OLD | NEW |
1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """Parser for the Google Chrome extension activity database files. | 2 """Parser for the Google Chrome extension activity database files. |
3 | 3 |
4 The Chrome extension activity is stored in SQLite database files named | 4 The Chrome extension activity is stored in SQLite database files named |
5 Extension Activity. | 5 Extension Activity. |
6 """ | 6 """ |
7 | 7 |
| 8 from __future__ import unicode_literals |
| 9 |
8 from dfdatetime import webkit_time as dfdatetime_webkit_time | 10 from dfdatetime import webkit_time as dfdatetime_webkit_time |
9 | 11 |
10 from plaso.containers import events | 12 from plaso.containers import events |
11 from plaso.containers import time_events | 13 from plaso.containers import time_events |
12 from plaso.lib import definitions | 14 from plaso.lib import definitions |
13 from plaso.parsers import sqlite | 15 from plaso.parsers import sqlite |
14 from plaso.parsers.sqlite_plugins import interface | 16 from plaso.parsers.sqlite_plugins import interface |
15 | 17 |
16 | 18 |
17 class ChromeExtensionActivityEventData(events.EventData): | 19 class ChromeExtensionActivityEventData(events.EventData): |
18 """Chrome Extension Activity event data. | 20 """Chrome Extension Activity event data. |
19 | 21 |
20 Attributes: | 22 Attributes: |
21 action_type (str): action type. | 23 action_type (str): action type. |
22 activity_id (str): activity identifier. | 24 activity_id (str): activity identifier. |
23 api_name (str): name of API. | 25 api_name (str): name of API. |
24 arg_url (str): URL argument. | 26 arg_url (str): URL argument. |
25 args (str): arguments. | 27 args (str): arguments. |
26 extension_id (str): extension identifier. | 28 extension_id (str): extension identifier. |
27 other (str): other. | 29 other (str): other. |
28 page_title (str): title of webpage. | 30 page_title (str): title of webpage. |
29 page_url (str): URL of webpage. | 31 page_url (str): URL of webpage. |
30 """ | 32 """ |
31 | 33 |
32 DATA_TYPE = u'chrome:extension_activity:activity_log' | 34 DATA_TYPE = 'chrome:extension_activity:activity_log' |
33 | 35 |
34 def __init__(self): | 36 def __init__(self): |
35 """Initializes event data.""" | 37 """Initializes event data.""" |
36 super(ChromeExtensionActivityEventData, self).__init__( | 38 super(ChromeExtensionActivityEventData, self).__init__( |
37 data_type=self.DATA_TYPE) | 39 data_type=self.DATA_TYPE) |
38 self.action_type = None | 40 self.action_type = None |
39 self.activity_id = None | 41 self.activity_id = None |
40 self.api_name = None | 42 self.api_name = None |
41 self.arg_url = None | 43 self.arg_url = None |
42 self.args = None | 44 self.args = None |
43 self.extension_id = None | 45 self.extension_id = None |
44 self.other = None | 46 self.other = None |
45 self.page_title = None | 47 self.page_title = None |
46 self.page_url = None | 48 self.page_url = None |
47 | 49 |
48 | 50 |
49 class ChromeExtensionActivityPlugin(interface.SQLitePlugin): | 51 class ChromeExtensionActivityPlugin(interface.SQLitePlugin): |
50 """Plugin to parse Chrome extension activity database files.""" | 52 """Plugin to parse Chrome extension activity database files.""" |
51 | 53 |
52 NAME = u'chrome_extension_activity' | 54 NAME = 'chrome_extension_activity' |
53 DESCRIPTION = u'Parser for Chrome extension activity SQLite database files.' | 55 DESCRIPTION = 'Parser for Chrome extension activity SQLite database files.' |
54 | 56 |
55 # Define the needed queries. | 57 # Define the needed queries. |
56 QUERIES = [ | 58 QUERIES = [ |
57 ((u'SELECT time, extension_id, action_type, api_name, args, page_url, ' | 59 (('SELECT time, extension_id, action_type, api_name, args, page_url, ' |
58 u'page_title, arg_url, other, activity_id ' | 60 'page_title, arg_url, other, activity_id ' |
59 u'FROM activitylog_uncompressed ORDER BY time'), | 61 'FROM activitylog_uncompressed ORDER BY time'), |
60 u'ParseActivityLogUncompressedRow')] | 62 'ParseActivityLogUncompressedRow')] |
61 | 63 |
62 REQUIRED_TABLES = frozenset([ | 64 REQUIRED_TABLES = frozenset([ |
63 u'activitylog_compressed', u'string_ids', u'url_ids']) | 65 'activitylog_compressed', 'string_ids', 'url_ids']) |
64 | 66 |
65 SCHEMAS = [{ | 67 SCHEMAS = [{ |
66 u'activitylog_compressed': ( | 68 'activitylog_compressed': ( |
67 u'CREATE TABLE activitylog_compressed (count INTEGER NOT NULL ' | 69 'CREATE TABLE activitylog_compressed (count INTEGER NOT NULL ' |
68 u'DEFAULT 1, extension_id_x INTEGER NOT NULL, time INTEGER, ' | 70 'DEFAULT 1, extension_id_x INTEGER NOT NULL, time INTEGER, ' |
69 u'action_type INTEGER, api_name_x INTEGER, args_x INTEGER, ' | 71 'action_type INTEGER, api_name_x INTEGER, args_x INTEGER, ' |
70 u'page_url_x INTEGER, page_title_x INTEGER, arg_url_x INTEGER, ' | 72 'page_url_x INTEGER, page_title_x INTEGER, arg_url_x INTEGER, ' |
71 u'other_x INTEGER)'), | 73 'other_x INTEGER)'), |
72 u'string_ids': ( | 74 'string_ids': ( |
73 u'CREATE TABLE string_ids (id INTEGER PRIMARY KEY, value TEXT NOT ' | 75 'CREATE TABLE string_ids (id INTEGER PRIMARY KEY, value TEXT NOT ' |
74 u'NULL)'), | 76 'NULL)'), |
75 u'url_ids': ( | 77 'url_ids': ( |
76 u'CREATE TABLE url_ids (id INTEGER PRIMARY KEY, value TEXT NOT ' | 78 'CREATE TABLE url_ids (id INTEGER PRIMARY KEY, value TEXT NOT ' |
77 u'NULL)')}] | 79 'NULL)')}] |
78 | 80 |
79 def ParseActivityLogUncompressedRow( | 81 def ParseActivityLogUncompressedRow( |
80 self, parser_mediator, row, query=None, **unused_kwargs): | 82 self, parser_mediator, row, query=None, **unused_kwargs): |
81 """Parses an activity log row. | 83 """Parses an activity log row. |
82 | 84 |
83 Args: | 85 Args: |
84 parser_mediator (ParserMediator): mediates interactions between parsers | 86 parser_mediator (ParserMediator): mediates interactions between parsers |
85 and other components, such as storage and dfvfs. | 87 and other components, such as storage and dfvfs. |
86 row (sqlite3.Row): row. | 88 row (sqlite3.Row): row. |
87 query (Optional[str]): query. | 89 query (Optional[str]): query. |
88 """ | 90 """ |
89 # Note that pysqlite does not accept a Unicode string in row['string'] and | 91 query_hash = hash(query) |
90 # will raise "IndexError: Index must be int or string". | |
91 | 92 |
92 event_data = ChromeExtensionActivityEventData() | 93 event_data = ChromeExtensionActivityEventData() |
93 event_data.action_type = row['action_type'] | 94 event_data.action_type = self._GetRowValue(query_hash, row, 'action_type') |
94 event_data.activity_id = row['activity_id'] | 95 event_data.activity_id = self._GetRowValue(query_hash, row, 'activity_id') |
95 event_data.api_name = row['api_name'] | 96 event_data.api_name = self._GetRowValue(query_hash, row, 'api_name') |
96 event_data.arg_url = row['arg_url'] | 97 event_data.arg_url = self._GetRowValue(query_hash, row, 'arg_url') |
97 event_data.args = row['args'] | 98 event_data.args = self._GetRowValue(query_hash, row, 'args') |
98 event_data.extension_id = row['extension_id'] | 99 event_data.extension_id = self._GetRowValue(query_hash, row, 'extension_id') |
99 event_data.other = row['other'] | 100 event_data.other = self._GetRowValue(query_hash, row, 'other') |
100 event_data.page_title = row['page_title'] | 101 event_data.page_title = self._GetRowValue(query_hash, row, 'page_title') |
101 event_data.page_url = row['page_url'] | 102 event_data.page_url = self._GetRowValue(query_hash, row, 'page_url') |
102 event_data.query = query | 103 event_data.query = query |
103 | 104 |
104 timestamp = row['time'] | 105 timestamp = self._GetRowValue(query_hash, row, 'time') |
105 date_time = dfdatetime_webkit_time.WebKitTime(timestamp=timestamp) | 106 date_time = dfdatetime_webkit_time.WebKitTime(timestamp=timestamp) |
106 event = time_events.DateTimeValuesEvent( | 107 event = time_events.DateTimeValuesEvent( |
107 date_time, definitions.TIME_DESCRIPTION_UNKNOWN) | 108 date_time, definitions.TIME_DESCRIPTION_UNKNOWN) |
108 parser_mediator.ProduceEventWithEventData(event, event_data) | 109 parser_mediator.ProduceEventWithEventData(event, event_data) |
109 | 110 |
110 | 111 |
111 sqlite.SQLiteParser.RegisterPlugin(ChromeExtensionActivityPlugin) | 112 sqlite.SQLiteParser.RegisterPlugin(ChromeExtensionActivityPlugin) |
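Review bot: The `time` value read on new line 105 is passed unchecked into `dfdatetime_webkit_time.WebKitTime(timestamp=timestamp)`, although the `activitylog_compressed` schema listed in `SCHEMAS` declares `time INTEGER` without NOT NULL and SQLite does not enforce column types. Because this plugin parses databases collected as evidence, a NULL `time` should be handled before the event is built, e.g. `if timestamp is None:` followed by skipping the row and reporting it through `parser_mediator`; how WebKitTime treats such a value is not visible on this page, so this may already be covered downstream. Separately, the query reads `activitylog_uncompressed`, which appears in neither `REQUIRED_TABLES` nor `SCHEMAS`, so a file that has the three listed tables but lacks that table or view would presumably pass the table check and fail only at query time. With the pysqlite comment removed, a short comment above `query_hash = hash(query)` saying why `_GetRowValue` replaces `row['...']` (presumably the Unicode column-name limitation the old comment described) would keep that context.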