"""SQLite parser plugin for iOS Notes database files."""
from dfdatetime import cocoa_time as dfdatetime_cocoa_time
from plaso.containers import events
from plaso.parsers import sqlite
from plaso.parsers.sqlite_plugins import interface
[docs]
class IOSNotesEventData(events.EventData):
"""iOS Notes event data.
Attributes:
creation_time (dfdatetime.DateTimeValues): date and time the note was
created.
modification_time (dfdatetime.DateTimeValues): date and time the note was
last modified.
snippet (str): snippet of the note.
title (str): title of the note.
"""
DATA_TYPE = "ios:notes:note"
[docs]
def __init__(self):
"""Initializes event data."""
super().__init__(data_type=self.DATA_TYPE)
self.creation_time = None
self.modification_time = None
self.snippet = None
self.title = None
[docs]
class IOSNotesPlugin(interface.SQLitePlugin):
"""SQLite parser plugin for iOS Notes database files."""
NAME = "ios_notes"
DATA_FORMAT = "iOS Notes SQLite database file"
REQUIRED_STRUCTURE = {
"ZICCLOUDSYNCINGOBJECT": frozenset(
["ZCREATIONDATE3", "ZMODIFICATIONDATE1", "ZSNIPPET", "ZTITLE1"]
)
}
QUERIES = [
(
(
"SELECT ZCREATIONDATE3, ZMODIFICATIONDATE1, ZSNIPPET, ZTITLE1 "
"FROM ZICCLOUDSYNCINGOBJECT"
),
"_ParseNoteRow",
)
]
SCHEMAS = [
{
"ACHANGE": (
"CREATE TABLE ACHANGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, "
"Z_OPT INTEGER, ZCHANGETYPE INTEGER, ZENTITY INTEGER, ZENTITYPK "
"INTEGER, ZTRANSACTIONID INTEGER, ZCOLUMNS BLOB )"
),
"ATRANSACTION": (
"CREATE TABLE ATRANSACTION ( Z_PK INTEGER PRIMARY KEY, Z_ENT "
"INTEGER, Z_OPT INTEGER, ZAUTHORTS INTEGER, ZBUNDLEIDTS INTEGER, "
"ZCONTEXTNAMETS INTEGER, ZPROCESSIDTS INTEGER, ZTIMESTAMP FLOAT, "
"ZAUTHOR VARCHAR, ZBUNDLEID VARCHAR, ZCONTEXTNAME VARCHAR, "
"ZPROCESSID VARCHAR, ZQUERYGEN BLOB )"
),
"ATRANSACTIONSTRING": (
"CREATE TABLE ATRANSACTIONSTRING ( Z_PK INTEGER PRIMARY KEY, Z_ENT "
"INTEGER, Z_OPT INTEGER, ZNAME VARCHAR )"
),
"ZICCLOUDSTATE": (
"CREATE TABLE ZICCLOUDSTATE ( Z_PK INTEGER PRIMARY KEY, Z_ENT "
"INTEGER, Z_OPT INTEGER, ZCURRENTLOCALVERSION INTEGER, ZINCLOUD "
"INTEGER, ZLATESTVERSIONSYNCEDTOCLOUD INTEGER, ZCLOUDSYNCINGOBJECT "
"INTEGER, Z2_CLOUDSYNCINGOBJECT INTEGER, ZLOCALVERSIONDATE "
"TIMESTAMP )"
),
"ZICCLOUDSYNCINGOBJECT": (
"CREATE TABLE ZICCLOUDSYNCINGOBJECT ( Z_PK INTEGER PRIMARY KEY, "
"Z_ENT INTEGER, Z_OPT INTEGER, ZCRYPTOITERATIONCOUNT INTEGER, "
"ZISPASSWORDPROTECTED INTEGER, ZMARKEDFORDELETION INTEGER, "
"ZMINIMUMSUPPORTEDNOTESVERSION INTEGER, ZNEEDSINITIALFETCHFROMCLOUD "
"INTEGER, ZNEEDSTOBEFETCHEDFROMCLOUD INTEGER, "
"ZNEEDSTOSAVEUSERSPECIFICRECORD INTEGER, ZCLOUDSTATE INTEGER, "
"ZACCOUNT INTEGER, ZCHECKEDFORLOCATION INTEGER, ZFILESIZE INTEGER, "
"ZHANDWRITINGSUMMARYVERSION INTEGER, ZHASMARKUPDATA INTEGER, "
"ZIMAGECLASSIFICATIONSUMMARYVERSION INTEGER, ZIMAGEFILTERTYPE "
"INTEGER, ZNEEDSINITIALRELATIONSHIPSETUP INTEGER, "
"ZOCRSUMMARYVERSION INTEGER, ZORIENTATION INTEGER, ZSECTION "
"INTEGER, ZURLEXPIRED INTEGER, ZLOCATION INTEGER, ZMEDIA INTEGER, "
"ZNOTE INTEGER, ZNOTEUSINGTITLEFORNOTETITLE INTEGER, "
"ZPARENTATTACHMENT INTEGER, ZAPPEARANCETYPE INTEGER, "
"ZSCALEWHENDRAWING INTEGER, ZVERSION INTEGER, ZVERSIONOUTOFDATE "
"INTEGER, ZATTACHMENT INTEGER, ZSTATE INTEGER, ZACCOUNT1 INTEGER, "
"ZACCOUNT2 INTEGER, ZMENTIONNOTIFICATIONATTEMPTCOUNT INTEGER, "
"ZMENTIONNOTIFICATIONSTATE INTEGER, ZNOTE1 INTEGER, "
"ZPARENTATTACHMENT1 INTEGER, ZTYPE INTEGER, ZACCOUNT3 INTEGER, "
"ZATTACHMENT1 INTEGER, ZATTACHMENTVIEWTYPE INTEGER, ZISPINNED "
"INTEGER, ZISSYSTEMPAPER INTEGER, ZLEGACYNOTEWASPLAINTEXT INTEGER, "
"ZNOTEHASCHANGES INTEGER, ZPAPERSTYLETYPE INTEGER, "
"ZPREFERREDBACKGROUNDTYPE INTEGER, ZACCOUNT4 INTEGER, ZFOLDER "
"INTEGER, ZNOTEDATA INTEGER, ZTITLESOURCEATTACHMENT INTEGER, "
"ZISHIDDENNOTECONTAINER INTEGER, ZSORTORDER INTEGER, ZOWNER "
"INTEGER, ZACCOUNTTYPE INTEGER, ZDIDCHOOSETOMIGRATE INTEGER, "
"ZDIDFINISHMIGRATION INTEGER, ZDIDMIGRATEONMAC INTEGER, "
"ZSERVERSIDEUPDATETASKFAILURECOUNT INTEGER, ZSTOREDATASEPARATELY "
"INTEGER, ZACCOUNTDATA INTEGER, ZCUSTOMNOTESORTTYPEVALUE INTEGER, "
"ZFOLDERTYPE INTEGER, ZIMPORTEDFROMLEGACY INTEGER, ZACCOUNT5 "
"INTEGER, ZPARENT INTEGER, ZCREATIONDATE TIMESTAMP, "
"ZCROPPINGQUADBOTTOMLEFTX FLOAT, ZCROPPINGQUADBOTTOMLEFTY FLOAT, "
"ZCROPPINGQUADBOTTOMRIGHTX FLOAT, ZCROPPINGQUADBOTTOMRIGHTY FLOAT, "
"ZCROPPINGQUADTOPLEFTX FLOAT, ZCROPPINGQUADTOPLEFTY FLOAT, "
"ZCROPPINGQUADTOPRIGHTX FLOAT, ZCROPPINGQUADTOPRIGHTY FLOAT, "
"ZDURATION FLOAT, ZMODIFICATIONDATE TIMESTAMP, ZORIGINX FLOAT, "
"ZORIGINY FLOAT, ZPREVIEWUPDATEDATE TIMESTAMP, ZSIZEHEIGHT FLOAT, "
"ZSIZEWIDTH FLOAT, ZHEIGHT FLOAT, ZMODIFIEDDATE TIMESTAMP, ZSCALE "
"FLOAT, ZWIDTH FLOAT, ZSTATEMODIFICATIONDATE TIMESTAMP, "
"ZCREATIONDATE1 TIMESTAMP, ZCREATIONDATE2 TIMESTAMP, "
"ZMODIFICATIONDATEATIMPORT TIMESTAMP, ZCREATIONDATE3 TIMESTAMP, "
"ZFOLDERMODIFICATIONDATE TIMESTAMP, "
"ZLASTACTIVITYRECENTUPDATESVIEWEDDATE TIMESTAMP, "
"ZLASTACTIVITYSUMMARYVIEWEDDATE TIMESTAMP, "
"ZLASTATTRIBUTIONSVIEWEDDATE TIMESTAMP, ZLASTNOTIFIEDDATE "
"TIMESTAMP, ZLASTOPENEDDATE TIMESTAMP, ZLASTVIEWEDMODIFICATIONDATE "
"TIMESTAMP, ZLEGACYMODIFICATIONDATEATIMPORT TIMESTAMP, "
"ZMODIFICATIONDATE1 TIMESTAMP, ZCUSTOMNOTESORTTYPEMODIFICATIONDATE "
"TIMESTAMP, ZDATEFORLASTTITLEMODIFICATION TIMESTAMP, "
"ZPARENTMODIFICATIONDATE TIMESTAMP, ZIDENTIFIER VARCHAR, "
"ZPASSWORDHINT VARCHAR, ZZONEOWNERNAME VARCHAR, "
"ZADDITIONALINDEXABLETEXT VARCHAR, ZFALLBACKSUBTITLEIOS VARCHAR, "
"ZFALLBACKSUBTITLEMAC VARCHAR, ZFALLBACKTITLE VARCHAR, "
"ZHANDWRITINGSUMMARY VARCHAR, ZIMAGECLASSIFICATIONSUMMARY VARCHAR, "
"ZOCRSUMMARY VARCHAR, ZREMOTEFILEURLSTRING VARCHAR, ZSUMMARY "
"VARCHAR, ZTITLE VARCHAR, ZTYPEUTI VARCHAR, ZURLSTRING VARCHAR, "
"ZUSERTITLE VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZDISPLAYTEXT "
"VARCHAR, ZSTANDARDIZEDCONTENT VARCHAR, ZALTTEXT VARCHAR, "
"ZTOKENCONTENTIDENTIFIER VARCHAR, ZTYPEUTI1 VARCHAR, "
"ZCONTENTHASHATIMPORT VARCHAR, ZFILENAME VARCHAR, "
"ZLEGACYCONTENTHASHATIMPORT VARCHAR, ZLEGACYIMPORTDEVICEIDENTIFIER "
"VARCHAR, ZLEGACYMANAGEDOBJECTIDURIREPRESENTATION VARCHAR, "
"ZSELECTEDINKCOLORSTRING VARCHAR, ZSELECTEDINKIDENTIFIER VARCHAR, "
"ZSNIPPET VARCHAR, ZTHUMBNAILATTACHMENTIDENTIFIER VARCHAR, ZTITLE1 "
"VARCHAR, ZACCOUNTNAMEFORACCOUNTLISTSORTING VARCHAR, "
"ZNESTEDTITLEFORSORTING VARCHAR, ZNAME VARCHAR, "
"ZSERVERSIDEUPDATETASKLASTATTEMPTEDBUILD VARCHAR, "
"ZSERVERSIDEUPDATETASKLASTATTEMPTEDVERSION VARCHAR, "
"ZSERVERSIDEUPDATETASKLASTCOMPLETEDBUILD VARCHAR, "
"ZSERVERSIDEUPDATETASKLASTCOMPLETEDVERSION VARCHAR, ZUSERRECORDNAME "
"VARCHAR, ZSMARTFOLDERQUERYJSON VARCHAR, ZTITLE2 VARCHAR, "
"ZPAPERASSETSURL VARCHAR, ZPAPERDATABASEURL VARCHAR, "
"ZREPLICAIDTOBUNDLEIDENTIFIER BLOB, ZACTIVITYEVENTSDATA BLOB, "
"ZASSETCRYPTOINITIALIZATIONVECTOR BLOB, ZASSETCRYPTOTAG BLOB, "
"ZCRYPTOINITIALIZATIONVECTOR BLOB, ZCRYPTOSALT BLOB, ZCRYPTOTAG "
"BLOB, ZCRYPTOWRAPPEDKEY BLOB, ZENCRYPTEDVALUESJSON BLOB, "
"ZREPLICAIDTONOTESVERSIONDATA BLOB, ZSERVERRECORDDATA BLOB, "
"ZSERVERSHAREDATA BLOB, ZUNAPPLIEDENCRYPTEDRECORD BLOB, "
"ZUSERSPECIFICSERVERRECORDDATA BLOB, ZMERGEABLEDATA BLOB, "
"ZFALLBACKIMAGECRYPTOINITIALIZATIONVECTOR BLOB, "
"ZFALLBACKIMAGECRYPTOTAG BLOB, ZLINKPRESENTATIONARCHIVEDMETADATA "
"BLOB, ZMARKUPMODELDATA BLOB, ZMERGEABLEDATA1 BLOB, ZMETADATADATA "
"BLOB, ZSYNAPSEDATA BLOB, ZCRYPTOMETADATAINITIALIZATIONVECTOR BLOB, "
"ZCRYPTOMETADATATAG BLOB, ZENCRYPTEDMETADATA BLOB, ZMETADATA BLOB, "
"ZLASTNOTIFIEDTIMESTAMPDATA BLOB, ZLASTVIEWEDTIMESTAMPDATA BLOB, "
"ZREPLICAIDTOUSERIDDICTDATA BLOB, ZCRYPTOVERIFIER BLOB, "
"ZSERVERSIDEUPDATETASKCONTINUATIONTOKEN BLOB, ZMERGEABLEDATA2 BLOB "
")"
),
"ZICLOCATION": (
"CREATE TABLE ZICLOCATION ( Z_PK INTEGER PRIMARY KEY, Z_ENT "
"INTEGER, Z_OPT INTEGER, ZPLACEUPDATED INTEGER, ZATTACHMENT "
"INTEGER, ZLATITUDE FLOAT, ZLONGITUDE FLOAT, ZPLACEMARKDATA BLOB )"
),
"ZICNOTEDATA": (
"CREATE TABLE ZICNOTEDATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT "
"INTEGER, Z_OPT INTEGER, ZNOTE INTEGER, ZCRYPTOINITIALIZATIONVECTOR "
"BLOB, ZCRYPTOTAG BLOB, ZDATA BLOB )"
),
"ZICSERVERCHANGETOKEN": (
"CREATE TABLE ZICSERVERCHANGETOKEN ( Z_PK INTEGER PRIMARY KEY, "
"Z_ENT INTEGER, Z_OPT INTEGER, ZDATABASESCOPE INTEGER, ZACCOUNT "
"INTEGER, ZOWNERNAME VARCHAR, ZZONENAME VARCHAR, "
"ZCKSERVERCHANGETOKENDATA BLOB )"
),
"Z_METADATA": (
"CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID "
"VARCHAR(255), Z_PLIST BLOB)"
),
"Z_MODELCACHE": ("CREATE TABLE Z_MODELCACHE (Z_CONTENT BLOB)"),
"Z_PRIMARYKEY": (
"CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME "
"VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)"
),
}
]
def _GetDateTimeRowValue(self, query_hash, row, value_name):
"""Retrieves a date and time value from the row.
Args:
query_hash (int): hash of the query, that uniquely
identifies the query that produced the row.
row (sqlite3.Row): row.
value_name (str): name of the value.
Returns:
dfdatetime.CocoaTime: date and time value or None if not available.
"""
timestamp = self._GetRowValue(query_hash, row, value_name)
if timestamp is None:
return None
return dfdatetime_cocoa_time.CocoaTime(timestamp=timestamp)
def _ParseNoteRow(self, parser_mediator, query, row, **unused_kwargs):
"""Parses a note row.
Args:
parser_mediator (ParserMediator): mediates interactions between
parsers and other components, such as storage and dfVFS.
query (str): query that created the row.
row (sqlite3.Row): row.
"""
query_hash = hash(query)
event_data = IOSNotesEventData()
event_data.creation_time = self._GetDateTimeRowValue(
query_hash, row, "ZCREATIONDATE3"
)
event_data.modification_time = self._GetDateTimeRowValue(
query_hash, row, "ZMODIFICATIONDATE1"
)
event_data.title = self._GetRowValue(query_hash, row, "ZTITLE1")
event_data.snippet = self._GetRowValue(query_hash, row, "ZSNIPPET")
parser_mediator.ProduceEventData(event_data)
sqlite.SQLiteParser.RegisterPlugin(IOSNotesPlugin)