"""SQLite parser plugin for iOS accounts (Accounts3.db) database files."""
from dfdatetime import cocoa_time as dfdatetime_cocoa_time
from plaso.containers import events
from plaso.parsers import sqlite
from plaso.parsers.sqlite_plugins import interface
[docs]
class IOSAccountsEventData(events.EventData):
"""iOS accounts event data.
Attributes:
account_type (str): account type.
creation_time (dfdatetime.DateTimeValues): date and time the account
was created.
identifier (str): identifier.
owning_bundle_identifier (str): owning bundle identifier of the
application managing the account.
username (str): user name.
"""
DATA_TYPE = "ios:accounts:entry"
[docs]
def __init__(self):
"""Initializes event data."""
super().__init__(data_type=self.DATA_TYPE)
self.account_type = None
self.creation_time = None
self.identifier = None
self.owning_bundle_identifier = None
self.username = None
[docs]
class IOSAccountsPlugin(interface.SQLitePlugin):
"""SQLite parser plugin for iOS accounts (Accounts3.db) database files."""
NAME = "ios_accounts"
DATA_FORMAT = "iOS accounts SQLite database (Accounts3.db) file"
REQUIRED_STRUCTURE = {
"ZACCOUNT": frozenset(
["ZACCOUNTTYPE", "ZDATE", "ZUSERNAME", "ZIDENTIFIER", "ZOWNINGBUNDLEID"]
),
"ZACCOUNTTYPE": frozenset(["Z_PK", "ZACCOUNTTYPEDESCRIPTION"]),
}
QUERIES = [
(
(
"SELECT ZACCOUNT.ZDATE, ZACCOUNTTYPE.ZACCOUNTTYPEDESCRIPTION, "
"ZACCOUNT.ZUSERNAME, ZACCOUNT.ZIDENTIFIER, ZACCOUNT.ZOWNINGBUNDLEID "
"FROM ZACCOUNT LEFT JOIN ZACCOUNTTYPE "
"ON ZACCOUNT.ZACCOUNTTYPE = ZACCOUNTTYPE.Z_PK"
),
"ParseAccountRow",
)
]
SCHEMAS = [
{
"ZACCESSOPTIONSKEY": (
"CREATE TABLE ZACCESSOPTIONSKEY ( Z_PK INTEGER PRIMARY KEY, Z_ENT "
"INTEGER, Z_OPT INTEGER, ZNAME VARCHAR )"
),
"ZACCOUNT": (
"CREATE TABLE ZACCOUNT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, "
"Z_OPT INTEGER, ZACTIVE INTEGER, ZAUTHENTICATED INTEGER, "
"ZSUPPORTSAUTHENTICATION INTEGER, ZVISIBLE INTEGER, ZACCOUNTTYPE "
"INTEGER, ZPARENTACCOUNT INTEGER, ZDATE TIMESTAMP, "
"ZLASTCREDENTIALRENEWALREJECTIONDATE TIMESTAMP, ZACCOUNTDESCRIPTION "
"VARCHAR, ZAUTHENTICATIONTYPE VARCHAR, ZCREDENTIALTYPE VARCHAR, "
"ZIDENTIFIER VARCHAR, ZOWNINGBUNDLEID VARCHAR, ZUSERNAME VARCHAR, "
"ZDATACLASSPROPERTIES BLOB )"
),
"ZACCOUNTPROPERTY": (
"CREATE TABLE ZACCOUNTPROPERTY ( Z_PK INTEGER PRIMARY KEY, Z_ENT "
"INTEGER, Z_OPT INTEGER, ZOWNER INTEGER, ZKEY VARCHAR, ZVALUE BLOB "
")"
),
"ZACCOUNTTYPE": (
"CREATE TABLE ZACCOUNTTYPE ( Z_PK INTEGER PRIMARY KEY, Z_ENT "
"INTEGER, Z_OPT INTEGER, ZENCRYPTACCOUNTPROPERTIES INTEGER, "
"ZOBSOLETE INTEGER, ZSUPPORTSAUTHENTICATION INTEGER, "
"ZSUPPORTSMULTIPLEACCOUNTS INTEGER, ZVISIBILITY INTEGER, "
"ZACCOUNTTYPEDESCRIPTION VARCHAR, ZCREDENTIALPROTECTIONPOLICY "
"VARCHAR, ZCREDENTIALTYPE VARCHAR, ZIDENTIFIER VARCHAR, "
"ZOWNINGBUNDLEID VARCHAR )"
),
"ZAUTHORIZATION": (
"CREATE TABLE ZAUTHORIZATION ( Z_PK INTEGER PRIMARY KEY, Z_ENT "
"INTEGER, Z_OPT INTEGER, ZACCOUNTTYPE INTEGER, ZBUNDLEID VARCHAR, "
"ZGRANTEDPERMISSIONS VARCHAR, ZOPTIONS BLOB )"
),
"ZCREDENTIALITEM": (
"CREATE TABLE ZCREDENTIALITEM ( Z_PK INTEGER PRIMARY KEY, Z_ENT "
"INTEGER, Z_OPT INTEGER, ZPERSISTENT INTEGER, ZEXPIRATIONDATE "
"TIMESTAMP, ZACCOUNTIDENTIFIER VARCHAR, ZSERVICENAME VARCHAR )"
),
"ZDATACLASS": (
"CREATE TABLE ZDATACLASS ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, "
"Z_OPT INTEGER, ZNAME BLOB )"
),
"Z_1OWNINGACCOUNTTYPES": (
"CREATE TABLE Z_1OWNINGACCOUNTTYPES ( Z_1ACCESSKEYS INTEGER, "
"Z_4OWNINGACCOUNTTYPES INTEGER, PRIMARY KEY (Z_1ACCESSKEYS, "
"Z_4OWNINGACCOUNTTYPES) )"
),
"Z_2ENABLEDDATACLASSES": (
"CREATE TABLE Z_2ENABLEDDATACLASSES ( Z_2ENABLEDACCOUNTS INTEGER, "
"Z_7ENABLEDDATACLASSES INTEGER, PRIMARY KEY (Z_2ENABLEDACCOUNTS, "
"Z_7ENABLEDDATACLASSES) )"
),
"Z_2PROVISIONEDDATACLASSES": (
"CREATE TABLE Z_2PROVISIONEDDATACLASSES ( Z_2PROVISIONEDACCOUNTS "
"INTEGER, Z_7PROVISIONEDDATACLASSES INTEGER, PRIMARY KEY "
"(Z_2PROVISIONEDACCOUNTS, Z_7PROVISIONEDDATACLASSES) )"
),
"Z_4SUPPORTEDDATACLASSES": (
"CREATE TABLE Z_4SUPPORTEDDATACLASSES ( Z_4SUPPORTEDTYPES INTEGER, "
"Z_7SUPPORTEDDATACLASSES INTEGER, PRIMARY KEY (Z_4SUPPORTEDTYPES, "
"Z_7SUPPORTEDDATACLASSES) )"
),
"Z_4SYNCABLEDATACLASSES": (
"CREATE TABLE Z_4SYNCABLEDATACLASSES ( Z_4SYNCABLETYPES INTEGER, "
"Z_7SYNCABLEDATACLASSES INTEGER, PRIMARY KEY (Z_4SYNCABLETYPES, "
"Z_7SYNCABLEDATACLASSES) )"
),
"Z_METADATA": (
"CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID "
"VARCHAR(255), Z_PLIST BLOB)"
),
"Z_MODELCACHE": ("CREATE TABLE Z_MODELCACHE (Z_CONTENT BLOB)"),
"Z_PRIMARYKEY": (
"CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME "
"VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)"
),
}
]
REQUIRES_SCHEMA_MATCH = False
def _GetTimeRowValue(self, query_hash, row, value_name):
"""Retrieves a date and time value from the row.
Args:
query_hash (int): hash of the query, that uniquely
identifies the query that produced the row.
row (sqlite3.Row): row.
value_name (str): name of the value.
Returns:
dfdatetime.CocoaTime: date and time value or None if not available.
"""
timestamp = self._GetRowValue(query_hash, row, value_name)
if timestamp is None:
return None
return dfdatetime_cocoa_time.CocoaTime(timestamp=timestamp)
# pylint: disable=unused-argument
[docs]
def ParseAccountRow(self, parser_mediator, query, row, **unused_kwargs):
"""Parses an account row.
Args:
parser_mediator (ParserMediator): mediates interactions between
parsers and other components, such as storage and dfVFS.
query (str): query that created the row.
row (sqlite3.Row): row.
"""
query_hash = hash(query)
event_data = IOSAccountsEventData()
event_data.account_type = self._GetRowValue(
query_hash, row, "ZACCOUNTTYPEDESCRIPTION"
)
event_data.creation_time = self._GetTimeRowValue(query_hash, row, "ZDATE")
event_data.identifier = self._GetRowValue(query_hash, row, "ZIDENTIFIER")
event_data.owning_bundle_identifier = self._GetRowValue(
query_hash, row, "ZOWNINGBUNDLEID"
)
event_data.username = self._GetRowValue(query_hash, row, "ZUSERNAME")
parser_mediator.ProduceEventData(event_data)
sqlite.SQLiteParser.RegisterPlugin(IOSAccountsPlugin)