the Google Drive snapshots. | 2 """This file contains a parser for the Google Drive snapshots. |
3 | 3 |
4 The Google Drive snapshots are stored in SQLite database files named | 4 The Google Drive snapshots are stored in SQLite database files named |
5 snapshot.db. | 5 snapshot.db. |
6 """ | 6 """ |
7 | 7 |
8 from dfdatetime import posix_time as dfdatetime_posix_time | 8 from dfdatetime import posix_time as dfdatetime_posix_time |
9 | 9 |
10 from plaso.containers import events | 10 from plaso.containers import events |
(...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
77 u'ParseCloudEntryRow'), | 77 u'ParseCloudEntryRow'), |
78 ((u'SELECT inode_number, filename, modified, checksum, size ' | 78 ((u'SELECT inode_number, filename, modified, checksum, size ' |
79 u'FROM local_entry WHERE modified IS NOT NULL;'), | 79 u'FROM local_entry WHERE modified IS NOT NULL;'), |
80 u'ParseLocalEntryRow')] | 80 u'ParseLocalEntryRow')] |
81 | 81 |
82 # The required tables. | 82 # The required tables. |
83 REQUIRED_TABLES = frozenset([ | 83 REQUIRED_TABLES = frozenset([ |
84 u'cloud_entry', u'cloud_relations', u'local_entry', u'local_relations', | 84 u'cloud_entry', u'cloud_relations', u'local_entry', u'local_relations', |
85 u'mapping', u'overlay_status']) | 85 u'mapping', u'overlay_status']) |
86 | 86 |
87 SCHEMAS = [ | 87 SCHEMAS = [{ |
88 {u'cloud_entry': | 88 u'cloud_entry': ( |
89 u'CREATE TABLE cloud_entry (resource_id TEXT, filename TEXT, modified ' | 89 u'CREATE TABLE cloud_entry (resource_id TEXT, filename TEXT, ' |
90 u'INTEGER, created INTEGER, acl_role INTEGER, doc_type INTEGER, ' | 90 u'modified INTEGER, created INTEGER, acl_role INTEGER, doc_type ' |
91 u'removed INTEGER, url TEXT, size INTEGER, checksum TEXT, shared ' | 91 u'INTEGER, removed INTEGER, url TEXT, size INTEGER, checksum TEXT, ' |
92 u'INTEGER, PRIMARY KEY (resource_id))', | 92 u'shared INTEGER, PRIMARY KEY (resource_id))'), |
93 u'cloud_relations': | 93 u'cloud_relations': ( |
94 u'CREATE TABLE cloud_relations (child_resource_id TEXT, ' | 94 u'CREATE TABLE cloud_relations (child_resource_id TEXT, ' |
95 u'parent_resource_id TEXT, UNIQUE (child_resource_id, ' | 95 u'parent_resource_id TEXT, UNIQUE (child_resource_id, ' |
96 u'parent_resource_id), FOREIGN KEY (child_resource_id) REFERENCES ' | 96 u'parent_resource_id), FOREIGN KEY (child_resource_id) REFERENCES ' |
97 u'cloud_entry(resource_id), FOREIGN KEY (parent_resource_id) ' | 97 u'cloud_entry(resource_id), FOREIGN KEY (parent_resource_id) ' |
98 u'REFERENCES cloud_entry(resource_id))', | 98 u'REFERENCES cloud_entry(resource_id))'), |
99 u'local_entry': | 99 u'local_entry': ( |
100 u'CREATE TABLE local_entry (inode_number INTEGER, filename TEXT, ' | 100 u'CREATE TABLE local_entry (inode_number INTEGER, filename TEXT, ' |
101 u'modified INTEGER, checksum TEXT, size INTEGER, PRIMARY KEY ' | 101 u'modified INTEGER, checksum TEXT, size INTEGER, PRIMARY KEY ' |
102 u'(inode_number))', | 102 u'(inode_number))'), |
103 u'local_relations': | 103 u'local_relations': ( |
104 u'CREATE TABLE local_relations (child_inode_number INTEGER, ' | 104 u'CREATE TABLE local_relations (child_inode_number INTEGER, ' |
105 u'parent_inode_number INTEGER, UNIQUE (child_inode_number), FOREIGN ' | 105 u'parent_inode_number INTEGER, UNIQUE (child_inode_number), FOREIGN ' |
106 u'KEY (parent_inode_number) REFERENCES local_entry(inode_number), ' | 106 u'KEY (parent_inode_number) REFERENCES local_entry(inode_number), ' |
107 u'FOREIGN KEY (child_inode_number) REFERENCES ' | 107 u'FOREIGN KEY (child_inode_number) REFERENCES ' |
108 u'local_entry(inode_number))', | 108 u'local_entry(inode_number))'), |
109 u'mapping': | 109 u'mapping': ( |
110 u'CREATE TABLE mapping (inode_number INTEGER, resource_id TEXT, ' | 110 u'CREATE TABLE mapping (inode_number INTEGER, resource_id TEXT, ' |
111 u'UNIQUE (inode_number), FOREIGN KEY (inode_number) REFERENCES ' | 111 u'UNIQUE (inode_number), FOREIGN KEY (inode_number) REFERENCES ' |
112 u'local_entry(inode_number), FOREIGN KEY (resource_id) REFERENCES ' | 112 u'local_entry(inode_number), FOREIGN KEY (resource_id) REFERENCES ' |
113 u'cloud_entry(resource_id))', | 113 u'cloud_entry(resource_id))'), |
114 u'overlay_status': | 114 u'overlay_status': ( |
115 u'CREATE TABLE overlay_status (path TEXT, overlay_status INTEGER, ' | 115 u'CREATE TABLE overlay_status (path TEXT, overlay_status INTEGER, ' |
116 u'PRIMARY KEY (path))'}] | 116 u'PRIMARY KEY (path))')}] |
117 | 117 |
118 # Queries used to build cache. | 118 # Queries used to build cache. |
119 LOCAL_PATH_CACHE_QUERY = ( | 119 LOCAL_PATH_CACHE_QUERY = ( |
120 u'SELECT local_relations.child_inode_number, ' | 120 u'SELECT local_relations.child_inode_number, ' |
121 u'local_relations.parent_inode_number, local_entry.filename ' | 121 u'local_relations.parent_inode_number, local_entry.filename ' |
122 u'FROM local_relations, local_entry ' | 122 u'FROM local_relations, local_entry ' |
123 u'WHERE local_relations.child_inode_number = local_entry.inode_number') | 123 u'WHERE local_relations.child_inode_number = local_entry.inode_number') |
124 CLOUD_PATH_CACHE_QUERY = ( | 124 CLOUD_PATH_CACHE_QUERY = ( |
125 u'SELECT cloud_entry.filename, cloud_entry.resource_id, ' | 125 u'SELECT cloud_entry.filename, cloud_entry.resource_id, ' |
126 u'cloud_relations.parent_resource_id AS parent ' | 126 u'cloud_relations.parent_resource_id AS parent ' |
(...skipping 146 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
273 event_data.query = query | 273 event_data.query = query |
274 event_data.size = row['size'] | 274 event_data.size = row['size'] |
275 | 275 |
276 date_time = dfdatetime_posix_time.PosixTime(timestamp=row['modified']) | 276 date_time = dfdatetime_posix_time.PosixTime(timestamp=row['modified']) |
277 event = time_events.DateTimeValuesEvent( | 277 event = time_events.DateTimeValuesEvent( |
278 date_time, eventdata.EventTimestamp.MODIFICATION_TIME) | 278 date_time, eventdata.EventTimestamp.MODIFICATION_TIME) |
279 parser_mediator.ProduceEventWithEventData(event, event_data) | 279 parser_mediator.ProduceEventWithEventData(event, event_data) |
280 | 280 |
281 | 281 |
282 sqlite.SQLiteParser.RegisterPlugin(GoogleDrivePlugin) | 282 sqlite.SQLiteParser.RegisterPlugin(GoogleDrivePlugin) |
LEFT | RIGHT |