LEFT | RIGHT |
1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """Plugin for the Mac OS X launch services quarantine events.""" | 2 """Plugin for the Mac OS X launch services quarantine events.""" |
3 | 3 |
4 from __future__ import unicode_literals | 4 from __future__ import unicode_literals |
5 | 5 |
6 from dfdatetime import cocoa_time as dfdatetime_cocoa_time | 6 from dfdatetime import cocoa_time as dfdatetime_cocoa_time |
7 | 7 |
8 from plaso.containers import events | 8 from plaso.containers import events |
9 from plaso.containers import time_events | 9 from plaso.containers import time_events |
10 from plaso.lib import definitions | 10 from plaso.lib import definitions |
(...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
66 def ParseLSQuarantineRow( | 66 def ParseLSQuarantineRow( |
67 self, parser_mediator, row, query=None, **unused_kwargs): | 67 self, parser_mediator, row, query=None, **unused_kwargs): |
68 """Parses a launch services quarantine event row. | 68 """Parses a launch services quarantine event row. |
69 | 69 |
70 Args: | 70 Args: |
71 parser_mediator (ParserMediator): mediates interactions between parsers | 71 parser_mediator (ParserMediator): mediates interactions between parsers |
72 and other components, such as storage and dfvfs. | 72 and other components, such as storage and dfvfs. |
73 row (sqlite3.Row): row. | 73 row (sqlite3.Row): row. |
74 query (Optional[str]): query. | 74 query (Optional[str]): query. |
75 """ | 75 """ |
76 # Note that pysqlite does not accept a Unicode string in row['string'] and | 76 query_hash = hash(query) |
77 # will raise "IndexError: Index must be int or string". | |
78 | 77 |
79 event_data = LsQuarantineEventData() | 78 event_data = LsQuarantineEventData() |
80 event_data.agent = row['Agent'] | 79 event_data.agent = self._GetRowValue(query_hash, row, 'Agent') |
81 event_data.data = row['Data'] | 80 event_data.data = self._GetRowValue(query_hash, row, 'Data') |
82 event_data.query = query | 81 event_data.query = query |
83 event_data.url = row['URL'] | 82 event_data.url = self._GetRowValue(query_hash, row, 'URL') |
84 | 83 |
85 timestamp = row['Time'] | 84 timestamp = self._GetRowValue(query_hash, row, 'Time') |
86 date_time = dfdatetime_cocoa_time.CocoaTime(timestamp=timestamp) | 85 date_time = dfdatetime_cocoa_time.CocoaTime(timestamp=timestamp) |
87 event = time_events.DateTimeValuesEvent( | 86 event = time_events.DateTimeValuesEvent( |
88 date_time, definitions.TIME_DESCRIPTION_FILE_DOWNLOADED) | 87 date_time, definitions.TIME_DESCRIPTION_FILE_DOWNLOADED) |
89 parser_mediator.ProduceEventWithEventData(event, event_data) | 88 parser_mediator.ProduceEventWithEventData(event, event_data) |
90 | 89 |
91 | 90 |
92 sqlite.SQLiteParser.RegisterPlugin(LsQuarantinePlugin) | 91 sqlite.SQLiteParser.RegisterPlugin(LsQuarantinePlugin) |
LEFT | RIGHT |