"""SQLite parser plugin for Google Chrome autofill database files.
The Google Chrome autofill database (Web Data) file is typically stored in: Web Data
"""
from dfdatetime import posix_time as dfdatetime_posix_time
from plaso.containers import events
from plaso.parsers import sqlite
from plaso.parsers.sqlite_plugins import interface
[docs]
class ChromeAutofillEventData(events.EventData):
"""Chrome Autofill event data.
Attributes:
creation_time (dfdatetime.DateTimeValues): creation date and time of
the autofill entry.
field_name (str): name of form field.
last_used_time (dfdatetime.DateTimeValues): last date and time
the autofill entry was last used.
query (str): SQL query that was used to obtain the event data.
usage_count (int): count of times value has been used in field_name.
value (str): value populated in form field.
"""
DATA_TYPE = "chrome:autofill:entry"
[docs]
def __init__(self):
"""Initializes event data."""
super().__init__(data_type=self.DATA_TYPE)
self.creation_time = None
self.field_name = None
self.last_used_time = None
self.query = None
self.usage_count = None
self.value = None
[docs]
class ChromeAutofillPlugin(interface.SQLitePlugin):
"""SQLite parser plugin for Google Chrome autofill database files."""
NAME = "chrome_autofill"
DATA_FORMAT = "Google Chrome autofill SQLite database (Web Data) file"
REQUIRED_STRUCTURE = {
"autofill": frozenset(
["count", "date_created", "date_last_used", "name", "value"]
)
}
QUERIES = [
(
(
"SELECT count, date_created, date_last_used, name, value "
"FROM autofill"
),
"_ParseAutofillRow",
)
]
SCHEMAS = [
{
"autofill": (
"CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower "
"VARCHAR, date_created INTEGER DEFAULT 0, date_last_used INTEGER "
"DEFAULT 0, count INTEGER DEFAULT 1, PRIMARY KEY (name, value))"
),
"autofill_model_type_state": (
"CREATE TABLE autofill_model_type_state (id INTEGER PRIMARY KEY, "
"value BLOB)"
),
"autofill_profile_emails": (
"CREATE TABLE autofill_profile_emails ( guid VARCHAR, email " "VARCHAR)"
),
"autofill_profile_names": (
"CREATE TABLE autofill_profile_names ( guid VARCHAR, first_name "
"VARCHAR, middle_name VARCHAR, last_name VARCHAR, full_name "
"VARCHAR)"
),
"autofill_profile_phones": (
"CREATE TABLE autofill_profile_phones ( guid VARCHAR, number "
"VARCHAR)"
),
"autofill_profiles": (
"CREATE TABLE autofill_profiles ( guid VARCHAR PRIMARY KEY, "
"company_name VARCHAR, street_address VARCHAR, dependent_locality "
"VARCHAR, city VARCHAR, state VARCHAR, zipcode VARCHAR, "
"sorting_code VARCHAR, country_code VARCHAR, date_modified INTEGER "
"NOT NULL DEFAULT 0, origin VARCHAR DEFAULT '', language_code "
"VARCHAR, use_count INTEGER NOT NULL DEFAULT 0, use_date INTEGER "
"NOT NULL DEFAULT 0, validity_bitfield UNSIGNED NOT NULL DEFAULT 0)"
),
"autofill_profiles_trash": (
"CREATE TABLE autofill_profiles_trash ( guid VARCHAR)"
),
"autofill_sync_metadata": (
"CREATE TABLE autofill_sync_metadata (storage_key VARCHAR PRIMARY "
"KEY NOT NULL,value BLOB)"
),
"credit_cards": (
"CREATE TABLE credit_cards ( guid VARCHAR PRIMARY KEY, name_on_card "
"VARCHAR, expiration_month INTEGER, expiration_year INTEGER, "
"card_number_encrypted BLOB, date_modified INTEGER NOT NULL DEFAULT "
"0, origin VARCHAR DEFAULT '', use_count INTEGER NOT NULL DEFAULT "
"0, use_date INTEGER NOT NULL DEFAULT 0, billing_address_id "
"VARCHAR)"
),
"keywords": (
"CREATE TABLE keywords (id INTEGER PRIMARY KEY,short_name VARCHAR "
"NOT NULL,keyword VARCHAR NOT NULL,favicon_url VARCHAR NOT NULL,url "
"VARCHAR NOT NULL,safe_for_autoreplace INTEGER,originating_url "
"VARCHAR,date_created INTEGER DEFAULT 0,usage_count INTEGER DEFAULT "
"0,input_encodings VARCHAR,suggest_url VARCHAR,prepopulate_id "
"INTEGER DEFAULT 0,created_by_policy INTEGER DEFAULT "
"0,last_modified INTEGER DEFAULT 0,sync_guid VARCHAR,alternate_urls "
"VARCHAR,image_url VARCHAR,search_url_post_params "
"VARCHAR,suggest_url_post_params VARCHAR,image_url_post_params "
"VARCHAR,new_tab_url VARCHAR,last_visited INTEGER DEFAULT 0)"
),
"masked_credit_cards": (
"CREATE TABLE masked_credit_cards (id VARCHAR,status "
"VARCHAR,name_on_card VARCHAR,network VARCHAR,last_four "
"VARCHAR,exp_month INTEGER DEFAULT 0,exp_year INTEGER DEFAULT 0, "
"bank_name VARCHAR, type INTEGER DEFAULT 0)"
),
"meta": (
"CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, "
"value LONGVARCHAR)"
),
"payment_method_manifest": (
"CREATE TABLE payment_method_manifest ( expire_date INTEGER NOT "
"NULL DEFAULT 0, method_name VARCHAR, web_app_id VARCHAR)"
),
"server_address_metadata": (
"CREATE TABLE server_address_metadata (id VARCHAR NOT "
"NULL,use_count INTEGER NOT NULL DEFAULT 0, use_date INTEGER NOT "
"NULL DEFAULT 0, has_converted BOOL NOT NULL DEFAULT FALSE)"
),
"server_addresses": (
"CREATE TABLE server_addresses (id VARCHAR,company_name "
"VARCHAR,street_address VARCHAR,address_1 VARCHAR,address_2 "
"VARCHAR,address_3 VARCHAR,address_4 VARCHAR,postal_code "
"VARCHAR,sorting_code VARCHAR,country_code VARCHAR,language_code "
"VARCHAR, recipient_name VARCHAR, phone_number VARCHAR)"
),
"server_card_metadata": (
"CREATE TABLE server_card_metadata (id VARCHAR NOT NULL,use_count "
"INTEGER NOT NULL DEFAULT 0, use_date INTEGER NOT NULL DEFAULT 0, "
"billing_address_id VARCHAR)"
),
"unmasked_credit_cards": (
"CREATE TABLE unmasked_credit_cards (id "
"VARCHAR,card_number_encrypted VARCHAR, use_count INTEGER NOT NULL "
"DEFAULT 0, use_date INTEGER NOT NULL DEFAULT 0, unmask_date "
"INTEGER NOT NULL DEFAULT 0)"
),
"web_app_manifest_section": (
"CREATE TABLE web_app_manifest_section ( expire_date INTEGER NOT "
"NULL DEFAULT 0, id VARCHAR, min_version INTEGER NOT NULL DEFAULT "
"0, fingerprints BLOB)"
),
}
]
def _GetDateTimeRowValue(self, query_hash, row, value_name):
"""Retrieves a date and time value from the row.
Args:
query_hash (int): hash of the query, that uniquely identifies the query
that produced the row.
row (sqlite3.Row): row.
value_name (str): name of the value.
Returns:
dfdatetime.PosixTime: date and time value or None if not available.
"""
timestamp = self._GetRowValue(query_hash, row, value_name)
if timestamp is None:
return None
return dfdatetime_posix_time.PosixTime(timestamp=timestamp)
def _ParseAutofillRow(self, parser_mediator, query, row, **unused_kwargs):
"""Parses an autofill entry row.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfVFS.
query (str): query that created the row.
row (sqlite3.Row): row.
"""
query_hash = hash(query)
event_data = ChromeAutofillEventData()
event_data.creation_time = self._GetDateTimeRowValue(
query_hash, row, "date_created"
)
event_data.field_name = self._GetRowValue(query_hash, row, "name")
event_data.last_used_time = self._GetDateTimeRowValue(
query_hash, row, "date_last_used"
)
event_data.query = query
event_data.usage_count = self._GetRowValue(query_hash, row, "count")
event_data.value = self._GetRowValue(query_hash, row, "value")
parser_mediator.ProduceEventData(event_data)
sqlite.SQLiteParser.RegisterPlugin(ChromeAutofillPlugin)