OLD | NEW |
---|---|
1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """This file contains a default plist plugin in Plaso.""" | 2 """This file contains a default plist plugin in Plaso.""" |
3 | 3 |
4 from __future__ import unicode_literals | 4 from __future__ import unicode_literals |
5 | 5 |
6 import datetime | 6 import datetime |
7 import logging | 7 import logging |
8 | 8 |
9 from dfdatetime import posix_time as dfdatetime_posix_time | 9 from dfdatetime import time_elements as dfdatetime_time_elements |
10 | 10 |
11 from plaso.containers import plist_event | 11 from plaso.containers import plist_event |
12 from plaso.containers import time_events | 12 from plaso.containers import time_events |
13 from plaso.lib import definitions | 13 from plaso.lib import definitions |
14 from plaso.lib import timelib | |
15 from plaso.parsers import plist | 14 from plaso.parsers import plist |
16 from plaso.parsers.plist_plugins import interface | 15 from plaso.parsers.plist_plugins import interface |
17 | 16 |
18 | 17 |
19 class DefaultPlugin(interface.PlistPlugin): | 18 class DefaultPlugin(interface.PlistPlugin): |
20 """Basic plugin to extract keys with timestamps as values from plists.""" | 19 """Basic plugin to extract keys with timestamps as values from plists.""" |
21 | 20 |
22 NAME = 'plist_default' | 21 NAME = 'plist_default' |
23 DESCRIPTION = 'Parser for plist files.' | 22 DESCRIPTION = 'Parser for plist files.' |
24 | 23 |
25 # pylint: disable=arguments-differ | 24 # pylint: disable=arguments-differ |
26 def GetEntries(self, parser_mediator, top_level=None, **unused_kwargs): | 25 def GetEntries(self, parser_mediator, top_level=None, **unused_kwargs): |
27 """Simple method to exact date values from a Plist. | 26 """Simple method to exact date values from a Plist. |
28 | 27 |
29 Args: | 28 Args: |
30 parser_mediator (ParserMediator): mediates interactions between parsers | 29 parser_mediator (ParserMediator): mediates interactions between parsers |
31 and other components, such as storage and dfvfs. | 30 and other components, such as storage and dfvfs. |
32 top_level (dict[str, object]): plist top-level key. | 31 top_level (dict[str, object]): plist top-level key. |
33 """ | 32 """ |
34 for root, key, value in interface.RecurseKey(top_level): | 33 for root, key, value in interface.RecurseKey(top_level): |
35 if not isinstance(value, datetime.datetime): | 34 if not isinstance(value, datetime.datetime): |
36 continue | 35 continue |
37 | 36 |
38 event_data = plist_event.PlistTimeEventData() | 37 event_data = plist_event.PlistTimeEventData() |
39 event_data.key = key | 38 event_data.key = key |
40 event_data.root = root | 39 event_data.root = root |
41 | 40 |
42 timestamp = timelib.Timestamp.FromPythonDatetime(value) | 41 year, month, day_of_month, hours, minutes, seconds, _, _, _ = ( |
onager
2018/01/15 20:18:17
Replace this with PythonDatetimeEvent
Joachim Metz
2018/01/15 20:25:48
Done.
| |
43 date_time = dfdatetime_posix_time.PosixTimeInMicroseconds( | 42 value.utctimetuple()) |
44 timestamp=timestamp) | 43 |
44 time_elements_tuple = ( | |
45 year, month, day_of_month, hours, minutes, seconds, value.microsecond) | |
46 | |
47 date_time = dfdatetime_time_elements.TimeElementsInMicroseconds( | |
48 time_elements_tuple=time_elements_tuple) | |
45 event = time_events.DateTimeValuesEvent( | 49 event = time_events.DateTimeValuesEvent( |
46 date_time, definitions.TIME_DESCRIPTION_WRITTEN) | 50 date_time, definitions.TIME_DESCRIPTION_WRITTEN) |
47 parser_mediator.ProduceEventWithEventData(event, event_data) | 51 parser_mediator.ProduceEventWithEventData(event, event_data) |
48 | 52 |
49 # TODO: Binplist keeps a list of offsets but not mapped to a key. | 53 # TODO: Binplist keeps a list of offsets but not mapped to a key. |
50 # adjust code when there is a way to map keys to offsets. | 54 # adjust code when there is a way to map keys to offsets. |
51 | 55 |
52 # TODO: move this into the parser as with the olecf plugins. | 56 # TODO: move this into the parser as with the olecf plugins. |
53 def Process(self, parser_mediator, plist_name, top_level, **kwargs): | 57 def Process(self, parser_mediator, plist_name, top_level, **kwargs): |
54 """Overwrite the default Process function so it always triggers. | 58 """Overwrite the default Process function so it always triggers. |
(...skipping 11 matching lines...) Expand all Loading... | |
66 and other components, such as storage and dfvfs. | 70 and other components, such as storage and dfvfs. |
67 plist_name (str): name of the plist. | 71 plist_name (str): name of the plist. |
68 top_level (dict[str, object]): plist top-level key. | 72 top_level (dict[str, object]): plist top-level key. |
69 """ | 73 """ |
70 logging.debug('Plist {0:s} plugin used for: {1:s}'.format( | 74 logging.debug('Plist {0:s} plugin used for: {1:s}'.format( |
71 self.NAME, plist_name)) | 75 self.NAME, plist_name)) |
72 self.GetEntries(parser_mediator, top_level=top_level, **kwargs) | 76 self.GetEntries(parser_mediator, top_level=top_level, **kwargs) |
73 | 77 |
74 | 78 |
75 plist.PlistParser.RegisterPlugin(DefaultPlugin) | 79 plist.PlistParser.RegisterPlugin(DefaultPlugin) |
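Review bot: The new conversion in GetEntries (`value.utctimetuple()` followed by `TimeElementsInMicroseconds(...)`) runs unguarded inside the `RecurseKey` loop, so an exception from one date value would end the loop and drop the remaining keys of that plist. Python documents that `utctimetuple()` can raise OverflowError for an aware value at MINYEAR or MAXYEAR, and the dfdatetime constructor appears to raise ValueError on a tuple it rejects. Since these values come from parsed evidence files, catching both per key and continuing keeps the rest of the timeline. The sketch below assumes `parser_mediator.ProduceExtractionError` is the right reporting channel in this code base. A short comment such as `# Naive datetime values are interpreted as UTC by utctimetuple().` would also record the time zone assumption for timeline readers.

```python
    for root, key, value in interface.RecurseKey(top_level):
      # … unchanged: isinstance check and event_data setup …
      try:
        # … unchanged: utctimetuple() unpacking, time_elements_tuple and
        # TimeElementsInMicroseconds construction, indented one level …
      except (OverflowError, ValueError) as exception:
        parser_mediator.ProduceExtractionError(
            'unable to convert date and time value of key: {0!s} with '
            'error: {1!s}'.format(key, exception))
        continue
      # … unchanged: DateTimeValuesEvent creation and ProduceEventWithEventData …
```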