plaso.parsers.sqlite_plugins package

Submodules

plaso.parsers.sqlite_plugins.android_calls module

SQLite parser plugin for Android call history database files.

class plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Android Call event data.

call_type

type of call, such as: Incoming, Outgoing, or Missed.

Type:

int

duration

number of seconds the call lasted.

Type:

int

end_time

date and time the call was stopped.

Type:

dfdatetime.DateTimeValues

name

name associated to the remote party.

Type:

str

number

phone number associated to the remote party.

Type:

str

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

start_time

date and time the call was started.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'android:event:call'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Android call history database files.

The Android call history database file is typically stored in: contacts2.db

DATA_FORMAT = 'Android call history SQLite database (contacts2.db) file'
NAME = 'android_calls'
ParseCallsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a Call record row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT _id AS id, date, number, name, duration, type FROM calls', 'ParseCallsRow')]
REQUIRED_STRUCTURE = {'calls': frozenset({'_id', 'date', 'duration', 'name', 'number', 'type'})}
SCHEMAS = [{'_sync_state': 'CREATE TABLE _sync_state (_id INTEGER PRIMARY KEY, account_name TEXT NOT NULL, account_type TEXT NOT NULL, data TEXT, UNIQUE(account_name, account_type))', '_sync_state_metadata': 'CREATE TABLE _sync_state_metadata (version INTEGER)', 'accounts': 'CREATE TABLE accounts (_id INTEGER PRIMARY KEY AUTOINCREMENT, account_name TEXT, account_type TEXT, data_set TEXT)', 'agg_exceptions': 'CREATE TABLE agg_exceptions (_id INTEGER PRIMARY KEY AUTOINCREMENT, type INTEGER NOT NULL, raw_contact_id1 INTEGER REFERENCES raw_contacts(_id), raw_contact_id2 INTEGER REFERENCES raw_contacts(_id))', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'calls': 'CREATE TABLE calls (_id INTEGER PRIMARY KEY AUTOINCREMENT, number TEXT, date INTEGER, duration INTEGER, type INTEGER, new INTEGER, name TEXT, numbertype INTEGER, numberlabel TEXT, countryiso TEXT, voicemail_uri TEXT, is_read INTEGER, geocoded_location TEXT, lookup_uri TEXT, matched_number TEXT, normalized_number TEXT, photo_id INTEGER NOT NULL DEFAULT 0, formatted_number TEXT, _data TEXT, has_content INTEGER, mime_type TEXT, source_data TEXT, source_package TEXT, state INTEGER)', 'contacts': 'CREATE TABLE contacts (_id INTEGER PRIMARY KEY AUTOINCREMENT, name_raw_contact_id INTEGER REFERENCES raw_contacts(_id), photo_id INTEGER REFERENCES data(_id), photo_file_id INTEGER REFERENCES photo_files(_id), custom_ringtone TEXT, send_to_voicemail INTEGER NOT NULL DEFAULT 0, times_contacted INTEGER NOT NULL DEFAULT 0, last_time_contacted INTEGER, starred INTEGER NOT NULL DEFAULT 0, has_phone_number INTEGER NOT NULL DEFAULT 0, lookup TEXT, status_update_id INTEGER REFERENCES data(_id), contact_last_updated_timestamp INTEGER)', 'data': 'CREATE TABLE data (_id INTEGER PRIMARY KEY AUTOINCREMENT, package_id INTEGER REFERENCES package(_id), mimetype_id INTEGER REFERENCES mimetype(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, is_read_only INTEGER NOT NULL DEFAULT 0, 
is_primary INTEGER NOT NULL DEFAULT 0, is_super_primary INTEGER NOT NULL DEFAULT 0, data_version INTEGER NOT NULL DEFAULT 0, data1 TEXT, data2 TEXT, data3 TEXT, data4 TEXT, data5 TEXT, data6 TEXT, data7 TEXT, data8 TEXT, data9 TEXT, data10 TEXT, data11 TEXT, data12 TEXT, data13 TEXT, data14 TEXT, data15 TEXT, data_sync1 TEXT, data_sync2 TEXT, data_sync3 TEXT, data_sync4 TEXT )', 'data_usage_stat': 'CREATE TABLE data_usage_stat(stat_id INTEGER PRIMARY KEY AUTOINCREMENT, data_id INTEGER NOT NULL, usage_type INTEGER NOT NULL DEFAULT 0, times_used INTEGER NOT NULL DEFAULT 0, last_time_used INTEGER NOT NULL DEFAULT 0, FOREIGN KEY(data_id) REFERENCES data(_id))', 'default_directory': 'CREATE TABLE default_directory (_id INTEGER PRIMARY KEY)', 'deleted_contacts': 'CREATE TABLE deleted_contacts (contact_id INTEGER PRIMARY KEY, contact_deleted_timestamp INTEGER NOT NULL default 0)', 'directories': 'CREATE TABLE directories(_id INTEGER PRIMARY KEY AUTOINCREMENT, packageName TEXT NOT NULL, authority TEXT NOT NULL, typeResourceId INTEGER, typeResourceName TEXT, accountType TEXT, accountName TEXT, displayName TEXT, exportSupport INTEGER NOT NULL DEFAULT 0, shortcutSupport INTEGER NOT NULL DEFAULT 0, photoSupport INTEGER NOT NULL DEFAULT 0)', 'groups': 'CREATE TABLE groups (_id INTEGER PRIMARY KEY AUTOINCREMENT, package_id INTEGER REFERENCES package(_id), account_name STRING DEFAULT NULL, account_type STRING DEFAULT NULL, data_set STRING DEFAULT NULL, sourceid TEXT, version INTEGER NOT NULL DEFAULT 1, dirty INTEGER NOT NULL DEFAULT 0, title TEXT, title_res INTEGER, notes TEXT, system_id TEXT, deleted INTEGER NOT NULL DEFAULT 0, group_visible INTEGER NOT NULL DEFAULT 0, should_sync INTEGER NOT NULL DEFAULT 1, auto_add INTEGER NOT NULL DEFAULT 0, favorites INTEGER NOT NULL DEFAULT 0, group_is_read_only INTEGER NOT NULL DEFAULT 0, sync1 TEXT, sync2 TEXT, sync3 TEXT, sync4 TEXT , account_id INTEGER REFERENCES accounts(_id))', 'mimetypes': 'CREATE TABLE mimetypes (_id INTEGER PRIMARY 
KEY AUTOINCREMENT, mimetype TEXT NOT NULL)', 'name_lookup': 'CREATE TABLE name_lookup (data_id INTEGER REFERENCES data(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, normalized_name TEXT NOT NULL, name_type INTEGER NOT NULL, PRIMARY KEY (data_id, normalized_name, name_type))', 'nickname_lookup': 'CREATE TABLE nickname_lookup (name TEXT, cluster TEXT)', 'packages': 'CREATE TABLE packages (_id INTEGER PRIMARY KEY AUTOINCREMENT, package TEXT NOT NULL)', 'phone_lookup': 'CREATE TABLE phone_lookup (data_id INTEGER REFERENCES data(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, normalized_number TEXT NOT NULL, min_match TEXT NOT NULL)', 'photo_files': 'CREATE TABLE photo_files (_id INTEGER PRIMARY KEY AUTOINCREMENT, height INTEGER NOT NULL, width INTEGER NOT NULL, filesize INTEGER NOT NULL)', 'properties': 'CREATE TABLE properties (property_key TEXT PRIMARY KEY, property_value TEXT )'}]

plaso.parsers.sqlite_plugins.android_hangouts module

SQLite parser plugin for Google Hangouts conversations database files.

class plaso.parsers.sqlite_plugins.android_hangouts.AndroidHangoutsMessageData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Google Hangouts Message event data.

body

content of the SMS text message.

Type:

str

creation_time

date and time the Google Hangouts message was created.

Type:

dfdatetime.DateTimeValues

message_status

message status.

Type:

int

message_type

message type.

Type:

int

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

sender

name of the sender.

Type:

str

DATA_TYPE = 'android:messaging:hangouts'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_hangouts.AndroidHangoutsMessagePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Google Hangouts conversations database files.

The Google Hangouts conversations database file is typically stored in: /data/com.google.android.talk/databases/babel.db

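This SQLite database is the conversation database for conversations, participant names, messages, and information about the Google Hangout event. There can be multiple babel.db databases, and each database name will be followed by an integer starting with 0, for example: “babel0.db, babel1.db, babel3.db”. The plugin's query joins messages to participants with an INNER JOIN on author_chat_id, so a message whose author has no matching participants row does not produce an event.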

DATA_FORMAT = 'Google Hangouts conversations SQLite database (babel.db) file'
NAME = 'hangouts_messages'
ParseMessagesRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a Messages row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT messages._id, participants.full_name, text, messages.timestamp,status, type FROM messages INNER JOIN participants ON messages.author_chat_id=participants.chat_id;', 'ParseMessagesRow')]
REQUIRED_STRUCTURE = {'blocked_people': frozenset({}), 'messages': frozenset({'_id', 'author_chat_id', 'status', 'text', 'timestamp', 'type'}), 'participants': frozenset({'chat_id', 'full_name'})}
SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'blocked_people': 'CREATE TABLE blocked_people (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, profile_photo_url TEXT, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'conversation_participants': 'CREATE TABLE conversation_participants (_id INTEGER PRIMARY KEY, participant_row_id INT, participant_type INT, conversation_id TEXT, sequence INT, active INT, invitation_status INT DEFAULT(0), UNIQUE (conversation_id,participant_row_id) ON CONFLICT REPLACE, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, FOREIGN KEY (participant_row_id) REFERENCES participants(_id))', 'conversations': 'CREATE TABLE conversations (_id INTEGER PRIMARY KEY, conversation_id TEXT, conversation_type INT, latest_message_timestamp INT DEFAULT(0), latest_message_expiration_timestamp INT, metadata_present INT,notification_level INT, name TEXT, generated_name TEXT, snippet_type INT, snippet_text TEXT, snippet_image_url TEXT, snippet_author_gaia_id TEXT, snippet_author_chat_id TEXT, snippet_message_row_id INT, snippet_selector INT, snippet_status INT, snippet_new_conversation_name TEXT, snippet_participant_keys TEXT, snippet_sms_type TEXT, previous_latest_timestamp INT, status INT, view INT, inviter_gaia_id TEXT, inviter_chat_id TEXT, inviter_affinity INT, is_pending_leave INT, account_id INT, is_otr INT, packed_avatar_urls TEXT, self_avatar_url TEXT, self_watermark INT DEFAULT(0), chat_watermark INT DEFAULT(0), hangout_watermark INT DEFAULT(0), is_draft INT, sequence_number INT, call_media_type INT DEFAULT(0), has_joined_hangout INT, has_chat_notifications DEFAULT(0),has_video_notifications DEFAULT(0),last_hangout_event_time INT, draft TEXT, otr_status INT, otr_toggle INT, last_otr_modification_time INT, continuation_token BLOB, continuation_event_timestamp INT, has_oldest_message INT DEFAULT(0), sort_timestamp INT, 
first_peak_scroll_time INT, first_peak_scroll_to_message_timestamp INT, second_peak_scroll_time INT, second_peak_scroll_to_message_timestamp INT, conversation_hash BLOB, disposition INT DEFAULT(0), has_persistent_events INT DEFAULT(-1), transport_type INT DEFAULT(1), default_transport_phone TEXT, sms_service_center TEXT, is_temporary INT DEFAULT (0), sms_thread_id INT DEFAULT (-1), chat_ringtone_uri TEXT, hangout_ringtone_uri TEXT, snippet_voicemail_duration INT DEFAULT (0), share_count INT DEFAULT(0), has_unobserved TEXT, last_share_timestamp INT DEFAULT(0), gls_status INT DEFAULT(0), gls_link TEXT, is_guest INT DEFAULT(0), UNIQUE (conversation_id ))', 'dismissed_contacts': 'CREATE TABLE dismissed_contacts (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, profile_photo_url TEXT, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'event_suggestions': 'CREATE TABLE event_suggestions (_id INTEGER PRIMARY KEY, conversation_id TEXT, event_id TEXT, suggestion_id TEXT, timestamp INT, expiration_time_usec INT, type INT, gem_asset_url STRING, gem_horizontal_alignment INT, matched_message_substring TEXT, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, UNIQUE (conversation_id,suggestion_id) ON CONFLICT REPLACE)', 'merge_keys': 'CREATE TABLE merge_keys (_id INTEGER PRIMARY KEY, conversation_id TEXT, merge_key TEXT, UNIQUE (conversation_id) ON CONFLICT REPLACE, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE )', 'merged_contact_details': 'CREATE TABLE merged_contact_details (_id INTEGER PRIMARY KEY, merged_contact_id INT, lookup_data_type INT, lookup_data TEXT, lookup_data_standardized TEXT, lookup_data_search TEXT, lookup_data_label TEXT, needs_gaia_ids_resolved INT DEFAULT (1), is_hangouts_user INT DEFAULT (0), gaia_id TEXT, avatar_url TEXT, display_name TEXT, last_checked_ts INT DEFAULT (0), lookup_data_display 
TEXT, detail_affinity_score REAL DEFAULT (0.0), detail_logging_id TEXT, is_in_viewer_dasher_domain INT DEFAULT (0), FOREIGN KEY (merged_contact_id) REFERENCES merged_contacts(_id) ON DELETE CASCADE ON UPDATE CASCADE)', 'merged_contacts': 'CREATE TABLE merged_contacts (_id INTEGER PRIMARY KEY, contact_lookup_key TEXT, contact_id INT, raw_contact_id INT, display_name TEXT, avatar_url TEXT, is_frequent INT DEFAULT (0), is_favorite INT DEFAULT (0), contact_source INT DEFAULT(0), frequent_order INT, person_logging_id TEXT, person_affinity_score REAL DEFAULT (0.0), is_in_same_domain INT DEFAULT (0))', 'messages': 'CREATE TABLE messages (_id INTEGER PRIMARY KEY, message_id TEXT, message_type INT, conversation_id TEXT, author_chat_id TEXT, author_gaia_id TEXT, text TEXT, timestamp INT, delete_after_read_timetamp INT, status INT, type INT, local_url TEXT, remote_url TEXT, attachment_content_type TEXT, width_pixels INT, height_pixels INT, stream_id TEXT, image_id TEXT, album_id TEXT, latitude DOUBLE, longitude DOUBLE, address ADDRESS, notification_level INT, expiration_timestamp INT, notified_for_failure INT DEFAULT(0), off_the_record INT DEFAULT(0), transport_type INT NOT NULL DEFAULT(1), transport_phone TEXT, external_ids TEXT, sms_timestamp_sent INT DEFAULT(0), sms_priority INT DEFAULT(0), sms_message_size INT DEFAULT(0), mms_subject TEXT, sms_raw_sender TEXT, sms_raw_recipients TEXT, persisted INT DEFAULT(1), sms_message_status INT DEFAULT(-1), sms_type INT DEFAULT(-1), stream_url TEXT, attachment_target_url TEXT, attachment_name TEXT, image_rotation INT DEFAULT (0), new_conversation_name TEXT, participant_keys TEXT, forwarded_mms_url TEXT, forwarded_mms_count INT DEFAULT(0), attachment_description TEXT, attachment_target_url_description TEXT, attachment_target_url_name TEXT, attachment_blob_data BLOB,attachment_uploading_progress INT DEFAULT(0), sending_error INT DEFAULT(0), stream_expiration INT, voicemail_length INT DEFAULT (0), call_media_type INT DEFAULT(0), 
last_seen_timestamp INT DEFAULT(0), observed_status INT DEFAULT(2), receive_type INT DEFAULT(0), init_timestamp INT DEFAULT(0), in_app_msg_latency INT DEFAULT(0), notified INT DEFAULT(0), alert_in_conversation_list INT DEFAULT(0), attachments BLOB, is_user_mentioned INT DEFAULT(0), local_id TEXT, request_task_row_id INT DEFAULT(-1), FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, UNIQUE (conversation_id,message_id) ON CONFLICT REPLACE)', 'mms_notification_inds': 'CREATE TABLE mms_notification_inds (_id INTEGER PRIMARY KEY, content_location TEXT, transaction_id TEXT, from_address TEXT, message_size INT DEFAULT(0), expiry INT)', 'multipart_attachments': 'CREATE TABLE multipart_attachments (_id INTEGER PRIMARY KEY, message_id TEXT, conversation_id TEXT, url TEXT, content_type TEXT, width INT, height INT, FOREIGN KEY (message_id, conversation_id) REFERENCES messages(message_id, conversation_id) ON DELETE CASCADE ON UPDATE CASCADE)', 'participant_email_fts': 'CREATE VIRTUAL TABLE participant_email_fts USING fts4(content="merged_contact_details", gaia_id,lookup_data)', 'participant_email_fts_docsize': "CREATE TABLE 'participant_email_fts_docsize'(docid INTEGER PRIMARY KEY, size BLOB)", 'participant_email_fts_segdir': "CREATE TABLE 'participant_email_fts_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx))", 'participant_email_fts_segments': "CREATE TABLE 'participant_email_fts_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'participant_email_fts_stat': "CREATE TABLE 'participant_email_fts_stat'(id INTEGER PRIMARY KEY, value BLOB)", 'participants': "CREATE TABLE participants (_id INTEGER PRIMARY KEY, participant_type INT DEFAULT 1, gaia_id TEXT, chat_id TEXT, phone_id TEXT, circle_id TEXT, first_name TEXT, full_name TEXT, fallback_name TEXT, profile_photo_url TEXT, batch_gebi_tag STRING DEFAULT('-1'), blocked INT DEFAULT(0), 
in_users_domain BOOLEAN, UNIQUE (circle_id) ON CONFLICT REPLACE, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)", 'participants_fts': 'CREATE VIRTUAL TABLE participants_fts USING fts4(content="participants",gaia_id,full_name)', 'participants_fts_docsize': "CREATE TABLE 'participants_fts_docsize'(docid INTEGER PRIMARY KEY, size BLOB)", 'participants_fts_segdir': "CREATE TABLE 'participants_fts_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx))", 'participants_fts_segments': "CREATE TABLE 'participants_fts_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'participants_fts_stat': "CREATE TABLE 'participants_fts_stat'(id INTEGER PRIMARY KEY, value BLOB)", 'presence': 'CREATE TABLE presence (_id INTEGER PRIMARY KEY, gaia_id TEXT NOT NULL, reachable INT DEFAULT(0), reachable_time INT DEFAULT(0), available INT DEFAULT(0), available_time INT DEFAULT(0), status_message TEXT, status_message_time INT DEFAULT(0), call_type INT DEFAULT(0), call_type_time INT DEFAULT(0), device_status INT DEFAULT(0), device_status_time INT DEFAULT(0), last_seen INT DEFAULT(0), last_seen_time INT DEFAULT(0), location BLOB, location_time INT DEFAULT(0), UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'recent_calls': 'CREATE TABLE recent_calls (_id INTEGER PRIMARY KEY, normalized_number TEXT NOT NULL, phone_number TEXT, contact_id TEXT, call_timestamp INT, call_type INT, contact_type INT, call_rate TEXT, is_free_call BOOLEAN)', 'search': 'CREATE TABLE search (search_key TEXT NOT NULL,continuation_token TEXT,PRIMARY KEY (search_key))', 'sticker_albums': 'CREATE TABLE sticker_albums (album_id TEXT NOT NULL, title TEXT, cover_photo_id TEXT, last_used INT DEFAULT(0), PRIMARY KEY (album_id))', 'sticker_photos': 'CREATE TABLE sticker_photos (photo_id TEXT NOT NULL, album_id TEXT NOT NULL, url TEXT NOT NULL, file_name TEXT, last_used INT DEFAULT(0), PRIMARY KEY (photo_id), FOREIGN KEY (album_id) 
REFERENCES sticker_albums(album_id) ON DELETE CASCADE)', 'suggested_contacts': 'CREATE TABLE suggested_contacts (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, first_name TEXT, packed_circle_ids TEXT, profile_photo_url TEXT, sequence INT, suggestion_type INT, logging_id TEXT, affinity_score REAL DEFAULT (0.0), is_in_same_domain INT DEFAULT (0))'}]

plaso.parsers.sqlite_plugins.android_sms module

SQLite parser plugin for Android text messages (SMS) database files.

class plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Android SMS event data.

address

phone number associated to the sender or receiver.

Type:

str

body

content of the SMS text message.

Type:

str

creation_time

creation date and time of the message.

Type:

dfdatetime.DateTimeValues

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

sms_read

message read status, either Read or Unread.

Type:

int

sms_type

message type, either Sent or Received.

Type:

int

DATA_TYPE = 'android:messaging:sms'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Android text messages (SMS) database files.

The Android text messages (SMS) database file is typically stored in: mmssms.db (the DATA_FORMAT string below spells the name mmssms.dbs)

DATA_FORMAT = 'Android text messages (SMS) SQLite database (mmssms.dbs) file'
NAME = 'android_sms'
ParseSmsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an SMS row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT _id AS id, address, date, read, type, body FROM sms', 'ParseSmsRow')]
REQUIRED_STRUCTURE = {'sms': frozenset({'_id', 'address', 'body', 'date', 'read', 'type'})}
SCHEMAS = [{'addr': 'CREATE TABLE addr (_id INTEGER PRIMARY KEY, msg_id INTEGER, contact_id INTEGER, address TEXT, type INTEGER, charset INTEGER)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'attachments': 'CREATE TABLE attachments (sms_id INTEGER, content_url TEXT, offset INTEGER)', 'canonical_addresses': 'CREATE TABLE canonical_addresses (_id INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT)', 'drm': 'CREATE TABLE drm (_id INTEGER PRIMARY KEY, _data TEXT)', 'part': 'CREATE TABLE part (_id INTEGER PRIMARY KEY AUTOINCREMENT, mid INTEGER, seq INTEGER DEFAULT 0, ct TEXT, name TEXT, chset INTEGER, cd TEXT, fn TEXT, cid TEXT, cl TEXT, ctt_s INTEGER, ctt_t TEXT, _data TEXT, text TEXT)', 'pd': 'CREATE TABLE pdu (_id INTEGER PRIMARY KEY AUTOINCREMENT, thread_id INTEGER, date INTEGER, date_sent INTEGER DEFAULT 0, msg_box INTEGER, read INTEGER DEFAULT 0, m_id TEXT, sub TEXT, sub_cs INTEGER, ct_t TEXT, ct_l TEXT, exp INTEGER, m_cls TEXT, m_type INTEGER, v INTEGER, m_size INTEGER, pri INTEGER, rr INTEGER, rpt_a INTEGER, resp_st INTEGER, st INTEGER, tr_id TEXT, retr_st INTEGER, retr_txt TEXT, retr_txt_cs INTEGER, read_status INTEGER, ct_cls INTEGER, resp_txt TEXT, d_tm INTEGER, d_rpt INTEGER, locked INTEGER DEFAULT 0, seen INTEGER DEFAULT 0, text_only INTEGER DEFAULT 0)', 'pending_msgs': 'CREATE TABLE pending_msgs (_id INTEGER PRIMARY KEY, proto_type INTEGER, msg_id INTEGER, msg_type INTEGER, err_type INTEGER, err_code INTEGER, retry_index INTEGER NOT NULL DEFAULT 0, due_time INTEGER, last_try INTEGER)', 'rate': 'CREATE TABLE rate (sent_time INTEGER)', 'raw': 'CREATE TABLE raw (_id INTEGER PRIMARY KEY, date INTEGER, reference_number INTEGER, count INTEGER, sequence INTEGER, destination_port INTEGER, address TEXT, pdu TEXT)', 'sms': 'CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT, person INTEGER, date INTEGER, date_sent INTEGER DEFAULT 0, protocol INTEGER, read INTEGER DEFAULT 0, status INTEGER DEFAULT -1, type INTEGER, 
reply_path_present INTEGER, subject TEXT, body TEXT, service_center TEXT, locked INTEGER DEFAULT 0, error_code INTEGER DEFAULT 0, seen INTEGER DEFAULT 0)', 'sr_pending': 'CREATE TABLE sr_pending (reference_number INTEGER, action TEXT, data TEXT)', 'threads': 'CREATE TABLE threads (_id INTEGER PRIMARY KEY AUTOINCREMENT, date INTEGER DEFAULT 0, message_count INTEGER DEFAULT 0, recipient_ids TEXT, snippet TEXT, snippet_cs INTEGER DEFAULT 0, read INTEGER DEFAULT 1, type INTEGER DEFAULT 0, error INTEGER DEFAULT 0, has_attachment INTEGER DEFAULT 0)', 'words': 'CREATE VIRTUAL TABLE words USING FTS3 (_id INTEGER PRIMARY KEY, index_text TEXT, source_id INTEGER, table_to_use INTEGER)', 'words_content': "CREATE TABLE 'words_content'(docid INTEGER PRIMARY KEY, 'c0_id', 'c1index_text', 'c2source_id', 'c3table_to_use')", 'words_segdir': "CREATE TABLE 'words_segdir'(level INTEGER, idx INTEGER, start_block INTEGER, leaves_end_block INTEGER, end_block INTEGER, root BLOB, PRIMARY KEY(level, idx))", 'words_segments': "CREATE TABLE 'words_segments'(blockid INTEGER PRIMARY KEY, block BLOB)"}]

plaso.parsers.sqlite_plugins.android_tango module

SQLite parser plugin for Tango on Android database files.

class plaso.parsers.sqlite_plugins.android_tango.AndroidTangoContactEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Tango on Android contact event data.

access_time

date and time the contact was last accessed.

Type:

dfdatetime.DateTimeValues

birthday

contact profile birthday.

Type:

str

distance

contact profile distance.

Type:

int

first_name

contact profile first name.

Type:

str

friend_request_message

message sent on friend request.

Type:

str

friend_request_time

date and time a friend request was sent.

Type:

dfdatetime.DateTimeValues

friend_request_type

flag indicating the type of friend request sent, for example outRequest for a request that was sent or noRequest for no request.

Type:

str

gender

contact profile gender.

Type:

str

is_friend

True if the contact is considered a friend.

Type:

bool

last_active_time

date and time the contact was last active.

Type:

dfdatetime.DateTimeValues

last_name

contact profile last name.

Type:

str

status

contact status message.

Type:

str

DATA_TYPE = 'android:tango:contact'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_tango.AndroidTangoConversationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Tango on Android conversation event data.

conversation_identifier

conversation identifier.

Type:

int

DATA_TYPE = 'android:tango:conversation'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_tango.AndroidTangoMessageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Tango on Android message event data.

creation_time

date and time the message was created.

Type:

dfdatetime.DateTimeValues

direction

flag indicating direction of the message.

Type:

int

message_identifier

message identifier.

Type:

int

sent_time

date and time the message was sent.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'android:tango:message'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_tango.AndroidTangoProfilePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Tango on Android profile database files.

DATA_FORMAT = 'Tango on Android profile SQLite database file'
NAME = 'tango_android_profile'
ParseContactRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a contact row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT itemLastActiveTime AS last_active_time, itemLastLocalAccessTime AS last_access_time, itemFriendRequestTime AS friend_request_time, itemFirstName AS first_name, itemLastName AS last_name, itemBirthday AS birthday, itemGender AS gender, itemStatus AS status, itemDistance AS distance, itemIsFriend AS friend, itemFriendRequestType AS friend_request_type, itemFriendRequestMessage AS friend_request_message FROM profiletable', 'ParseContactRow')]
REQUIRED_STRUCTURE = {'profiletable': frozenset({'itemBirthday', 'itemDistance', 'itemFirstName', 'itemFriendRequestMessage', 'itemFriendRequestTime', 'itemFriendRequestType', 'itemGender', 'itemIsFriend', 'itemLastActiveTime', 'itemLastLocalAccessTime', 'itemLastName', 'itemStatus'})}
SCHEMAS = [{'profiles': 'CREATE TABLE `profiles` (`key` TEXT PRIMARY KEY, `value` TEXT)', 'profiletable': 'CREATE TABLE `profiletable` (`itemUserId` TEXT PRIMARY KEY, `itemFirstName` TEXT NOT NULL, `itemLastName` TEXT NOT NULL, `itemBirthday` TEXT NOT NULL, `itemGender` TEXT NOT NULL, `itemStatus` TEXT NOT NULL, `itemLastActiveTime` BIGINT NOT NULL, `itemDistance` DOUBLE NOT NULL, `itemCity` TEXT NOT NULL, `itemGeoCountryCode` TEXT NOT NULL, `itemAvatarUrl` TEXT NOT NULL, `itemThumbnailUrl` TEXT NOT NULL, `itemVideoUrl` TEXT NOT NULL, `itemVideoThumbnailUrl` TEXT NOT NULL, `itemBackgroundUrl` TEXT NOT NULL, `itemIsFriend` INTEGER NOT NULL, `itemIsBlocked` INTEGER NOT NULL, `itemFriendRequestType` TEXT NOT NULL, `itemReverseRelationships` TEXT NOT NULL, `itemFavoriterCount` INTEGER NOT NULL, `itemFavoritingCount` INTEGER NOT NULL, `itemFeedCount` INTEGER NOT NULL, `itemRefereneCount` INTEGER NOT NULL, `itemLevel1DataSyncTime` BIGINT NOT NULL, `itemLevel2DataSyncTime` BIGINT NOT NULL, `itemLevel3DataSyncTime` BIGINT NOT NULL, `itemLevel4DataSyncTime` BIGINT NOT NULL, `itemLevel5DataSyncTime` BIGINT NOT NULL, `itemLastLocalAccessTime` BIGINT NOT NULL, `itemFriendRequestId` TEXT NOT NULL, `itemFriendRequestMessage` TEXT NOT NULL, `itemFriendRequestTime` BIGINT NOT NULL, `itemIsNewFriendRequest` INTEGER NOT NULL, `itemFriendRequestTCMessageId` INTEGER NOT NULL, `itemFriendRequestContext` TEXT NOT NULL, `itemFriendRequestAttachedPostType` INTEGER NOT NULL, `itemFriendRequestAttachedPostContent` TEXT NOT NULL, `itemFriendRequestHasBeenForwardedToTc` INTEGER NOT NULL, `itemProfileType` TEXT NOT NULL, `itemDatingAge` INTEGER NOT NULL, `itemDatingLocationString` TEXT NOT NULL, `itemDatingSeekingString` TEXT NOT NULL, `itemDatingEssayText` TEXT NOT NULL, `itemDatingBodyType` TEXT NOT NULL, `itemDatingLastActive` TEXT NOT NULL, `itemDatingProfileUrl` TEXT NOT NULL, `itemLastTimeOfLikeProfile` BIGINT NOT NULL, `itemIsHidden` INTEGER NOT NULL, `itemPrivacy` INTEGER NOT NULL, 
`itemCanSeeMyPost` INTEGER NOT NULL, `itemCanShareMyPost` INTEGER NOT NULL, `itemCanContactMe` INTEGER NOT NULL)'}]
class plaso.parsers.sqlite_plugins.android_tango.AndroidTangoTCPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Tango on Android TC database files.

DATA_FORMAT = 'Tango on Android TC SQLite database file'
NAME = 'tango_android_tc'
ParseConversationRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a conversation row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

ParseMessageRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a message row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT conversations.conv_id AS conv_id, conversations.payload AS payload FROM conversations', 'ParseConversationRow'), ('SELECT messages.create_time AS create_time, messages.send_time AS send_time, messages.msg_id AS msg_id, messages.payload AS payload, messages.direction AS direction FROM messages LEFT JOIN likes ON messages.msg_id = likes.msg_id', 'ParseMessageRow')]
REQUIRED_STRUCTURE = {'conversations': frozenset({'conv_id', 'payload'}), 'likes': frozenset({'msg_id'}), 'messages': frozenset({'create_time', 'direction', 'msg_id', 'payload', 'send_time'})}
SCHEMAS = [{'conversations': 'CREATE TABLE `conversations` (`conv_id` TEXT PRIMARY KEY, `conv_type` INTEGER DEFAULT 0, `payload` BLOB, `last_msg_id` INTEGER, `unread_count` INTEGER, `last_read_sent_msg_id` INTEGER, `conv_del_status` INTEGER DEFAULT 0, `deleting_ts` BIGINT DEFAULT 0, `conv_restore_status` INTEGER DEFAULT 0, `peers_read` TEXT, `total_received_msg_count` INTEGER DEFAULT -1, `communication_context` INTEGER DEFAULT 0)', 'games': 'CREATE TABLE `games` (`game_session_id` TEXT PRIMARY KEY, `message_id` INTEGER, `conversation_id` TEXT, `game_id` TEXT, `game_state` INTEGER, `action_timestamp` BIGINT, `current_player_account_id` TEXT)', 'likes': 'CREATE TABLE `likes` (`msg_id` INTEGER PRIMARY KEY, `global_msg_id` TEXT, `conv_id` TEXT, `liker_aid` TEXT, `act_type` INTEGER, `status` INTEGER, `act_ts` BIGINT, `payload` BLOB)', 'messages': 'CREATE TABLE `messages` (`msg_id` INTEGER PRIMARY KEY, `conv_id` TEXT, `type` INTEGER, `media_id` TEXT, `share_id` TEXT, `create_time` BIGINT, `send_time` BIGINT, `direction` INTEGER, `status` INTEGER, `payload` BLOB, `del_status` INTEGER)', 'profiles': 'CREATE TABLE `profiles` (`key` TEXT PRIMARY KEY, `value` TEXT)', 'receipts': 'CREATE TABLE `receipts` (`conv_id` TEXT PRIMARY KEY, `msg_id` INTEGER, `sender_msg_id` INTEGER, `sender_aids` TEXT, `type` INTEGER, `create_time` BIGINT, `status` INTEGER, `payload` BLOB)', 'sms': 'CREATE TABLE `sms` (`msg_id` INTEGER PRIMARY KEY, `phonenumber` TEXT, `text` TEXT)'}]

plaso.parsers.sqlite_plugins.android_twitter module

SQLite parser plugin for Twitter on Android database files.

class plaso.parsers.sqlite_plugins.android_twitter.AndroidTwitterContactEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Twitter on Android contact event data.

creation_time

date and time the contact was created.

Type:

dfdatetime.DateTimeValues

description

twitter account profile description.

Type:

str

followers

number of followers.

Type:

int

friends

number of accounts the contact is following.

Type:

int

friendship_time

date and time the contact was befriended.

Type:

dfdatetime.DateTimeValues

identifier

contact row id.

Type:

int

image_url

profile picture url.

Type:

str

location

twitter account profile location content.

Type:

str

modification_time

date and time the contact was last modified.

Type:

dfdatetime.DateTimeValues

name

twitter account name.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

statuses

twitter account number of tweets.

Type:

int

user_identifier

twitter account id.

Type:

int

username

twitter account handle.

Type:

str

web_url

twitter account profile url content.

Type:

str

DATA_TYPE = 'android:twitter:contact'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_twitter.AndroidTwitterPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Twitter on Android database files.

DATA_FORMAT = 'Twitter on Android SQLite database file'
NAME = 'twitter_android'
ParseContactRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a contact row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

ParseSearchRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a search row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

ParseStatusRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a status row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT name, query, time FROM search_queries', 'ParseSearchRow'), ('SELECT statuses._id AS _id, statuses.author_id AS author_id, users.username AS username, statuses.content AS content, statuses.created AS time, statuses.favorited AS favorited, statuses.retweeted AS retweeted FROM statuses LEFT JOIN users ON statuses.author_id = users.user_id', 'ParseStatusRow'), ('SELECT _id, user_id, username, name, profile_created, description, web_url, location, followers, friends, statuses, image_url, updated, friendship_time FROM users', 'ParseContactRow')]
REQUIRED_STRUCTURE = {'search_queries': frozenset({'name', 'query', 'time'}), 'statuses': frozenset({'_id', 'author_id', 'content', 'created', 'favorited', 'retweeted'}), 'users': frozenset({'_id', 'description', 'followers', 'friends', 'friendship_time', 'image_url', 'location', 'name', 'profile_created', 'statuses', 'updated', 'user_id', 'username', 'web_url'})}
SCHEMAS = [{'activities': 'CREATE TABLE activities (_id INTEGER PRIMARY KEY,type INT,event INT,created_at INT,hash INT,max_position INT,min_position INT,sources_size INT,source_type INT,sources BLOB,targets_size INT,target_type INT,targets BLOB,target_objects_size INT,target_object_type INT,target_objects BLOB,is_last INT,tag INT,magic_rec_id INT,UNIQUE (type, max_position) ON CONFLICT REPLACE)', 'ads_account_permissions': 'CREATE TABLE ads_account_permissions (_id INTEGER PRIMARY KEY,promotable_users BLOB,last_synced INT NOT NULL)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'business_profiles': 'CREATE TABLE business_profiles (_id INTEGER PRIMARY KEY,user_id INT UNIQUE NOT NULL,business_profile BLOB,last_synced INT NOT NULL)', 'card_state': 'CREATE TABLE card_state (_id INTEGER PRIMARY KEY AUTOINCREMENT,card_status_id INT,card_id INT, card_state BLOB)', 'category_timestamp': 'CREATE TABLE category_timestamp (_id INTEGER PRIMARY KEY,cat_status_id INT NOT NULL,cat_tag INT NOT NULL,cat_timestamp INT NOT NULL)', 'clusters': 'CREATE TABLE clusters (_id INTEGER PRIMARY KEY,cl_cluster_id TEXT UNIQUE NOT NULL,cl_type INT,cl_title TEXT,cl_subtitle TEXT,cl_size INT,cl_timestamp INT,cl_content BLOB)', 'conversation_entries': 'CREATE TABLE conversation_entries (_id INTEGER PRIMARY KEY,entry_id INT UNIQUE NOT NULL,sort_entry_id INT UNIQUE NOT NULL,conversation_id TEXT,user_id INT,created INT,entry_type INT,data BLOB,request_id TEXT)', 'conversation_participants': 'CREATE TABLE conversation_participants (_id INTEGER PRIMARY KEY,conversation_id TEXT NOT NULL,user_id TEXT NOT NULL,join_time INT NOT NULL,participant_type INT NOT NULL)', 'conversations': 'CREATE TABLE conversations (_id INTEGER PRIMARY KEY,conversation_id TEXT UNIQUE NOT NULL,title TEXT,avatar_url TEXT,type INT,sort_event_id BIGINT,last_readable_event_id BIGINT,last_read_event_id BIGINT,sort_timestamp BIGINT,is_muted INT,min_event_id BIGINT,is_hidden INT,has_more INT,read_only INT)', 
'cursors': 'CREATE TABLE cursors (_id INTEGER PRIMARY KEY,kind INT,type INT,owner_id INT,ref_id TEXT,next TEXT)', 'dismiss_info': 'CREATE TABLE dismiss_info(timeline_id INTEGER REFERENCES timeline(_id),feedback_action_id INTEGER REFERENCES feedback_action(_id),UNIQUE(timeline_id,feedback_action_id))', 'feedback_action': 'CREATE TABLE feedback_action(_id INTEGER PRIMARY KEY AUTOINCREMENT,feedback_type TEXT,prompt TEXT,confirmation TEXT,UNIQUE(feedback_type,prompt,confirmation))', 'list_mapping': 'CREATE TABLE list_mapping (_id INTEGER PRIMARY KEY,list_mapping_list_id TEXT,list_mapping_type INT,list_mapping_user_id INT,list_is_last INT)', 'locations': 'CREATE TABLE locations (_id INTEGER PRIMARY KEY,name TEXT,woeid INT,country TEXT,country_code TEXT)', 'moments': 'CREATE TABLE moments (_id INTEGER PRIMARY KEY,title TEXT NOT NULL,can_subscribe INT,is_live INT,is_sensitive INT,subcategory_string TEXT,subcategory_favicon_url TEXT,time_string TEXT,duration_string TEXT,is_subscribed INT,description TEXT NOT NULL,moment_url TEXT,num_subscribers INT,author_info BLOB,promoted_content BLOB)', 'moments_guide': 'CREATE TABLE moments_guide (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,section_id INT NOT NULL,tweet_id INT NOT NULL, crop_data BLOB,media_id INT,media_url TEXT,media_size BLOB,FOREIGN KEY(section_id) REFERENCES moments_sections(_id) ON DELETE CASCADE)', 'moments_guide_categories': 'CREATE TABLE moments_guide_categories (_id INTEGER PRIMARY KEY,category_id TEXT NOT NULL,is_default_category INT NOT NULL,category_name TEXT NOT NULL,fetch_timestamp INT NOT NULL)', 'moments_guide_user_states': 'CREATE TABLE moments_guide_user_states (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,is_read INT,is_updated INT,FOREIGN KEY(moment_id) REFERENCES moments(_id) ON DELETE CASCADE)', 'moments_pages': 'CREATE TABLE moments_pages (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,page_id TEXT,type BLOB,tweet_id INT,display_mode BLOB,page_number INT,crop_data BLOB,theme_data 
BLOB,media_id INT,media_size BLOB,media_url TEXT,last_read_timestamp INT,FOREIGN KEY(moment_id) REFERENCES moments(_id))', 'moments_sections': 'CREATE TABLE moments_sections (_id INTEGER PRIMARY KEY,section_title TEXT,section_type BLOB NOT NULL,section_group_id TEXT,section_group_type INT NOT NULL)', 'moments_visit_badge': 'CREATE TABLE moments_visit_badge (_id INTEGER PRIMARY KEY,moment_id INT UNIQUE NOT NULL,is_new_since_visit INT,is_updated_since_visit INT)', 'news': 'CREATE TABLE news (_id INTEGER PRIMARY KEY AUTOINCREMENT,country TEXT,language TEXT,topic_id INT,news_id TEXT,title TEXT,image_url TEXT,author_name TEXT,article_description TEXT,article_url TEXT,tweet_count INT,start_time INT,news_id_hash INT)', 'notifications': 'CREATE TABLE notifications (_id INTEGER PRIMARY KEY,type INT,notif_id INT,source_user_name TEXT,s_name TEXT,s_id INT,notif_txt TEXT,aggregation_data TEXT,notif_extra_data BLOB)', 'one_click': 'CREATE TABLE one_click (_id INTEGER PRIMARY KEY,topic TEXT,filter_name TEXT,filter_location TEXT,filter_follow INT)', 'order_history': 'CREATE TABLE order_history (_id INTEGER PRIMARY KEY,ordered_at INT ,order_id INT ,data BLOB)', 'promoted_retry': 'CREATE TABLE promoted_retry(impression_id TEXT,event INT NOT NULL,is_earned INT NOT NULL,trend_id INT,num_retries INT NOT NULL,url TEXT,video_playlist_url TEXT,video_content_uuid TEXT,video_content_type TEXT,video_cta_url TEXT,video_cta_app_id TEXT,video_cta_app_name TEXT,card_event TEXT,PRIMARY KEY(impression_id,event,is_earned,trend_id))', 'prompts': 'CREATE TABLE prompts (_id INTEGER PRIMARY KEY,p_id INT,p_format TEXT,p_template TEXT,p_header TEXT,p_text TEXT,p_action_text TEXT,p_action_url TEXT,p_icon TEXT,p_background_image_url TEXT,p_persistence TEXT,p_entities BLOB,p_header_entities BLOB,p_status_id LONG,p_insertion_index INT,p_trigger TEXT)', 'rankings': 'CREATE TABLE rankings (_id INTEGER PRIMARY KEY AUTOINCREMENT,country TEXT,language TEXT,granularity TEXT,category TEXT,date INT)', 
'search_queries': 'CREATE TABLE search_queries (_id INTEGER PRIMARY KEY,type INT,name TEXT NOT NULL,query TEXT NOT NULL,query_id INT,time INT,latitude REAL,longitude REAL,radius REAL,location TEXT,pc BLOB,cluster_titles BLOB)', 'search_results': 'CREATE TABLE search_results (_id INTEGER PRIMARY KEY,search_id INT,s_type INT,data_type INT,type_id INT,polled INT,data_id INT,related_data BLOB,cluster_id INT)', 'search_suggestion_metadata': 'CREATE TABLE search_suggestion_metadata (_id INTEGER PRIMARY KEY,type INT,last_update LONG)', 'status_groups': 'CREATE TABLE status_groups (_id INTEGER PRIMARY KEY,tweet_type INT DEFAULT 0,type INT,sender_id INT,owner_id INT,ref_id INT,tag INT,g_status_id INT,is_read INT,page INT,is_last INT,updated_at INT,timeline INT,pc BLOB,g_flags INT,preview_draft_id INT,preview_media BLOB,tweet_pivots BLOB)', 'status_metadata': 'CREATE TABLE status_metadata (_id INTEGER PRIMARY KEY,owner_id INT NOT NULL,status_id INT NOT NULL,status_group INT NOT NULL,status_group_tag INT NOT NULL,soc_type INT,soc_name TEXT,soc_second_name TEXT,soc_others_count INT,soc_fav_count INT,soc_rt_count INT,reason_icon_type TEXT,reason_text TEXT,scribe_component TEXT,scribe_data BLOB,highlights TEXT)', 'statuses': 'CREATE TABLE statuses (_id INTEGER PRIMARY KEY,status_id INT UNIQUE NOT NULL,author_id INT,content TEXT,source TEXT,created INT,in_r_user_id INT,in_r_status_id INT,favorited INT,latitude TEXT,longitude TEXT,place_data BLOB,entities TEXT,retweet_count INT,r_content TEXT,cards BLOB,flags INT,favorite_count INT,lang TEXT,supplemental_language TEXT,view_count INT,quoted_tweet_data BLOB,quoted_tweet_id INT,retweeted INT)', 'stories': 'CREATE TABLE stories ( _id INTEGER PRIMARY KEY,story_id TEXT,story_order INT,story_type INT,story_proof_type INT,story_proof_addl_count INT,data_type INT,data_id INT,story_is_read INT,story_meta_title TEXT,story_meta_subtitle TEXT,story_meta_query TEXT,story_meta_header_img_url TEXT,story_source TEXT,story_impression_info 
TEXT,story_tag INT)', 'timeline': 'CREATE TABLE timeline (_id INTEGER PRIMARY KEY AUTOINCREMENT,owner_id INT,type INT,sort_index INT,entity_id INT,entity_type INT,data_type INT,data_type_group INT,data_type_tag INT,timeline_tag TEXT,timeline_group_id INT,timeline_scribe_group_id INT,data_id INT,data BLOB,flags INT,updated_at INT,data_origin_id TEXT,is_last INT,is_read INT,scribe_content BLOB,timeline_moment_info BLOB,dismissed INT NOT NULL DEFAULT 0,dismiss_actions INT NOT NULL DEFAULT 0)', 'tokens': 'CREATE TABLE tokens (_id INTEGER PRIMARY KEY,text TEXT,weight INT,type INT,ref_id INT)', 'topics': 'CREATE TABLE topics (_id INTEGER PRIMARY KEY,ev_id TEXT UNIQUE NOT NULL,ev_type INT,ev_query TEXT NOT NULL,ev_seed_hashtag TEXT,ev_title STRING,ev_subtitle STRING,ev_view_url STRING,ev_status STRING,ev_image_url TEXT,ev_explanation TEXT,ev_tweet_count INT,ev_start_time INT,ev_owner_id INT,ev_pc BLOB,ev_content BLOB,ev_hash INT)', 'user_groups': 'CREATE TABLE user_groups (_id INTEGER PRIMARY KEY,type INT,tag INT,rank INT,owner_id INT,user_id INT,is_last INT,pc BLOB,g_flags INT)', 'user_metadata': 'CREATE TABLE user_metadata (_id INTEGER PRIMARY KEY,owner_id INT NOT NULL,user_id INT NOT NULL,user_group_type INT NOT NULL,user_group_tag INT NOT NULL,soc_type INT,soc_name TEXT,soc_follow_count INT,user_title TEXT,token TEXT)', 'users': 'CREATE TABLE users (_id INTEGER PRIMARY KEY,user_id INT UNIQUE NOT NULL,username TEXT,name TEXT,description TEXT,web_url TEXT,bg_color INT,location TEXT,structured_location BLOB,user_flags INT,followers INT,fast_followers INT DEFAULT 0,friends INT,statuses INT,profile_created INT,image_url TEXT,hash INT,updated INT,friendship INT,friendship_time INT,favorites INT DEFAULT 0,header_url TEXT,description_entities BLOB,url_entities BLOB,media_count INT,extended_profile_fields BLOB,pinned_tweet_id INT,link_color INT,advertiser_type TEXT,business_profile_state TEXT)'}]
class plaso.parsers.sqlite_plugins.android_twitter.AndroidTwitterSearchEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Twitter on Android search event data.

creation_time

date and time the search was created.

Type:

dfdatetime.DateTimeValues

name

twitter name handler.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

search_query

search query.

Type:

str

DATA_TYPE = 'android:twitter:search'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_twitter.AndroidTwitterStatusEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Twitter on Android status event data.

author_identifier

twitter account identifier.

Type:

int

content

status content.

Type:

str

creation_time

date and time the status was created.

Type:

dfdatetime.DateTimeValues

favorited

favorited flag as 0/1 value.

Type:

int

identifier

status row identifier.

Type:

int

query

SQL query that was used to obtain the event data.

Type:

str

retweeted

retweeted flag as 0/1 value.

Type:

int

username

twitter account handle.

Type:

str

DATA_TYPE = 'android:twitter:status'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.android_webview module

SQLite parser plugin for Android WebView database files.

class plaso.parsers.sqlite_plugins.android_webview.AndroidWebViewCookieEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Android WebView cookie event data.

cookie_name

name of the cookie.

Type:

str

data

data stored in the cookie.

Type:

str

expiration_time

date and time the cookie expires.

Type:

dfdatetime.DateTimeValues

host

host that set the cookie.

Type:

str

offset

identifier of the row, from which the event data was extracted.

Type:

str

path

path for which the cookie was set.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

secure

True if the cookie should only be transmitted over a secure channel.

Type:

bool

url

URL of the cookie.

Type:

str

DATA_TYPE = 'android:webview:cookie'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_webview.AndroidWebViewPlugin[source]

Bases: SQLitePlugin, CookiePluginsHelper

SQLite parser plugin for Android WebView database files.

DATA_FORMAT = 'Android WebView SQLite database file'
NAME = 'android_webview'
ParseCookieRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = frozenset({('SELECT _id, name, value, domain, expires, path, secure FROM cookies', 'ParseCookieRow')})
REQUIRED_STRUCTURE = {'android_metadata': frozenset({}), 'cookies': frozenset({'_id', 'domain', 'expires', 'name', 'path', 'secure', 'value'})}
SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'cookies': 'CREATE TABLE cookies (_id INTEGER PRIMARY KEY, name TEXT, value TEXT, domain TEXT, path TEXT, expires INTEGER, secure INTEGER)', 'formdata': 'CREATE TABLE formdata (_id INTEGER PRIMARY KEY, urlid INTEGER, name TEXT, value TEXT, UNIQUE (urlid, name, value) ON CONFLICT IGNORE)', 'formurl': 'CREATE TABLE formurl (_id INTEGER PRIMARY KEY, url TEXT)', 'httpauth': 'CREATE TABLE httpauth (_id INTEGER PRIMARY KEY, host TEXT, realm TEXT, username TEXT, password TEXT, UNIQUE (host, realm) ON CONFLICT REPLACE)', 'password': 'CREATE TABLE password (_id INTEGER PRIMARY KEY, host TEXT, username TEXT, password TEXT, UNIQUE (host, username) ON CONFLICT REPLACE)'}]

plaso.parsers.sqlite_plugins.android_webviewcache module

SQLite parser plugin for Android WebviewCache database files.

class plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCacheEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Android WebViewCache event data.

content_length

size of the cached content.

Type:

int

expiration_time

date and time the cache entry expires.

Type:

dfdatetime.DateTimeValues

last_modified_time

date and time the cache entry was last modified.

Type:

dfdatetime.DateTimeValues

query

SQL query that was used to obtain the event data.

Type:

str

url

URL the content was retrieved from.

Type:

str

DATA_TYPE = 'android:webviewcache'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Android WebviewCache database files.

DATA_FORMAT = 'Android WebViewCache SQLite database file'
NAME = 'android_webviewcache'
ParseRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = frozenset({('SELECT url, contentlength, expires, lastmodify FROM cache', 'ParseRow')})
REQUIRED_STRUCTURE = {'android_metadata': frozenset({}), 'cache': frozenset({'contentlength', 'expires', 'lastmodify', 'url'})}
SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'cache': 'CREATE TABLE cache (_id INTEGER PRIMARY KEY, url TEXT, filepath TEXT, lastmodify TEXT, etag TEXT, expires INTEGER, expiresstring TEXT, mimetype TEXT, encoding TEXT, httpstatus INTEGER, location TEXT, contentlength INTEGER, contentdisposition TEXT, UNIQUE (url) ON CONFLICT REPLACE)'}]

plaso.parsers.sqlite_plugins.chrome_autofill module

SQLite parser plugin for Google Chrome autofill database (Web Data) files.

class plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome Autofill event data.

creation_time

creation date and time of the autofill entry.

Type:

dfdatetime.DateTimeValues

field_name

name of form field.

Type:

str

last_used_time

date and time the autofill entry was last used.

Type:

dfdatetime.DateTimeValues

query

SQL query that was used to obtain the event data.

Type:

str

usage_count

count of times value has been used in field_name.

Type:

int

value

value populated in form field.

Type:

str

DATA_TYPE = 'chrome:autofill:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Google Chrome autofill database (Web Data) files.

The Google Chrome autofill database (Web Data) file is typically stored in: Web Data

DATA_FORMAT = 'Google Chrome autofill SQLite database (Web Data) file'
NAME = 'chrome_autofill'
ParseAutofillRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an autofill entry row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT autofill.date_created, autofill.date_last_used, autofill.name, autofill.value, autofill.count FROM autofill ORDER BY date_created', 'ParseAutofillRow')]
REQUIRED_STRUCTURE = {'autofill': frozenset({'count', 'date_created', 'date_last_used', 'name', 'value'})}
SCHEMAS = [{'autofill': 'CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower VARCHAR, date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0, count INTEGER DEFAULT 1, PRIMARY KEY (name, value));)'}]

plaso.parsers.sqlite_plugins.chrome_cookies module

SQLite parser plugin for Google Chrome cookies database files.

class plaso.parsers.sqlite_plugins.chrome_cookies.BaseChromeCookiePlugin[source]

Bases: SQLitePlugin, CookiePluginsHelper

SQLite parser plugin for Google Chrome cookies database files.

GA_UTMZ_TRANSLATION = {'utmccn': 'Ad campaign information.', 'utmcct': 'Path to the page of referring link.', 'utmcmd': 'Last type of visit.', 'utmcsr': 'Last source used to access.', 'utmctr': 'Keywords used to find site.'}
ParseCookieRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a cookie row.

Parameters:
  • parser_mediator (ParserMediator) – parser mediator.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from the query.

class plaso.parsers.sqlite_plugins.chrome_cookies.Chrome17CookiePlugin[source]

Bases: BaseChromeCookiePlugin

SQLite parser plugin for Google Chrome 17 - 65 cookies database files.

DATA_FORMAT = 'Google Chrome 17 - 65 cookies SQLite database file'
NAME = 'chrome_17_cookies'
QUERIES = [('SELECT creation_utc, host_key, name, value, path, expires_utc, secure, httponly, last_access_utc, has_expires, persistent FROM cookies', 'ParseCookieRow')]
REQUIRED_STRUCTURE = {'cookies': frozenset({'creation_utc', 'expires_utc', 'has_expires', 'host_key', 'httponly', 'last_access_utc', 'name', 'path', 'persistent', 'secure', 'value'}), 'meta': frozenset({})}
SCHEMAS = [{'cookies': 'CREATE TABLE cookies (creation_utc INTEGER NOT NULL UNIQUE PRIMARY KEY, host_key TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL, path TEXT NOT NULL, expires_utc INTEGER NOT NULL, secure INTEGER NOT NULL, httponly INTEGER NOT NULL, last_access_utc INTEGER NOT NULL, has_expires INTEGER DEFAULT 1, persistent INTEGER DEFAULT 1)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)'}]
class plaso.parsers.sqlite_plugins.chrome_cookies.Chrome66CookiePlugin[source]

Bases: BaseChromeCookiePlugin

SQLite parser plugin for Google Chrome 66+ cookies database files.

DATA_FORMAT = 'Google Chrome 66 and later cookies SQLite database file'
NAME = 'chrome_66_cookies'
QUERIES = [('SELECT creation_utc, host_key, name, value, path, expires_utc, is_secure AS secure, is_httponly AS httponly, last_access_utc, has_expires, is_persistent AS persistent FROM cookies', 'ParseCookieRow')]
REQUIRED_STRUCTURE = {'cookies': frozenset({'creation_utc', 'expires_utc', 'has_expires', 'host_key', 'is_httponly', 'is_persistent', 'is_secure', 'last_access_utc', 'name', 'path', 'value'}), 'meta': frozenset({})}
SCHEMAS = [{'cookies': "CREATE TABLE cookies (creation_utc INTEGER NOT NULL, host_key TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL, path TEXT NOT NULL, expires_utc INTEGER NOT NULL, is_secure INTEGER NOT NULL, is_httponly INTEGER NOT NULL, last_access_utc INTEGER NOT NULL, has_expires INTEGER NOT NULL DEFAULT 1, is_persistent INTEGER NOT NULL DEFAULT 1, priority INTEGER NOT NULL DEFAULT 1, encrypted_value BLOB DEFAULT '', firstpartyonly INTEGER NOT NULL DEFAULT 0, UNIQUE (host_key, name, path))", 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)'}]
class plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome Cookie event data.

access_time

date and time the cookie was last accessed.

Type:

dfdatetime.DateTimeValues

cookie_name

name of the cookie.

Type:

str

creation_time

date and time the cookie was created.

Type:

dfdatetime.DateTimeValues

data

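value of the cookie, as read from the value column; the Chrome 66+ query shown on this page does not select encrypted_value, so this can be empty when the value is only stored encrypted.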

Type:

str

expiration_time

date and time the cookie expires.

Type:

dfdatetime.DateTimeValues

host

hostname of host that set the cookie value.

Type:

str

httponly

True if the cookie cannot be accessed through client side script.

Type:

bool

path

path where the cookie got set.

Type:

str

persistent

True if the cookie is persistent.

Type:

bool

query

SQL query that was used to obtain the event data.

Type:

str

secure

True if the cookie should only be transmitted over a secure channel.

Type:

bool

url

URL or path where the cookie got set.

Type:

str

DATA_TYPE = 'chrome:cookie:entry'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.chrome_extension_activity module

SQLite parser plugin for Google Chrome extension activity database files.

class plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome Extension Activity event data.

action_type

action type.

Type:

str

activity_id

activity identifier.

Type:

str

api_name

name of API.

Type:

str

arg_url

URL argument.

Type:

str

args

arguments.

Type:

str

extension_id

extension identifier.

Type:

str

other

other.

Type:

str

page_title

title of webpage.

Type:

str

page_url

URL of webpage.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

recorded_time

date and time the entry was recorded.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'chrome:extension_activity:activity_log'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Google Chrome extension activity database files.

The Google Chrome extension activity database file is typically stored in: Extension Activity

DATA_FORMAT = 'Google Chrome extension activity SQLite database file'
NAME = 'chrome_extension_activity'
ParseActivityLogUncompressedRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an activity log row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT time, extension_id, action_type, api_name, args, page_url, page_title, arg_url, other, activity_id FROM activitylog_uncompressed ORDER BY time', 'ParseActivityLogUncompressedRow')]
REQUIRED_STRUCTURE = {'activitylog_compressed': frozenset({'action_type', 'api_name_x', 'arg_url_x', 'args_x', 'extension_id_x', 'other_x', 'page_title_x', 'page_url_x', 'time'})}
SCHEMAS = [{'activitylog_compressed': 'CREATE TABLE activitylog_compressed (count INTEGER NOT NULL DEFAULT 1, extension_id_x INTEGER NOT NULL, time INTEGER, action_type INTEGER, api_name_x INTEGER, args_x INTEGER, page_url_x INTEGER, page_title_x INTEGER, arg_url_x INTEGER, other_x INTEGER)', 'string_ids': 'CREATE TABLE string_ids (id INTEGER PRIMARY KEY, value TEXT NOT NULL)', 'url_ids': 'CREATE TABLE url_ids (id INTEGER PRIMARY KEY, value TEXT NOT NULL)'}]

plaso.parsers.sqlite_plugins.chrome_history module

SQLite parser plugin for Google Chrome history database files.

class plaso.parsers.sqlite_plugins.chrome_history.BaseGoogleChromeHistoryPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Google Chrome history database files.

The Google Chrome history database file is typically stored in: Archived History or History

Note that the Archived History database does not contain the downloads table.

ParseLastVisitedRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a last visited row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

  • cache (SQLiteCache) – cache which contains cached results from querying the visits and urls tables.

  • database (Optional[SQLiteDatabase]) – database.

class plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome History file downloaded event data.

danger_type

assessment by Safe Browsing of the danger of the downloaded content.

Type:

int

end_time

date and time the download was finished.

Type:

dfdatetime.DateTimeValues

full_path

full path where the file was downloaded to.

Type:

str

interrupt_reason

indication why the download was interrupted.

Type:

int

offset

identifier of the row, from which the event data was extracted.

Type:

str

opened

value to indicate if the downloaded file was opened from the browser.

Type:

int

query

SQL query that was used to obtain the event data.

Type:

str

received_bytes

number of bytes received while downloading.

Type:

int

start_time

date and time the download was started.

Type:

dfdatetime.DateTimeValues

state

state of the download, such as finished or cancelled.

Type:

int

total_bytes

total number of bytes to download.

Type:

int

url

URL of the downloaded file.

Type:

str

DATA_TYPE = 'chrome:history:file_downloaded'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome History page visited event data.

from_visit

URL where the visit originated from.

Type:

str

last_visited_time

date and time the URL was last visited.

Type:

dfdatetime.DateTimeValues

offset

identifier of the row, from which the event data was extracted.

Type:

str

page_transition_type

type of transitions between pages.

Type:

int

query

SQL query that was used to obtain the event data.

Type:

str

title

title of the visited page.

Type:

str

typed_count

number of times the user has navigated to the page by typing in the address.

Type:

int

url

URL of the visited page.

Type:

str

url_hidden

True if the URL is hidden.

Type:

bool

visit_count

number of times the user has navigated to this page.

Type:

int

visit_source

source of the page visit.

Type:

int

DATA_TYPE = 'chrome:history:page_visited'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome27HistoryPlugin[source]

Bases: BaseGoogleChromeHistoryPlugin

SQLite parser plugin for Google Chrome 27+ history database files.

DATA_FORMAT = 'Google Chrome 27 and later history SQLite database file'
NAME = 'chrome_27_history'
ParseFileDownloadedRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a file downloaded row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT urls.id, urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition, visits.id AS visit_id FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time', 'ParseLastVisitedRow'), ('SELECT downloads.id AS id, downloads.start_time,downloads.target_path, downloads_url_chains.url, downloads.received_bytes, downloads.total_bytes, downloads.end_time, downloads.state, downloads.danger_type, downloads.interrupt_reason, downloads.opened FROM downloads, downloads_url_chains WHERE downloads.id = downloads_url_chains.id', 'ParseFileDownloadedRow')]
REQUIRED_STRUCTURE = {'downloads': frozenset({'danger_type', 'end_time', 'id', 'interrupt_reason', 'opened', 'received_bytes', 'start_time', 'state', 'target_path', 'total_bytes'}), 'downloads_url_chains': frozenset({'id', 'url'}), 'urls': frozenset({'hidden', 'id', 'last_visit_time', 'title', 'typed_count', 'url', 'visit_count'}), 'visits': frozenset({'from_visit', 'id', 'transition', 'visit_time'})}
SCHEMAS = [{'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER 
NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type 
VARCHAR(255) NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT 
NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type 
VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,last_access_time INTEGER NOT NULL,transient INTEGER NOT NULL,referrer 
VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT 
NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY 
KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': "CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, guid VARCHAR NOT NULL DEFAULT '', hash BLOB NOT NULL DEFAULT X'', http_method VARCHAR NOT NULL DEFAULT '', tab_url VARCHAR NOT NULL DEFAULT '', tab_referrer_url VARCHAR NOT NULL DEFAULT '', site_url VARCHAR NOT NULL DEFAULT '', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)", 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON 
NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL, mime_type VARCHAR(255) NOT NULL DEFAULT "", original_mime_type VARCHAR(255) NOT NULL DEFAULT "", guid VARCHAR NOT NULL DEFAULT \'\', hash BLOB NOT NULL DEFAULT X\'\', http_method VARCHAR NOT NULL DEFAULT \'\', tab_url VARCHAR NOT NULL DEFAULT \'\', tab_referrer_url VARCHAR NOT NULL DEFAULT \'\', site_url VARCHAR NOT NULL DEFAULT \'\', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 
'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': "CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, guid VARCHAR NOT NULL DEFAULT '', hash BLOB NOT NULL DEFAULT X'', http_method VARCHAR NOT NULL DEFAULT '', tab_url VARCHAR NOT NULL DEFAULT '', tab_referrer_url VARCHAR NOT NULL DEFAULT '', site_url VARCHAR NOT NULL 
DEFAULT '', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)", 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT 
NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,last_access_time INTEGER NOT NULL,transient INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition 
INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}]
class plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome8HistoryPlugin[source]

Bases: BaseGoogleChromeHistoryPlugin

SQLite parser plugin for Google Chrome 8 - 25 history database files.

DATA_FORMAT = 'Google Chrome 8 - 25 history SQLite database file'
NAME = 'chrome_8_history'
ParseFileDownloadedRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a file downloaded row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT urls.id, urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition, visits.id AS visit_id FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time', 'ParseLastVisitedRow'), ('SELECT id, full_path, url, start_time, received_bytes, total_bytes, state FROM downloads', 'ParseFileDownloadedRow')]
REQUIRED_STRUCTURE = {'downloads': frozenset({'full_path', 'id', 'received_bytes', 'start_time', 'state', 'total_bytes', 'url'}), 'urls': frozenset({'hidden', 'id', 'last_visit_time', 'title', 'typed_count', 'url', 'visit_count'}), 'visits': frozenset({'from_visit', 'id', 'transition', 'visit_time'})}
SCHEMAS = [{'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE 
PRIMARY KEY,value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER 
PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT 
NULL,segment_id INTEGER,is_indexed BOOLEAN,visit_duration INTEGER DEFAULT 0 NOT NULL)'}]

plaso.parsers.sqlite_plugins.dropbox module

SQLite parser plugin for Dropbox sync_history database files.

class plaso.parsers.sqlite_plugins.dropbox.DropboxSyncDatabasePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Dropbox sync_history.db database files.

The Linux sync_history.db database is typically stored in: $HOME/.dropbox/instance1/sync_history.db

The Windows 10 sync_history.db database is typically stored in: $HOME/AppData/Local/Dropbox/instance1/sync_history.db

DATA_FORMAT = 'Dropbox sync history database (sync_history.db) file'
NAME = 'dropbox'
ParseSyncHistoryRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a sync_history row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT timestamp, event_type, file_event_type, direction, file_id, local_path FROM sync_history;', 'ParseSyncHistoryRow')]
REQUIRED_STRUCTURE = {'sync_history': frozenset({'direction', 'event_type', 'file_event_type', 'file_id', 'local_path', 'timestamp'})}
SCHEMAS = [{'sync_history': 'CREATE TABLE sync_history (event_type TEXT NOT NULL, file_event_type TEXT, direction TEXT, file_id TEXT, local_path TEXT, timestamp INTEGER NOT NULL, other_user INTEGER'}]
class plaso.parsers.sqlite_plugins.dropbox.DropboxSyncHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Dropbox Sync History Database event data.

event_type

the event type

Type:

str

file_event_type

the file event type

Type:

str

direction

the source of the synchronisation event

Type:

str

file_identifier

the Dropbox identifier of the file.

Type:

str

local_path

the local path of the file.

Type:

str

recorded_time

date and time the log entry was recorded.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'dropbox:sync_history:entry'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.edge_load_statistics module

Parser for Microsoft Edge load statistics database.

class plaso.parsers.sqlite_plugins.edge_load_statistics.EdgeLoadStatisticsPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Microsoft Edge load statistics database.

DESCRIPTION = 'Parser for Microsoft Edge load_statistics.db'
NAME = 'edge_load_statistics'
ParseResourceRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT top_level_hostname, resource_hostname, resource_type, last_update FROM load_statistics', 'ParseResourceRow')]
REQUIRED_STRUCTURE = {'load_statistics': frozenset({'last_update', 'resource_hostname', 'resource_type', 'resource_url_hash', 'top_level_hostname'}), 'meta': frozenset({'key', 'value'}), 'redirect_statistics': frozenset({'destination_hostname', 'is_top_level_document', 'last_update', 'source_hostname'})}
SCHEMAS = [{'load_statistics': 'CREATE TABLE load_statistics(top_level_hostname TEXT,resource_hostname TEXT, resource_url_hash TEXT, resource_typeINTEGER, last_update INTEGER NOT NULL,UNIQUE(top_level_hostname,resource_url_hash))', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,value LONGVARCHAR)', 'redirect_statistics': 'CREATE TABLE redirect_statistics(source_hostname TEXT,destination_hostname TEXT, is_top_level_document INTEGER NOTNULL, last_update INTEGER NOT NULL, UNIQUE(source_hostname,destination_hostname,is_top_level_document))'}]
class plaso.parsers.sqlite_plugins.edge_load_statistics.EdgeLoadStatisticsResourceEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Microsoft Edge load statistics resource event data.

last_update

Last update time of resource, cached or not.

query

query that created the event data.

Type:

str

resource_hostname

External domain of the resource that was loaded

resource_type

Integer descriptor of resource type

top_level_hostname

Source domain that initiated resource load

DATA_TYPE = 'edge:resources:load_statistics'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.firefox_cookies module

SQLite parser plugin for Mozilla Firefox cookies database files.

class plaso.parsers.sqlite_plugins.firefox_cookies.BaseFirefoxCookiePlugin[source]

Bases: SQLitePlugin, CookiePluginsHelper

Shared SQLite parser plugin for Mozilla Firefox cookies database files.

ParseCookieRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a cookie row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

class plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookie10Plugin[source]

Bases: BaseFirefoxCookiePlugin

SQLite parser plugin for Mozilla Firefox cookies schema 10 databases.

In schema 10 baseDomain was removed.

Also see:

https://searchfox.org/mozilla-central/source/netwerk/cookie/CookiePersistentStorage.cpp

DATA_FORMAT = 'Mozilla Firefox cookies SQLite database file version 10'
NAME = 'firefox_10_cookies'
QUERIES = [('SELECT id, name, value, host, path, expiry, lastAccessed, creationTime, isSecure, isHttpOnly FROM moz_cookies', 'ParseCookieRow')]
REQUIRED_STRUCTURE = {'moz_cookies': frozenset({'creationTime', 'expiry', 'host', 'id', 'isHttpOnly', 'isSecure', 'lastAccessed', 'name', 'path', 'value'})}
SCHEMAS = [{'moz_cookies': 'CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement))'}]
class plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookie2Plugin[source]

Bases: BaseFirefoxCookiePlugin

SQLite parser plugin for Mozilla Firefox cookies schema 2 databases.

Also see:

https://hg.mozilla.org/mozilla-central/file/349a2f003529/netwerk/cookie/nsCookie.h

DATA_FORMAT = 'Mozilla Firefox cookies SQLite database file version 2'
NAME = 'firefox_2_cookies'
QUERIES = [('SELECT id, baseDomain, name, value, host, path, expiry, lastAccessed, creationTime, isSecure, isHttpOnly FROM moz_cookies', 'ParseCookieRow')]
REQUIRED_STRUCTURE = {'moz_cookies': frozenset({'baseDomain', 'creationTime', 'expiry', 'host', 'id', 'isHttpOnly', 'isSecure', 'lastAccessed', 'name', 'path', 'value'})}
SCHEMAS = [{'moz_cookies': 'CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement))'}]
class plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Firefox Cookie event data.

access_time

date and time the cookie was last accessed.

Type:

dfdatetime.DateTimeValues

cookie_name

name field of the cookie.

Type:

str

creation_time

date and time the cookie was created.

Type:

dfdatetime.DateTimeValues

data

cookie data.

Type:

str

expiration_time

date and time the cookie expires.

Type:

dfdatetime.DateTimeValues

httponly

True if the cookie cannot be accessed through client side script.

Type:

bool

host

hostname of host that set the cookie value.

Type:

str

offset

identifier of the row, from which the event data was extracted.

Type:

str

path

URI of the page that set the cookie.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

secure

True if the cookie should only be transmitted over a secure channel.

Type:

bool

DATA_TYPE = 'firefox:cookie:entry'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.firefox_downloads module

SQLite parser plugin for Mozilla Firefox downloads database files.

class plaso.parsers.sqlite_plugins.firefox_downloads.Firefox118DownloadEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Firefox download event data.

deleted

deleted state.

Type:

int

download_state

state of the download.

Type:

int

end_time

date and time the download was finished.

Type:

dfdatetime.DateTimeValues

expiration

expiration.

Type:

int

flags

flags associated with this download

Type:

int

full_path

full path of the target of the download.

Type:

str

mime_type

mime type of the download.

Type:

str

name

name of the download.

Type:

str

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

received_bytes

number of bytes received.

Type:

int

referrer

referrer URL of the download.

Type:

str

start_time

date and time the download was started.

Type:

dfdatetime.DateTimeValues

temporary_location

temporary location of the download.

Type:

str

total_bytes

total number of bytes of the download.

Type:

int

type

type field.

Type:

int

url

source URL of the download.

Type:

str

DATA_TYPE = 'firefox:downloads:download'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.firefox_downloads.Firefox118DownloadsPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for version 118 Firefox downloads database files.

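The version 118 Firefox downloads database file is typically stored in: places.sqlite (the moz_annos and moz_places tables this plugin queries are part of the places database, although the DATA_FORMAT string below names downloads.sqlite).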

DATA_FORMAT = 'Mozilla Firefox 118 downloads SQLite database (downloads.sqlite) file'
NAME = 'firefox_118_downloads'
ParseDownloadsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a downloads row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT annos1.content, annos2.flags, annos2.expiration, annos2.type, annos2.dateAdded, annos2.lastModified, annos2.content as dest_fpath, places.url, places.title, places.last_visit_date from moz_annos annos1, moz_annos annos2, moz_places places WHERE annos1.anno_attribute_id == annos2.anno_attribute_id+1 AND annos1.place_id == annos2.place_id AND annos1.place_id == places.id', 'ParseDownloadsRow')]
REQUIRED_STRUCTURE = {'moz_annos': frozenset({'anno_attribute_id', 'content', 'dateAdded', 'expiration', 'flags', 'id', 'lastModified', 'place_id', 'type'}), 'moz_places': frozenset({'id', 'last_visit_date', 'title', 'url'})}
SCHEMAS = [{'moz_annos': 'CREATE TABLE moz_annos (id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)'}, {'moz_places': 'CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER, guid TEXT, foreign_count INTEGER DEFAULT 0 NOT NULL, url_hash INTEGER DEFAULT 0 NOT NULL , description TEXT, preview_image_url TEXT, site_name TEXT, origin_id INTEGER REFERENCES moz_origins(id), recalc_frecency INTEGER NOT NULL DEFAULT 0, alt_frecency INTEGER, recalc_alt_frecency INTEGER NOT NULL DEFAULT 0)'}]
class plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Firefox download event data.

end_time

date and time the download was finished.

Type:

dfdatetime.DateTimeValues

full_path

full path of the target of the download.

Type:

str

mime_type

mime type of the download.

Type:

str

name

name of the download.

Type:

str

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

received_bytes

number of bytes received.

Type:

int

referrer

referrer URL of the download.

Type:

str

start_time

date and time the download was started.

Type:

dfdatetime.DateTimeValues

temporary_location

temporary location of the download.

Type:

str

total_bytes

total number of bytes of the download.

Type:

int

url

source URL of the download.

Type:

str

DATA_TYPE = 'firefox:downloads:download'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadsPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Mozilla Firefox downloads database files.

The Mozilla Firefox downloads database file is typically stored in: downloads.sqlite

DATA_FORMAT = 'Mozilla Firefox downloads SQLite database (downloads.sqlite) file'
NAME = 'firefox_downloads'
ParseDownloadsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a downloads row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT moz_downloads.id, moz_downloads.name, moz_downloads.source, moz_downloads.target, moz_downloads.tempPath, moz_downloads.startTime, moz_downloads.endTime, moz_downloads.state, moz_downloads.referrer, moz_downloads.currBytes, moz_downloads.maxBytes, moz_downloads.mimeType FROM moz_downloads', 'ParseDownloadsRow')]
REQUIRED_STRUCTURE = {'moz_downloads': frozenset({'currBytes', 'endTime', 'id', 'maxBytes', 'mimeType', 'name', 'referrer', 'source', 'startTime', 'state', 'target', 'tempPath'})}
SCHEMAS = [{'moz_downloads': 'CREATE TABLE moz_downloads (id INTEGER PRIMARY KEY, name TEXT, source TEXT, target TEXT, tempPath TEXT, startTime INTEGER, endTime INTEGER, state INTEGER, referrer TEXT, entityID TEXT, currBytes INTEGER NOT NULL DEFAULT 0, maxBytes INTEGER NOT NULL DEFAULT -1, mimeType TEXT, preferredApplication TEXT, preferredAction INTEGER NOT NULL DEFAULT 0, autoResume INTEGER NOT NULL DEFAULT 0)'}]

plaso.parsers.sqlite_plugins.firefox_history module

SQLite parser plugin for Mozilla Firefox history database files.

class plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Mozilla Firefox history database files.

The Mozilla Firefox history database file is typically stored in: places.sqlite

DATA_FORMAT = 'Mozilla Firefox history SQLite database (places.sqlite) file'
NAME = 'firefox_history'
ParseBookmarkAnnotationRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a bookmark annotation row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

ParseBookmarkFolderRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a bookmark folder row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

ParseBookmarkRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a bookmark row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

ParsePageVisitedRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a page visited row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

  • cache (Optional[SQLiteCache]) – cache.

  • database (Optional[SQLiteDatabase]) – database.

QUERIES = [('SELECT moz_historyvisits.id, moz_places.url, moz_places.title, moz_places.visit_count, moz_historyvisits.visit_date, moz_historyvisits.from_visit, moz_places.rev_host, moz_places.hidden, moz_places.typed, moz_historyvisits.visit_type FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id', 'ParsePageVisitedRow'), ('SELECT moz_bookmarks.type, moz_bookmarks.title AS bookmark_title, moz_bookmarks.dateAdded, moz_bookmarks.lastModified, moz_places.url, moz_places.title AS places_title, moz_places.rev_host, moz_places.visit_count, moz_bookmarks.id FROM moz_places, moz_bookmarks WHERE moz_bookmarks.fk = moz_places.id AND moz_bookmarks.type <> 3', 'ParseBookmarkRow'), ('SELECT moz_items_annos.content, moz_items_annos.dateAdded, moz_items_annos.lastModified, moz_bookmarks.title, moz_places.url, moz_places.rev_host, moz_items_annos.id FROM moz_items_annos, moz_bookmarks, moz_places WHERE moz_items_annos.item_id = moz_bookmarks.id AND moz_bookmarks.fk = moz_places.id', 'ParseBookmarkAnnotationRow'), ('SELECT moz_bookmarks.id, moz_bookmarks.title,moz_bookmarks.dateAdded, moz_bookmarks.lastModified FROM moz_bookmarks WHERE moz_bookmarks.type = 2', 'ParseBookmarkFolderRow')]
REQUIRED_STRUCTURE = {'moz_bookmarks': frozenset({'dateAdded', 'fk', 'id', 'lastModified', 'title', 'type'}), 'moz_historyvisits': frozenset({'from_visit', 'id', 'place_id', 'visit_date', 'visit_type'}), 'moz_items_annos': frozenset({'content', 'dateAdded', 'id', 'item_id', 'lastModified'}), 'moz_places': frozenset({'hidden', 'id', 'rev_host', 'title', 'typed', 'url', 'visit_count'})}
SCHEMAS = [{'moz_anno_attributes': 'CREATE TABLE moz_anno_attributes ( id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE NOT NULL)', 'moz_annos': 'CREATE TABLE moz_annos ( id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_bookmarks': 'CREATE TABLE moz_bookmarks ( id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER DEFAULT NULL, parent INTEGER, position INTEGER, title LONGVARCHAR, keyword_id INTEGER, folder_type TEXT, dateAdded INTEGER, lastModified INTEGER)', 'moz_bookmarks_roots': 'CREATE TABLE moz_bookmarks_roots ( root_name VARCHAR(16) UNIQUE, folder_id INTEGER)', 'moz_favicons': 'CREATE TABLE moz_favicons ( id INTEGER PRIMARY KEY, url LONGVARCHAR UNIQUE, data BLOB, mime_type VARCHAR(32), expiration LONG)', 'moz_historyvisits': 'CREATE TABLE moz_historyvisits ( id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER)', 'moz_inputhistory': 'CREATE TABLE moz_inputhistory ( place_id INTEGER NOT NULL, input LONGVARCHAR NOT NULL, use_count INTEGER, PRIMARY KEY (place_id, input))', 'moz_items_annos': 'CREATE TABLE moz_items_annos ( id INTEGER PRIMARY KEY, item_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_keywords': 'CREATE TABLE moz_keywords ( id INTEGER PRIMARY KEY AUTOINCREMENT, keyword TEXT UNIQUE)', 'moz_places': 'CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, 
last_visit_date INTEGER )'}, {'moz_anno_attributes': 'CREATE TABLE moz_anno_attributes ( id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE NOT NULL)', 'moz_annos': 'CREATE TABLE moz_annos ( id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_bookmarks': 'CREATE TABLE moz_bookmarks ( id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER DEFAULT NULL, parent INTEGER, position INTEGER, title LONGVARCHAR, keyword_id INTEGER, folder_type TEXT, dateAdded INTEGER, lastModified INTEGER, guid TEXT)', 'moz_bookmarks_roots': 'CREATE TABLE moz_bookmarks_roots ( root_name VARCHAR(16) UNIQUE, folder_id INTEGER)', 'moz_favicons': 'CREATE TABLE moz_favicons ( id INTEGER PRIMARY KEY, url LONGVARCHAR UNIQUE, data BLOB, mime_type VARCHAR(32), expiration LONG, guid TEXT)', 'moz_historyvisits': 'CREATE TABLE moz_historyvisits ( id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER)', 'moz_hosts': 'CREATE TABLE moz_hosts ( id INTEGER PRIMARY KEY, host TEXT NOT NULL UNIQUE, frecency INTEGER, typed INTEGER NOT NULL DEFAULT 0, prefix TEXT)', 'moz_inputhistory': 'CREATE TABLE moz_inputhistory ( place_id INTEGER NOT NULL, input LONGVARCHAR NOT NULL, use_count INTEGER, PRIMARY KEY (place_id, input))', 'moz_items_annos': 'CREATE TABLE moz_items_annos ( id INTEGER PRIMARY KEY, item_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_keywords': 'CREATE TABLE moz_keywords ( id INTEGER PRIMARY KEY AUTOINCREMENT, keyword TEXT UNIQUE)', 'moz_places': 'CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, 
title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER , guid TEXT)', 'sqlite_stat1': 'CREATE TABLE sqlite_stat1(tbl, idx, stat)'}]
URL_CACHE_QUERY = 'SELECT h.id AS id, p.url, p.rev_host FROM moz_places p, moz_historyvisits h WHERE p.id = h.place_id'
class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkAnnotationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Firefox bookmark annotation event data.

added_time

date and time the bookmark annotation was added.

Type:

dfdatetime.DateTimeValues

content

annotation content.

Type:

str

modification_time

date and time the bookmark annotation was last modified.

Type:

dfdatetime.DateTimeValues

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

title

title of the bookmark folder.

Type:

str

url

bookmarked URL.

Type:

str

DATA_TYPE = 'firefox:places:bookmark_annotation'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Firefox bookmark event data.

added_time

date and time the bookmark was added.

Type:

dfdatetime.DateTimeValues

host

visited hostname.

Type:

str

modification_time

date and time the bookmark was last modified.

Type:

dfdatetime.DateTimeValues

offset

identifier of the row, from which the event data was extracted.

Type:

str

places_title

places title.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

title

title of the bookmark folder.

Type:

str

type

bookmark type.

Type:

int

url

bookmarked URL.

Type:

str

visit_count

visit count.

Type:

int

DATA_TYPE = 'firefox:places:bookmark'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkFolderEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Firefox bookmark folder event data.

added_time

date and time the bookmark folder was added.

Type:

dfdatetime.DateTimeValues

modification_time

date and time the bookmark folder was last modified.

Type:

dfdatetime.DateTimeValues

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

title

title of the bookmark folder.

Type:

str

DATA_TYPE = 'firefox:places:bookmark_folder'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Firefox page visited event data.

from_visit

URL that referred to the visited page.

Type:

str

hidden

value to indicate whether the URL was hidden.

Type:

str

host

visited hostname.

Type:

str

last_visited_time

date and time the URL was last visited.

Type:

dfdatetime.DateTimeValues

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

title

title of the visited page.

Type:

str

typed

value to indicate whether the URL was typed.

Type:

str

url

URL of the visited page.

Type:

str

visit_count

visit count.

Type:

int

visit_type

transition type for the event.

Type:

str

DATA_TYPE = 'firefox:places:page_visited'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.gdrive module

SQLite parser plugin for Google Drive snapshot database files.

class plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Google Drive snapshot database files.

The Google Drive snapshot database file is typically stored in: snapshot.db

CLOUD_PATH_CACHE_QUERY = 'SELECT cloud_entry.filename, cloud_entry.resource_id, cloud_relations.parent_resource_id AS parent FROM cloud_entry, cloud_relations WHERE cloud_entry.doc_type = 0 AND cloud_entry.resource_id = cloud_relations.child_resource_id'
DATA_FORMAT = 'Google Drive snapshot SQLite database (snapshot.db) file'
GetCloudPath(resource_id, cache, database)[source]

Return cloud path given a resource id.

Parameters:
  • resource_id (str) – resource identifier for the file.

  • cache (SQLiteCache) – cache.

  • database (SQLiteDatabase) – database.

Returns:

full path to the resource value.

Return type:

str

GetLocalPath(inode, cache, database)[source]

Return local path for a given inode.

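Parameters:
  • inode – inode number of the file.

  • cache (SQLiteCache) – cache.

  • database (SQLiteDatabase) – database.

Returns: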

full path, including the filename of the given inode value.

Return type:

str

LOCAL_PATH_CACHE_QUERY = 'SELECT local_relations.child_inode_number, local_relations.parent_inode_number, local_entry.filename FROM local_relations, local_entry WHERE local_relations.child_inode_number = local_entry.inode_number'
NAME = 'google_drive'
ParseCloudEntryRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a cloud entry row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

  • cache (SQLiteCache) – cache.

  • database (SQLiteDatabase) – database.

ParseLocalEntryRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a local entry row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

  • cache (Optional[SQLiteCache]) – cache.

  • database (Optional[SQLiteDatabase]) – database.

QUERIES = [('SELECT cloud_entry.resource_id, cloud_entry.filename, cloud_entry.modified, cloud_entry.created, cloud_entry.size, cloud_entry.doc_type, cloud_entry.shared, cloud_entry.checksum, cloud_entry.url, cloud_relations.parent_resource_id FROM cloud_entry, cloud_relations WHERE cloud_relations.child_resource_id = cloud_entry.resource_id AND cloud_entry.modified IS NOT NULL;', 'ParseCloudEntryRow'), ('SELECT inode_number, filename, modified, checksum, size FROM local_entry WHERE modified IS NOT NULL;', 'ParseLocalEntryRow')]
REQUIRED_STRUCTURE = {'cloud_entry': frozenset({'checksum', 'created', 'doc_type', 'filename', 'modified', 'resource_id', 'shared', 'size', 'url'}), 'cloud_relations': frozenset({'child_resource_id', 'parent_resource_id'}), 'local_entry': frozenset({'checksum', 'filename', 'inode_number', 'modified', 'size'}), 'local_relations': frozenset({'child_inode_number', 'parent_inode_number'})}
SCHEMAS = [{'cloud_entry': 'CREATE TABLE cloud_entry (resource_id TEXT, filename TEXT, modified INTEGER, created INTEGER, acl_role INTEGER, doc_type INTEGER, removed INTEGER, url TEXT, size INTEGER, checksum TEXT, shared INTEGER, PRIMARY KEY (resource_id))', 'cloud_relations': 'CREATE TABLE cloud_relations (child_resource_id TEXT, parent_resource_id TEXT, UNIQUE (child_resource_id, parent_resource_id), FOREIGN KEY (child_resource_id) REFERENCES cloud_entry(resource_id), FOREIGN KEY (parent_resource_id) REFERENCES cloud_entry(resource_id))', 'local_entry': 'CREATE TABLE local_entry (inode_number INTEGER, filename TEXT, modified INTEGER, checksum TEXT, size INTEGER, PRIMARY KEY (inode_number))', 'local_relations': 'CREATE TABLE local_relations (child_inode_number INTEGER, parent_inode_number INTEGER, UNIQUE (child_inode_number), FOREIGN KEY (parent_inode_number) REFERENCES local_entry(inode_number), FOREIGN KEY (child_inode_number) REFERENCES local_entry(inode_number))', 'mapping': 'CREATE TABLE mapping (inode_number INTEGER, resource_id TEXT, UNIQUE (inode_number), FOREIGN KEY (inode_number) REFERENCES local_entry(inode_number), FOREIGN KEY (resource_id) REFERENCES cloud_entry(resource_id))', 'overlay_status': 'CREATE TABLE overlay_status (path TEXT, overlay_status INTEGER, PRIMARY KEY (path))'}]
class plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Google Drive snapshot cloud entry event data.

creation_time

date and time the snapshot cloud entry was created.

Type:

dfdatetime.DateTimeValues

doc_type

document type.

Type:

int

modification_time

date and time the snapshot cloud entry was last modified.

Type:

dfdatetime.DateTimeValues

path

path of the file.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

shared

True if the file is shared, False if the file is private.

Type:

bool

size

size of the file.

Type:

int

url

URL of the file.

Type:

str

DATA_TYPE = 'gdrive:snapshot:cloud_entry'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotLocalEntryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Google Drive snapshot local entry event data.

modification_time

date and time the snapshot local entry was last modified.

Type:

dfdatetime.DateTimeValues

path

path of the file.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

size

size of the file.

Type:

int

DATA_TYPE = 'gdrive:snapshot:local_entry'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.imessage module

SQLite parser plugin for MacOS and iOS iMessage database files.

class plaso.parsers.sqlite_plugins.imessage.IMessageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

iMessage and SMS event data.

attachment_location

location of the attachment.

Type:

str

client_version

client version.

Type:

int

creation_time

date and time the message was created.

Type:

dfdatetime.DateTimeValues

imessage_id

mobile number or email address the message was sent to or received from.

Type:

str

message_type

value to indicate the message was sent (1) or received (0).

Type:

int

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

read_receipt

True if the message read receipt was received.

Type:

bool

service

service, which is either SMS or iMessage.

Type:

str

text

content of the message.

Type:

str

DATA_TYPE = 'imessage:event:chat'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.imessage.IMessagePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for MacOS and iOS iMessage database files.

The iMessage database file is typically stored in chat.db or sms.db.

DATA_FORMAT = 'MacOS and iOS iMessage database (chat.db, sms.db) file'
NAME = 'imessage'
ParseMessageRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a message row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

  • cache (SQLiteCache) – cache which contains cached query results.

  • database (Optional[SQLiteDatabase]) – database.

QUERIES = [('SELECT message.date, message.ROWID, handle.id AS imessage_id, message.is_read AS read_receipt, message.is_from_me AS message_type, message.service, attachment.filename AS attachment_location, message.text FROM message JOIN handle ON handle.ROWID = message.handle_id LEFT OUTER JOIN message_attachment_join AS maj ON message.ROWID = maj.message_id LEFT OUTER JOIN attachment ON maj.attachment_id = attachment.ROWID', 'ParseMessageRow')]
REQUIRED_STRUCTURE = {'_SqliteDatabaseProperties': frozenset({'key', 'value'}), 'attachment': frozenset({'ROWID', 'filename'}), 'handle': frozenset({'ROWID', 'id'}), 'message': frozenset({'ROWID', 'date', 'handle_id', 'is_from_me', 'is_read', 'service', 'text'}), 'message_attachment_join': frozenset({'attachment_id', 'message_id'})}

plaso.parsers.sqlite_plugins.interface module

Interface for SQLite database file parser plugins.

class plaso.parsers.sqlite_plugins.interface.SQLitePlugin[source]

Bases: BasePlugin

SQLite parser plugin.

CheckRequiredTablesAndColumns(database)[source]

Check if the database has the minimal structure required by the plugin.

Parameters:

database (SQLiteDatabase) – the database whose structure is being checked.

Returns:

True if the database has the required tables and columns defined by the plugin, or False if it does not or if the plugin does not define required tables and columns. The database can have more tables and/or columns than specified by the plugin and still return True.

Return type:

bool

CheckSchema(database)[source]

Checks the schema of a database with that defined in the plugin.

Parameters:

database (SQLiteDatabase) – SQLite database to check.

Returns:

True if the schema of the database matches that defined by the plugin, or False if the schemas do not match or no schema is defined by the plugin.

Return type:

bool

DATA_FORMAT = 'SQLite database file'
NAME = 'sqlite_plugin'
Process(parser_mediator, cache=None, database=None, **unused_kwargs)[source]

Extracts events from a SQLite database.

Parameters:
Raises:

ValueError – If the database or cache value is missing.

QUERIES = []
REQUIRED_STRUCTURE = {}
REQUIRES_SCHEMA_MATCH = False
SCHEMAS = []
__init__()[source]

Initializes a SQLite parser plugin.

plaso.parsers.sqlite_plugins.ios_datausage module

SQLite parser plugin for iOS datausage.sqlite database files.

class plaso.parsers.sqlite_plugins.ios_datausage.IOSDatausageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

iOS datausage event data.

bundle_identifier

bundle identifier.

Type:

str

process_name

name of the process.

Type:

str

start_time

date and time the start of the network connection was established.

Type:

dfdatetime.DateTimeValues

wifi_in

number of bytes received over Wi-Fi.

Type:

int

wifi_out

number of bytes sent over Wi-Fi.

Type:

int

wireless_wan_in

number of bytes received over cellular.

Type:

int

wireless_wan_out

number of bytes sent over cellular.

Type:

int

DATA_TYPE = 'ios:datausage:event'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.ios_datausage.IOSDatausagePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for iOS DataUsage database.

DATA_FORMAT = 'iOS data usage SQLite databse (DataUsage.sqlite) file.'
NAME = 'ios_datausage'
ParseDatausageEventRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row from the Datausage sqlite file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT ZLIVEUSAGE.ZTIMESTAMP, ZLIVEUSAGE.ZWIFIIN, ZLIVEUSAGE.ZWIFIOUT, ZLIVEUSAGE.ZWWANIN, ZLIVEUSAGE.ZWWANOUT, ZPROCESS.ZBUNDLENAME, ZPROCESS.ZPROCNAME FROM ZLIVEUSAGE LEFT JOIN ZPROCESS ON ZPROCESS.Z_PK = ZLIVEUSAGE.ZHASPROCESS', 'ParseDatausageEventRow')]
REQUIRED_STRUCTURE = {'ZLIVEUSAGE': frozenset({'ZHASPROCESS', 'ZKIND', 'ZMETADATA', 'ZTAG', 'ZTIMESTAMP', 'ZWIFIIN', 'ZWIFIOUT', 'ZWWANIN', 'ZWWANOUT', 'Z_ENT', 'Z_OPT', 'Z_PK'}), 'ZPROCESS': frozenset({'ZBUNDLENAME', 'ZFIRSTTIMESTAMP', 'ZPROCNAME', 'ZTIMESTAMP', 'Z_ENT', 'Z_OPT', 'Z_PK'})}
REQUIRES_SCHEMA_MATCH = False
SCHEMAS = {'ZLIVEUSAGE': 'CREATE TABLE ZLIVEUSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZKIND INTEGER, ZMETADATA INTEGER, ZTAG INTEGER, ZHASPROCESS INTEGER, ZBILLCYCLEEND TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZWIFIIN FLOAT, ZWIFIOUT FLOAT, ZWWANIN FLOAT, ZWWANOUT FLOAT )', 'ZPROCESS': 'CREATE TABLE ZPROCESS ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFIRSTTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZBUNDLENAME VARCHAR, ZPROCNAME VARCHAR )'}

plaso.parsers.sqlite_plugins.ios_kik module

SQLite parser plugin for iOS Kik messenger database files.

class plaso.parsers.sqlite_plugins.ios_kik.IOSKikMessageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Kik message event data.

body

content of the message.

Type:

str

message_status

message status, such as: read, unread, not sent, delivered, etc.

Type:

str

message_type

message type, either Sent or Received.

Type:

str

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

received_time

date and time the message was received.

Type:

dfdatetime.DateTimeValues

username

unique username of the sender or receiver.

Type:

str

DATA_TYPE = 'ios:kik:messaging'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.ios_kik.IOSKikPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for iOS Kik messenger database files.

The iOS Kik messenger database file is typically stored in: kik.sqlite

DATA_FORMAT = 'iOS Kik messenger SQLite database (kik.sqlite) file'
NAME = 'kik_ios'
ParseMessageRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a message row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT a.Z_PK AS id, b.ZUSERNAME, b.ZDISPLAYNAME,a.ZRECEIVEDTIMESTAMP, a.ZSTATE, a.ZTYPE, a.ZBODY FROM ZKIKMESSAGE a JOIN ZKIKUSER b ON b.ZEXTRA = a.ZUSER', 'ParseMessageRow')]
REQUIRED_STRUCTURE = {'ZKIKMESSAGE': frozenset({'ZBODY', 'ZRECEIVEDTIMESTAMP', 'ZSTATE', 'ZTYPE', 'ZUSER', 'Z_PK'}), 'ZKIKUSER': frozenset({'ZDISPLAYNAME', 'ZEXTRA', 'ZUSERNAME'})}
SCHEMAS = [{'ZKIKATTACHMENT': 'CREATE TABLE ZKIKATTACHMENT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZRETRYCOUNT INTEGER, ZSTATE INTEGER, ZTYPE INTEGER, ZEXTRA INTEGER, ZMESSAGE INTEGER, ZLASTACCESSTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZCONTENT VARCHAR )', 'ZKIKATTACHMENTEXTRA': 'CREATE TABLE ZKIKATTACHMENTEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZATTACHMENT INTEGER, ZENCRYPTIONKEY BLOB )', 'ZKIKCHAT': 'CREATE TABLE ZKIKCHAT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZDRAFTMESSAGE INTEGER, ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZUSER INTEGER, ZDATEUPDATED TIMESTAMP )', 'ZKIKCHATEXTRA': 'CREATE TABLE ZKIKCHATEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCHAT INTEGER, ZLASTSEENMESSAGE INTEGER, ZMUTEDTIMESTAMP TIMESTAMP )', 'ZKIKMESSAGE': 'CREATE TABLE ZKIKMESSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZSTATE INTEGER, ZSYSTEMSTATE INTEGER, ZTYPE INTEGER, ZCHATEXTRA INTEGER, ZDRAFTMESSAGECHAT INTEGER, ZLASTMESSAGECHAT INTEGER, ZLASTMESSAGEUSER INTEGER, ZUSER INTEGER, ZRECEIVEDTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZBODY VARCHAR, ZSTANZAID VARCHAR, ZRENDERINSTRUCTIONSET BLOB )', 'ZKIKUSER': 'CREATE TABLE ZKIKUSER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZADDRESSBOOKID INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZPRESENCE INTEGER, ZTYPE INTEGER, ZCHATUSER INTEGER, ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZDISPLAYNAME VARCHAR, ZDISPLAYNAMEASCII VARCHAR, ZEMAIL VARCHAR, ZFIRSTNAME VARCHAR, ZGROUPTAG VARCHAR, ZJID VARCHAR, ZLASTNAME VARCHAR, ZPPTIMESTAMP VARCHAR, ZPPURL VARCHAR, ZSTATUS VARCHAR, ZUSERNAME VARCHAR, ZCONTENTLINKSPROTODATA BLOB )', 'ZKIKUSEREXTRA': 'CREATE TABLE ZKIKUSEREXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZLOCALFLAGS INTEGER, ZUSER INTEGER, ZPUBLICMESSAGINGKEY BLOB )', 'Z_3MESSAGES': 'CREATE TABLE Z_3MESSAGES ( Z_3CHAT INTEGER, 
Z_5MESSAGES INTEGER, PRIMARY KEY (Z_3CHAT, Z_5MESSAGES) )', 'Z_6ADMINSINVERSE': 'CREATE TABLE Z_6ADMINSINVERSE ( Z_6ADMINS INTEGER, Z_6ADMINSINVERSE INTEGER, PRIMARY KEY (Z_6ADMINS, Z_6ADMINSINVERSE) )', 'Z_6BANSINVERSE': 'CREATE TABLE Z_6BANSINVERSE ( Z_6BANS INTEGER, Z_6BANSINVERSE INTEGER, PRIMARY KEY (Z_6BANS, Z_6BANSINVERSE) )', 'Z_6MEMBERS': 'CREATE TABLE Z_6MEMBERS ( Z_6MEMBERSINVERSE INTEGER, Z_6MEMBERS INTEGER, PRIMARY KEY (Z_6MEMBERSINVERSE, Z_6MEMBERS) )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'}]

plaso.parsers.sqlite_plugins.ios_netusage module

SQLite parser plugin for iOS netusage.sqlite database files.

class plaso.parsers.sqlite_plugins.ios_netusage.IOSNetusagePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for iOS netusage database.

DATA_FORMAT = 'iOS network usage SQLite database (netusage.sqlite) file'
NAME = 'ios_netusage'
ParseNetusageProcessRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a Netusage process row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

ParseNetusageRouteRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a Netusage route row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('\n       SELECT \n         ZLIVEROUTEPERF.ZTIMESTAMP, \n         ZLIVEROUTEPERF.ZKIND, \n         ZLIVEROUTEPERF.ZBYTESIN, \n         ZLIVEROUTEPERF.ZBYTESOUT, \n         ZNETWORKATTACHMENT.ZIDENTIFIER, \n         HEX(ZNETWORKATTACHMENT.ZNETSIGNATURE) as ZNETSIGNATURE\n       FROM ZLIVEROUTEPERF\n       LEFT JOIN ZNETWORKATTACHMENT \n       ON ZLIVEROUTEPERF.ZHASNETWORKATTACHMENT = ZNETWORKATTACHMENT.Z_PK', 'ParseNetusageRouteRow'), ('\n         SELECT\n           ZLIVEUSAGE.ZTIMESTAMP,\n           ZPROCESS.ZPROCNAME,\n           ZLIVEUSAGE.ZWIFIIN,\n           ZLIVEUSAGE.ZWIFIOUT,\n           ZLIVEUSAGE.ZWWANIN,\n           ZLIVEUSAGE.ZWWANOUT,\n           ZLIVEUSAGE.ZWIREDIN,\n           ZLIVEUSAGE.ZWIREDOUT\n         FROM ZLIVEUSAGE \n         LEFT JOIN ZPROCESS \n         ON ZPROCESS.Z_PK = ZLIVEUSAGE.ZHASPROCESS', 'ParseNetusageProcessRow')]
REQUIRED_STRUCTURE = {'ZLIVEROUTEPERF': frozenset({'ZBYTESIN', 'ZBYTESOUT', 'ZHASNETWORKATTACHMENT', 'ZKIND', 'ZTIMESTAMP'}), 'ZLIVEUSAGE': frozenset({'ZHASPROCESS', 'ZTIMESTAMP', 'ZWIFIIN', 'ZWIFIOUT', 'ZWIREDIN', 'ZWIREDOUT', 'ZWWANIN', 'ZWWANOUT'}), 'ZNETWORKATTACHMENT': frozenset({'ZIDENTIFIER', 'ZNETSIGNATURE', 'Z_PK'}), 'ZPROCESS': frozenset({'ZPROCNAME', 'Z_PK'})}
REQUIRES_SCHEMA_MATCH = False
SCHEMAS = {'ZLIVEROUTEPERF': 'CREATE TABLE ZLIVEROUTEPERF (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZKIND INTEGER, ZHASNETWORKATTACHMENT INTEGER, ZADMINDISABLES FLOAT, ZBYTESIN FLOAT, ZBYTESOUT FLOAT, ZCAPTIVITYREDIRECTS FLOAT, ZCERTERRORS FLOAT, ZCONNATTEMPTS FLOAT, ZCONNSUCCESSES FLOAT, ZDATASTALLS FLOAT, ZEPOCHS FLOAT, ZFAULTYSTAY FLOAT, ZLOWLQMSTAY FLOAT, ZLOWQSTAY FLOAT, ZLQMTRANSITIONCOUNT FLOAT, ZOVERALLSTAY FLOAT, ZOVERALLSTAYM2 FLOAT, ZPACKETSIN FLOAT, ZPACKETSOUT FLOAT, ZRETXBYTES FLOAT, ZRTTAVG FLOAT, ZRTTMIN FLOAT, ZRTTVAR FLOAT, ZRXDUPEBYTES FLOAT, ZRXOOOBYTES FLOAT, ZTIMESTAMP TIMESTAMP, ZTOPDOWNLOADRATE FLOAT )', 'ZLIVEUSAGE': 'CREATE TABLE ZLIVEUSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZKIND INTEGER, ZMETADATA INTEGER, ZTAG INTEGER, ZHASPROCESS INTEGER, Z15_HASPROCESS INTEGER, ZALLFLOWS FLOAT, ZBILLCYCLEEND TIMESTAMP, ZJUMBOFLOWS FLOAT, ZTIMESTAMP TIMESTAMP, ZWIFIIN FLOAT, ZWIFIOUT FLOAT, ZWIREDIN FLOAT, ZWIREDOUT FLOAT, ZWWANIN FLOAT, ZWWANOUT FLOAT, ZXIN FLOAT, ZXOUT FLOAT )', 'ZNETWORKATTACHMENT': 'CREATE TABLE ZNETWORKATTACHMENT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZATTRS INTEGER, ZISHOTSPOT INTEGER, ZISKNOWNGOOD INTEGER, ZISLOWINTERNETDL INTEGER, ZISLOWINTERNETUL INTEGER, ZKIND INTEGER, ZWASLASTFAILED INTEGER, ZFIRSTTIMESTAMP TIMESTAMP, ZOVERALLSTAYMEAN FLOAT, ZOVERALLSTAYVAR FLOAT, ZTIMESTAMP TIMESTAMP, ZVELO FLOAT, ZIDENTIFIER VARCHAR, ZSERVICE VARCHAR, ZNETSIGNATURE BLOB )', 'ZPROCESS': 'CREATE TABLE ZPROCESS ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFIRSTTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZBUNDLENAME VARCHAR, ZPROCNAME VARCHAR )'}
class plaso.parsers.sqlite_plugins.ios_netusage.IOSNetusageProcessEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

iOS netusage process event data.

process_name

name of the process.

Type:

str

start_time

date and time the start of the network connection was established.

Type:

dfdatetime.DateTimeValues

wifi_in

bytes received via wifi.

Type:

int

wifi_out

bytes sent via wifi.

Type:

int

wired_in

bytes received via wired connection.

Type:

int

wired_out

bytes sent via wired connection.

Type:

int

wireless_wan_in

bytes received via cellular connection.

Type:

int

wireless_wan_out

bytes sent via cellular connection.

Type:

int

DATA_TYPE = 'ios:netusage:process'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.ios_netusage.IOSNetusageRouteEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

iOS netusage connection event data.

bytes_in

number of bytes received.

Type:

int

bytes_out

number of bytes sent.

Type:

int

network_identifier

name of network.

Type:

str

network_signature

signature of network.

Type:

str

network_type

integer indicating network type.

Type:

int

start_time

date and time the start of the network connection was established.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'ios:netusage:route'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.ios_powerlog module

SQLite parser plugin for iOS powerlog database files.

class plaso.parsers.sqlite_plugins.ios_powerlog.IOSPowerlogApplicationUsageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

iOS powerlog file application usage event data.

background_time

Number of seconds that the application ran in the background.

Type:

str

bundle_identifier

Name of the application.

Type:

str

screen_on_time

Number of seconds that the application ran in the foreground.

Type:

str

start_time

date and time of the start of the application.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'ios:powerlog:application_usage'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.ios_powerlog.IOSPowerlogApplicationUsagePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for iOS powerlog database files.

DATA_FORMAT = 'iOS powerlog SQLite database (CurrentPowerlog.PLSQL) file'
NAME = 'ios_powerlog'
ParseApplicationRunTime(parser_mediator, query, row, **unused_kwargs)[source]

Parses an Application Run Time row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT timestamp, BackgroundTime, ScreenOnTime, BundleID FROM PLAppTimeService_Aggregate_AppRunTime', 'ParseApplicationRunTime')]
REQUIRED_STRUCTURE = {'PLAppTimeService_Aggregate_AppRunTime': frozenset({'BackgroundTime', 'BundleID', 'ScreenOnTime', 'timestamp'})}
REQUIRES_SCHEMA_MATCH = False
SCHEMAS = {'PLAppTimeService_Aggregate_AppRunTime': 'CREATE TABLE PLAppTimeService_Aggregate_AppRunTime (id INTEGER PRIMARY KEY AUTOINCREMENT, timestamp REAL, timeInterval REAL, BackgroundAudioNowPlayingPluggedInTime REAL, BackgroundAudioNowPlayingTime REAL, BackgroundAudioPlayingTime REAL, BackgroundAudioPlayingTimePluggedIn REAL, BackgroundLocationAudioPluggedInTime REAL, BackgroundLocationAudioTime REAL, BackgroundLocationPluggedInTime REAL, BackgroundLocationTime REAL, BackgroundPluggedInTime REAL, BackgroundTime REAL, BundleID TEXT, ScreenOnPluggedInTime REAL, ScreenOnTime REAL)'}

plaso.parsers.sqlite_plugins.ios_screentime module

SQLite parser plugin for iOS Screen Time database files.

class plaso.parsers.sqlite_plugins.ios_screentime.IOSScreenTimeEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

iOS Screen Time file usage event data.

bundle_identifier

Bundle Identifier of the application.

Type:

str

device_identifier

GUID for the device.

Type:

str

device_name

Name of the device in use (when available).

Type:

str

domain

Domain of the website visited.

Type:

str

start_time

date and time of the start of the application.

Type:

dfdatetime.DateTimeValues

total_time

Number of seconds where the application was in the foreground.

Type:

int

user_family_name

Family name of the user.

Type:

str

user_given_name

Given name of the user.

Type:

str

DATA_TYPE = 'ios:screentime:event'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.ios_screentime.IOSScreenTimePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for iOS Screen Time database files.

The Screen Time database is typically stored in: RMAdminStore-Local.sqlite

DATA_FORMAT = 'iOS Screen Time SQLite database (RMAdminStore-Local.sqlite)'
NAME = 'ios_screentime'
ParseScreenTimeRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a Screen Time row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('\n      SELECT ZUSAGETIMEDITEM.ZTOTALTIMEINSECONDS,\n        ZUSAGETIMEDITEM.ZBUNDLEIDENTIFIER,\n        ZUSAGETIMEDITEM.ZDOMAIN,\n        ZUSAGEBLOCK.ZSTARTDATE,\n        ZCOREDEVICE.ZIDENTIFIER,\n        ZCOREDEVICE.ZNAME,\n        ZCOREUSER.ZFAMILYNAME,\n        ZCOREUSER.ZGIVENNAME\n      FROM ZUSAGETIMEDITEM\n      LEFT JOIN ZUSAGECATEGORY\n        ON ZUSAGETIMEDITEM.ZCATEGORY = ZUSAGECATEGORY.Z_PK\n      LEFT JOIN ZUSAGEBLOCK ON ZUSAGECATEGORY.ZBLOCK = ZUSAGEBLOCK.Z_PK\n      LEFT JOIN ZUSAGE ON ZUSAGEBLOCK.ZUSAGE = ZUSAGE.Z_PK\n      LEFT JOIN ZCOREDEVICE ON ZUSAGE.ZDEVICE = ZCOREDEVICE.Z_PK\n      LEFT JOIN ZCOREUSER ON ZUSAGE.ZUSER = ZCOREUSER.Z_PK\n      ', 'ParseScreenTimeRow')]
REQUIRED_STRUCTURE = {'ZCOREDEVICE': frozenset({'ZIDENTIFIER', 'ZNAME', 'Z_PK'}), 'ZCOREUSER': frozenset({'ZFAMILYNAME', 'ZGIVENNAME', 'Z_PK'}), 'ZUSAGE': frozenset({'ZDEVICE', 'ZUSER', 'Z_PK'}), 'ZUSAGEBLOCK': frozenset({'ZSTARTDATE', 'ZUSAGE', 'Z_PK'}), 'ZUSAGECATEGORY': frozenset({'ZBLOCK', 'Z_PK'}), 'ZUSAGETIMEDITEM': frozenset({'ZBUNDLEIDENTIFIER', 'ZCATEGORY', 'ZDOMAIN', 'ZTOTALTIMEINSECONDS'})}
REQUIRES_SCHEMA_MATCH = False
SCHEMAS = {'ZCOREDEVICE': 'CREATE TABLE ZCOREDEVICE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZPLATFORM INTEGER, ZLOCALUSERDEVICESTATE INTEGER, ZIDENTIFIER VARCHAR, ZNAME VARCHAR )', 'ZCOREUSER': 'CREATE TABLE ZCOREUSER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDSID INTEGER, ZISFAMILYORGANIZER INTEGER, ZISPARENT INTEGER, ZPASSCODEENTRYATTEMPTCOUNT INTEGER, ZPASSCODERECOVERYATTEMPTCOUNT INTEGER, ZSUPPORTSENCRYPTION INTEGER, ZCLOUDSETTINGS INTEGER, ZFAMILYSETTINGS INTEGER, ZLOCALSETTINGS INTEGER, ZLOCALUSERDEVICESTATE INTEGER, ZPASSCODEENTRYTIMEOUTENDDATE TIMESTAMP, ZALTDSID VARCHAR, ZAPPLEID VARCHAR, ZFAMILYMEMBERTYPE VARCHAR, ZFAMILYNAME VARCHAR, ZGIVENNAME VARCHAR, ZPHONETICFAMILYNAME VARCHAR, ZPHONETICGIVENNAME VARCHAR )', 'ZUSAGE': 'CREATE TABLE ZUSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDEVICE INTEGER, ZUSER INTEGER, ZLASTEVENTDATE TIMESTAMP, ZLASTUPDATEDDATE TIMESTAMP )', 'ZUSAGEBLOCK': 'CREATE TABLE ZUSAGEBLOCK ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDURATIONINMINUTES INTEGER, ZNUMBEROFPICKUPSWITHOUTAPPLICATIONUSAGE INTEGER, ZSCREENTIMEINSECONDS INTEGER, ZUSAGE INTEGER, ZFIRSTPICKUPDATE TIMESTAMP, ZLASTEVENTDATE TIMESTAMP, ZLONGESTSESSIONENDDATE TIMESTAMP, ZLONGESTSESSIONSTARTDATE TIMESTAMP, ZSTARTDATE TIMESTAMP )', 'ZUSAGECATEGORY': 'CREATE TABLE ZUSAGECATEGORY ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZTOTALTIMEINSECONDS INTEGER, ZBLOCK INTEGER, ZIDENTIFIER VARCHAR )', 'ZUSAGETIMEDITEM': 'CREATE TABLE ZUSAGETIMEDITEM ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZTOTALTIMEINSECONDS INTEGER, ZUSAGETRUSTED INTEGER, ZCATEGORY INTEGER, ZBUNDLEIDENTIFIER VARCHAR, ZDOMAIN VARCHAR )'}

plaso.parsers.sqlite_plugins.ios_twitter module

SQLite parser plugin for Twitter on iOS 8+ database files.

class plaso.parsers.sqlite_plugins.ios_twitter.IOSTwitterContactEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Twitter on iOS 8+ contact event data.

creation_time

date and time the contact was created.

Type:

dfdatetime.DateTimeValues

description

description of the profile.

Type:

str

followers_count

number of accounts following the contact.

Type:

int

following_count

number of accounts the contact is following.

Type:

int

following

1 if the contact is following the user’s account, 0 if not.

Type:

int

location

location of the profile.

Type:

str

modification_time

date and time the contact was last modified.

Type:

dfdatetime.DateTimeValues

name

name of the profile.

Type:

str

profile_url

URL of the profile picture.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

screen_name

screen name.

Type:

str

url

URL of the profile.

Type:

str

DATA_TYPE = 'ios:twitter:contact'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.ios_twitter.IOSTwitterPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Twitter on iOS 8+ database files.

The Twitter on iOS 8+ database file is typically stored in: /private/var/mobile/Containers/Data/Application/Library/Caches/databases/twitter.db

DATA_FORMAT = 'Twitter on iOS 8 and later SQLite database (twitter.db) file'
NAME = 'twitter_ios'
ParseContactRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a contact row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

ParseStatusRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a status row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT createdDate, updatedAt, screenName, name, profileImageUrl,location, description, url, following, followersCount, followingCount FROM Users ORDER BY createdDate', 'ParseContactRow'), ('SELECT Statuses.date AS date, Statuses.text AS text, Statuses.userId AS user_id, Users.name AS name, Statuses.retweetCount AS retweetCount, Statuses.favoriteCount AS favoriteCount, Statuses.favorited AS favorited, Statuses.updatedAt AS updatedAt FROM Statuses LEFT join Users ON Statuses.userId = Users.id ORDER BY date', 'ParseStatusRow')]
REQUIRED_STRUCTURE = {'Statuses': frozenset({'date', 'favoriteCount', 'favorited', 'retweetCount', 'text', 'updatedAt', 'userId'}), 'Users': frozenset({'createdDate', 'description', 'followersCount', 'following', 'followingCount', 'id', 'location', 'name', 'profileImageUrl', 'screenName', 'updatedAt', 'url'})}
SCHEMAS = [{'Lists': "CREATE TABLE Lists ( 'id' INTEGER PRIMARY KEY, 'name' TEXT, 'slug' TEXT, 'desc' TEXT, 'private' INTEGER, 'subscriberCount' INTEGER, 'memberCount' INTEGER, 'userId' INTEGER, 'updatedAt' REAL )", 'ListsShadow': "CREATE TABLE ListsShadow ( 'id' INTEGER PRIMARY KEY, 'name' TEXT, 'slug' TEXT, 'desc' TEXT, 'private' INTEGER, 'subscriberCount' INTEGER, 'memberCount' INTEGER, 'userId' INTEGER, 'updatedAt' REAL )", 'MyRetweets': "CREATE TABLE MyRetweets ( 'statusId' INTEGER PRIMARY KEY, 'myRetweetId' INTEGER )", 'Statuses': "CREATE TABLE Statuses ( 'id' INTEGER PRIMARY KEY, 'text' TEXT, 'date' REAL, 'userId' INTEGER, 'inReplyToStatusId' INTEGER, 'retweetedStatusId' INTEGER, 'geotag' BLOB, 'entities' BLOB, 'card' BLOB, 'cardUsers' BLOB, 'primaryCardType' INTEGER, 'cardVersion' INTEGER, 'retweetCount' INTEGER, 'favoriteCount' INTEGER, 'favorited' INTEGER, 'updatedAt' REAL, 'extraScribeItem' BLOB, 'withheldScope' TEXT, 'withheldInCountries' TEXT, 'inReplyToUsername' TEXT, 'possiblySensitive' INTEGER, 'isPossiblySensitiveAppealable' INTEGER, 'isLifelineAlert' INTEGER, 'isTruncated' INTEGER, 'previewLength' INTEGER, 'fullTextLength' INTEGER, 'lang' TEXT, 'supplmentalLanguage' TEXT, 'includeInProfileTimeline' INTEGER, 'quotedStatusId' INTEGER, 'source' TEXT )", 'StatusesShadow': "CREATE TABLE StatusesShadow ( 'id' INTEGER PRIMARY KEY, 'text' TEXT, 'date' REAL, 'userId' INTEGER, 'inReplyToStatusId' INTEGER, 'retweetedStatusId' INTEGER, 'geotag' BLOB, 'entities' BLOB, 'card' BLOB, 'cardUsers' BLOB, 'primaryCardType' INTEGER, 'cardVersion' INTEGER, 'retweetCount' INTEGER, 'favoriteCount' INTEGER, 'favorited' INTEGER, 'updatedAt' REAL, 'extraScribeItem' BLOB, 'withheldScope' TEXT, 'withheldInCountries' TEXT, 'inReplyToUsername' TEXT, 'possiblySensitive' INTEGER, 'isPossiblySensitiveAppealable' INTEGER, 'isLifelineAlert' INTEGER, 'isTruncated' INTEGER, 'previewLength' INTEGER, 'fullTextLength' INTEGER, 'lang' TEXT, 'supplementalLanguage' TEXT, 
'includeInProfileTimeline' INTEGER, 'quotedStatusId' INTEGER, 'source' TEXT )", 'Users': "CREATE TABLE Users ( 'id' INTEGER PRIMARY KEY, 'screenName' TEXT COLLATE NOCASE, 'profileImageUrl' TEXT, 'profileBannerUrl' TEXT, 'profileLinkColorHexTriplet' INTEGER, 'name' TEXT, 'location' TEXT, 'structuredLocation' BLOB, 'description' TEXT, 'url' TEXT, 'urlEntities' BLOB, 'bioEntities' BLOB, 'protected' INTEGER, 'verified' INTEGER, 'following' INTEGER, 'deviceFollowing' INTEGER, 'advertiserAccountType' INTEGER, 'statusesCount' INTEGER, 'mediaCount' INTEGER, 'favoritesCount' INTEGER, 'followingCount' INTEGER, 'followersCount' INTEGER, 'followersCountFast' INTEGER, 'followersCountNormal' INTEGER, 'couldBeStale' INTEGER, 'isLifelineInstitution' INTEGER, 'hasCollections' INTEGER, 'updatedAt' REAL, 'createdDate' REAL, 'isTranslator' INTEGER, 'hasExtendedProfileFields' INTEGER, 'extendedProfileFields' BLOB, 'pinnedTweetId' INTEGER, 'businessProfileState' INTEGER, 'analyticsType' INTEGER )", 'UsersShadow': "CREATE TABLE UsersShadow ( 'id' INTEGER PRIMARY KEY, 'screenName' TEXT COLLATE NOCASE, 'profileImageUrl' TEXT, 'profileBannerUrl' TEXT, 'profileLinkColorHexTriplet' INTEGER, 'name' TEXT, 'location' TEXT, 'structuredLocation' BLOB, 'description' TEXT, 'url' TEXT, 'urlEntities' BLOB, 'bioEntities' BLOB, 'protected' INTEGER, 'verified' INTEGER, 'following' INTEGER, 'deviceFollowing' INTEGER, 'advertiserAccountType' INTEGER, 'statusesCount' INTEGER, 'mediaCount' INTEGER, 'favoritesCount' INTEGER, 'followingCount' INTEGER, 'followersCount' INTEGER, 'followersCountFast' INTEGER, 'followersCountNormal' INTEGER, 'couldBeStale' INTEGER, 'isLifelineInstitution' INTEGER, 'hasCollections' INTEGER, 'updatedAt' REAL, 'createdDate' REAL, 'isTranslator' INTEGER, 'hasExtendedProfileFields' INTEGER, 'extendedProfileFields' BLOB, 'pinnedTweetId' INTEGER, 'businessProfileState' INTEGER, 'analyticsType' INTEGER )"}]
class plaso.parsers.sqlite_plugins.ios_twitter.IOSTwitterStatusEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Parent class for Twitter on iOS 8+ status events.

creation_time

date and time the status was created.

Type:

dfdatetime.DateTimeValues

favorite_count

number of times the status message has been favorited.

Type:

int

favorited

value to mark status as favorite by the account.

Type:

int

modification_time

date and time the status was last modified.

Type:

dfdatetime.DateTimeValues

name

user’s profile name.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

retweet_count

number of times the status message has been retweeted.

Type:

str

text

content of the status message.

Type:

str

user_identifier

user identifier.

Type:

int

DATA_TYPE = 'ios:twitter:status'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.kodi module

SQLite parser plugin for Kodi videos database files.

class plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Kodi videos database files.

The Kodi videos database file is typically stored in: MyVideos.db

DATA_FORMAT = 'Kodi videos SQLite database (MyVideos.db) file'
NAME = 'kodi'
ParseVideoRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a Video row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT idFile, strFilename, playCount, lastPlayed FROM files', 'ParseVideoRow')]
REQUIRED_STRUCTURE = {'files': frozenset({'idFile', 'lastPlayed', 'playCount', 'strFilename'})}
SCHEMAS = [{'actor': 'CREATE TABLE actor ( actor_id INTEGER PRIMARY KEY, name TEXT, art_urls TEXT )', 'actor_link': 'CREATE TABLE actor_link(actor_id INTEGER, media_id INTEGER, media_type TEXT, role TEXT, cast_order INTEGER)', 'art': 'CREATE TABLE art(art_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, type TEXT, url TEXT)', 'bookmark': 'CREATE TABLE bookmark ( idBookmark integer primary key, idFile integer, timeInSeconds double, totalTimeInSeconds double, thumbNailImage text, player text, playerState text, type integer)', 'country': 'CREATE TABLE country ( country_id integer primary key, name TEXT)', 'country_link': 'CREATE TABLE country_link (country_id integer, media_id integer, media_type TEXT)', 'director_link': 'CREATE TABLE director_link(actor_id INTEGER, media_id INTEGER, media_type TEXT)', 'episode': 'CREATE TABLE episode ( idEpisode integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 varchar(24),c13 varchar(24),c14 text,c15 text,c16 text,c17 varchar(24),c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, idShow integer, userrating integer, idSeason integer)', 'files': 'CREATE TABLE files ( idFile integer primary key, idPath integer, strFilename text, playCount integer, lastPlayed text, dateAdded text)', 'genre': 'CREATE TABLE genre ( genre_id integer primary key, name TEXT)', 'genre_link': 'CREATE TABLE genre_link (genre_id integer, media_id integer, media_type TEXT)', 'movie': 'CREATE TABLE movie ( idMovie integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, idSet integer, userrating integer, premiered text)', 'movielinktvshow': 'CREATE TABLE movielinktvshow ( idMovie integer, IdShow integer)', 'musicvideo': 'CREATE TABLE musicvideo ( idMVideo 
integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, userrating integer, premiered text)', 'path': 'CREATE TABLE path ( idPath integer primary key, strPath text, strContent text, strScraper text, strHash text, scanRecursive integer, useFolderNames bool, strSettings text, noUpdate bool, exclude bool, dateAdded text, idParentPath integer)', 'rating': 'CREATE TABLE rating (rating_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, rating_type TEXT, rating FLOAT, votes INTEGER)', 'seasons': 'CREATE TABLE seasons ( idSeason integer primary key, idShow integer, season integer, name text, userrating integer)', 'sets': 'CREATE TABLE sets ( idSet integer primary key, strSet text, strOverview text)', 'settings': 'CREATE TABLE settings ( idFile integer, Deinterlace bool,ViewMode integer,ZoomAmount float, PixelRatio float, VerticalShift float, AudioStream integer, SubtitleStream integer,SubtitleDelay float, SubtitlesOn bool, Brightness float, Contrast float, Gamma float,VolumeAmplification float, AudioDelay float, OutputToAllSpeakers bool, ResumeTime integer,Sharpness float, NoiseReduction float, NonLinStretch bool, PostProcess bool,ScalingMethod integer, DeinterlaceMode integer, StereoMode integer, StereoInvert bool, VideoStream integer)', 'stacktimes': 'CREATE TABLE stacktimes (idFile integer, times text)', 'streamdetails': 'CREATE TABLE streamdetails (idFile integer, iStreamType integer, strVideoCodec text, fVideoAspect float, iVideoWidth integer, iVideoHeight integer, strAudioCodec text, iAudioChannels integer, strAudioLanguage text, strSubtitleLanguage text, iVideoDuration integer, strStereoMode text, strVideoLanguage text)', 'studio': 'CREATE TABLE studio ( studio_id integer primary key, name TEXT)', 'studio_link': 'CREATE TABLE studio_link (studio_id integer, 
media_id integer, media_type TEXT)', 'tag': 'CREATE TABLE tag (tag_id integer primary key, name TEXT)', 'tag_link': 'CREATE TABLE tag_link (tag_id integer, media_id integer, media_type TEXT)', 'tvshow': 'CREATE TABLE tvshow ( idShow integer primary key,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, userrating integer, duration INTEGER)', 'tvshowlinkpath': 'CREATE TABLE tvshowlinkpath (idShow integer, idPath integer)', 'uniqueid': 'CREATE TABLE uniqueid (uniqueid_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, value TEXT, type TEXT)', 'version': 'CREATE TABLE version (idVersion integer, iCompressCount integer)', 'writer_link': 'CREATE TABLE writer_link(actor_id INTEGER, media_id INTEGER, media_type TEXT)'}]
class plaso.parsers.sqlite_plugins.kodi.KodiVideoEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Kodi video event data.

filename

video filename.

Type:

str

last_played_time

date and time the video was last played.

Type:

dfdatetime.DateTimeValues

play_count

number of times the video has been played.

Type:

int

query

SQL query that was used to obtain the event data.

Type:

str

DATA_TYPE = 'kodi:videos:viewing'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.ls_quarantine module

SQLite parser plugin for MacOS LS quarantine events database files.

class plaso.parsers.sqlite_plugins.ls_quarantine.MacOSLSQuarantineEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS launch services quarantine event data.

agent

user agent that was used to download the file.

Type:

str

data

data.

Type:

bytes

downloaded_time

date and time the file was downloaded.

Type:

dfdatetime.DateTimeValues

query

SQL query that was used to obtain the event data.

Type:

str

url

original URL of the file.

Type:

str

DATA_TYPE = 'macos:lsquarantine:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.ls_quarantine.MacOSLSQuarantinePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for MacOS LS quarantine events database files.

The MacOS launch services (LS) quarantine database file is typically stored in: /Users/<username>/Library/Preferences/QuarantineEvents.com.apple.LaunchServices

DATA_FORMAT = 'MacOS launch services quarantine events database SQLite database file'
NAME = 'ls_quarantine'
ParseLSQuarantineRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a launch services quarantine event row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT LSQuarantineTimeStamp AS Time, LSQuarantineAgentName AS Agent, LSQuarantineOriginURLString AS URL, LSQuarantineDataURLString AS Data FROM LSQuarantineEvent ORDER BY Time', 'ParseLSQuarantineRow')]
REQUIRED_STRUCTURE = {'LSQuarantineEvent': frozenset({'LSQuarantineAgentName', 'LSQuarantineDataURLString', 'LSQuarantineOriginURLString', 'LSQuarantineTimeStamp'})}
SCHEMAS = [{'LSQuarantineEvent': 'CREATE TABLE LSQuarantineEvent ( LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL, LSQuarantineTimeStamp REAL, LSQuarantineAgentBundleIdentifier TEXT, LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT, LSQuarantineSenderName TEXT, LSQuarantineSenderAddress TEXT, LSQuarantineTypeNumber INTEGER, LSQuarantineOriginTitle TEXT, LSQuarantineOriginURLString TEXT, LSQuarantineOriginAlias BLOB )'}]

plaso.parsers.sqlite_plugins.mackeeper_cache module

SQLite parser plugin for MacOS MacKeeper cache database files.

class plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacKeeper Cache event data.

added_time

date and time the cache entry was added.

Type:

dfdatetime.DateTimeValues

description

description.

Type:

str

event_type

event type.

Type:

str

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

record_id

record identifier.

Type:

int

room

room.

Type:

str

text

text.

Type:

str

url

URL.

Type:

str

user_name

user name.

Type:

str

user_sid

user security identifier (SID).

Type:

str

DATA_TYPE = 'mackeeper:cache'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for MacOS MacKeeper cache database files.

DATA_FORMAT = 'MacOS MacKeeper cache SQLite database file'
NAME = 'mackeeper_cache'
ParseReceiverData(parser_mediator, query, row, **unused_kwargs)[source]

Parses a single row from the receiver and cache response table.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT d.entry_ID AS id, d.receiver_data AS data, r.request_key, r.time_stamp AS time_string FROM cfurl_cache_receiver_data d, cfurl_cache_response r WHERE r.entry_ID = d.entry_ID', 'ParseReceiverData')]
REQUIRED_STRUCTURE = {'cfurl_cache_blob_data': frozenset({}), 'cfurl_cache_receiver_data': frozenset({'entry_ID', 'receiver_data'}), 'cfurl_cache_response': frozenset({'entry_ID', 'request_key', 'time_stamp'})}
SCHEMAS = [{'cfurl_cache_blob_data': 'CREATE TABLE cfurl_cache_blob_data(entry_ID INTEGER PRIMARY KEY, response_object BLOB, request_object BLOB, proto_props BLOB, user_info BLOB)', 'cfurl_cache_receiver_data': 'CREATE TABLE cfurl_cache_receiver_data(entry_ID INTEGER PRIMARY KEY, receiver_data BLOB)', 'cfurl_cache_response': 'CREATE TABLE cfurl_cache_response(entry_ID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, version INTEGER, hash_value INTEGER, storage_policy INTEGER, request_key TEXT UNIQUE, time_stamp NOT NULL DEFAULT CURRENT_TIMESTAMP, partition TEXT)', 'cfurl_cache_schema_version': 'CREATE TABLE cfurl_cache_schema_version(schema_version INTEGER)'}]

plaso.parsers.sqlite_plugins.macos_appusage module

SQLite parser plugin for MacOS application usage database files.

class plaso.parsers.sqlite_plugins.macos_appusage.MacOSApplicationUsageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS application usage event data.

application

name of the application.

Type:

str

application_version

version of the application.

Type:

str

bundle_identifier

bundle identifier of the application.

Type:

str

count

number of occurrences of the event.

Type:

int

event

event.

Type:

str

last_used_time

date and time the application was last used.

Type:

dfdatetime.DateTimeValues

query

SQL query that was used to obtain the event data.

Type:

str

DATA_TYPE = 'macos:application_usage:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.macos_appusage.MacOSApplicationUsagePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for MacOS application usage database files.

The MacOS application usage database is typically stored in: /var/db/application_usage.sqlite

The application usage database is a SQLite database in which crankd logs entries triggered by the NSWorkspaceWillLaunchApplicationNotification and NSWorkspaceDidTerminateApplicationNotification NSWorkspace notifications.

More information can be found here: https://github.com/google/macops/blob/master/crankd/ApplicationUsage.py

DATA_FORMAT = 'MacOS application usage SQLite database (application_usage.sqlite) file'
NAME = 'appusage'
ParseApplicationUsageRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an application usage row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT last_time, event, bundle_id, app_version, app_path, number_times FROM application_usage ORDER BY last_time', 'ParseApplicationUsageRow')]
REQUIRED_STRUCTURE = {'application_usage': frozenset({'app_path', 'app_version', 'bundle_id', 'event', 'last_time', 'number_times'})}
SCHEMAS = [{'application_usage': 'CREATE TABLE application_usage (event TEXT, bundle_id TEXT, app_version TEXT, app_path TEXT, last_time INTEGER DEFAULT 0, number_times INTEGER DEFAULT 0, PRIMARY KEY (event, bundle_id))'}]

plaso.parsers.sqlite_plugins.macos_document_versions module

SQLite parser plugin for MacOS document revision database files.

class plaso.parsers.sqlite_plugins.macos_document_versions.MacOSDocumentVersionsEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS document revision event data.

creation_time

date and time the version information was created.

Type:

dfdatetime.DateTimeValues

last_seen_time

date and time the original file was last seen (replicated).

Type:

dfdatetime.DateTimeValues

name

name of the original file.

Type:

str

path

path of the original file.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

user_sid

identifier of the user that opened the file.

Type:

str

version_path

path to the version copy of the original file.

Type:

str

DATA_TYPE = 'macos:document_versions:file'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.macos_document_versions.MacOSDocumentVersionsPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for MacOS document revision database files.

DATA_FORMAT = 'MacOS document revisions SQLite database file'
DocumentVersionsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a document versions row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

NAME = 'mac_document_versions'
QUERIES = [('SELECT f.file_name AS name, f.file_path AS path, f.file_last_seen AS last_time, g.generation_path AS version_path, g.generation_add_time AS version_time FROM files f, generations g WHERE f.file_storage_id = g.generation_storage_id;', 'DocumentVersionsRow')]
REQUIRED_STRUCTURE = {'files': frozenset({'file_last_seen', 'file_name', 'file_path', 'file_storage_id'}), 'generations': frozenset({'generation_add_time', 'generation_path', 'generation_storage_id'})}
ROOT_VERSION_PATH = '/.DocumentRevisions-V100/'
SCHEMAS = [{'files': 'CREATE TABLE files (file_row_id INTEGER PRIMARY KEY ASC, file_name TEXT, file_parent_id INTEGER, file_path TEXT, file_inode INTEGER, file_last_seen INTEGER NOT NULL DEFAULT 0, file_status INTEGER NOT NULL DEFAULT 1, file_storage_id INTEGER NOT NULL)', 'generations': 'CREATE TABLE generations (generation_id INTEGER PRIMARY KEY ASC, generation_storage_id INTEGER NOT NULL, generation_name TEXT NOT NULL, generation_client_id TEXT NOT NULL, generation_path TEXT UNIQUE, generation_options INTEGER NOT NULL DEFAULT 1, generation_status INTEGER NOT NULL DEFAULT 1, generation_add_time INTEGER NOT NULL DEFAULT 0, generation_size INTEGER NOT NULL DEFAULT 0, generation_prunable INTEGER NOT NULL DEFAULT 0)', 'storage': 'CREATE TABLE storage (storage_id INTEGER PRIMARY KEY ASC AUTOINCREMENT, storage_options INTEGER NOT NULL DEFAULT 1, storage_status INTEGER NOT NULL DEFAULT 1)'}]

plaso.parsers.sqlite_plugins.macos_knowledgec module

SQLite parser plugin for MacOS Duet/KnowledgeC database files.

class plaso.parsers.sqlite_plugins.macos_knowledgec.MacOSKnowledgeCApplicationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

KnowledgeC application execution event data.

bundle_identifier

bundle identifier of the application.

Type:

str

creation_time

creation date and time of the KnowledgeC record.

Type:

dfdatetime.DateTimeValues

duration

duration of the activity.

Type:

int

end_time

date and time the activity ended.

Type:

dfdatetime.DateTimeValues

start_time

date and time the activity started.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'macos:knowledgec:application'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.macos_knowledgec.MacOSKnowledgeCPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for MacOS Duet/KnowledgeC database files.

DATA_FORMAT = 'MacOS Duet/KnowledgeC SQLites database file'
KnowledgeCRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses KnowledgeC application activity.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

NAME = 'mac_knowledgec'
QUERIES = [('\n        SELECT\n          ZOBJECT.ZCREATIONDATE AS "entry_creation", \n          ZOBJECT.ZSTARTDATE AS "start", \n          ZOBJECT.ZENDDATE AS "end",\n          ZOBJECT.ZSTREAMNAME AS "action",\n          ZOBJECT.ZVALUESTRING AS "zvaluestring",\n          ZSTRUCTUREDMETADATA.Z_DKSAFARIHISTORYMETADATAKEY__TITLE AS "title"\n        FROM ZOBJECT\n        LEFT JOIN ZSTRUCTUREDMETADATA \n        ON ZOBJECT.ZSTRUCTUREDMETADATA = ZSTRUCTUREDMETADATA.Z_PK\n        ', 'KnowledgeCRow')]
REQUIRED_STRUCTURE = {'ZOBJECT': frozenset({'ZCREATIONDATE', 'ZENDDATE', 'ZSTARTDATE', 'ZSTREAMNAME', 'ZVALUESTRING'}), 'ZSTRUCTUREDMETADATA': frozenset({'Z_DKSAFARIHISTORYMETADATAKEY__TITLE'})}
SCHEMAS = [{'ACHANGE': 'CREATE TABLE ACHANGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCHANGETYPE INTEGER, ZENTITY INTEGER, ZENTITYPK INTEGER, ZTRANSACTIONID INTEGER, ZCOLUMNS BLOB, ZTOMBSTONE0 BLOB, ZTOMBSTONE1 BLOB, ZTOMBSTONE2 BLOB )', 'ATRANSACTION': 'CREATE TABLE ATRANSACTION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZTIMESTAMP FLOAT, ZAUTHOR VARCHAR, ZBUNDLEID VARCHAR, ZCONTEXTNAME VARCHAR, ZPROCESSID VARCHAR, ZQUERYGEN BLOB )', 'ZADDITIONCHANGESET': 'CREATE TABLE ZADDITIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZCONTEXTUALCHANGEREGISTRATION': 'CREATE TABLE ZCONTEXTUALCHANGEREGISTRATION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCREATIONDATE TIMESTAMP, ZIDENTIFIER VARCHAR, ZPROPERTIES BLOB )', 'ZCONTEXTUALKEYPATH': 'CREATE TABLE ZCONTEXTUALKEYPATH ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDEVICEID INTEGER, ZISEPHEMERAL INTEGER, ZISUSERCENTRIC INTEGER, ZCREATIONDATE TIMESTAMP, ZLASTMODIFIEDDATE TIMESTAMP, ZKEY VARCHAR, ZVALUE BLOB )', 'ZCUSTOMMETADATA': 'CREATE TABLE ZCUSTOMMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, ZOBJECT INTEGER, Z8_OBJECT INTEGER, ZDATEVALUE TIMESTAMP, ZDOUBLEVALUE FLOAT, ZNAME VARCHAR, ZSTRINGVALUE VARCHAR, ZVALUEHASH VARCHAR, ZBINARYVALUE BLOB )', 'ZDELETIONCHANGESET': 'CREATE TABLE ZDELETIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZHISTOGRAM': 'CREATE TABLE ZHISTOGRAM ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSTREAMTYPECODE INTEGER, ZENDDATE TIMESTAMP, 
ZSTARTDATE TIMESTAMP, ZDEVICEIDENTIFIER VARCHAR, ZIDENTIFIER VARCHAR, ZSTREAMNAME VARCHAR )', 'ZHISTOGRAMVALUE': 'CREATE TABLE ZHISTOGRAMVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCOUNT INTEGER, ZINTEGERVALUE INTEGER, ZHISTOGRAM INTEGER, ZSTRINGVALUE VARCHAR )', 'ZOBJECT': 'CREATE TABLE ZOBJECT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUUIDHASH INTEGER, ZEVENT INTEGER, ZSOURCE INTEGER, ZCATEGORYTYPE INTEGER, ZINTEGERVALUE INTEGER, ZENDDAYOFWEEK INTEGER, ZENDSECONDOFDAY INTEGER, ZHASCUSTOMMETADATA INTEGER, ZHASSTRUCTUREDMETADATA INTEGER, ZSECONDSFROMGMT INTEGER, ZSHOULDSYNC INTEGER, ZSTARTDAYOFWEEK INTEGER, ZSTARTSECONDOFDAY INTEGER, ZVALUECLASS INTEGER, ZVALUEINTEGER INTEGER, ZVALUETYPECODE INTEGER, ZSTRUCTUREDMETADATA INTEGER, ZVALUE INTEGER, Z8_VALUE INTEGER, ZIDENTIFIERTYPE INTEGER, ZQUANTITYTYPE INTEGER, ZOBJECT INTEGER, Z8_OBJECT INTEGER, ZSUBJECT INTEGER, Z8_SUBJECT INTEGER, ZCREATIONDATE TIMESTAMP, ZCONFIDENCE FLOAT, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZVALUEDOUBLE FLOAT, ZDOUBLEVALUE FLOAT, ZUUID VARCHAR, ZSTREAMNAME VARCHAR, ZVALUESTRING VARCHAR, ZSTRING VARCHAR, ZVERBPHRASE VARCHAR, ZMETADATA BLOB )', 'ZSOURCE': 'CREATE TABLE ZSOURCE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUSERID INTEGER, ZBUNDLEID VARCHAR, ZDEVICEID VARCHAR, ZGROUPID VARCHAR, ZITEMID VARCHAR, ZSOURCEID VARCHAR )', 'ZSTRUCTUREDMETADATA': 'CREATE TABLE ZSTRUCTUREDMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, Z_CDPORTRAITMETADATAKEY__ALGORITHM INTEGER, Z_CDPORTRAITMETADATAKEY__ASSETVERSION INTEGER, Z_DKAPPINSTALLMETADATAKEY__ISINSTALL INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISPUBLICLYINDEXABLE INTEGER, Z_DKAPPLICATIONMETADATAKEY__PROCESSIDENTIFIER INTEGER, Z_DKAUDIOMETADATAKEY__ROUTECHANGEREASON INTEGER, Z_DKBLUETOOTHMETADATAKEY__DEVICETYPE INTEGER, Z_DKBULLETINBOARDMETADATAKEY__HASDATE INTEGER, Z_DKGLANCELAUNCHMETADATA__DEVICEIDENTIFIER INTEGER, Z_DKINTENTMETADATAKEY__DONATEDBYSIRI INTEGER, 
Z_DKINTENTMETADATAKEY__INTENTHANDLINGSTATUS INTEGER, Z_DKNOWPLAYINGMETADATAKEY__IDENTIFIER INTEGER, Z_DKNOWPLAYINGMETADATAKEY__PLAYING INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__INTERACTIONTYPE INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__SUGGESTIONTYPE INTEGER, Z_DKSUNRISESUNSETMETADATAKEY__ISDAYLIGHT INTEGER, Z_QPMETRICSMETADATAKEY__QUERYENGAGED INTEGER, Z_QPMETRICSMETADATAKEY__RESULTENGAGED INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_DATE INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_ENDDATE INTEGER, Z_CDPORTRAITMETADATAKEY__DECAYRATE FLOAT, Z_CDPORTRAITMETADATAKEY__SCORE FLOAT, Z_DKAPPLICATIONACTIVITYMETADATAKEY__EXPIRATIONDATE TIMESTAMP, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LONGITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LONGITUDE FLOAT, Z_DKNOWPLAYINGMETADATAKEY__DURATION FLOAT, Z_DKNOWPLAYINGMETADATAKEY__ELAPSED FLOAT, Z_DKPERIODMETADATAKEY__PERIODEND TIMESTAMP, Z_DKPERIODMETADATAKEY__PERIODSTART TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__CURRENTSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__CURRENTSUNSET TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__NEXTSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__NEXTSUNSET TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__PREVIOUSSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__PREVIOUSSUNSET TIMESTAMP, Z_QPMETRICSMETADATAKEY__TIMESTAMP FLOAT, Z_CDENTITYMETADATAKEY__BESTLANGUAGE VARCHAR, Z_CDENTITYMETADATAKEY__NAME VARCHAR, Z_CDPORTRAITMETADATAKEY__OSBUILD VARCHAR, Z_DKAPPINSTALLMETADATAKEY__PRIMARYCATEGORY VARCHAR, Z_DKAPPINSTALLMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ACTIVITYTYPE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDUNIQUEIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYREQUIREDSTRING VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYUUID VARCHAR, 
Z_DKAPPLICATIONMETADATAKEY__BACKBOARDSTATE VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONCONTAININGBUNDLEIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONHOSTIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__LAUNCHREASON VARCHAR, Z_DKAUDIOMETADATAKEY__CHANNELS VARCHAR, Z_DKAUDIOMETADATAKEY__DATASOURCES VARCHAR, Z_DKAUDIOMETADATAKEY__IDENTIFIER VARCHAR, Z_DKAUDIOMETADATAKEY__PORTNAME VARCHAR, Z_DKAUDIOMETADATAKEY__PORTTYPE VARCHAR, Z_DKAUDIOMETADATAKEY__PREFERREDDATASOURCE VARCHAR, Z_DKAUDIOMETADATAKEY__SELECTEDDATASOURCE VARCHAR, Z_DKBATTERYSAVERMETADATAKEY__SOURCE VARCHAR, Z_DKBLUETOOTHMETADATAKEY__ADDRESS VARCHAR, Z_DKBLUETOOTHMETADATAKEY__NAME VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__FEED VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__MESSAGE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__SUBTITLE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__TITLE VARCHAR, Z_DKCALENDARMETADATAKEY__INTERACTION VARCHAR, Z_DKCALLMETADATAKEY__INTERACTION VARCHAR, Z_DKDEVICEIDMETADATAKEY__DEVICEIDENTIFIER VARCHAR, Z_DKINTENTMETADATAKEY__INTENTCLASS VARCHAR, Z_DKINTENTMETADATAKEY__INTENTVERB VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__URL VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__CITY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__COUNTRY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__DISPLAYNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__FULLYFORMATTEDADDRESS VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LOCATIONNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__POSTALCODE_V2 VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__STATEORPROVINCE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__SUBTHOROUGHFARE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__THOROUGHFARE VARCHAR, Z_DKLOCATIONMETADATAKEY__IDENTIFIER VARCHAR, Z_DKMETADATAHOMEAPPVIEW__HOMEUUID VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWINFORMATION VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWNAME VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWUUID VARCHAR, 
Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CHARACTERISTICTYPE VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICENAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICETYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETTYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__SCENENAME VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__LOCATIONDISTRIBUTION VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__MICROLOCATIONDISTRIBUTION VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ALBUM VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ARTIST VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__GENRE VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__TITLE VARCHAR, Z_DKSAFARIHISTORYMETADATAKEY__TITLE VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CLIENT VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CONTACTID VARCHAR, Z_QPMETRICSMETADATAKEY__QUERY VARCHAR, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_EXTERNALID VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTIDENTIFIERKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTLAUNCHKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONPERSISTENTPREDICATESTRINGKEY VARCHAR, ZMETADATAHASH VARCHAR UNIQUE, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDCONTENTURL VARCHAR, Z_DKAPPINSTALLMETADATAKEY__SUBCATEGORIES BLOB, Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION BLOB, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__PHONENUMBERS BLOB, Z_QPMETRICSMETADATAKEY__CANDIDATELIST BLOB, Z_QPMETRICSMETADATAKEY__QUERYLIST BLOB )', 'Z_4EVENT': 'CREATE TABLE Z_4EVENT ( Z_4CUSTOMMETADATA INTEGER, Z_10EVENT INTEGER, PRIMARY KEY (Z_4CUSTOMMETADATA, Z_10EVENT) )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)', 'Z_MODELCACHE': 'CREATE 
TABLE Z_MODELCACHE (Z_CONTENT BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'}, {'ZADDITIONCHANGESET': 'CREATE TABLE ZADDITIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZCONTEXTUALCHANGEREGISTRATION': 'CREATE TABLE ZCONTEXTUALCHANGEREGISTRATION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCREATIONDATE TIMESTAMP, ZIDENTIFIER VARCHAR, ZPROPERTIES BLOB )', 'ZCONTEXTUALKEYPATH': 'CREATE TABLE ZCONTEXTUALKEYPATH ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDEVICEID INTEGER, ZISEPHEMERAL INTEGER, ZISUSERCENTRIC INTEGER, ZCREATIONDATE TIMESTAMP, ZLASTMODIFIEDDATE TIMESTAMP, ZKEY VARCHAR, ZVALUE BLOB )', 'ZCUSTOMMETADATA': 'CREATE TABLE ZCUSTOMMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, ZOBJECT INTEGER, Z9_OBJECT INTEGER, ZDATEVALUE TIMESTAMP, ZDOUBLEVALUE FLOAT, ZNAME VARCHAR, ZSTRINGVALUE VARCHAR, ZVALUEHASH VARCHAR, ZBINARYVALUE BLOB )', 'ZDELETIONCHANGESET': 'CREATE TABLE ZDELETIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZHISTOGRAM': 'CREATE TABLE ZHISTOGRAM ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSTREAMTYPECODE INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCUSTOMIDENTIFIER VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZIDENTIFIER VARCHAR, ZSTREAMNAME VARCHAR )', 'ZHISTOGRAMVALUE': 'CREATE TABLE ZHISTOGRAMVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, ZHISTOGRAM INTEGER, ZCOUNT FLOAT, ZSTRINGVALUE VARCHAR )', 
'ZKEYVALUE': 'CREATE TABLE ZKEYVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDOMAIN VARCHAR, ZKEY VARCHAR, ZVALUE BLOB )', 'ZOBJECT': 'CREATE TABLE ZOBJECT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUUIDHASH INTEGER, ZEVENT INTEGER, ZSOURCE INTEGER, ZCATEGORYTYPE INTEGER, ZINTEGERVALUE INTEGER, ZENDDAYOFWEEK INTEGER, ZENDSECONDOFDAY INTEGER, ZHASCUSTOMMETADATA INTEGER, ZHASSTRUCTUREDMETADATA INTEGER, ZSECONDSFROMGMT INTEGER, ZSHOULDSYNC INTEGER, ZSTARTDAYOFWEEK INTEGER, ZSTARTSECONDOFDAY INTEGER, ZVALUECLASS INTEGER, ZVALUEINTEGER INTEGER, ZVALUETYPECODE INTEGER, ZSTRUCTUREDMETADATA INTEGER, ZVALUE INTEGER, Z9_VALUE INTEGER, ZIDENTIFIERTYPE INTEGER, ZQUANTITYTYPE INTEGER, ZOBJECT INTEGER, Z9_OBJECT INTEGER, ZSUBJECT INTEGER, Z9_SUBJECT INTEGER, ZCREATIONDATE TIMESTAMP, ZLOCALCREATIONDATE TIMESTAMP, ZCONFIDENCE FLOAT, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZVALUEDOUBLE FLOAT, ZDOUBLEVALUE FLOAT, ZUUID VARCHAR, ZSTREAMNAME VARCHAR, ZVALUESTRING VARCHAR, ZSTRING VARCHAR, ZVERBPHRASE VARCHAR, ZMETADATA BLOB )', 'ZSOURCE': 'CREATE TABLE ZSOURCE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUSERID INTEGER, ZBUNDLEID VARCHAR, ZDEVICEID VARCHAR, ZGROUPID VARCHAR, ZITEMID VARCHAR, ZSOURCEID VARCHAR )', 'ZSTRUCTUREDMETADATA': 'CREATE TABLE ZSTRUCTUREDMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, Z_CDPORTRAITMETADATAKEY__ALGORITHM INTEGER, Z_CDPORTRAITMETADATAKEY__ASSETVERSION INTEGER, Z_DKAPPINSTALLMETADATAKEY__ISINSTALL INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISELIGIBLEFORPREDICTION INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISPUBLICLYINDEXABLE INTEGER, Z_DKAPPLICATIONMETADATAKEY__PROCESSIDENTIFIER INTEGER, Z_DKAUDIOMETADATAKEY__ROUTECHANGEREASON INTEGER, Z_DKBLUETOOTHMETADATAKEY__DEVICETYPE INTEGER, Z_DKBULLETINBOARDMETADATAKEY__HASDATE INTEGER, Z_DKDIGITALHEALTHMETADATAKEY__USAGETYPE INTEGER, Z_DKGLANCELAUNCHMETADATA__DEVICEIDENTIFIER INTEGER, Z_DKINTENTMETADATAKEY__DONATEDBYSIRI INTEGER, 
Z_DKINTENTMETADATAKEY__INTENTHANDLINGSTATUS INTEGER, Z_DKINTENTMETADATAKEY__INTENTTYPE INTEGER, Z_DKNOWPLAYINGMETADATAKEY__IDENTIFIER INTEGER, Z_DKNOWPLAYINGMETADATAKEY__PLAYING INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__INTERACTIONTYPE INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__SUGGESTIONTYPE INTEGER, Z_QPMETRICSMETADATAKEY__QUERYENGAGED INTEGER, Z_QPMETRICSMETADATAKEY__RESULTENGAGED INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_DATE INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_ENDDATE INTEGER, Z_CDPORTRAITMETADATAKEY__DECAYRATE FLOAT, Z_CDPORTRAITMETADATAKEY__SCORE FLOAT, Z_DKAPPLICATIONACTIVITYMETADATAKEY__EXPIRATIONDATE TIMESTAMP, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LONGITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LONGITUDE FLOAT, Z_DKNOWPLAYINGMETADATAKEY__DURATION FLOAT, Z_DKNOWPLAYINGMETADATAKEY__ELAPSED FLOAT, Z_DKPERIODMETADATAKEY__PERIODEND TIMESTAMP, Z_DKPERIODMETADATAKEY__PERIODSTART TIMESTAMP, Z_QPMETRICSMETADATAKEY__TIMESTAMP FLOAT, Z_CDENTITYMETADATAKEY__BESTLANGUAGE VARCHAR, Z_CDENTITYMETADATAKEY__NAME VARCHAR, Z_CDPORTRAITMETADATAKEY__OSBUILD VARCHAR, Z_DKAPPINSTALLMETADATAKEY__PRIMARYCATEGORY VARCHAR, Z_DKAPPINSTALLMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ACTIVITYTYPE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__CONTENTDESCRIPTION VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDUNIQUEIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__SUGGESTEDINVOCATIONPHRASE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYREQUIREDSTRING VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYUUID VARCHAR, Z_DKAPPLICATIONMETADATAKEY__BACKBOARDSTATE VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONCONTAININGBUNDLEIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONHOSTIDENTIFIER VARCHAR, 
Z_DKAPPLICATIONMETADATAKEY__LAUNCHREASON VARCHAR, Z_DKAUDIOMETADATAKEY__CHANNELS VARCHAR, Z_DKAUDIOMETADATAKEY__DATASOURCES VARCHAR, Z_DKAUDIOMETADATAKEY__IDENTIFIER VARCHAR, Z_DKAUDIOMETADATAKEY__PORTNAME VARCHAR, Z_DKAUDIOMETADATAKEY__PORTTYPE VARCHAR, Z_DKAUDIOMETADATAKEY__PREFERREDDATASOURCE VARCHAR, Z_DKAUDIOMETADATAKEY__SELECTEDDATASOURCE VARCHAR, Z_DKBATTERYSAVERMETADATAKEY__SOURCE VARCHAR, Z_DKBLUETOOTHMETADATAKEY__ADDRESS VARCHAR, Z_DKBLUETOOTHMETADATAKEY__NAME VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__FEED VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__MESSAGE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__SUBTITLE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__TITLE VARCHAR, Z_DKCALENDARMETADATAKEY__INTERACTION VARCHAR, Z_DKCALLMETADATAKEY__INTERACTION VARCHAR, Z_DKDEVICEIDMETADATAKEY__DEVICEIDENTIFIER VARCHAR, Z_DKDIGITALHEALTHMETADATAKEY__WEBDOMAIN VARCHAR, Z_DKINTENTMETADATAKEY__INTENTCLASS VARCHAR, Z_DKINTENTMETADATAKEY__INTENTVERB VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__URL VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__CITY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__COUNTRY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__DISPLAYNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__FULLYFORMATTEDADDRESS VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LOCATIONNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__POSTALCODE_V2 VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__STATEORPROVINCE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__SUBTHOROUGHFARE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__THOROUGHFARE VARCHAR, Z_DKLOCATIONMETADATAKEY__IDENTIFIER VARCHAR, Z_DKMETADATAHOMEAPPVIEW__HOMEUUID VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWINFORMATION VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWNAME VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CHARACTERISTICTYPE 
VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICENAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICETYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETTYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__SCENENAME VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__LOCATIONDISTRIBUTION VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__MICROLOCATIONDISTRIBUTION VARCHAR, Z_DKNOTIFICATIONUSAGEMETADATAKEY__BUNDLEID VARCHAR, Z_DKNOTIFICATIONUSAGEMETADATAKEY__IDENTIFIER VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ALBUM VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ARTIST VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__GENRE VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__TITLE VARCHAR, Z_DKRELEVANTSHORTCUTMETADATAKEY__KEYIMAGEPROXYIDENTIFIER VARCHAR, Z_DKSAFARIHISTORYMETADATAKEY__TITLE VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CLIENT VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CONTACTID VARCHAR, Z_DKTOMBSTONEMETADATAKEY__EVENTSOURCEDEVICEID VARCHAR, Z_DKTOMBSTONEMETADATAKEY__EVENTSTREAMNAME VARCHAR, Z_QPMETRICSMETADATAKEY__QUERY VARCHAR, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_EXTERNALID VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTIDENTIFIERKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTLAUNCHKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONPERSISTENTPREDICATESTRINGKEY VARCHAR, ZMETADATAHASH VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDCONTENTURL VARCHAR, Z_DKDIGITALHEALTHMETADATAKEY__WEBPAGEURL VARCHAR, Z_DKAPPINSTALLMETADATAKEY__SUBCATEGORIES BLOB, Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION BLOB, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__PHONENUMBERS BLOB, Z_DKRELEVANTSHORTCUTMETADATAKEY__SERIALIZEDRELEVANTSHORTCUT BLOB, Z_QPMETRICSMETADATAKEY__CANDIDATELIST BLOB, Z_QPMETRICSMETADATAKEY__QUERYLIST BLOB )', 'ZSYNCPEER': 'CREATE TABLE ZSYNCPEER ( Z_PK INTEGER 
PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCLOUDID VARCHAR, ZDEVICEID VARCHAR, ZRAPPORTID VARCHAR, ZUUID BLOB )', 'Z_4EVENT': 'CREATE TABLE Z_4EVENT ( Z_4CUSTOMMETADATA INTEGER, Z_11EVENT INTEGER, PRIMARY KEY (Z_4CUSTOMMETADATA, Z_11EVENT) )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)', 'Z_MODELCACHE': 'CREATE TABLE Z_MODELCACHE (Z_CONTENT BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'}]
class plaso.parsers.sqlite_plugins.macos_knowledgec.MacOSKnowledgeCSafariEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS Duet/KnowledgeC database event data for Safari.

bundle_identifier

bundle identifier of the application.

Type:

str

creation_time

creation date and time of the KnowledgeC record.

Type:

dfdatetime.DateTimeValues

duration

duration of the activity.

Type:

int

end_time

date and time the activity ended.

Type:

dfdatetime.DateTimeValues

start_time

date and time the activity started.

Type:

dfdatetime.DateTimeValues

title

title of the webpage visited.

Type:

str

url

URL visited.

Type:

str

DATA_TYPE = 'macos:knowledgec:safari'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.macos_notes module

SQLite parser plugin for MacOS Notes database files.

class plaso.parsers.sqlite_plugins.macos_notes.MacOSNotesEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS Notes event data.

creation_time

date and time the notes database entry was created.

Type:

dfdatetime.DateTimeValues

modification_time

date and time the notes database entry was last modified.

Type:

dfdatetime.DateTimeValues

text

note text.

Type:

str

title

note title.

Type:

str

DATA_TYPE = 'macos:notes:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.macos_notes.MacOSNotesPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for MacOS notes database files.

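The MacOS Notes database file is typically named NotesV7.storedata. The path given here, test_data/NotesV7.storedata, appears to point at a test-data copy rather than at a location on a MacOS system.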

DATA_FORMAT = 'MacOS Notes SQLite database (NotesV7.storedata) file'
NAME = 'mac_notes'
ParseZHTMLSTRINGRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT ZNOTEBODY.ZHTMLSTRING AS zhtmlstring, ZNOTE.ZDATECREATED AS timestamp, ZNOTE.ZDATEEDITED AS last_modified_time, ZNOTE.ZTITLE as title FROM ZNOTEBODY, ZNOTE WHERE ZNOTEBODY.Z_PK = ZNOTE.Z_PK', 'ParseZHTMLSTRINGRow')]
REQUIRED_STRUCTURE = {'ZNOTE': frozenset({'ZDATECREATED', 'ZDATEEDITED', 'ZTITLE'}), 'ZNOTEBODY': frozenset({'ZHTMLSTRING'})}
SCHEMAS = [{'ZACCOUNT': 'CREATE TABLE ZACCOUNT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER,Z_OPT INTEGER, ZALLOWINSECUREAUTHENTICATION INTEGER,ZDIDCHOOSETOMIGRATE INTEGER, ZENABLED INTEGER, ZROOTFOLDERINTEGER, Z6_ROOTFOLDER INTEGER, ZTRASHFOLDER INTEGER,ZGMAILCAPABILITIESSUPPORT INTEGER, ZPORT INTEGER,ZSECURITYLAYERTYPE INTEGER, ZMIGRATIONOFFERED INTEGER,ZACCOUNTDESCRIPTION VARCHAR, ZEMAILADDRESS VARCHAR, ZFULLNAMEVARCHAR, ZPARENTACACCOUNTIDENTIFIER VARCHAR, ZUSERNAME VARCHAR,ZFOLDERHIERARCHYSYNCSTATE VARCHAR, ZAUTHENTICATION VARCHAR,ZHOSTNAME VARCHAR, ZSERVERPATHPREFIX VARCHAR, ZEXTERNALURL BLOB,ZINTERNALURL BLOB, ZLASTUSEDAUTODISCOVERURL BLOB,ZTLSCERTIFICATE BLOB )', 'ZATTACHMENT': 'CREATE TABLE ZATTACHMENT ( Z_PK INTEGER PRIMARY KEY, Z_ENTINTEGER, Z_OPT INTEGER, ZNOTE INTEGER, Z10_NOTE INTEGER,ZCONTENTID VARCHAR, ZFILEURL BLOB )', 'ZFOLDER': 'CREATE TABLE ZFOLDER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER,Z_OPT INTEGER, ZACCOUNT INTEGER, Z1_ACCOUNT INTEGER, ZPARENTINTEGER, Z6_PARENT INTEGER, ZISDISTINGUISHED INTEGER,ZALLEGEDHIGHESTMODIFICATIONSEQUENCE INTEGER,ZCOMPUTEDHIGHESTMODIFICATIONSEQUENCE INTEGER, ZUIDNEXT INTEGER,ZUIDVALIDITY INTEGER, ZTRASHACCOUNT INTEGER, Z1_TRASHACCOUNTINTEGER, ZNAME VARCHAR, ZCHANGEKEY VARCHAR, ZFOLDERID VARCHAR,ZSYNCSTATE VARCHAR, ZSERVERNAME VARCHAR )', 'ZNOTE': 'CREATE TABLE ZNOTE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER,Z_OPT INTEGER, ZBODY INTEGER, ZFOLDER INTEGER, Z6_FOLDERINTEGER, ZMIMEDATASIZE INTEGER, ZDATECREATED TIMESTAMP,ZDATEEDITED TIMESTAMP, ZREMOTEID VARCHAR, ZTITLE VARCHAR,ZCHANGEKEY VARCHAR, ZUNIVERSALLYUNIQUEID BLOB )', 'ZNOTEBODY': 'CREATE TABLE ZNOTEBODY ( Z_PK INTEGER PRIMARY KEY, Z_ENTINTEGER, Z_OPT INTEGER, ZNOTE INTEGER, Z10_NOTE INTEGER,ZHTMLSTRING VARCHAR )', 'ZOFFLINEACTION': 'CREATE TABLE ZOFFLINEACTION ( Z_PK INTEGER PRIMARY KEY, Z_ENTINTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZACCOUNTINTEGER, Z1_ACCOUNT INTEGER, ZFOLDER INTEGER, Z6_FOLDER INTEGER,ZPARENT INTEGER, Z6_PARENT INTEGER, ZORIGINALPARENT 
INTEGER,Z6_ORIGINALPARENT INTEGER, ZFOLDER1 INTEGER, Z6_FOLDER1 INTEGER,ZNOTE INTEGER, Z10_NOTE INTEGER, ZORIGINALFOLDER INTEGER,Z6_ORIGINALFOLDER INTEGER )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUIDVARCHAR(255), Z_PLIST BLOB)', 'Z_MODELCACHE': 'CREATE TABLE Z_MODELCACHE (Z_CONTENT BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAMEVARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'}]

plaso.parsers.sqlite_plugins.macos_notification_center module

SQLite parser plugin for MacOS Notification Center database files.

class plaso.parsers.sqlite_plugins.macos_notification_center.MacOSNotificationCenterEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS NotificationCenter event data.

body

body of the notification message.

Type:

str

bundle_name

name of the application’s bundle that generated the notification.

Type:

str

creation_time

date and time the entry was created.

Type:

dfdatetime.DateTimeValues

presented

either 1 or 0, indicating whether the notification has been shown to the user.

Type:

int

subtitle

optional. Subtitle of the notification message.

Type:

str

title

title of the message. Usually the name of the application that generated the notification. Occasionally the name of the sender of the notification, for example in the case of chat messages.

Type:

str

DATA_TYPE = 'macos:notification_center:entry'
__init__()[source]

Initialize event data.

class plaso.parsers.sqlite_plugins.macos_notification_center.MacOSNotificationCenterPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for MacOS Notification Center database files.

The MacOS Notification Center database file is typically stored in: /private/var/folders/<W><d>/../0/com.apple.notificationcenter/db2/db

At the moment it takes into consideration only the main table, ‘record’. Currently supported tables and related content:

  • Record: contains historical records

  • Requests: contain pending requests

  • Delivered: delivered requests

  • Displayed: displayed requests, by app_id

  • Snoozed: requests snoozed by the user

DATA_FORMAT = 'MacOS Notification Center SQLite database file'
NAME = 'mac_notificationcenter'
ParseNotificationcenterRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a message row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT a.identifier AS bundle_name, r.data AS dataBlob, r.delivered_date AS timestamp,r.presented AS presented FROM app a, record r WHERE a.app_id = r.app_id', 'ParseNotificationcenterRow')]
REQUIRED_STRUCTURE = {'app': frozenset({'app_id', 'identifier'}), 'record': frozenset({'app_id', 'data', 'delivered_date', 'presented'})}
SCHEMAS = [{'app': 'CREATE TABLE app (app_id INTEGER PRIMARY KEY, identifier VARCHAR)', 'dbinfo': 'CREATE TABLE dbinfo (key VARCHAR, value VARCHAR)', 'delivered': 'CREATE TABLE delivered (app_id INTEGER PRIMARY KEY, list BLOB)', 'displayed': 'CREATE TABLE displayed (app_id INTEGER PRIMARY KEY, list BLOB)', 'record': 'CREATE TABLE record (rec_id INTEGER PRIMARY KEY, app_id INTEGER, uuid BLOB, data BLOB, request_date REAL, request_last_date REAL, delivered_date REAL, presented Bool, style INTEGER, snooze_fire_date REAL)', 'requests': 'CREATE TABLE requests (app_id INTEGER PRIMARY KEY, list BLOB)', 'snoozed': 'CREATE TABLE snoozed (app_id INTEGER PRIMARY KEY, list BLOB)'}]

plaso.parsers.sqlite_plugins.macos_tcc module

SQLite parser plugin for MacOS TCC database files.

class plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCEntry(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS TCC event data.

allowed

whether access to the service was allowed.

Type:

bool

client

name of the client requesting access to the service.

Type:

str

modification_time

date and time the entry was last modified.

Type:

dfdatetime.DateTimeValues

prompt_count

number of times an application prompted the user for access to a service.

Type:

int

query

SQL query that was used to obtain the event data.

Type:

str

service

name of the service.

Type:

str

DATA_TYPE = 'macos:tcc_entry'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for MacOS TCC database files.

The MacOS Transparency, Consent, Control (TCC) database file is typically stored in either of:

  • /Library/Application Support/com.apple.TCC/TCC.db

  • /Users/<username>/Library/Application Support/com.apple.TCC/TCC.db

DATA_FORMAT = 'MacOS Transparency, Consent, Control (TCC) SQLite database (TCC.db) file'
NAME = 'macostcc'
ParseTCCEntry(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row from the TCC access table.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT service, client, allowed, prompt_count, last_modified FROM access;', 'ParseTCCEntry')]
REQUIRED_STRUCTURE = {'access': frozenset({'allowed', 'client', 'last_modified', 'prompt_count', 'service'}), 'access_overrides': frozenset({}), 'active_policy': frozenset({}), 'admin': frozenset({}), 'expired': frozenset({}), 'policies': frozenset({})}
SCHEMAS = [{'access': "CREATE TABLE access ( service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL, allowed INTEGER NOT NULL, prompt_count INTEGER NOT NULL, csreq BLOB, policy_id INTEGER, indirect_object_identifier_type INTEGER, indirect_object_identifier TEXT, indirect_object_code_identity BLOB, flags INTEGER, last_modified INTEGER NOT NULL DEFAULT (CAST(strftime('%s','now') AS INTEGER)), PRIMARY KEY (service, client, client_type, indirect_object_identifier), FOREIGN KEY (policy_id) REFERENCES policies(id) ON DELETE CASCADE ON UPDATE CASCADE)", 'access_overrides': 'CREATE TABLE access_overrides ( service TEXT NOT NULL PRIMARY KEY)', 'active_policy': 'CREATE TABLE active_policy ( client TEXT NOT NULL, client_type INTEGER NOT NULL, policy_id INTEGER NOT NULL, PRIMARY KEY (client, client_type), FOREIGN KEY (policy_id) REFERENCES policies(id) ON DELETE CASCADE ON UPDATE CASCADE)', 'admin': 'CREATE TABLE admin (key TEXT PRIMARY KEY NOT NULL, value INTEGER NOT NULL)', 'expired': "CREATE TABLE expired ( service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL, csreq BLOB, last_modified INTEGER NOT NULL , expired_at INTEGER NOT NULL DEFAULT (CAST(strftime('%s','now') AS INTEGER)), PRIMARY KEY (service, client, client_type))", 'policies': 'CREATE TABLE policies ( id INTEGER NOT NULL PRIMARY KEY, bundle_id TEXT NOT NULL, uuid TEXT NOT NULL, display TEXT NOT NULL, UNIQUE (bundle_id, uuid))'}]

plaso.parsers.sqlite_plugins.safari module

SQLite parser plugin for Safari history database files.

class plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Safari history event data.

host

hostname of the server.

Type:

str

last_visited_time

date and time the URL was last visited.

Type:

dfdatetime.DateTimeValues

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

title

title of the webpage visited.

Type:

str

url

URL visited.

Type:

str

visit_count

number of times the website was visited.

Type:

int

was_http_non_get

True if the webpage was visited using a non-GET HTTP request.

Type:

bool

DATA_TYPE = 'safari:history:visit_sqlite'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite[source]

Bases: SQLitePlugin

SQLite parser plugin for Safari history database files.

The Safari history database file is typically stored in: History.db

DATA_FORMAT = 'Safari history SQLite database (History.db) file'
NAME = 'safari_historydb'
ParsePageVisitRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a visited row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT history_items.id, history_items.url, history_items.visit_count, history_visits.id AS visit_id, history_visits.history_item,history_visits.visit_time, history_visits.redirect_destination, history_visits.title, history_visits.http_non_get, history_visits.redirect_source FROM history_items, history_visits WHERE history_items.id = history_visits.history_item ORDER BY history_visits.visit_time', 'ParsePageVisitRow')]
REQUIRED_STRUCTURE = {'history_items': frozenset({'id', 'url', 'visit_count'}), 'history_visits': frozenset({'history_item', 'http_non_get', 'id', 'redirect_destination', 'redirect_source', 'title', 'visit_time'})}
SCHEMAS = [{'history_client_versions': 'CREATE TABLE history_client_versions (client_version INTEGER PRIMARY KEY,last_seen REAL NOT NULL)', 'history_event_listeners': 'CREATE TABLE history_event_listeners (listener_name TEXT PRIMARY KEY NOT NULL UNIQUE,last_seen REAL NOT NULL)', 'history_events': 'CREATE TABLE history_events (id INTEGER PRIMARY KEY AUTOINCREMENT,event_type TEXT NOT NULL,event_time REAL NOT NULL,pending_listeners TEXT NOT NULL,value BLOB)', 'history_items': 'CREATE TABLE history_items (id INTEGER PRIMARY KEY AUTOINCREMENT,url TEXT NOT NULL UNIQUE,domain_expansion TEXT NULL,visit_count INTEGER NOT NULL,daily_visit_counts BLOB NOT NULL,weekly_visit_counts BLOB NULL,autocomplete_triggers BLOB NULL,should_recompute_derived_visit_counts INTEGER NOT NULL,visit_count_score INTEGER NOT NULL)', 'history_tombstones': 'CREATE TABLE history_tombstones (id INTEGER PRIMARY KEY AUTOINCREMENT,start_time REAL NOT NULL,end_time REAL NOT NULL,url TEXT,generation INTEGER NOT NULL DEFAULT 0)', 'history_visits': 'CREATE TABLE history_visits (id INTEGER PRIMARY KEY AUTOINCREMENT,history_item INTEGER NOT NULL REFERENCES history_items(id) ON DELETE CASCADE,visit_time REAL NOT NULL,title TEXT NULL,load_successful BOOLEAN NOT NULL DEFAULT 1,http_non_get BOOLEAN NOT NULL DEFAULT 0,synthesized BOOLEAN NOT NULL DEFAULT 0,redirect_source INTEGER NULL UNIQUE REFERENCES history_visits(id) ON DELETE CASCADE,redirect_destination INTEGER NULL UNIQUE REFERENCES history_visits(id) ON DELETE CASCADE,origin INTEGER NOT NULL DEFAULT 0,generation INTEGER NOT NULL DEFAULT 0,attributes INTEGER NOT NULL DEFAULT 0,score INTEGER NOT NULL DEFAULT 0)', 'metadata': 'CREATE TABLE metadata (key TEXT NOT NULL UNIQUE, value)'}]

plaso.parsers.sqlite_plugins.skype module

SQLite parser plugin for Skype database files.

class plaso.parsers.sqlite_plugins.skype.SkypeAccountEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Skype account event data.

authentication_request_time

date and time the account was last requested to authenticate.

Type:

dfdatetime.DateTimeValues

authentication_request_sent_time

date and time the last authentication request was sent.

Type:

dfdatetime.DateTimeValues

country

home country of the account holder.

Type:

str

display_name

display name of the account holder.

Type:

str

email

registered email address of the account holder.

Type:

str

last_online_time

date and time the account was last online.

Type:

dfdatetime.DateTimeValues

last_used_time

date and time the account was last used.

Type:

dfdatetime.DateTimeValues

mood_change_time

date and time the mood was last changed.

Type:

dfdatetime.DateTimeValues

offset

identifier of the row, from which the event data was extracted.

Type:

str

profile_change_time

date and time the profile was last changed.

Type:

dfdatetime.DateTimeValues

query

SQL query that was used to obtain the event data.

Type:

str

username

full name of the Skype account holder and display name.

Type:

str

DATA_TYPE = 'skype:event:account'
__init__()[source]

Initialize event data.

class plaso.parsers.sqlite_plugins.skype.SkypeCallEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Skype call event data.

attempt_time

date and time the call was attempted.

Type:

dfdatetime.DateTimeValues

call_type

call type, such as: WAITING, STARTED, FINISHED.

Type:

str

dst_call

account which received the call.

Type:

str

duration

number of seconds the call lasted.

Type:

int

end_time

date and time the call was stopped.

Type:

dfdatetime.DateTimeValues

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

src_call

account which started the call.

Type:

str

start_time

date and time the call was started.

Type:

dfdatetime.DateTimeValues

user_start_call

True if the owner account started the call.

Type:

bool

video_conference

True if the call was a video conference.

Type:

bool

DATA_TYPE = 'skype:event:call'
__init__()[source]

Initialize event data.

class plaso.parsers.sqlite_plugins.skype.SkypeChatEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Skype chat event data.

from_account

from display name and the author.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

recorded_time

date and time the chat was recorded.

Type:

dfdatetime.DateTimeValues

text

body XML.

Type:

str

title

title.

Type:

str

to_account

accounts, excluding the author, of the conversation.

Type:

str

DATA_TYPE = 'skype:event:chat'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.skype.SkypePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Skype database files.

DATA_FORMAT = 'Skype SQLite database (main.db) file'
NAME = 'skype'
ParseAccountInformation(parser_mediator, query, row, **unused_kwargs)[source]

Parses account information.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row with account information.

ParseCall(parser_mediator, query, row, **unused_kwargs)[source]

Parses a call.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (Optional[str]) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

ParseChat(parser_mediator, query, row, **unused_kwargs)[source]

Parses a chat message.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

ParseFileTransfer(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a file transfer.

There is no direct relationship between who sends the file and who accepts the file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

  • cache (Optional[SQLiteCache]) – cache.

  • database (Optional[SQLiteDatabase]) – database.

ParseSMS(parser_mediator, query, row, **unused_kwargs)[source]

Parses an SMS.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT c.id, c.participants, c.friendlyname AS title, m.author AS author, m.from_dispname AS from_displayname, m.body_xml, m.timestamp, c.dialog_partner FROM Chats c, Messages m WHERE c.name = m.chatname', 'ParseChat'), ('SELECT id, fullname, given_displayname, emails, country, profile_timestamp, authreq_timestamp, lastonline_timestamp, mood_timestamp, sent_authrequest_time, lastused_timestamp FROM Accounts', 'ParseAccountInformation'), ('SELECT id, target_numbers AS dstnum_sms, timestamp AS time_sms, body AS msg_sms FROM SMSes', 'ParseSMS'), ('SELECT id, partner_handle, partner_dispname, offer_send_list, starttime, accepttime, finishtime, filepath, filename, filesize, status, parent_id, pk_id FROM Transfers', 'ParseFileTransfer'), ('SELECT c.id, cm.guid, c.is_incoming, cm.call_db_id, cm.videostatus, c.begin_timestamp AS try_call, cm.start_timestamp AS accept_call, cm.call_duration FROM Calls c, CallMembers cm WHERE c.id = cm.call_db_id;', 'ParseCall')]
QUERY_DEST_FROM_TRANSFER = 'SELECT parent_id, partner_handle AS skypeid, partner_dispname AS skypename FROM transfers'
QUERY_SOURCE_FROM_TRANSFER = 'SELECT pk_id, partner_handle AS skypeid, partner_dispname AS skypename FROM transfers'
REQUIRED_STRUCTURE = {'Accounts': frozenset({'authreq_timestamp', 'country', 'emails', 'fullname', 'given_displayname', 'id', 'lastonline_timestamp', 'mood_timestamp', 'profile_timestamp', 'sent_authrequest_time'}), 'CallMembers': frozenset({'call_db_id', 'call_duration', 'guid', 'start_timestamp', 'videostatus'}), 'Calls': frozenset({'begin_timestamp', 'id', 'is_incoming'}), 'Chats': frozenset({'dialog_partner', 'friendlyname', 'id', 'name', 'participants'}), 'Messages': frozenset({'author', 'body_xml', 'chatname', 'from_dispname', 'timestamp'}), 'SMSes': frozenset({'body', 'id', 'target_numbers', 'timestamp'}), 'Transfers': frozenset({'accepttime', 'filename', 'filepath', 'filesize', 'finishtime', 'id', 'offer_send_list', 'parent_id', 'partner_dispname', 'partner_handle', 'pk_id', 'starttime', 'status'})}
SCHEMAS = [{'Accounts': 'CREATE TABLE Accounts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, status INTEGER, pwdchangestatus INTEGER, logoutreason INTEGER, commitstatus INTEGER, suggested_skypename TEXT, skypeout_balance_currency TEXT, skypeout_balance INTEGER, skypeout_precision INTEGER, skypein_numbers TEXT, subscriptions TEXT, cblsyncstatus INTEGER, offline_callforward TEXT, chat_policy INTEGER, skype_call_policy INTEGER, pstn_call_policy INTEGER, avatar_policy INTEGER, buddycount_policy INTEGER, timezone_policy INTEGER, webpresence_policy INTEGER, phonenumbers_policy INTEGER, voicemail_policy INTEGER, authrequest_policy INTEGER, ad_policy INTEGER, partner_optedout TEXT, service_provider_info TEXT, registration_timestamp INTEGER, nr_of_other_instances INTEGER, partner_channel_status TEXT, flamingo_xmpp_status INTEGER, federated_presence_policy INTEGER, liveid_membername TEXT, roaming_history_enabled INTEGER, cobrand_id INTEGER, owner_under_legal_age INTEGER, type INTEGER, skypename TEXT, pstnnumber TEXT, fullname TEXT, birthday INTEGER, gender INTEGER, languages TEXT, country TEXT, province TEXT, city TEXT, phone_home TEXT, phone_office TEXT, phone_mobile TEXT, emails TEXT, homepage TEXT, about TEXT, profile_timestamp INTEGER, received_authrequest TEXT, displayname TEXT, refreshing INTEGER, given_authlevel INTEGER, aliases TEXT, authreq_timestamp INTEGER, mood_text TEXT, timezone INTEGER, nrof_authed_buddies INTEGER, ipcountry TEXT, given_displayname TEXT, availability INTEGER, lastonline_timestamp INTEGER, capabilities BLOB, avatar_image BLOB, assigned_speeddial TEXT, lastused_timestamp INTEGER, authrequest_count INTEGER, assigned_comment TEXT, alertstring TEXT, avatar_timestamp INTEGER, mood_timestamp INTEGER, rich_mood_text TEXT, synced_email BLOB, set_availability INTEGER, options_change_future BLOB, cbl_profile_blob BLOB, authorized_time INTEGER, sent_authrequest TEXT, sent_authrequest_time INTEGER, sent_authrequest_serial INTEGER, buddyblob BLOB, 
cbl_future BLOB, node_capabilities INTEGER, node_capabilities_and INTEGER, revoked_auth INTEGER, added_in_shared_group INTEGER, in_shared_group INTEGER, authreq_history BLOB, profile_attachments BLOB, stack_version INTEGER, offline_authreq_id INTEGER, verified_email BLOB, verified_company BLOB, uses_jcs INTEGER)', 'Alerts': 'CREATE TABLE Alerts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, timestamp INTEGER, partner_name TEXT, is_unseen INTEGER, partner_id INTEGER, partner_event TEXT, partner_history TEXT, partner_header TEXT, partner_logo TEXT, meta_expiry INTEGER, message_header_caption TEXT, message_header_title TEXT, message_header_subject TEXT, message_header_cancel TEXT, message_header_later TEXT, message_content TEXT, message_footer TEXT, message_button_caption TEXT, message_button_uri TEXT, message_type INTEGER, window_size INTEGER, chatmsg_guid BLOB, notification_id INTEGER, event_flags INTEGER, extprop_hide_from_history INTEGER)', 'AppSchemaVersion': 'CREATE TABLE AppSchemaVersion (ClientVersion TEXT NOT NULL, SQLiteSchemaVersion INTEGER NOT NULL, SchemaUpdateType INTEGER NOT NULL)', 'CallMembers': 'CREATE TABLE CallMembers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, identity TEXT, dispname TEXT, languages TEXT, call_duration INTEGER, price_per_minute INTEGER, price_precision INTEGER, price_currency TEXT, payment_category TEXT, type INTEGER, status INTEGER, failurereason INTEGER, sounderror_code INTEGER, soundlevel INTEGER, pstn_statustext TEXT, pstn_feedback TEXT, forward_targets TEXT, forwarded_by TEXT, debuginfo TEXT, videostatus INTEGER, target_identity TEXT, mike_status INTEGER, is_read_only INTEGER, quality_status INTEGER, call_name TEXT, transfer_status INTEGER, transfer_active INTEGER, transferred_by TEXT, transferred_to TEXT, guid TEXT, next_redial_time INTEGER, nrof_redials_done INTEGER, nrof_redials_left INTEGER, transfer_topic TEXT, real_identity TEXT, start_timestamp INTEGER, is_conference INTEGER, quality_problems TEXT, 
identity_type INTEGER, country TEXT, creation_timestamp INTEGER, stats_xml TEXT, is_premium_video_sponsor INTEGER, is_multiparty_video_capable INTEGER, recovery_in_progress INTEGER, nonse_word TEXT, nr_of_delivered_push_notifications INTEGER, call_session_guid TEXT, version_string TEXT, pk_status INTEGER, call_db_id INTEGER, prime_status INTEGER)', 'Calls': 'CREATE TABLE Calls (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, begin_timestamp INTEGER, topic TEXT, is_muted INTEGER, is_unseen_missed INTEGER, host_identity TEXT, mike_status INTEGER, duration INTEGER, soundlevel INTEGER, access_token TEXT, active_members INTEGER, is_active INTEGER, name TEXT, video_disabled INTEGER, joined_existing INTEGER, server_identity TEXT, vaa_input_status INTEGER, is_incoming INTEGER, is_conference INTEGER, is_on_hold INTEGER, start_timestamp INTEGER, quality_problems TEXT, current_video_audience TEXT, premium_video_status INTEGER, premium_video_is_grace_period INTEGER, is_premium_video_sponsor INTEGER, premium_video_sponsor_list TEXT, old_members BLOB, partner_handle TEXT, partner_dispname TEXT, type INTEGER, status INTEGER, failurereason INTEGER, failurecode INTEGER, pstn_number TEXT, old_duration INTEGER, conf_participants BLOB, pstn_status TEXT, members BLOB, conv_dbid INTEGER)', 'ChatMembers': 'CREATE TABLE ChatMembers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, chatname TEXT, identity TEXT, role INTEGER, is_active INTEGER, cur_activities INTEGER, adder TEXT)', 'Chats': 'CREATE TABLE Chats (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, name TEXT, options INTEGER, friendlyname TEXT, description TEXT, timestamp INTEGER, activity_timestamp INTEGER, dialog_partner TEXT, adder TEXT, type INTEGER, mystatus INTEGER, myrole INTEGER, posters TEXT, participants TEXT, applicants TEXT, banned_users TEXT, name_text TEXT, topic TEXT, topic_xml TEXT, guidelines TEXT, picture BLOB, alertstring TEXT, is_bookmarked INTEGER, passwordhint TEXT, 
unconsumed_suppressed_msg INTEGER, unconsumed_normal_msg INTEGER, unconsumed_elevated_msg INTEGER, unconsumed_msg_voice INTEGER, activemembers TEXT, state_data BLOB, lifesigns INTEGER, last_change INTEGER, first_unread_message INTEGER, pk_type INTEGER, dbpath TEXT, split_friendlyname TEXT, conv_dbid INTEGER)', 'ContactGroups': 'CREATE TABLE ContactGroups (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, custom_group_id INTEGER, given_displayname TEXT, nrofcontacts INTEGER, nrofcontacts_online INTEGER, given_sortorder INTEGER, type_old INTEGER, proposer TEXT, description TEXT, associated_chat TEXT, members TEXT, cbl_id INTEGER, cbl_blob BLOB, fixed INTEGER, keep_sharedgroup_contacts INTEGER, chats TEXT, extprop_is_hidden INTEGER, extprop_sortorder_value INTEGER, extprop_is_expanded INTEGER)', 'Contacts': 'CREATE TABLE Contacts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, skypename TEXT, pstnnumber TEXT, aliases TEXT, fullname TEXT, birthday INTEGER, gender INTEGER, languages TEXT, country TEXT, province TEXT, city TEXT, phone_home TEXT, phone_office TEXT, phone_mobile TEXT, emails TEXT, hashed_emails TEXT, homepage TEXT, about TEXT, avatar_image BLOB, mood_text TEXT, rich_mood_text TEXT, timezone INTEGER, capabilities BLOB, profile_timestamp INTEGER, nrof_authed_buddies INTEGER, ipcountry TEXT, avatar_timestamp INTEGER, mood_timestamp INTEGER, received_authrequest TEXT, authreq_timestamp INTEGER, lastonline_timestamp INTEGER, availability INTEGER, displayname TEXT, refreshing INTEGER, given_authlevel INTEGER, given_displayname TEXT, assigned_speeddial TEXT, assigned_comment TEXT, alertstring TEXT, lastused_timestamp INTEGER, authrequest_count INTEGER, assigned_phone1 TEXT, assigned_phone1_label TEXT, assigned_phone2 TEXT, assigned_phone2_label TEXT, assigned_phone3 TEXT, assigned_phone3_label TEXT, buddystatus INTEGER, isauthorized INTEGER, popularity_ord INTEGER, external_id TEXT, external_system_id TEXT, isblocked 
INTEGER, authorization_certificate BLOB, certificate_send_count INTEGER, account_modification_serial_nr INTEGER, saved_directory_blob BLOB, nr_of_buddies INTEGER, server_synced INTEGER, contactlist_track INTEGER, last_used_networktime INTEGER, authorized_time INTEGER, sent_authrequest TEXT, sent_authrequest_time INTEGER, sent_authrequest_serial INTEGER, buddyblob BLOB, cbl_future BLOB, node_capabilities INTEGER, revoked_auth INTEGER, added_in_shared_group INTEGER, in_shared_group INTEGER, authreq_history BLOB, profile_attachments BLOB, stack_version INTEGER, offline_authreq_id INTEGER, node_capabilities_and INTEGER, authreq_crc INTEGER, authreq_src INTEGER, pop_score INTEGER, authreq_nodeinfo BLOB, main_phone TEXT, unified_servants TEXT, phone_home_normalized TEXT, phone_office_normalized TEXT, phone_mobile_normalized TEXT, sent_authrequest_initmethod INTEGER, authreq_initmethod INTEGER, verified_email BLOB, verified_company BLOB, sent_authrequest_extrasbitmask INTEGER, liveid_cid TEXT, extprop_seen_birthday INTEGER, extprop_sms_target INTEGER, extprop_external_data TEXT, extprop_must_hide_avatar INTEGER)', 'Conversations': 'CREATE TABLE Conversations (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, identity TEXT, type INTEGER, live_host TEXT, live_start_timestamp INTEGER, live_is_muted INTEGER, alert_string TEXT, is_bookmarked INTEGER, given_displayname TEXT, displayname TEXT, local_livestatus INTEGER, inbox_timestamp INTEGER, inbox_message_id INTEGER, unconsumed_suppressed_messages INTEGER, unconsumed_normal_messages INTEGER, unconsumed_elevated_messages INTEGER, unconsumed_messages_voice INTEGER, active_vm_id INTEGER, context_horizon INTEGER, consumption_horizon INTEGER, last_activity_timestamp INTEGER, active_invoice_message INTEGER, spawned_from_convo_id INTEGER, pinned_order INTEGER, creator TEXT, creation_timestamp INTEGER, my_status INTEGER, opt_joining_enabled INTEGER, opt_access_token TEXT, opt_entry_level_rank INTEGER, opt_disclose_history 
INTEGER, opt_history_limit_in_days INTEGER, opt_admin_only_activities INTEGER, passwordhint TEXT, meta_name TEXT, meta_topic TEXT, meta_guidelines TEXT, meta_picture BLOB, picture TEXT, is_p2p_migrated INTEGER, premium_video_status INTEGER, premium_video_is_grace_period INTEGER, guid TEXT, dialog_partner TEXT, meta_description TEXT, premium_video_sponsor_list TEXT, mcr_caller TEXT, chat_dbid INTEGER, history_horizon INTEGER, history_sync_state TEXT, thread_version TEXT, consumption_horizon_set_at INTEGER, alt_identity TEXT, extprop_profile_height INTEGER, extprop_chat_width INTEGER, extprop_chat_left_margin INTEGER, extprop_chat_right_margin INTEGER, extprop_entry_height INTEGER, extprop_windowpos_x INTEGER, extprop_windowpos_y INTEGER, extprop_windowpos_w INTEGER, extprop_windowpos_h INTEGER, extprop_window_maximized INTEGER, extprop_window_detached INTEGER, extprop_pinned_order INTEGER, extprop_new_in_inbox INTEGER, extprop_tab_order INTEGER, extprop_video_layout INTEGER, extprop_video_chat_height INTEGER, extprop_chat_avatar INTEGER, extprop_consumption_timestamp INTEGER, extprop_form_visible INTEGER, extprop_recovery_mode INTEGER)', 'DbMeta': 'CREATE TABLE DbMeta (key TEXT NOT NULL PRIMARY KEY, value TEXT)', 'LegacyMessages': 'CREATE TABLE LegacyMessages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER)', 'Messages': 'CREATE TABLE Messages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, convo_id INTEGER, chatname TEXT, author TEXT, from_dispname TEXT, author_was_live INTEGER, guid BLOB, dialog_partner TEXT, timestamp INTEGER, type INTEGER, sending_status INTEGER, consumption_status INTEGER, edited_by TEXT, edited_timestamp INTEGER, param_key INTEGER, param_value INTEGER, body_xml TEXT, identities TEXT, reason TEXT, leavereason INTEGER, participant_count INTEGER, error_code INTEGER, chatmsg_type INTEGER, chatmsg_status INTEGER, body_is_rawxml INTEGER, oldoptions INTEGER, newoptions INTEGER, newrole INTEGER, pk_id INTEGER, crc INTEGER, remote_id 
INTEGER, call_guid TEXT, extprop_contact_review_date TEXT, extprop_contact_received_stamp INTEGER, extprop_contact_reviewed INTEGER)', 'Participants': 'CREATE TABLE Participants (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, convo_id INTEGER, identity TEXT, rank INTEGER, requested_rank INTEGER, text_status INTEGER, voice_status INTEGER, video_status INTEGER, live_identity TEXT, live_price_for_me TEXT, live_fwd_identities TEXT, live_start_timestamp INTEGER, sound_level INTEGER, debuginfo TEXT, next_redial_time INTEGER, nrof_redials_left INTEGER, last_voice_error TEXT, quality_problems TEXT, live_type INTEGER, live_country TEXT, transferred_by TEXT, transferred_to TEXT, adder TEXT, last_leavereason INTEGER, is_premium_video_sponsor INTEGER, is_multiparty_video_capable INTEGER, live_identity_to_use TEXT, livesession_recovery_in_progress INTEGER, is_multiparty_video_updatable INTEGER, real_identity TEXT, extprop_default_identity INTEGER)', 'SMSes': 'CREATE TABLE SMSes (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, outgoing_reply_type INTEGER, status INTEGER, failurereason INTEGER, is_failed_unseen INTEGER, timestamp INTEGER, price INTEGER, price_precision INTEGER, price_currency TEXT, reply_to_number TEXT, target_numbers TEXT, target_statuses BLOB, body TEXT, chatmsg_id INTEGER, identity TEXT, notification_id INTEGER, event_flags INTEGER, reply_id_number TEXT, convo_name TEXT, extprop_hide_from_history INTEGER, extprop_extended INTEGER)', 'Transfers': 'CREATE TABLE Transfers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, partner_handle TEXT, partner_dispname TEXT, status INTEGER, failurereason INTEGER, starttime INTEGER, finishtime INTEGER, filepath TEXT, filename TEXT, filesize TEXT, bytestransferred TEXT, bytespersecond INTEGER, chatmsg_guid BLOB, chatmsg_index INTEGER, convo_id INTEGER, pk_id INTEGER, nodeid BLOB, last_activity INTEGER, flags INTEGER, old_status INTEGER, old_filepath INTEGER, accepttime INTEGER, 
parent_id INTEGER, offer_send_list TEXT, extprop_localfilename TEXT, extprop_hide_from_history INTEGER, extprop_window_visible INTEGER, extprop_handled_by_chat INTEGER)', 'VideoMessages': 'CREATE TABLE VideoMessages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, qik_id BLOB, attached_msg_ids TEXT, sharing_id TEXT, status INTEGER, vod_status INTEGER, vod_path TEXT, local_path TEXT, public_link TEXT, progress INTEGER, title TEXT, description TEXT, author TEXT, creation_timestamp INTEGER)', 'Videos': 'CREATE TABLE Videos (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, status INTEGER, error TEXT, debuginfo TEXT, dimensions TEXT, media_type INTEGER, duration_1080 INTEGER, duration_720 INTEGER, duration_hqv INTEGER, duration_vgad2 INTEGER, duration_ltvgad2 INTEGER, timestamp INTEGER, hq_present INTEGER, duration_ss INTEGER, ss_timestamp INTEGER, convo_id INTEGER, device_path TEXT)', 'Voicemails': 'CREATE TABLE Voicemails (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, partner_handle TEXT, partner_dispname TEXT, status INTEGER, failurereason INTEGER, subject TEXT, timestamp INTEGER, duration INTEGER, allowed_duration INTEGER, playback_progress INTEGER, convo_id INTEGER, chatmsg_guid BLOB, notification_id INTEGER, flags INTEGER, size INTEGER, path TEXT, failures INTEGER, vflags INTEGER, xmsg TEXT, extprop_hide_from_history INTEGER)'}]
class plaso.parsers.sqlite_plugins.skype.SkypeSMSEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Skype SMS event data.

number

phone number where the SMS was sent.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

recorded_time

date and time the SMS was recorded.

Type:

dfdatetime.DateTimeValues

text

text (SMS body) that was sent.

Type:

str

DATA_TYPE = 'skype:event:sms'
__init__()[source]

Initialize event data.

class plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Skype file transfer event data.

accept_time

date and time the file transfer was accepted.

Type:

dfdatetime.DateTimeValues

destination

account that received the file.

Type:

str

end_time

date and time the file transfer was stopped.

Type:

dfdatetime.DateTimeValues

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

source

account that sent the file.

Type:

str

start_time

date and time the file transfer was started.

Type:

dfdatetime.DateTimeValues

transfer_status

file transfer status.

Type:

int

transferred_filename

name of the file transferred.

Type:

str

transferred_filepath

path of the file transferred.

Type:

str

transferred_filesize

size of the file transferred.

Type:

int

DATA_TYPE = 'skype:event:transferfile'
__init__()[source]

Initialize event data.

plaso.parsers.sqlite_plugins.windows_eventtranscript module

SQLite parser plugin for Windows Diagnosis EventTranscript database file.

class plaso.parsers.sqlite_plugins.windows_eventtranscript.EventTranscriptPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Windows diagnosis EventTranscript database files.

The Windows diagnosis EventTranscript database file is typically stored in: EventTranscript.db

DATA_FORMAT = 'Windows diagnosis EventTranscript SQLite database (EventTranscript.db) file'
NAME = 'windows_eventtranscript'
ParseEventTranscriptRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses EventTranscript row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT events_persisted.sid,events_persisted.timestamp,events_persisted.payload,events_persisted.full_event_name,events_persisted.full_event_name_hash,events_persisted.event_keywords,events_persisted.is_core,events_persisted.provider_group_id,events_persisted.logging_binary_name,events_persisted.friendly_logging_binary_name,events_persisted.compressed_payload_size,events_persisted.producer_id from events_persisted', 'ParseEventTranscriptRow')]
REQUIRED_STRUCTURE = {'events_persisted': frozenset({'compressed_payload_size', 'event_keywords', 'friendly_logging_binary_name', 'full_event_name', 'full_event_name_hash', 'is_core', 'logging_binary_name', 'payload', 'producer_id', 'provider_group_id', 'sid', 'timestamp'})}
SCHEMAS = [{'events_persisted': 'CREATE TABLE events_persisted (sid TEXT,timestamp INTEGER,payload TEXT,full_event_name TEXT,full_event_name_hash INTEGER,event_keywords INTEGER,is_core INTEGER, provider_group_id INTEGER,logging_binary_name TEXT,friendly_logging_binary_name TEXT, compressed_payload_size INTEGER,producer_id INTEGER,extra1 TEXT, extra2 TEXT,extra3 TEXT,FOREIGN KEY(provider_group_id) REFERENCES provider_groups(group_id), CONSTRAINT fk_producer_id FOREIGN KEY(producer_id) REFERENCES producers(producer_id) ON DELETE CASCADE)'}]
class plaso.parsers.sqlite_plugins.windows_eventtranscript.WindowsEventTranscriptEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows diagnosis EventTranscript event data.

application_name

Application name.

Type:

str

application_root_directory

Application root directory.

Type:

str

application_version

Application version.

Type:

str

compressed_payload_size

Size of the compressed payload.

Type:

int

event_keywords

Event keywords

Type:

int

event_name_hash

Hash of full event name.

Type:

int

event_name

Diagnosis full event name.

Type:

str

friendly_logging_binary_name

Friendly name for logging binary.

Type:

str

ikey

iKey

Type:

str

is_core

Boolean value represented as an integer.

Type:

int

logging_binary_name

Binary that generated the event.

Type:

str

name

Name of the payload, similar to event name.

Type:

str

producer_identifier

Identifier of the EventTranscript event producer.

Type:

int

provider_group_identifier

Identifier of the EventTranscript event provider group.

Type:

int

recorded_time

date and time the entry was recorded.

Type:

dfdatetime.DateTimeValues

user_identifier

Windows Security identifier (SID) of a user account.

Type:

str

version

Payload version

Type:

str

DATA_TYPE = 'windows:diagnosis:eventtranscript'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.windows_push_notification module

SQLite parser plugin for Windows 10 push notification database files.

class plaso.parsers.sqlite_plugins.windows_push_notification.WindowsPushNotificationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows push notification event data.

arrival_time

date and time the push notification was received.

Type:

dfdatetime.DateTimeValues

boot_time

date and time of the last boot.

Type:

dfdatetime.DateTimeValues

expiration_time

date and time the push notification expires.

Type:

dfdatetime.DateTimeValues

handler_identifier

identifier of the corresponding notification handler.

Type:

str

notification_type

notification type.

Type:

str

payload

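payload of the push notification. Note: the Notification table schema listed for this plugin declares [Payload] as BLOB, so the dfdatetime.DateTimeValues type shown for this attribute looks like a documentation slip; verify against the plugin source before relying on it.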

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'windows:wpndatabase:notification'
__init__()[source]

Initialize event data.

class plaso.parsers.sqlite_plugins.windows_push_notification.WindowsPushNotificationHandlerEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows push notification handler event data.

creation_time

date and time the push notification handler was created.

Type:

dfdatetime.DateTimeValues

handler_type

handler type.

Type:

str

identifier

identifier.

Type:

str

modification_time

date and time the push notification handler was last modified.

Type:

dfdatetime.DateTimeValues

service_identifier

Windows Push Notification Service (WNS) identifier.

Type:

str

DATA_TYPE = 'windows:wpndatabase:notification_handler'
__init__()[source]

Initialize event data.

class plaso.parsers.sqlite_plugins.windows_push_notification.WindowsPushNotificationPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Windows 10 push notification database files.

The Windows 10 push notification database file is typically stored in: %APPDATA%\Local\Microsoft\Windows\Notifications\wpndatabase.db

DATA_FORMAT = 'Windows 10 push notification SQLite database (wpndatabase.db) file'
NAME = 'windows_push_notification'
ParseNotificationHandlerRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row of the NotificationHandler table.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

ParseNotificationRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row of the Notification table.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT RecordId, PrimaryId, WNSId, HandlerType, WNFEventName, SystemDataPropertySet, CreatedTime, ModifiedTime, ParentId, ContainerSid FROM NotificationHandler', 'ParseNotificationHandlerRow'), ('SELECT "Order", Id, ActivityId, Type, Payload, Tag, "Group", ExpiryTime, ArrivalTime, DataVersion, PayloadType, BootId, ExpiresOnReboot, PrimaryId FROM Notification, NotificationHandler WHERE Notification.HandlerId == NotificationHandler.RecordId', 'ParseNotificationRow')]
REQUIRED_STRUCTURE = {'Metadata': frozenset({'Key', 'Value'}), 'Notification': frozenset({'ActivityId', 'ArrivalTime', 'BootId', 'DataVersion', 'ExpiresOnReboot', 'ExpiryTime', 'Group', 'HandlerId', 'Id', 'Order', 'Payload', 'PayloadType', 'Tag', 'Type'}), 'NotificationHandler': frozenset({'ContainerSid', 'CreatedTime', 'HandlerType', 'ModifiedTime', 'ParentId', 'PrimaryId', 'RecordId', 'SystemDataPropertySet', 'WNFEventName', 'WNSId'})}
SCHEMAS = [{'HandlerAssets': 'CREATE TABLE [HandlerAssets]( [HandlerId] INTEGER CONSTRAINT[AssetsToHandler] REFERENCES[NotificationHandler]([RecordId]) ON DELETE CASCADE ON UPDATE CASCADE, [AssetKey] TEXT NOT NULL, [AssetValue] TEXT, CONSTRAINT[] PRIMARY KEY([AssetKey], [HandlerId]) ON CONFLICT REPLACE)', 'HandlerSettings': 'CREATE TABLE [HandlerSettings]( [HandlerId] INTEGER CONSTRAINT[SettingsToHandler] REFERENCES[NotificationHandler]([RecordId]) ON DELETE CASCADE ON UPDATE CASCADE, [SettingKey] TEXT NOT NULL, [Value] INT, CONSTRAINT[] PRIMARY KEY([SettingKey], [HandlerId]) ON CONFLICT REPLACE)', 'Metadata': 'CREATE TABLE [Metadata]( [Key] TEXT, [Value] INT64, CONSTRAINT[] PRIMARY KEY([Key]) ON CONFLICT REPLACE)', 'Notification': "CREATE TABLE [Notification]( [Order] INTEGER NOT NULL PRIMARY KEY, [Id] INTEGER NOT NULL, [HandlerId] INTEGER CONSTRAINT[NotificationToHandler] REFERENCES[NotificationHandler]([RecordId]) ON DELETE CASCADE ON UPDATE CASCADE, [ActivityId] GUID,[Type] TEXT NOT NULL, [Payload] BLOB, [Tag] TEXT, [Group] TEXT, [ExpiryTime] INT64, [ArrivalTime] INT64, [DataVersion] INT64 DEFAULT '0', [PayloadType] TEXT NOT NULL, [BootId] INT64 DEFAULT '0', [ExpiresOnReboot] BOOLEAN DEFAULT 'FALSE', UNIQUE([Id]) ON CONFLICT REPLACE)", 'NotificationData': 'CREATE TABLE [NotificationData]( [NotificationId] INTEGER CONSTRAINT[DataToNotification] REFERENCES[Notification]([Id]) ON DELETE CASCADE ON UPDATE CASCADE, [Key] TEXT NOT NULL, [Value] TEXT, CONSTRAINT[] PRIMARY KEY([Key], [NotificationId]) ON CONFLICT REPLACE)', 'NotificationHandler': 'CREATE TABLE [NotificationHandler] ( [RecordId] INTEGER PRIMARY KEY, [PrimaryId] TEXT NOT NULL COLLATE NOCASE, [WNSId] TEXT COLLATE NOCASE, [HandlerType] TEXT, [WNFEventName] INT64, [SystemDataPropertySet] BLOB, [CreatedTime] DATETIME, [ModifiedTime] DATETIME, [ParentId] TEXT COLLATE NOCASE, [ContainerSid] TEXT COLLATE NOCASE)', 'TransientTable': "CREATE TABLE [TransientTable]( [OfflineCacheCount] INTEGER, [NotificationId] 
INTEGER CONSTRAINT[TransientToNotification] REFERENCES[Notification]([Id]) ON DELETE CASCADE ON UPDATE CASCADE, [OfflineBundleId] TEXT, [ServerCacheRollover] BOOLEAN DEFAULT 'FALSE', [CrossDeviceMatchId] TEXT, [SuppressPopup] BOOLEAN DEFAULT 'FALSE', [IsMirroringDisabled] BOOLEAN DEFAULT 'FALSE', [RecurrenceId] GUID, [MessageId] GUID, [Priority] INTEGER NOT NULL, [CV] TEXT)", 'WNSPushChannel': "CREATE TABLE [WNSPushChannel]( [ChannelId] TEXT NOT NULL, [HandlerId] INTEGER REFERENCES[NotificationHandler]([RecordId]) ON DELETE CASCADE ON UPDATE CASCADE, [Uri] TEXT, [ExpiryTime] INT64, [CreatedTime] INT64, [DeviceVersion] INT64 DEFAULT '0', CONSTRAINT[] PRIMARY KEY([ChannelId]) ON CONFLICT REPLACE)"}]

plaso.parsers.sqlite_plugins.windows_timeline module

SQLite parser plugin for Windows 10 timeline database files.

class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineGenericEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows 10 timeline database generic event data.

application_display_name

a more human-friendly version of the package_identifier, such as ‘Docker for Windows’ or ‘Microsoft Store’.

Type:

str

description

this is an optional field, used to describe the action in the timeline view, and is usually populated with the path of the file currently open in the program described by package_identifier. Otherwise None.

Type:

str

package_identifier

the package ID or path to the executable run. Depending on the program, this either looks like a path (for example, c:\python34\python.exe) or like a package name (for example Docker.DockerForWindows.Settings).

Type:

str

start_time

date and time of the start of the activity.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'windows:timeline:generic'
__init__()[source]

Initialize event data.

class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Windows 10 timeline database files.

The Windows 10 timeline database file is typically stored in: %APPDATA%\Local\ConnectedDevicesPlatform\L.<username>\ActivitiesCache.db

DATA_FORMAT = 'Windows 10 timeline SQLite database (ActivitiesCache.db) file'
NAME = 'windows_timeline'
ParseGenericRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a generic Windows timeline row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

ParseUserEngagedRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a timeline row that describes a user interacting with an app.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT StartTime, Payload, PackageName FROM Activity INNER JOIN Activity_PackageId ON Activity.Id = Activity_PackageId.ActivityId WHERE instr(Payload, "UserEngaged") > 0 AND Platform = "packageid"', 'ParseUserEngagedRow'), ('SELECT StartTime, Payload, AppId FROM Activity WHERE instr(Payload, "UserEngaged") = 0', 'ParseGenericRow')]
REQUIRED_STRUCTURE = {'Activity': frozenset({'AppId', 'Id', 'Payload', 'StartTime'}), 'Activity_PackageId': frozenset({'ActivityId', 'PackageName'})}
SCHEMAS = [{'Activity': 'CREATE TABLE [Activity]([Id] GUID PRIMARY KEY NOT NULL, [AppId] TEXT NOT NULL, [PackageIdHash] TEXT, [AppActivityId] TEXT, [ActivityType] INT NOT NULL, [ActivityStatus] INT NOT NULL, [ParentActivityId] GUID, [Tag] TEXT, [Group] TEXT, [MatchId] TEXT, [LastModifiedTime] DATETIME NOT NULL, [ExpirationTime] DATETIME, [Payload] BLOB, [Priority] INT, [IsLocalOnly] INT, [PlatformDeviceId] TEXT, [CreatedInCloud] DATETIME, [StartTime] DATETIME, [EndTime] DATETIME, [LastModifiedOnClient] DATETIME, [GroupAppActivityId] TEXT, [ClipboardPayload] BLOB, [EnterpriseId] TEXT, [OriginalPayload] BLOB, [OriginalLastModifiedOnClient] DATETIME, [ETag] INT NOT NULL)', 'ActivityAssetCache': 'CREATE TABLE [ActivityAssetCache]([ResourceId] INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, [AppId] TEXT NOT NULL, [AssetHash] TEXT NOT NULL, [TimeToLive] DATETIME NOT NULL, [AssetUri] TEXT, [AssetId] TEXT, [AssetKey] TEXT, [Contents] BLOB)', 'ActivityOperation': 'CREATE TABLE [ActivityOperation]([OperationOrder] INTEGER PRIMARY KEY ASC NOT NULL, [Id] GUID NOT NULL, [OperationType] INT NOT NULL, [AppId] TEXT NOT NULL, [PackageIdHash] TEXT, [AppActivityId] TEXT, [ActivityType] INT NOT NULL, [ParentActivityId] GUID, [Tag] TEXT, [Group] TEXT, [MatchId] TEXT, [LastModifiedTime] DATETIME NOT NULL, [ExpirationTime] DATETIME, [Payload] BLOB, [Priority] INT, [CreatedTime] DATETIME, [Attachments] TEXT, [PlatformDeviceId] TEXT, [CreatedInCloud] DATETIME, [StartTime] DATETIME NOT NULL, [EndTime] DATETIME, [LastModifiedOnClient] DATETIME NOT NULL, [CorrelationVector] TEXT, [GroupAppActivityId] TEXT, [ClipboardPayload] BLOB, [EnterpriseId] TEXT, [OriginalPayload] BLOB, [OriginalLastModifiedOnClient] DATETIME, [ETag] INT NOT NULL)', 'Activity_PackageId': 'CREATE TABLE [Activity_PackageId]([ActivityId] GUID NOT NULL, [Platform] TEXT NOT NULL, [PackageName] TEXT NOT NULL, [ExpirationTime] DATETIME NOT NULL)', 'AppSettings': 'CREATE TABLE [AppSettings]([AppId] TEXT PRIMARY KEY NOT NULL, 
[SettingsPropertyBag] BLOB, [AppTitle] TEXT, [Logo4141] TEXT)', 'ManualSequence': 'CREATE TABLE [ManualSequence]([Key] TEXT PRIMARY KEY NOT NULL, [Value] INT NOT NULL)', 'Metadata': 'CREATE TABLE [Metadata]([Key] TEXT PRIMARY KEY NOT NULL, [Value] TEXT)'}, {'Activity': 'CREATE TABLE [Activity]([Id] GUID PRIMARY KEY NOT NULL, [AppId] TEXT NOT NULL, [PackageIdHash] TEXT, [AppActivityId] TEXT, [ActivityType] INT NOT NULL, [ActivityStatus] INT NOT NULL, [ParentActivityId] GUID, [Tag] TEXT, [Group] TEXT, [MatchId] TEXT, [LastModifiedTime] DATETIME NOT NULL, [ExpirationTime] DATETIME, [Payload] BLOB, [Priority] INT, [IsLocalOnly] INT, [PlatformDeviceId] TEXT, [CreatedInCloud] DATETIME, [StartTime] DATETIME, [EndTime] DATETIME, [LastModifiedOnClient] DATETIME, [GroupAppActivityId] TEXT, [ClipboardPayload] BLOB, [EnterpriseId] TEXT, [OriginalPayload] BLOB, [UserActionState] INT,[IsRead] INT,[OriginalLastModifiedOnClient] DATETIME, [GroupItems] TEXT, [ETag] INT NOT NULL)', 'ActivityAssetCache': 'CREATE TABLE [ActivityAssetCache]([ResourceId] INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, [AppId] TEXT NOT NULL, [AssetHash] TEXT NOT NULL, [TimeToLive] DATETIME NOT NULL, [AssetUri] TEXT, [AssetId] TEXT, [AssetKey] TEXT, [Contents] BLOB)', 'ActivityOperation': 'CREATE TABLE [ActivityOperation]([OperationOrder] INTEGER PRIMARY KEY ASC NOT NULL, [Id] GUID NOT NULL, [OperationType] INT NOT NULL, [AppId] TEXT NOT NULL, [PackageIdHash] TEXT, [AppActivityId] TEXT, [ActivityType] INT NOT NULL, [ParentActivityId] GUID, [Tag] TEXT, [Group] TEXT, [MatchId] TEXT, [LastModifiedTime] DATETIME NOT NULL, [ExpirationTime] DATETIME, [Payload] BLOB, [Priority] INT, [CreatedTime] DATETIME, [OperationExpirationTime] DATETIME,[Attachments] TEXT, [PlatformDeviceId] TEXT, [CreatedInCloud] DATETIME, [StartTime] DATETIME NOT NULL, [EndTime] DATETIME, [LastModifiedOnClient] DATETIME NOT NULL, [CorrelationVector] TEXT, [GroupAppActivityId] TEXT, [ClipboardPayload] BLOB, [EnterpriseId] TEXT, 
[UserActionState] INT,[IsRead] INT,[OriginalPayload] BLOB, [OriginalLastModifiedOnClient] DATETIME, [UploadAllowedByPolicy] INT NOT NULL DEFAULT 1, [PatchFields] BLOB, [GroupItems] TEXT, [ETag] INT NOT NULL)', 'Activity_PackageId': 'CREATE TABLE [Activity_PackageId]([ActivityId] GUID NOT NULL, [Platform] TEXT NOT NULL COLLATE NOCASE, [PackageName] TEXT NOT NULL COLLATE NOCASE, [ExpirationTime] DATETIME NOT NULL)', 'AppSettings': 'CREATE TABLE [AppSettings]([AppId] TEXT PRIMARY KEY NOT NULL, [SettingsPropertyBag] BLOB, [AppTitle] TEXT, [Logo4141] TEXT)', 'DataEncryptionKeys': 'CREATE TABLE [DataEncryptionKeys]([KeyVersion] INTEGER PRIMARY KEY NOT NULL, [KeyValue] TEXT NOT NULL COLLATE NOCASE, [CreatedInCloudTime] DATETIME NOT NULL)', 'ManualSequence': 'CREATE TABLE [ManualSequence]([Key] TEXT PRIMARY KEY NOT NULL, [Value] INT NOT NULL)', 'Metadata': 'CREATE TABLE [Metadata]([Key] TEXT PRIMARY KEY NOT NULL, [Value] TEXT)'}]
class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineUserEngagedEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows 10 timeline database User Engaged event data.

Contains information describing how long a user interacted with an application for.

active_duration_seconds

the number of seconds the user spent interacting with the program.

Type:

int

package_identifier

the package ID or location of the executable the user interacted with.

Type:

str

reporting_app

the name of the application that reported the user’s interaction. This is the name of a monitoring tool, for example “ShellActivityMonitor”.

Type:

str

start_time

date and time of the start of the activity.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'windows:timeline:user_engaged'
__init__()[source]

Initialize event data.

plaso.parsers.sqlite_plugins.zeitgeist module

SQLite parser plugin for Zeitgeist activity database files.

class plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Zeitgeist activity database files.

Zeitgeist is a service which logs the user activities and events, anywhere from files opened to websites visited and conversations.

DATA_FORMAT = 'Zeitgeist activity SQLite database file'
NAME = 'zeitgeist'
ParseZeitgeistEventRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a zeitgeist event row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT id, timestamp, subj_uri FROM event_view', 'ParseZeitgeistEventRow')]
REQUIRED_STRUCTURE = {'actor': frozenset({}), 'event': frozenset({'id', 'subj_id', 'timestamp'}), 'uri': frozenset({'id'})}
SCHEMAS = [{'actor': 'CREATE TABLE actor ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'event': 'CREATE TABLE event ( id INTEGER, timestamp INTEGER, interpretation INTEGER, manifestation INTEGER, actor INTEGER, payload INTEGER, subj_id INTEGER, subj_interpretation INTEGER, subj_manifestation INTEGER, subj_origin INTEGER, subj_mimetype INTEGER, subj_text INTEGER, subj_storage INTEGER, origin INTEGER, subj_id_current INTEGER, CONSTRAINT interpretation_fk FOREIGN KEY(interpretation) REFERENCES interpretation(id) ON DELETE CASCADE, CONSTRAINT manifestation_fk FOREIGN KEY(manifestation) REFERENCES manifestation(id) ON DELETE CASCADE, CONSTRAINT actor_fk FOREIGN KEY(actor) REFERENCES actor(id) ON DELETE CASCADE, CONSTRAINT origin_fk FOREIGN KEY(origin) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT payload_fk FOREIGN KEY(payload) REFERENCES payload(id) ON DELETE CASCADE, CONSTRAINT subj_id_fk FOREIGN KEY(subj_id) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_id_current_fk FOREIGN KEY(subj_id_current) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_interpretation_fk FOREIGN KEY(subj_interpretation) REFERENCES interpretation(id) ON DELETE CASCADE, CONSTRAINT subj_manifestation_fk FOREIGN KEY(subj_manifestation) REFERENCES manifestation(id) ON DELETE CASCADE, CONSTRAINT subj_origin_fk FOREIGN KEY(subj_origin) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_mimetype_fk FOREIGN KEY(subj_mimetype) REFERENCES mimetype(id) ON DELETE CASCADE, CONSTRAINT subj_text_fk FOREIGN KEY(subj_text) REFERENCES text(id) ON DELETE CASCADE, CONSTRAINT subj_storage_fk FOREIGN KEY(subj_storage) REFERENCES storage(id) ON DELETE CASCADE, CONSTRAINT unique_event UNIQUE (timestamp, interpretation, manifestation, actor, subj_id) )', 'extensions_conf': 'CREATE TABLE extensions_conf ( extension VARCHAR, key VARCHAR, value BLOB, CONSTRAINT unique_extension UNIQUE (extension, key) )', 'interpretation': 'CREATE TABLE interpretation ( id INTEGER PRIMARY KEY 
AUTOINCREMENT, value VARCHAR UNIQUE )', 'manifestation': 'CREATE TABLE manifestation ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'mimetype': 'CREATE TABLE mimetype ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'payload': 'CREATE TABLE payload (id INTEGER PRIMARY KEY, value BLOB)', 'schema_version': 'CREATE TABLE schema_version ( schema VARCHAR PRIMARY KEY ON CONFLICT REPLACE, version INT )', 'storage': 'CREATE TABLE storage ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE, state INTEGER, icon VARCHAR, display_name VARCHAR )', 'text': 'CREATE TABLE text ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE )', 'uri': 'CREATE TABLE uri ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE )'}]
class plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Zeitgeist activity event data.

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

recorded_time

date and time the entry was recorded.

Type:

dfdatetime.DateTimeValues

subject_uri

subject URI.

Type:

str

DATA_TYPE = 'zeitgeist:activity'
__init__()[source]

Initializes event data.

Module contents

Imports for the SQLite database parser plugins.