Index: plaso/parsers/sqlite_plugins/zeitgeist.py |
diff --git a/plaso/parsers/sqlite_plugins/zeitgeist.py b/plaso/parsers/sqlite_plugins/zeitgeist.py |
index ef091fc1b66108b408d2c8516b86a4072e647893..86d5d36b9b724c3c18dfa8adc7e5f403217cb6c3 100644 |
--- a/plaso/parsers/sqlite_plugins/zeitgeist.py |
+++ b/plaso/parsers/sqlite_plugins/zeitgeist.py |
@@ -5,6 +5,8 @@ Zeitgeist is a service which logs the user activities and events, anywhere |
from files opened to websites visited and conversations. |
""" |
+from __future__ import unicode_literals |
+ |
from dfdatetime import java_time as dfdatetime_java_time |
from plaso.containers import events |
@@ -21,7 +23,7 @@ class ZeitgeistActivityEventData(events.EventData): |
subject_uri (str): subject URI. |
""" |
- DATA_TYPE = u'zeitgeist:activity' |
+ DATA_TYPE = 'zeitgeist:activity' |
def __init__(self): |
"""Initializes event data.""" |
@@ -32,79 +34,79 @@ class ZeitgeistActivityEventData(events.EventData): |
class ZeitgeistActivityDatabasePlugin(interface.SQLitePlugin): |
"""SQLite plugin for Zeitgeist activity database.""" |
- NAME = u'zeitgeist' |
- DESCRIPTION = u'Parser for Zeitgeist activity SQLite database files.' |
+ NAME = 'zeitgeist' |
+ DESCRIPTION = 'Parser for Zeitgeist activity SQLite database files.' |
# TODO: Explore the database more and make this parser cover new findings. |
QUERIES = [ |
- (u'SELECT id, timestamp, subj_uri FROM event_view', |
- u'ParseZeitgeistEventRow')] |
+ ('SELECT id, timestamp, subj_uri FROM event_view', |
+ 'ParseZeitgeistEventRow')] |
- REQUIRED_TABLES = frozenset([u'event', u'actor']) |
+ REQUIRED_TABLES = frozenset(['event', 'actor']) |
SCHEMAS = [{ |
- u'actor': ( |
- u'CREATE TABLE actor ( id INTEGER PRIMARY KEY AUTOINCREMENT, value ' |
- u'VARCHAR UNIQUE )'), |
- u'event': ( |
- u'CREATE TABLE event ( id INTEGER, timestamp INTEGER, interpretation ' |
- u'INTEGER, manifestation INTEGER, actor INTEGER, payload INTEGER, ' |
- u'subj_id INTEGER, subj_interpretation INTEGER, subj_manifestation ' |
- u'INTEGER, subj_origin INTEGER, subj_mimetype INTEGER, subj_text ' |
- u'INTEGER, subj_storage INTEGER, origin INTEGER, subj_id_current ' |
- u'INTEGER, CONSTRAINT interpretation_fk FOREIGN KEY(interpretation) ' |
- u'REFERENCES interpretation(id) ON DELETE CASCADE, CONSTRAINT ' |
- u'manifestation_fk FOREIGN KEY(manifestation) REFERENCES ' |
- u'manifestation(id) ON DELETE CASCADE, CONSTRAINT actor_fk FOREIGN ' |
- u'KEY(actor) REFERENCES actor(id) ON DELETE CASCADE, CONSTRAINT ' |
- u'origin_fk FOREIGN KEY(origin) REFERENCES uri(id) ON DELETE ' |
- u'CASCADE, CONSTRAINT payload_fk FOREIGN KEY(payload) REFERENCES ' |
- u'payload(id) ON DELETE CASCADE, CONSTRAINT subj_id_fk FOREIGN ' |
- u'KEY(subj_id) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT ' |
- u'subj_id_current_fk FOREIGN KEY(subj_id_current) REFERENCES uri(id) ' |
- u'ON DELETE CASCADE, CONSTRAINT subj_interpretation_fk FOREIGN ' |
- u'KEY(subj_interpretation) REFERENCES interpretation(id) ON DELETE ' |
- u'CASCADE, CONSTRAINT subj_manifestation_fk FOREIGN ' |
- u'KEY(subj_manifestation) REFERENCES manifestation(id) ON DELETE ' |
- u'CASCADE, CONSTRAINT subj_origin_fk FOREIGN KEY(subj_origin) ' |
- u'REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_mimetype_fk ' |
- u'FOREIGN KEY(subj_mimetype) REFERENCES mimetype(id) ON DELETE ' |
- u'CASCADE, CONSTRAINT subj_text_fk FOREIGN KEY(subj_text) REFERENCES ' |
- u'text(id) ON DELETE CASCADE, CONSTRAINT subj_storage_fk FOREIGN ' |
- u'KEY(subj_storage) REFERENCES storage(id) ON DELETE CASCADE, ' |
- u'CONSTRAINT unique_event UNIQUE (timestamp, interpretation, ' |
- u'manifestation, actor, subj_id) )'), |
- u'extensions_conf': ( |
- u'CREATE TABLE extensions_conf ( extension VARCHAR, key VARCHAR, ' |
- u'value BLOB, CONSTRAINT unique_extension UNIQUE (extension, key) )'), |
- u'interpretation': ( |
- u'CREATE TABLE interpretation ( id INTEGER PRIMARY KEY ' |
- u'AUTOINCREMENT, value VARCHAR UNIQUE )'), |
- u'manifestation': ( |
- u'CREATE TABLE manifestation ( id INTEGER PRIMARY KEY AUTOINCREMENT, ' |
- u'value VARCHAR UNIQUE )'), |
- u'mimetype': ( |
- u'CREATE TABLE mimetype ( id INTEGER PRIMARY KEY AUTOINCREMENT, ' |
- u'value VARCHAR UNIQUE )'), |
- u'payload': ( |
- u'CREATE TABLE payload (id INTEGER PRIMARY KEY, value BLOB)'), |
- u'schema_version': ( |
- u'CREATE TABLE schema_version ( schema VARCHAR PRIMARY KEY ON ' |
- u'CONFLICT REPLACE, version INT )'), |
- u'storage': ( |
- u'CREATE TABLE storage ( id INTEGER PRIMARY KEY, value VARCHAR ' |
- u'UNIQUE, state INTEGER, icon VARCHAR, display_name VARCHAR )'), |
- u'text': ( |
- u'CREATE TABLE text ( id INTEGER PRIMARY KEY, value VARCHAR ' |
- u'UNIQUE )'), |
- u'uri': ( |
- u'CREATE TABLE uri ( id INTEGER PRIMARY KEY, value VARCHAR ' |
- u'UNIQUE )')}] |
+ 'actor': ( |
+ 'CREATE TABLE actor ( id INTEGER PRIMARY KEY AUTOINCREMENT, value ' |
+ 'VARCHAR UNIQUE )'), |
+ 'event': ( |
+ 'CREATE TABLE event ( id INTEGER, timestamp INTEGER, interpretation ' |
+ 'INTEGER, manifestation INTEGER, actor INTEGER, payload INTEGER, ' |
+ 'subj_id INTEGER, subj_interpretation INTEGER, subj_manifestation ' |
+ 'INTEGER, subj_origin INTEGER, subj_mimetype INTEGER, subj_text ' |
+ 'INTEGER, subj_storage INTEGER, origin INTEGER, subj_id_current ' |
+ 'INTEGER, CONSTRAINT interpretation_fk FOREIGN KEY(interpretation) ' |
+ 'REFERENCES interpretation(id) ON DELETE CASCADE, CONSTRAINT ' |
+ 'manifestation_fk FOREIGN KEY(manifestation) REFERENCES ' |
+ 'manifestation(id) ON DELETE CASCADE, CONSTRAINT actor_fk FOREIGN ' |
+ 'KEY(actor) REFERENCES actor(id) ON DELETE CASCADE, CONSTRAINT ' |
+ 'origin_fk FOREIGN KEY(origin) REFERENCES uri(id) ON DELETE ' |
+ 'CASCADE, CONSTRAINT payload_fk FOREIGN KEY(payload) REFERENCES ' |
+ 'payload(id) ON DELETE CASCADE, CONSTRAINT subj_id_fk FOREIGN ' |
+ 'KEY(subj_id) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT ' |
+ 'subj_id_current_fk FOREIGN KEY(subj_id_current) REFERENCES uri(id) ' |
+ 'ON DELETE CASCADE, CONSTRAINT subj_interpretation_fk FOREIGN ' |
+ 'KEY(subj_interpretation) REFERENCES interpretation(id) ON DELETE ' |
+ 'CASCADE, CONSTRAINT subj_manifestation_fk FOREIGN ' |
+ 'KEY(subj_manifestation) REFERENCES manifestation(id) ON DELETE ' |
+ 'CASCADE, CONSTRAINT subj_origin_fk FOREIGN KEY(subj_origin) ' |
+ 'REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_mimetype_fk ' |
+ 'FOREIGN KEY(subj_mimetype) REFERENCES mimetype(id) ON DELETE ' |
+ 'CASCADE, CONSTRAINT subj_text_fk FOREIGN KEY(subj_text) REFERENCES ' |
+ 'text(id) ON DELETE CASCADE, CONSTRAINT subj_storage_fk FOREIGN ' |
+ 'KEY(subj_storage) REFERENCES storage(id) ON DELETE CASCADE, ' |
+ 'CONSTRAINT unique_event UNIQUE (timestamp, interpretation, ' |
+ 'manifestation, actor, subj_id) )'), |
+ 'extensions_conf': ( |
+ 'CREATE TABLE extensions_conf ( extension VARCHAR, key VARCHAR, ' |
+ 'value BLOB, CONSTRAINT unique_extension UNIQUE (extension, key) )'), |
+ 'interpretation': ( |
+ 'CREATE TABLE interpretation ( id INTEGER PRIMARY KEY ' |
+ 'AUTOINCREMENT, value VARCHAR UNIQUE )'), |
+ 'manifestation': ( |
+ 'CREATE TABLE manifestation ( id INTEGER PRIMARY KEY AUTOINCREMENT, ' |
+ 'value VARCHAR UNIQUE )'), |
+ 'mimetype': ( |
+ 'CREATE TABLE mimetype ( id INTEGER PRIMARY KEY AUTOINCREMENT, ' |
+ 'value VARCHAR UNIQUE )'), |
+ 'payload': ( |
+ 'CREATE TABLE payload (id INTEGER PRIMARY KEY, value BLOB)'), |
+ 'schema_version': ( |
+ 'CREATE TABLE schema_version ( schema VARCHAR PRIMARY KEY ON ' |
+ 'CONFLICT REPLACE, version INT )'), |
+ 'storage': ( |
+ 'CREATE TABLE storage ( id INTEGER PRIMARY KEY, value VARCHAR ' |
+ 'UNIQUE, state INTEGER, icon VARCHAR, display_name VARCHAR )'), |
+ 'text': ( |
+ 'CREATE TABLE text ( id INTEGER PRIMARY KEY, value VARCHAR ' |
+ 'UNIQUE )'), |
+ 'uri': ( |
+ 'CREATE TABLE uri ( id INTEGER PRIMARY KEY, value VARCHAR ' |
+ 'UNIQUE )')}] |
def ParseZeitgeistEventRow( |
self, parser_mediator, row, query=None, **unused_kwargs): |
- """Parses zeitgeist event row. |
+ """Parses a zeitgeist event row. |
Args: |
parser_mediator (ParserMediator): mediates interactions between parsers |
@@ -112,15 +114,15 @@ class ZeitgeistActivityDatabasePlugin(interface.SQLitePlugin): |
row (sqlite3.Row): row. |
query (Optional[str]): query. |
""" |
- # Note that pysqlite does not accept a Unicode string in row['string'] and |
- # will raise "IndexError: Index must be int or string". |
+ query_hash = hash(query) |
event_data = ZeitgeistActivityEventData() |
- event_data.offset = row['id'] |
+ event_data.offset = self._GetRowValue(query_hash, row, 'id') |
event_data.query = query |
- event_data.subject_uri = row['subj_uri'] |
+ event_data.subject_uri = self._GetRowValue(query_hash, row, 'subj_uri') |
- date_time = dfdatetime_java_time.JavaTime(timestamp=row['timestamp']) |
+ timestamp = self._GetRowValue(query_hash, row, 'timestamp') |
+ date_time = dfdatetime_java_time.JavaTime(timestamp=timestamp) |
event = time_events.DateTimeValuesEvent( |
date_time, definitions.TIME_DESCRIPTION_UNKNOWN) |
parser_mediator.ProduceEventWithEventData(event, event_data) |