LEFT | RIGHT |
1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """Plugin for the Mac OS X launch services quarantine events.""" | 2 """Plugin for the Mac OS X launch services quarantine events.""" |
3 | 3 |
4 from dfdatetime import cocoa_time as dfdatetime_cocoa_time | 4 from dfdatetime import cocoa_time as dfdatetime_cocoa_time |
5 | 5 |
6 from plaso.containers import events | 6 from plaso.containers import events |
7 from plaso.containers import time_events | 7 from plaso.containers import time_events |
8 from plaso.lib import eventdata | 8 from plaso.lib import eventdata |
9 from plaso.parsers import sqlite | 9 from plaso.parsers import sqlite |
10 from plaso.parsers.sqlite_plugins import interface | 10 from plaso.parsers.sqlite_plugins import interface |
(...skipping 33 matching lines...)
44 # Define the needed queries. | 44 # Define the needed queries. |
45 QUERIES = [ | 45 QUERIES = [ |
46 ((u'SELECT LSQuarantineTimestamp AS Time, LSQuarantine' | 46 ((u'SELECT LSQuarantineTimestamp AS Time, LSQuarantine' |
47 u'AgentName AS Agent, LSQuarantineOriginURLString AS URL, ' | 47 u'AgentName AS Agent, LSQuarantineOriginURLString AS URL, ' |
48 u'LSQuarantineDataURLString AS Data FROM LSQuarantineEvent ' | 48 u'LSQuarantineDataURLString AS Data FROM LSQuarantineEvent ' |
49 u'ORDER BY Time'), u'ParseLSQuarantineRow')] | 49 u'ORDER BY Time'), u'ParseLSQuarantineRow')] |
50 | 50 |
51 # The required tables. | 51 # The required tables. |
52 REQUIRED_TABLES = frozenset([u'LSQuarantineEvent']) | 52 REQUIRED_TABLES = frozenset([u'LSQuarantineEvent']) |
53 | 53 |
54 SCHEMAS = [ | 54 SCHEMAS = [{ |
55 {u'LSQuarantineEvent': | 55 u'LSQuarantineEvent': ( |
56 u'CREATE TABLE LSQuarantineEvent ( LSQuarantineEventIdentifier TEXT ' | 56 u'CREATE TABLE LSQuarantineEvent ( LSQuarantineEventIdentifier TEXT ' |
57 u'PRIMARY KEY NOT NULL, LSQuarantineTimeStamp REAL, ' | 57 u'PRIMARY KEY NOT NULL, LSQuarantineTimeStamp REAL, ' |
58 u'LSQuarantineAgentBundleIdentifier TEXT, LSQuarantineAgentName TEXT, ' | 58 u'LSQuarantineAgentBundleIdentifier TEXT, LSQuarantineAgentName ' |
59 u'LSQuarantineDataURLString TEXT, LSQuarantineSenderName TEXT, ' | 59 u'TEXT, LSQuarantineDataURLString TEXT, LSQuarantineSenderName TEXT, ' |
60 u'LSQuarantineSenderAddress TEXT, LSQuarantineTypeNumber INTEGER, ' | 60 u'LSQuarantineSenderAddress TEXT, LSQuarantineTypeNumber INTEGER, ' |
61 u'LSQuarantineOriginTitle TEXT, LSQuarantineOriginURLString TEXT, ' | 61 u'LSQuarantineOriginTitle TEXT, LSQuarantineOriginURLString TEXT, ' |
62 u'LSQuarantineOriginAlias BLOB )'}] | 62 u'LSQuarantineOriginAlias BLOB )')}] |
63 | 63 |
64 def ParseLSQuarantineRow( | 64 def ParseLSQuarantineRow( |
65 self, parser_mediator, row, query=None, **unused_kwargs): | 65 self, parser_mediator, row, query=None, **unused_kwargs): |
66 """Parses a launch services quarantine event row. | 66 """Parses a launch services quarantine event row. |
67 | 67 |
68 Args: | 68 Args: |
69 parser_mediator (ParserMediator): mediates interactions between parsers | 69 parser_mediator (ParserMediator): mediates interactions between parsers |
70 and other components, such as storage and dfvfs. | 70 and other components, such as storage and dfvfs. |
71 row (sqlite3.Row): row. | 71 row (sqlite3.Row): row. |
72 query (Optional[str]): query. | 72 query (Optional[str]): query. |
73 """ | 73 """ |
74 # Note that pysqlite does not accept a Unicode string in row['string'] and | 74 # Note that pysqlite does not accept a Unicode string in row['string'] and |
75 # will raise "IndexError: Index must be int or string". | 75 # will raise "IndexError: Index must be int or string". |
76 | 76 |
77 event_data = LsQuarantineEventData() | 77 event_data = LsQuarantineEventData() |
78 event_data.agent = row['Agent'] | 78 event_data.agent = row['Agent'] |
79 event_data.data = row['Data'] | 79 event_data.data = row['Data'] |
80 event_data.query = query | 80 event_data.query = query |
81 event_data.url = row['URL'] | 81 event_data.url = row['URL'] |
82 | 82 |
83 timestamp = row['Time'] | 83 timestamp = row['Time'] |
84 date_time = dfdatetime_cocoa_time.CocoaTime(timestamp=timestamp) | 84 date_time = dfdatetime_cocoa_time.CocoaTime(timestamp=timestamp) |
85 event = time_events.DateTimeValuesEvent( | 85 event = time_events.DateTimeValuesEvent( |
86 date_time, eventdata.EventTimestamp.FILE_DOWNLOADED) | 86 date_time, eventdata.EventTimestamp.FILE_DOWNLOADED) |
87 parser_mediator.ProduceEventWithEventData(event, event_data) | 87 parser_mediator.ProduceEventWithEventData(event, event_data) |
88 | 88 |
89 | 89 |
90 sqlite.SQLiteParser.RegisterPlugin(LsQuarantinePlugin) | 90 sqlite.SQLiteParser.RegisterPlugin(LsQuarantinePlugin) |