"""Plist parser plugin for Spotlight volume configuration plist files."""
from plaso.containers import events
from plaso.parsers import plist
from plaso.parsers.plist_plugins import interface
[docs]
class SpotlightVolumeConfigurationEventData(events.EventData):
"""Spotlight volume configuration event data.
Attributes:
creation_time (dfdatetime.DateTimeValues): volume creation date and time.
partial_path (str): part of the path.
volume_identifier (str): identifier of the volume.
"""
DATA_TYPE = "spotlight_volume_configuration:store"
[docs]
def __init__(self):
"""Initializes event data."""
super().__init__(data_type=self.DATA_TYPE)
self.creation_time = None
self.partial_path = None
self.volume_identifier = None
[docs]
class SpotlightVolumeConfigurationPlistPlugin(interface.PlistPlugin):
"""Plist parser plugin for Spotlight volume configuration plist files."""
NAME = "spotlight_volume"
DATA_FORMAT = "Spotlight volume configuration plist file"
PLIST_PATH_FILTERS = frozenset(
[interface.PlistPathFilter("VolumeConfiguration.plist")]
)
PLIST_KEYS = frozenset(["Stores"])
# pylint: disable=arguments-differ
def _ParsePlist(self, parser_mediator, match=None, **unused_kwargs):
"""Extracts relevant Volume Configuration Spotlight entries.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfVFS.
match (Optional[dict[str: object]]): keys extracted from PLIST_KEYS.
"""
stores = match.get("Stores", {})
for volume_identifier, plist_key in stores.items():
event_data = SpotlightVolumeConfigurationEventData()
event_data.creation_time = self._GetDateTimeValueFromPlistKey(
plist_key, "CreationDate"
)
event_data.partial_path = plist_key.get("PartialPath")
event_data.volume_identifier = volume_identifier
parser_mediator.ProduceEventData(event_data)
plist.PlistParser.RegisterPlugin(SpotlightVolumeConfigurationPlistPlugin)