plaso.parsers.sqlite_plugins package

Submodules

plaso.parsers.sqlite_plugins.android_calls module

SQLite parser plugin for Android call history database files.

class plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData[source]

Bases: plaso.containers.events.EventData

Android Call event data.

call_type

type of call, such as: Incoming, Outgoing, or Missed.

Type

str

duration

number of seconds the call lasted.

Type

int

name

name associated to the remote party.

Type

str

number

phone number associated to the remote party.

Type

str

DATA_TYPE = 'android:event:call'
class plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Android call history database files.

The Android call history database file is typically stored in: contacts2.db

CALL_TYPE = {1: 'INCOMING', 2: 'OUTGOING', 3: 'MISSED'}
DATA_FORMAT = 'Android call history SQLite database (contacts2.db) file'
NAME = 'android_calls'
ParseCallsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a Call record row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT _id AS id, date, number, name, duration, type FROM calls', 'ParseCallsRow')]
REQUIRED_STRUCTURE = {'calls': frozenset({'_id', 'date', 'duration', 'name', 'number', 'type'})}
SCHEMAS = [{'_sync_state': 'CREATE TABLE _sync_state (_id INTEGER PRIMARY KEY, account_name TEXT NOT NULL, account_type TEXT NOT NULL, data TEXT, UNIQUE(account_name, account_type))', '_sync_state_metadata': 'CREATE TABLE _sync_state_metadata (version INTEGER)', 'accounts': 'CREATE TABLE accounts (_id INTEGER PRIMARY KEY AUTOINCREMENT, account_name TEXT, account_type TEXT, data_set TEXT)', 'agg_exceptions': 'CREATE TABLE agg_exceptions (_id INTEGER PRIMARY KEY AUTOINCREMENT, type INTEGER NOT NULL, raw_contact_id1 INTEGER REFERENCES raw_contacts(_id), raw_contact_id2 INTEGER REFERENCES raw_contacts(_id))', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'calls': 'CREATE TABLE calls (_id INTEGER PRIMARY KEY AUTOINCREMENT, number TEXT, date INTEGER, duration INTEGER, type INTEGER, new INTEGER, name TEXT, numbertype INTEGER, numberlabel TEXT, countryiso TEXT, voicemail_uri TEXT, is_read INTEGER, geocoded_location TEXT, lookup_uri TEXT, matched_number TEXT, normalized_number TEXT, photo_id INTEGER NOT NULL DEFAULT 0, formatted_number TEXT, _data TEXT, has_content INTEGER, mime_type TEXT, source_data TEXT, source_package TEXT, state INTEGER)', 'contacts': 'CREATE TABLE contacts (_id INTEGER PRIMARY KEY AUTOINCREMENT, name_raw_contact_id INTEGER REFERENCES raw_contacts(_id), photo_id INTEGER REFERENCES data(_id), photo_file_id INTEGER REFERENCES photo_files(_id), custom_ringtone TEXT, send_to_voicemail INTEGER NOT NULL DEFAULT 0, times_contacted INTEGER NOT NULL DEFAULT 0, last_time_contacted INTEGER, starred INTEGER NOT NULL DEFAULT 0, has_phone_number INTEGER NOT NULL DEFAULT 0, lookup TEXT, status_update_id INTEGER REFERENCES data(_id), contact_last_updated_timestamp INTEGER)', 'data': 'CREATE TABLE data (_id INTEGER PRIMARY KEY AUTOINCREMENT, package_id INTEGER REFERENCES package(_id), mimetype_id INTEGER REFERENCES mimetype(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, is_read_only INTEGER NOT NULL DEFAULT 0, is_primary INTEGER NOT NULL DEFAULT 0, is_super_primary INTEGER NOT NULL DEFAULT 0, data_version INTEGER NOT NULL DEFAULT 0, data1 TEXT, data2 TEXT, data3 TEXT, data4 TEXT, data5 TEXT, data6 TEXT, data7 TEXT, data8 TEXT, data9 TEXT, data10 TEXT, data11 TEXT, data12 TEXT, data13 TEXT, data14 TEXT, data15 TEXT, data_sync1 TEXT, data_sync2 TEXT, data_sync3 TEXT, data_sync4 TEXT )', 'data_usage_stat': 'CREATE TABLE data_usage_stat(stat_id INTEGER PRIMARY KEY AUTOINCREMENT, data_id INTEGER NOT NULL, usage_type INTEGER NOT NULL DEFAULT 0, times_used INTEGER NOT NULL DEFAULT 0, last_time_used INTEGER NOT NULL DEFAULT 0, FOREIGN KEY(data_id) REFERENCES data(_id))', 'default_directory': 'CREATE TABLE default_directory (_id INTEGER PRIMARY KEY)', 'deleted_contacts': 'CREATE TABLE deleted_contacts (contact_id INTEGER PRIMARY KEY, contact_deleted_timestamp INTEGER NOT NULL default 0)', 'directories': 'CREATE TABLE directories(_id INTEGER PRIMARY KEY AUTOINCREMENT, packageName TEXT NOT NULL, authority TEXT NOT NULL, typeResourceId INTEGER, typeResourceName TEXT, accountType TEXT, accountName TEXT, displayName TEXT, exportSupport INTEGER NOT NULL DEFAULT 0, shortcutSupport INTEGER NOT NULL DEFAULT 0, photoSupport INTEGER NOT NULL DEFAULT 0)', 'groups': 'CREATE TABLE groups (_id INTEGER PRIMARY KEY AUTOINCREMENT, package_id INTEGER REFERENCES package(_id), account_name STRING DEFAULT NULL, account_type STRING DEFAULT NULL, data_set STRING DEFAULT NULL, sourceid TEXT, version INTEGER NOT NULL DEFAULT 1, dirty INTEGER NOT NULL DEFAULT 0, title TEXT, title_res INTEGER, notes TEXT, system_id TEXT, deleted INTEGER NOT NULL DEFAULT 0, group_visible INTEGER NOT NULL DEFAULT 0, should_sync INTEGER NOT NULL DEFAULT 1, auto_add INTEGER NOT NULL DEFAULT 0, favorites INTEGER NOT NULL DEFAULT 0, group_is_read_only INTEGER NOT NULL DEFAULT 0, sync1 TEXT, sync2 TEXT, sync3 TEXT, sync4 TEXT , account_id INTEGER REFERENCES accounts(_id))', 'mimetypes': 'CREATE TABLE mimetypes (_id INTEGER PRIMARY KEY AUTOINCREMENT, mimetype TEXT NOT NULL)', 'name_lookup': 'CREATE TABLE name_lookup (data_id INTEGER REFERENCES data(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, normalized_name TEXT NOT NULL, name_type INTEGER NOT NULL, PRIMARY KEY (data_id, normalized_name, name_type))', 'nickname_lookup': 'CREATE TABLE nickname_lookup (name TEXT, cluster TEXT)', 'packages': 'CREATE TABLE packages (_id INTEGER PRIMARY KEY AUTOINCREMENT, package TEXT NOT NULL)', 'phone_lookup': 'CREATE TABLE phone_lookup (data_id INTEGER REFERENCES data(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, normalized_number TEXT NOT NULL, min_match TEXT NOT NULL)', 'photo_files': 'CREATE TABLE photo_files (_id INTEGER PRIMARY KEY AUTOINCREMENT, height INTEGER NOT NULL, width INTEGER NOT NULL, filesize INTEGER NOT NULL)', 'properties': 'CREATE TABLE properties (property_key TEXT PRIMARY KEY, property_value TEXT )'}]

plaso.parsers.sqlite_plugins.android_sms module

SQLite parser plugin for Android text messages (SMS) database files.

class plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData[source]

Bases: plaso.containers.events.EventData

Android SMS event data.

address

phone number associated to the sender or receiver.

Type

str

body

content of the SMS text message.

Type

str

sms_read

message read status, either Read or Unread.

Type

str

sms_type

message type, either Sent or Received.

Type

str

DATA_TYPE = 'android:messaging:sms'
class plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Android text messages (SMS) database files.

The Android text messages (SMS) database file is typically stored in: mmssms.dbs

DATA_FORMAT = 'Android text messages (SMS) SQLite database (mmssms.dbs) file'
NAME = 'android_sms'
ParseSmsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an SMS row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT _id AS id, address, date, read, type, body FROM sms', 'ParseSmsRow')]
REQUIRED_STRUCTURE = {'sms': frozenset({'_id', 'address', 'body', 'date', 'read', 'type'})}
SCHEMAS = [{'addr': 'CREATE TABLE addr (_id INTEGER PRIMARY KEY, msg_id INTEGER, contact_id INTEGER, address TEXT, type INTEGER, charset INTEGER)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'attachments': 'CREATE TABLE attachments (sms_id INTEGER, content_url TEXT, offset INTEGER)', 'canonical_addresses': 'CREATE TABLE canonical_addresses (_id INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT)', 'drm': 'CREATE TABLE drm (_id INTEGER PRIMARY KEY, _data TEXT)', 'part': 'CREATE TABLE part (_id INTEGER PRIMARY KEY AUTOINCREMENT, mid INTEGER, seq INTEGER DEFAULT 0, ct TEXT, name TEXT, chset INTEGER, cd TEXT, fn TEXT, cid TEXT, cl TEXT, ctt_s INTEGER, ctt_t TEXT, _data TEXT, text TEXT)', 'pd': 'CREATE TABLE pdu (_id INTEGER PRIMARY KEY AUTOINCREMENT, thread_id INTEGER, date INTEGER, date_sent INTEGER DEFAULT 0, msg_box INTEGER, read INTEGER DEFAULT 0, m_id TEXT, sub TEXT, sub_cs INTEGER, ct_t TEXT, ct_l TEXT, exp INTEGER, m_cls TEXT, m_type INTEGER, v INTEGER, m_size INTEGER, pri INTEGER, rr INTEGER, rpt_a INTEGER, resp_st INTEGER, st INTEGER, tr_id TEXT, retr_st INTEGER, retr_txt TEXT, retr_txt_cs INTEGER, read_status INTEGER, ct_cls INTEGER, resp_txt TEXT, d_tm INTEGER, d_rpt INTEGER, locked INTEGER DEFAULT 0, seen INTEGER DEFAULT 0, text_only INTEGER DEFAULT 0)', 'pending_msgs': 'CREATE TABLE pending_msgs (_id INTEGER PRIMARY KEY, proto_type INTEGER, msg_id INTEGER, msg_type INTEGER, err_type INTEGER, err_code INTEGER, retry_index INTEGER NOT NULL DEFAULT 0, due_time INTEGER, last_try INTEGER)', 'rate': 'CREATE TABLE rate (sent_time INTEGER)', 'raw': 'CREATE TABLE raw (_id INTEGER PRIMARY KEY, date INTEGER, reference_number INTEGER, count INTEGER, sequence INTEGER, destination_port INTEGER, address TEXT, pdu TEXT)', 'sms': 'CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT, person INTEGER, date INTEGER, date_sent INTEGER DEFAULT 0, protocol INTEGER, read INTEGER DEFAULT 0, status INTEGER DEFAULT -1, type INTEGER, reply_path_present INTEGER, subject TEXT, body TEXT, service_center TEXT, locked INTEGER DEFAULT 0, error_code INTEGER DEFAULT 0, seen INTEGER DEFAULT 0)', 'sr_pending': 'CREATE TABLE sr_pending (reference_number INTEGER, action TEXT, data TEXT)', 'threads': 'CREATE TABLE threads (_id INTEGER PRIMARY KEY AUTOINCREMENT, date INTEGER DEFAULT 0, message_count INTEGER DEFAULT 0, recipient_ids TEXT, snippet TEXT, snippet_cs INTEGER DEFAULT 0, read INTEGER DEFAULT 1, type INTEGER DEFAULT 0, error INTEGER DEFAULT 0, has_attachment INTEGER DEFAULT 0)', 'words': 'CREATE VIRTUAL TABLE words USING FTS3 (_id INTEGER PRIMARY KEY, index_text TEXT, source_id INTEGER, table_to_use INTEGER)', 'words_content': "CREATE TABLE 'words_content'(docid INTEGER PRIMARY KEY, 'c0_id', 'c1index_text', 'c2source_id', 'c3table_to_use')", 'words_segdir': "CREATE TABLE 'words_segdir'(level INTEGER, idx INTEGER, start_block INTEGER, leaves_end_block INTEGER, end_block INTEGER, root BLOB, PRIMARY KEY(level, idx))", 'words_segments': "CREATE TABLE 'words_segments'(blockid INTEGER PRIMARY KEY, block BLOB)"}]
SMS_READ = {0: 'UNREAD', 1: 'READ'}
SMS_TYPE = {1: 'RECEIVED', 2: 'SENT'}

plaso.parsers.sqlite_plugins.android_webview module

SQLite parser plugin for Android WebView database files.

class plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData[source]

Bases: plaso.containers.events.EventData

Android WebView cookie event data.

cookie_name

name of the cookie.

Type

str

data

data stored in the cookie.

Type

str

domain

host that set the cookie.

Type

str

path

path for which the cookie was set.

Type

str

secure

True if the cookie should only be transmitted over a secure channel.

Type

bool

url

URL of the cookie.

Type

str

DATA_TYPE = 'webview:cookie'
class plaso.parsers.sqlite_plugins.android_webview.WebViewPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Android WebView database files.

DATA_FORMAT = 'Android WebView SQLite database file'
NAME = 'android_webview'
ParseCookieRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row from the database.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = frozenset({('SELECT _id, name, value, domain, expires, path, secure FROM cookies', 'ParseCookieRow')})
REQUIRED_STRUCTURE = {'android_metadata': frozenset({}), 'cookies': frozenset({'_id', 'domain', 'expires', 'name', 'path', 'secure', 'value'})}
SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'cookies': 'CREATE TABLE cookies (_id INTEGER PRIMARY KEY, name TEXT, value TEXT, domain TEXT, path TEXT, expires INTEGER, secure INTEGER)', 'formdata': 'CREATE TABLE formdata (_id INTEGER PRIMARY KEY, urlid INTEGER, name TEXT, value TEXT, UNIQUE (urlid, name, value) ON CONFLICT IGNORE)', 'formurl': 'CREATE TABLE formurl (_id INTEGER PRIMARY KEY, url TEXT)', 'httpauth': 'CREATE TABLE httpauth (_id INTEGER PRIMARY KEY, host TEXT, realm TEXT, username TEXT, password TEXT, UNIQUE (host, realm) ON CONFLICT REPLACE)', 'password': 'CREATE TABLE password (_id INTEGER PRIMARY KEY, host TEXT, username TEXT, password TEXT, UNIQUE (host, username) ON CONFLICT REPLACE)'}]

plaso.parsers.sqlite_plugins.android_webviewcache module

SQLite parser plugin for Android WebviewCache database files.

class plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCacheEventData[source]

Bases: plaso.containers.events.EventData

Android WebViewCache event data.

content_length

size of the cached content.

Type

int

url

URL the content was retrieved from.

Type

str

DATA_TYPE = 'android:webviewcache'
class plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Android WebviewCache database files.

DATA_FORMAT = 'Android WebViewCache SQLite database file'
NAME = 'android_webviewcache'
ParseRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row from the database.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = frozenset({('SELECT url, contentlength, expires, lastmodify FROM cache', 'ParseRow')})
REQUIRED_STRUCTURE = {'android_metadata': frozenset({}), 'cache': frozenset({'contentlength', 'expires', 'lastmodify', 'url'})}
SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'cache': 'CREATE TABLE cache (_id INTEGER PRIMARY KEY, url TEXT, filepath TEXT, lastmodify TEXT, etag TEXT, expires INTEGER, expiresstring TEXT, mimetype TEXT, encoding TEXT, httpstatus INTEGER, location TEXT, contentlength INTEGER, contentdisposition TEXT, UNIQUE (url) ON CONFLICT REPLACE)'}]

plaso.parsers.sqlite_plugins.appusage module

SQLite parser plugin for MacOS application usage database files.

class plaso.parsers.sqlite_plugins.appusage.ApplicationUsagePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for MacOS application usage database files.

The MacOS application usage database is typlically stored in: /var/db/application_usage.sqlite

Application usage is a SQLite database that logs down entries triggered by NSWorkspaceWillLaunchApplicationNotification and NSWorkspaceDidTerminateApplicationNotification NSWorkspace notifications by crankd.

More information can be found here: https://github.com/google/macops/blob/master/crankd/ApplicationUsage.py

DATA_FORMAT = 'MacOS application usage SQLite database (application_usage.sqlite) file'
NAME = 'appusage'
ParseApplicationUsageRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an application usage row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT last_time, event, bundle_id, app_version, app_path, number_times FROM application_usage ORDER BY last_time', 'ParseApplicationUsageRow')]
REQUIRED_STRUCTURE = {'application_usage': frozenset({'app_path', 'app_version', 'bundle_id', 'event', 'last_time', 'number_times'})}
SCHEMAS = [{'application_usage': 'CREATE TABLE application_usage (event TEXT, bundle_id TEXT, app_version TEXT, app_path TEXT, last_time INTEGER DEFAULT 0, number_times INTEGER DEFAULT 0, PRIMARY KEY (event, bundle_id))'}]
class plaso.parsers.sqlite_plugins.appusage.MacOSApplicationUsageEventData[source]

Bases: plaso.containers.events.EventData

MacOS application usage event data.

application

name of the application.

Type

str

app_version

version of the application.

Type

str

bundle_id

bundle identifier of the application.

Type

str

count

TODO: number of times what?

Type

int

DATA_TYPE = 'macosx:application_usage'

plaso.parsers.sqlite_plugins.chrome module

SQLite parser plugin for Google Chrome history database files.

class plaso.parsers.sqlite_plugins.chrome.BaseGoogleChromeHistoryPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Google Chrome history database files.

The Google Chrome history database file is typically stored in: Archived History History

Note that the Archived History database does not contain the downloads table.

ParseLastVisitedRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a last visited row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

  • cache (SQLiteCache) – cache which contains cached results from querying the visits and urls tables.

  • database (Optional[SQLiteDatabase]) – database.

class plaso.parsers.sqlite_plugins.chrome.ChromeHistoryFileDownloadedEventData[source]

Bases: plaso.containers.events.EventData

Chrome History file downloaded event data.

full_path

full path where the file was downloaded to.

Type

str

received_bytes

number of bytes received while downloading.

Type

int

total_bytes

total number of bytes to download.

Type

int

url

URL of the downloaded file.

Type

str

DATA_TYPE = 'chrome:history:file_downloaded'
class plaso.parsers.sqlite_plugins.chrome.ChromeHistoryPageVisitedEventData[source]

Bases: plaso.containers.events.EventData

Chrome History page visited event data.

from_visit

URL where the visit originated from.

Type

str

page_transition_type

type of transitions between pages.

Type

int

title

title of the visited page.

Type

str

typed_count

number of characters of the URL that were typed.

Type

int

url

URL of the visited page.

Type

str

url_hidden

True if the URL is hidden.

Type

bool

visit_source

source of the page visit.

Type

int

DATA_TYPE = 'chrome:history:page_visited'
class plaso.parsers.sqlite_plugins.chrome.GoogleChrome27HistoryPlugin[source]

Bases: plaso.parsers.sqlite_plugins.chrome.BaseGoogleChromeHistoryPlugin

SQLite parser plugin for Google Chrome 27+ history database files.

DATA_FORMAT = 'Google Chrome 27 and later history SQLite database file'
NAME = 'chrome_27_history'
ParseFileDownloadedRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a file downloaded row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT urls.id, urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition, visits.id AS visit_id FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time', 'ParseLastVisitedRow'), ('SELECT downloads.id AS id, downloads.start_time,downloads.target_path, downloads_url_chains.url, downloads.received_bytes, downloads.total_bytes FROM downloads, downloads_url_chains WHERE downloads.id = downloads_url_chains.id', 'ParseFileDownloadedRow')]
REQUIRED_STRUCTURE = {'downloads': frozenset({'id', 'received_bytes', 'start_time', 'target_path', 'total_bytes'}), 'downloads_url_chains': frozenset({'id', 'url'}), 'urls': frozenset({'hidden', 'id', 'last_visit_time', 'title', 'typed_count', 'url', 'visit_count'}), 'visits': frozenset({'from_visit', 'id', 'transition', 'visit_time'})}
SCHEMAS = [{'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,last_access_time INTEGER NOT NULL,transient INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': "CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, guid VARCHAR NOT NULL DEFAULT '', hash BLOB NOT NULL DEFAULT X'', http_method VARCHAR NOT NULL DEFAULT '', tab_url VARCHAR NOT NULL DEFAULT '', tab_referrer_url VARCHAR NOT NULL DEFAULT '', site_url VARCHAR NOT NULL DEFAULT '', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)", 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL, mime_type VARCHAR(255) NOT NULL DEFAULT "", original_mime_type VARCHAR(255) NOT NULL DEFAULT "", guid VARCHAR NOT NULL DEFAULT \'\', hash BLOB NOT NULL DEFAULT X\'\', http_method VARCHAR NOT NULL DEFAULT \'\', tab_url VARCHAR NOT NULL DEFAULT \'\', tab_referrer_url VARCHAR NOT NULL DEFAULT \'\', site_url VARCHAR NOT NULL DEFAULT \'\', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': "CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, guid VARCHAR NOT NULL DEFAULT '', hash BLOB NOT NULL DEFAULT X'', http_method VARCHAR NOT NULL DEFAULT '', tab_url VARCHAR NOT NULL DEFAULT '', tab_referrer_url VARCHAR NOT NULL DEFAULT '', site_url VARCHAR NOT NULL DEFAULT '', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)", 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,last_access_time INTEGER NOT NULL,transient INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}]
class plaso.parsers.sqlite_plugins.chrome.GoogleChrome8HistoryPlugin[source]

Bases: plaso.parsers.sqlite_plugins.chrome.BaseGoogleChromeHistoryPlugin

SQLite parser plugin for Google Chrome 8 - 25 history database files.

DATA_FORMAT = 'Google Chrome 8 - 25 history SQLite database file'
NAME = 'chrome_8_history'
ParseFileDownloadedRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a file downloaded row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT urls.id, urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition, visits.id AS visit_id FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time', 'ParseLastVisitedRow'), ('SELECT id, full_path, url, start_time, received_bytes, total_bytes FROM downloads', 'ParseFileDownloadedRow')]
REQUIRED_STRUCTURE = {'downloads': frozenset({'full_path', 'id', 'received_bytes', 'start_time', 'total_bytes', 'url'}), 'urls': frozenset({'hidden', 'id', 'last_visit_time', 'title', 'typed_count', 'url', 'visit_count'}), 'visits': frozenset({'from_visit', 'id', 'transition', 'visit_time'})}
SCHEMAS = [{'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN,visit_duration INTEGER DEFAULT 0 NOT NULL)'}]

plaso.parsers.sqlite_plugins.chrome_autofill module

SQLite parser plugin for Google Chrome autofill database (Web Data) files.

class plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillEventData[source]

Bases: plaso.containers.events.EventData

Chrome Autofill event data.

field_name

name of form field.

Type

str

value

value populated in form field.

Type

str

usage_count

count of times value has been used in field_name.

Type

int

DATA_TYPE = 'chrome:autofill:entry'
class plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Google Chrome autofill database (Web Data) files.

The Google Chrome autofill database (Web Data) file is typically stored in: Web Data

DATA_FORMAT = 'Google Chrome autofill SQLite database (Web Data) file'
NAME = 'chrome_autofill'
ParseAutofillRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an autofill entry row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT autofill.date_created, autofill.date_last_used, autofill.name, autofill.value, autofill.count FROM autofill ORDER BY date_created', 'ParseAutofillRow')]
REQUIRED_STRUCTURE = {'autofill': frozenset({'count', 'date_created', 'date_last_used', 'name', 'value'})}
SCHEMAS = [{'autofill': 'CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower VARCHAR, date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0, count INTEGER DEFAULT 1, PRIMARY KEY (name, value));)'}]

plaso.parsers.sqlite_plugins.chrome_cookies module

SQLite parser plugin for Google Chrome cookies database files.

class plaso.parsers.sqlite_plugins.chrome_cookies.BaseChromeCookiePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Google Chrome cookies database files.

GA_UTMZ_TRANSLATION = {'utmccn': 'Ad campaign information.', 'utmcct': 'Path to the page of referring link.', 'utmcmd': 'Last type of visit.', 'utmcsr': 'Last source used to access.', 'utmctr': 'Keywords used to find site.'}
ParseCookieRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a cookie row.

Parameters
  • parser_mediator (ParserMediator) – parser mediator.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from the query.

URLS = ['http://src.chromium.org/svn/trunk/src/net/cookies/', 'http://www.dfinews.com/articles/2012/02/google-analytics-cookies-and-forensic-implications']
class plaso.parsers.sqlite_plugins.chrome_cookies.Chrome17CookiePlugin[source]

Bases: plaso.parsers.sqlite_plugins.chrome_cookies.BaseChromeCookiePlugin

SQLite parser plugin for Google Chrome 17 - 65 cookies database files.

DATA_FORMAT = 'Google Chrome 17 - 65 cookies SQLite database file'
NAME = 'chrome_17_cookies'
QUERIES = [('SELECT creation_utc, host_key, name, value, path, expires_utc, secure, httponly, last_access_utc, has_expires, persistent FROM cookies', 'ParseCookieRow')]
REQUIRED_STRUCTURE = {'cookies': frozenset({'creation_utc', 'expires_utc', 'has_expires', 'host_key', 'httponly', 'last_access_utc', 'name', 'path', 'persistent', 'secure', 'value'}), 'meta': frozenset({})}
SCHEMAS = [{'cookies': 'CREATE TABLE cookies (creation_utc INTEGER NOT NULL UNIQUE PRIMARY KEY, host_key TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL, path TEXT NOT NULL, expires_utc INTEGER NOT NULL, secure INTEGER NOT NULL, httponly INTEGER NOT NULL, last_access_utc INTEGER NOT NULL, has_expires INTEGER DEFAULT 1, persistent INTEGER DEFAULT 1)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)'}]
class plaso.parsers.sqlite_plugins.chrome_cookies.Chrome66CookiePlugin[source]

Bases: plaso.parsers.sqlite_plugins.chrome_cookies.BaseChromeCookiePlugin

SQLite parser plugin for Google Chrome 66+ cookies database files.

DATA_FORMAT = 'Google Chrome 66 and later cookies SQLite database file'
NAME = 'chrome_66_cookies'
QUERIES = [('SELECT creation_utc, host_key, name, value, path, expires_utc, is_secure AS secure, is_httponly AS httponly, last_access_utc, has_expires, is_persistent AS persistent FROM cookies', 'ParseCookieRow')]
REQUIRED_STRUCTURE = {'cookies': frozenset({'creation_utc', 'expires_utc', 'has_expires', 'host_key', 'is_httponly', 'is_persistent', 'is_secure', 'last_access_utc', 'name', 'path', 'value'}), 'meta': frozenset({})}
SCHEMAS = [{'cookies': "CREATE TABLE cookies (creation_utc INTEGER NOT NULL, host_key TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL, path TEXT NOT NULL, expires_utc INTEGER NOT NULL, is_secure INTEGER NOT NULL, is_httponly INTEGER NOT NULL, last_access_utc INTEGER NOT NULL, has_expires INTEGER NOT NULL DEFAULT 1, is_persistent INTEGER NOT NULL DEFAULT 1, priority INTEGER NOT NULL DEFAULT 1, encrypted_value BLOB DEFAULT '', firstpartyonly INTEGER NOT NULL DEFAULT 0, UNIQUE (host_key, name, path))", 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)'}]
class plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData[source]

Bases: plaso.containers.events.EventData

Chrome Cookie event data.

cookie_name

name of the cookie.

Type

str

host

hostname of host that set the cookie value.

Type

str

httponly

True if the cookie cannot be accessed through client side script.

Type

bool

path

path where the cookie got set.

Type

str

persistent

True if the cookie is persistent.

Type

bool

secure

True if the cookie should only be transmitted over a secure channel.

Type

bool

url

URL or path where the cookie got set.

Type

str

data

value of the cookie.

Type

str

DATA_TYPE = 'chrome:cookie:entry'

plaso.parsers.sqlite_plugins.chrome_extension_activity module

SQLite parser plugin for Google Chrome extension activity database files.

class plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData[source]

Bases: plaso.containers.events.EventData

Chrome Extension Activity event data.

action_type

action type.

Type

str

activity_id

activity identifier.

Type

str

api_name

name of API.

Type

str

arg_url

URL argument.

Type

str

args

arguments.

Type

str

extension_id

extension identifier.

Type

str

other

other.

Type

str

page_title

title of webpage.

Type

str

page_url

URL of webpage.

Type

str

DATA_TYPE = 'chrome:extension_activity:activity_log'
class plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Google Chrome extension activity database files.

The Google Chrome extension activity database file is typically stored in: Extension Activity

DATA_FORMAT = 'Google Chrome extension activity SQLite database file'
NAME = 'chrome_extension_activity'
ParseActivityLogUncompressedRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an activity log row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT time, extension_id, action_type, api_name, args, page_url, page_title, arg_url, other, activity_id FROM activitylog_uncompressed ORDER BY time', 'ParseActivityLogUncompressedRow')]
REQUIRED_STRUCTURE = {'activitylog_compressed': frozenset({'action_type', 'activity_id', 'api_name', 'arg_url', 'args', 'extension_id', 'other', 'page_title', 'page_url', 'time'})}
SCHEMAS = [{'activitylog_compressed': 'CREATE TABLE activitylog_compressed (count INTEGER NOT NULL DEFAULT 1, extension_id_x INTEGER NOT NULL, time INTEGER, action_type INTEGER, api_name_x INTEGER, args_x INTEGER, page_url_x INTEGER, page_title_x INTEGER, arg_url_x INTEGER, other_x INTEGER)', 'string_ids': 'CREATE TABLE string_ids (id INTEGER PRIMARY KEY, value TEXT NOT NULL)', 'url_ids': 'CREATE TABLE url_ids (id INTEGER PRIMARY KEY, value TEXT NOT NULL)'}]

plaso.parsers.sqlite_plugins.firefox module

SQLite parser plugin for Mozilla Firefox history database files.

class plaso.parsers.sqlite_plugins.firefox.FirefoxDownloadEventData[source]

Bases: plaso.containers.events.EventData

Firefox download event data.

full_path

full path of the target of the download.

Type

str

mime_type

mime type of the download.

Type

str

name

name of the download.

Type

str

received_bytes

number of bytes received.

Type

int

referrer

referrer URL of the download.

Type

str

temporary_location

temporary location of the download.

Type

str

total_bytes

total number of bytes of the download.

Type

int

url

source URL of the download.

Type

str

DATA_TYPE = 'firefox:downloads:download'
class plaso.parsers.sqlite_plugins.firefox.FirefoxDownloadsPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Mozilla Firefox downloads database files.

The Mozilla Firefox downloads database file is typically stored in: downloads.sqlite

DATA_FORMAT = 'Mozilla Firefox downloads SQLite database (downloads.sqlite) file'
NAME = 'firefox_downloads'
ParseDownloadsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a downloads row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT moz_downloads.id, moz_downloads.name, moz_downloads.source, moz_downloads.target, moz_downloads.tempPath, moz_downloads.startTime, moz_downloads.endTime, moz_downloads.state, moz_downloads.referrer, moz_downloads.currBytes, moz_downloads.maxBytes, moz_downloads.mimeType FROM moz_downloads', 'ParseDownloadsRow')]
REQUIRED_STRUCTURE = {'moz_downloads': frozenset({'currBytes', 'endTime', 'id', 'maxBytes', 'mimeType', 'name', 'referrer', 'source', 'startTime', 'state', 'target', 'tempPath'})}
SCHEMAS = [{'moz_downloads': 'CREATE TABLE moz_downloads (id INTEGER PRIMARY KEY, name TEXT, source TEXT, target TEXT, tempPath TEXT, startTime INTEGER, endTime INTEGER, state INTEGER, referrer TEXT, entityID TEXT, currBytes INTEGER NOT NULL DEFAULT 0, maxBytes INTEGER NOT NULL DEFAULT -1, mimeType TEXT, preferredApplication TEXT, preferredAction INTEGER NOT NULL DEFAULT 0, autoResume INTEGER NOT NULL DEFAULT 0)'}]
class plaso.parsers.sqlite_plugins.firefox.FirefoxHistoryPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Mozilla Firefox history database files.

The Mozilla Firefox history database file is typically stored in: places.sqlite

DATA_FORMAT = 'Mozilla Firefox history SQLite database (places.sqlite) file'
NAME = 'firefox_history'
ParseBookmarkAnnotationRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a bookmark annotation row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

ParseBookmarkFolderRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a bookmark folder row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

ParseBookmarkRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a bookmark row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

ParsePageVisitedRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a page visited row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

  • cache (Optional[SQLiteCache]) – cache.

  • database (Optional[SQLiteDatabase]) – database.

QUERIES = [('SELECT moz_historyvisits.id, moz_places.url, moz_places.title, moz_places.visit_count, moz_historyvisits.visit_date, moz_historyvisits.from_visit, moz_places.rev_host, moz_places.hidden, moz_places.typed, moz_historyvisits.visit_type FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id', 'ParsePageVisitedRow'), ('SELECT moz_bookmarks.type, moz_bookmarks.title AS bookmark_title, moz_bookmarks.dateAdded, moz_bookmarks.lastModified, moz_places.url, moz_places.title AS places_title, moz_places.rev_host, moz_places.visit_count, moz_bookmarks.id FROM moz_places, moz_bookmarks WHERE moz_bookmarks.fk = moz_places.id AND moz_bookmarks.type <> 3', 'ParseBookmarkRow'), ('SELECT moz_items_annos.content, moz_items_annos.dateAdded, moz_items_annos.lastModified, moz_bookmarks.title, moz_places.url, moz_places.rev_host, moz_items_annos.id FROM moz_items_annos, moz_bookmarks, moz_places WHERE moz_items_annos.item_id = moz_bookmarks.id AND moz_bookmarks.fk = moz_places.id', 'ParseBookmarkAnnotationRow'), ('SELECT moz_bookmarks.id, moz_bookmarks.title,moz_bookmarks.dateAdded, moz_bookmarks.lastModified FROM moz_bookmarks WHERE moz_bookmarks.type = 2', 'ParseBookmarkFolderRow')]
REQUIRED_STRUCTURE = {'moz_bookmarks': frozenset({'dateAdded', 'fk', 'id', 'lastModified', 'title', 'type'}), 'moz_historyvisits': frozenset({'from_visit', 'id', 'place_id', 'visit_date', 'visit_type'}), 'moz_items_annos': frozenset({'content', 'dateAdded', 'id', 'item_id', 'lastModified'}), 'moz_places': frozenset({'hidden', 'id', 'rev_host', 'title', 'typed', 'url', 'visit_count'})}
SCHEMAS = [{'moz_anno_attributes': 'CREATE TABLE moz_anno_attributes ( id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE NOT NULL)', 'moz_annos': 'CREATE TABLE moz_annos ( id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_bookmarks': 'CREATE TABLE moz_bookmarks ( id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER DEFAULT NULL, parent INTEGER, position INTEGER, title LONGVARCHAR, keyword_id INTEGER, folder_type TEXT, dateAdded INTEGER, lastModified INTEGER)', 'moz_bookmarks_roots': 'CREATE TABLE moz_bookmarks_roots ( root_name VARCHAR(16) UNIQUE, folder_id INTEGER)', 'moz_favicons': 'CREATE TABLE moz_favicons ( id INTEGER PRIMARY KEY, url LONGVARCHAR UNIQUE, data BLOB, mime_type VARCHAR(32), expiration LONG)', 'moz_historyvisits': 'CREATE TABLE moz_historyvisits ( id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER)', 'moz_inputhistory': 'CREATE TABLE moz_inputhistory ( place_id INTEGER NOT NULL, input LONGVARCHAR NOT NULL, use_count INTEGER, PRIMARY KEY (place_id, input))', 'moz_items_annos': 'CREATE TABLE moz_items_annos ( id INTEGER PRIMARY KEY, item_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_keywords': 'CREATE TABLE moz_keywords ( id INTEGER PRIMARY KEY AUTOINCREMENT, keyword TEXT UNIQUE)', 'moz_places': 'CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER )'}, {'moz_anno_attributes': 'CREATE TABLE moz_anno_attributes ( id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE NOT NULL)', 'moz_annos': 'CREATE TABLE moz_annos ( id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_bookmarks': 'CREATE TABLE moz_bookmarks ( id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER DEFAULT NULL, parent INTEGER, position INTEGER, title LONGVARCHAR, keyword_id INTEGER, folder_type TEXT, dateAdded INTEGER, lastModified INTEGER, guid TEXT)', 'moz_bookmarks_roots': 'CREATE TABLE moz_bookmarks_roots ( root_name VARCHAR(16) UNIQUE, folder_id INTEGER)', 'moz_favicons': 'CREATE TABLE moz_favicons ( id INTEGER PRIMARY KEY, url LONGVARCHAR UNIQUE, data BLOB, mime_type VARCHAR(32), expiration LONG, guid TEXT)', 'moz_historyvisits': 'CREATE TABLE moz_historyvisits ( id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER)', 'moz_hosts': 'CREATE TABLE moz_hosts ( id INTEGER PRIMARY KEY, host TEXT NOT NULL UNIQUE, frecency INTEGER, typed INTEGER NOT NULL DEFAULT 0, prefix TEXT)', 'moz_inputhistory': 'CREATE TABLE moz_inputhistory ( place_id INTEGER NOT NULL, input LONGVARCHAR NOT NULL, use_count INTEGER, PRIMARY KEY (place_id, input))', 'moz_items_annos': 'CREATE TABLE moz_items_annos ( id INTEGER PRIMARY KEY, item_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_keywords': 'CREATE TABLE moz_keywords ( id INTEGER PRIMARY KEY AUTOINCREMENT, keyword TEXT UNIQUE)', 'moz_places': 'CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER , guid TEXT)', 'sqlite_stat1': 'CREATE TABLE sqlite_stat1(tbl, idx, stat)'}]
URL_CACHE_QUERY = 'SELECT h.id AS id, p.url, p.rev_host FROM moz_places p, moz_historyvisits h WHERE p.id = h.place_id'
class plaso.parsers.sqlite_plugins.firefox.FirefoxPlacesBookmarkAnnotationEventData[source]

Bases: plaso.containers.events.EventData

Firefox bookmark annotation event data.

content

annotation content.

Type

str

title

title of the bookmark folder.

Type

str

url

bookmarked URL.

Type

str

DATA_TYPE = 'firefox:places:bookmark_annotation'
class plaso.parsers.sqlite_plugins.firefox.FirefoxPlacesBookmarkEventData[source]

Bases: plaso.containers.events.EventData

Firefox bookmark event data.

host

visited hostname.

Type

str

places_title

places title.

Type

str

title

title of the bookmark folder.

Type

str

type

bookmark type.

Type

int

url

bookmarked URL.

Type

str

visit_count

visit count.

Type

int

DATA_TYPE = 'firefox:places:bookmark'
class plaso.parsers.sqlite_plugins.firefox.FirefoxPlacesBookmarkFolderEventData[source]

Bases: plaso.containers.events.EventData

Firefox bookmark folder event data.

title

title of the bookmark folder.

Type

str

DATA_TYPE = 'firefox:places:bookmark_folder'
class plaso.parsers.sqlite_plugins.firefox.FirefoxPlacesPageVisitedEventData[source]

Bases: plaso.containers.events.EventData

Firefox page visited event data.

extra

extra event data.

Type

list[object]

host

visited hostname.

Type

str

title

title of the visited page.

Type

str

url

URL of the visited page.

Type

str

visit_count

visit count.

Type

int

visit_type

transition type for the event.

Type

str

DATA_TYPE = 'firefox:places:page_visited'

plaso.parsers.sqlite_plugins.firefox_cookies module

SQLite parser plugin for Mozilla Firefox cookies database files.

class plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData[source]

Bases: plaso.containers.events.EventData

Firefox Cookie event data.

cookie_name

name field of the cookie.

Type

str

data

cookie data.

Type

str

httponly

True if the cookie cannot be accessed through client side script.

Type

bool

host

hostname of host that set the cookie value.

Type

str

path

URI of the page that set the cookie.

Type

str

secure

True if the cookie should only be transmitted over a secure channel.

Type

bool

DATA_TYPE = 'firefox:cookie:entry'
class plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Mozilla Firefox cookies database files.

DATA_FORMAT = 'Mozilla Firefox cookies SQLite database file'
NAME = 'firefox_cookies'
ParseCookieRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a cookie row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT id, baseDomain, name, value, host, path, expiry, lastAccessed, creationTime, isSecure, isHttpOnly FROM moz_cookies', 'ParseCookieRow')]
REQUIRED_STRUCTURE = {'moz_cookies': frozenset({'baseDomain', 'creationTime', 'expiry', 'host', 'id', 'isHttpOnly', 'isSecure', 'lastAccessed', 'name', 'path', 'value'})}
SCHEMAS = [{'moz_cookies': 'CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement))'}]
URLS = ['https://hg.mozilla.org/mozilla-central/file/349a2f003529/netwerk/cookie/nsCookie.h']

plaso.parsers.sqlite_plugins.gdrive module

SQLite parser plugin for Google Drive snapshot database files.

class plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Google Drive snapshot database files.

The Google Drive snapshot database file is typically stored in: snapshot.db

CLOUD_PATH_CACHE_QUERY = 'SELECT cloud_entry.filename, cloud_entry.resource_id, cloud_relations.parent_resource_id AS parent FROM cloud_entry, cloud_relations WHERE cloud_entry.doc_type = 0 AND cloud_entry.resource_id = cloud_relations.child_resource_id'
DATA_FORMAT = 'Google Drive snapshot SQLite database (snapshot.db) file'
GetCloudPath(resource_id, cache, database)[source]

Return cloud path given a resource id.

Parameters
  • resource_id (str) – resource identifier for the file.

  • cache (SQLiteCache) – cache.

  • database (SQLiteDatabase) – database.

Returns

full path to the resource value.

Return type

str

GetLocalPath(inode, cache, database)[source]

Return local path for a given inode.

Parameters
Returns

full path, including the filename of the given inode value.

Return type

str

LOCAL_PATH_CACHE_QUERY = 'SELECT local_relations.child_inode_number, local_relations.parent_inode_number, local_entry.filename FROM local_relations, local_entry WHERE local_relations.child_inode_number = local_entry.inode_number'
NAME = 'google_drive'
ParseCloudEntryRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a cloud entry row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

  • cache (SQLiteCache) – cache.

  • database (SQLiteDatabase) – database.

ParseLocalEntryRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a local entry row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

  • cache (Optional[SQLiteCache]) – cache.

  • database (Optional[SQLiteDatabase]) – database.

QUERIES = [('SELECT cloud_entry.resource_id, cloud_entry.filename, cloud_entry.modified, cloud_entry.created, cloud_entry.size, cloud_entry.doc_type, cloud_entry.shared, cloud_entry.checksum, cloud_entry.url, cloud_relations.parent_resource_id FROM cloud_entry, cloud_relations WHERE cloud_relations.child_resource_id = cloud_entry.resource_id AND cloud_entry.modified IS NOT NULL;', 'ParseCloudEntryRow'), ('SELECT inode_number, filename, modified, checksum, size FROM local_entry WHERE modified IS NOT NULL;', 'ParseLocalEntryRow')]
REQUIRED_STRUCTURE = {'cloud_entry': frozenset({'checksum', 'created', 'doc_type', 'filename', 'modified', 'resource_id', 'shared', 'size', 'url'}), 'cloud_relations': frozenset({'child_resource_id', 'parent', 'parent_resource_id'}), 'local_entry': frozenset({'checksum', 'filename', 'inode_number', 'modified', 'size'}), 'local_relations': frozenset({'child_inode_number', 'parent_inode_number'})}
SCHEMAS = [{'cloud_entry': 'CREATE TABLE cloud_entry (resource_id TEXT, filename TEXT, modified INTEGER, created INTEGER, acl_role INTEGER, doc_type INTEGER, removed INTEGER, url TEXT, size INTEGER, checksum TEXT, shared INTEGER, PRIMARY KEY (resource_id))', 'cloud_relations': 'CREATE TABLE cloud_relations (child_resource_id TEXT, parent_resource_id TEXT, UNIQUE (child_resource_id, parent_resource_id), FOREIGN KEY (child_resource_id) REFERENCES cloud_entry(resource_id), FOREIGN KEY (parent_resource_id) REFERENCES cloud_entry(resource_id))', 'local_entry': 'CREATE TABLE local_entry (inode_number INTEGER, filename TEXT, modified INTEGER, checksum TEXT, size INTEGER, PRIMARY KEY (inode_number))', 'local_relations': 'CREATE TABLE local_relations (child_inode_number INTEGER, parent_inode_number INTEGER, UNIQUE (child_inode_number), FOREIGN KEY (parent_inode_number) REFERENCES local_entry(inode_number), FOREIGN KEY (child_inode_number) REFERENCES local_entry(inode_number))', 'mapping': 'CREATE TABLE mapping (inode_number INTEGER, resource_id TEXT, UNIQUE (inode_number), FOREIGN KEY (inode_number) REFERENCES local_entry(inode_number), FOREIGN KEY (resource_id) REFERENCES cloud_entry(resource_id))', 'overlay_status': 'CREATE TABLE overlay_status (path TEXT, overlay_status INTEGER, PRIMARY KEY (path))'}]
class plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData[source]

Bases: plaso.containers.events.EventData

Google Drive snapshot cloud entry event data.

doc_type

document type.

Type

int

path

path of the file.

Type

str

shared

True if the file is shared, False if the file is private.

Type

bool

size

size of the file.

Type

int

url

URL of the file.

Type

str

DATA_TYPE = 'gdrive:snapshot:cloud_entry'
class plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotLocalEntryEventData[source]

Bases: plaso.containers.events.EventData

Google Drive snapshot local entry event data.

path

path of the file.

Type

str

size

size of the file.

Type

int

DATA_TYPE = 'gdrive:snapshot:local_entry'

plaso.parsers.sqlite_plugins.hangouts_messages module

SQLite parser plugin for Google Hangouts conversations database files.

class plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessageData[source]

Bases: plaso.containers.events.EventData

GoogleHangouts Message event data.

sender

Name with the sender.

Type

str

body

content of the SMS text message.

Type

str

message_status

message status.

Type

int

message_type

message type.

Type

int

DATA_TYPE = 'android:messaging:hangouts'
class plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessagePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Google Hangouts conversations database files.

The Google Hangouts conversations database file is typically stored in: /data/com.google.android.talk/databases/babel.db

This SQLite database is the conversation database for conversations, participant names, messages, and information about the Google Hangout event. There can be multiple babel.db databases, and each database name will be followed by an integer starting with 0, for example: “babel0.db,babel1.db,babel3.db”.

DATA_FORMAT = 'Google Hangouts conversations SQLite database (babel.db) file'
NAME = 'hangouts_messages'
ParseMessagesRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an Messages row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT messages._id, participants.full_name, text, messages.timestamp,status, type FROM messages INNER JOIN participants ON messages.author_chat_id=participants.chat_id;', 'ParseMessagesRow')]
REQUIRED_STRUCTURE = {'blocked_people': frozenset({}), 'messages': frozenset({'_id', 'author_chat_id', 'status', 'text', 'timestamp', 'type'}), 'participants': frozenset({'chat_id', 'full_name'})}
SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'blocked_people': 'CREATE TABLE blocked_people (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, profile_photo_url TEXT, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'conversation_participants': 'CREATE TABLE conversation_participants (_id INTEGER PRIMARY KEY, participant_row_id INT, participant_type INT, conversation_id TEXT, sequence INT, active INT, invitation_status INT DEFAULT(0), UNIQUE (conversation_id,participant_row_id) ON CONFLICT REPLACE, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, FOREIGN KEY (participant_row_id) REFERENCES participants(_id))', 'conversations': 'CREATE TABLE conversations (_id INTEGER PRIMARY KEY, conversation_id TEXT, conversation_type INT, latest_message_timestamp INT DEFAULT(0), latest_message_expiration_timestamp INT, metadata_present INT,notification_level INT, name TEXT, generated_name TEXT, snippet_type INT, snippet_text TEXT, snippet_image_url TEXT, snippet_author_gaia_id TEXT, snippet_author_chat_id TEXT, snippet_message_row_id INT, snippet_selector INT, snippet_status INT, snippet_new_conversation_name TEXT, snippet_participant_keys TEXT, snippet_sms_type TEXT, previous_latest_timestamp INT, status INT, view INT, inviter_gaia_id TEXT, inviter_chat_id TEXT, inviter_affinity INT, is_pending_leave INT, account_id INT, is_otr INT, packed_avatar_urls TEXT, self_avatar_url TEXT, self_watermark INT DEFAULT(0), chat_watermark INT DEFAULT(0), hangout_watermark INT DEFAULT(0), is_draft INT, sequence_number INT, call_media_type INT DEFAULT(0), has_joined_hangout INT, has_chat_notifications DEFAULT(0),has_video_notifications DEFAULT(0),last_hangout_event_time INT, draft TEXT, otr_status INT, otr_toggle INT, last_otr_modification_time INT, continuation_token BLOB, continuation_event_timestamp INT, has_oldest_message INT DEFAULT(0), sort_timestamp INT, first_peak_scroll_time INT, first_peak_scroll_to_message_timestamp INT, second_peak_scroll_time INT, second_peak_scroll_to_message_timestamp INT, conversation_hash BLOB, disposition INT DEFAULT(0), has_persistent_events INT DEFAULT(-1), transport_type INT DEFAULT(1), default_transport_phone TEXT, sms_service_center TEXT, is_temporary INT DEFAULT (0), sms_thread_id INT DEFAULT (-1), chat_ringtone_uri TEXT, hangout_ringtone_uri TEXT, snippet_voicemail_duration INT DEFAULT (0), share_count INT DEFAULT(0), has_unobserved TEXT, last_share_timestamp INT DEFAULT(0), gls_status INT DEFAULT(0), gls_link TEXT, is_guest INT DEFAULT(0), UNIQUE (conversation_id ))', 'dismissed_contacts': 'CREATE TABLE dismissed_contacts (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, profile_photo_url TEXT, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'event_suggestions': 'CREATE TABLE event_suggestions (_id INTEGER PRIMARY KEY, conversation_id TEXT, event_id TEXT, suggestion_id TEXT, timestamp INT, expiration_time_usec INT, type INT, gem_asset_url STRING, gem_horizontal_alignment INT, matched_message_substring TEXT, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, UNIQUE (conversation_id,suggestion_id) ON CONFLICT REPLACE)', 'merge_keys': 'CREATE TABLE merge_keys (_id INTEGER PRIMARY KEY, conversation_id TEXT, merge_key TEXT, UNIQUE (conversation_id) ON CONFLICT REPLACE, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE )', 'merged_contact_details': 'CREATE TABLE merged_contact_details (_id INTEGER PRIMARY KEY, merged_contact_id INT, lookup_data_type INT, lookup_data TEXT, lookup_data_standardized TEXT, lookup_data_search TEXT, lookup_data_label TEXT, needs_gaia_ids_resolved INT DEFAULT (1), is_hangouts_user INT DEFAULT (0), gaia_id TEXT, avatar_url TEXT, display_name TEXT, last_checked_ts INT DEFAULT (0), lookup_data_display TEXT, detail_affinity_score REAL DEFAULT (0.0), detail_logging_id TEXT, is_in_viewer_dasher_domain INT DEFAULT (0), FOREIGN KEY (merged_contact_id) REFERENCES merged_contacts(_id) ON DELETE CASCADE ON UPDATE CASCADE)', 'merged_contacts': 'CREATE TABLE merged_contacts (_id INTEGER PRIMARY KEY, contact_lookup_key TEXT, contact_id INT, raw_contact_id INT, display_name TEXT, avatar_url TEXT, is_frequent INT DEFAULT (0), is_favorite INT DEFAULT (0), contact_source INT DEFAULT(0), frequent_order INT, person_logging_id TEXT, person_affinity_score REAL DEFAULT (0.0), is_in_same_domain INT DEFAULT (0))', 'messages': 'CREATE TABLE messages (_id INTEGER PRIMARY KEY, message_id TEXT, message_type INT, conversation_id TEXT, author_chat_id TEXT, author_gaia_id TEXT, text TEXT, timestamp INT, delete_after_read_timetamp INT, status INT, type INT, local_url TEXT, remote_url TEXT, attachment_content_type TEXT, width_pixels INT, height_pixels INT, stream_id TEXT, image_id TEXT, album_id TEXT, latitude DOUBLE, longitude DOUBLE, address ADDRESS, notification_level INT, expiration_timestamp INT, notified_for_failure INT DEFAULT(0), off_the_record INT DEFAULT(0), transport_type INT NOT NULL DEFAULT(1), transport_phone TEXT, external_ids TEXT, sms_timestamp_sent INT DEFAULT(0), sms_priority INT DEFAULT(0), sms_message_size INT DEFAULT(0), mms_subject TEXT, sms_raw_sender TEXT, sms_raw_recipients TEXT, persisted INT DEFAULT(1), sms_message_status INT DEFAULT(-1), sms_type INT DEFAULT(-1), stream_url TEXT, attachment_target_url TEXT, attachment_name TEXT, image_rotation INT DEFAULT (0), new_conversation_name TEXT, participant_keys TEXT, forwarded_mms_url TEXT, forwarded_mms_count INT DEFAULT(0), attachment_description TEXT, attachment_target_url_description TEXT, attachment_target_url_name TEXT, attachment_blob_data BLOB,attachment_uploading_progress INT DEFAULT(0), sending_error INT DEFAULT(0), stream_expiration INT, voicemail_length INT DEFAULT (0), call_media_type INT DEFAULT(0), last_seen_timestamp INT DEFAULT(0), observed_status INT DEFAULT(2), receive_type INT DEFAULT(0), init_timestamp INT DEFAULT(0), in_app_msg_latency INT DEFAULT(0), notified INT DEFAULT(0), alert_in_conversation_list INT DEFAULT(0), attachments BLOB, is_user_mentioned INT DEFAULT(0), local_id TEXT, request_task_row_id INT DEFAULT(-1), FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, UNIQUE (conversation_id,message_id) ON CONFLICT REPLACE)', 'mms_notification_inds': 'CREATE TABLE mms_notification_inds (_id INTEGER PRIMARY KEY, content_location TEXT, transaction_id TEXT, from_address TEXT, message_size INT DEFAULT(0), expiry INT)', 'multipart_attachments': 'CREATE TABLE multipart_attachments (_id INTEGER PRIMARY KEY, message_id TEXT, conversation_id TEXT, url TEXT, content_type TEXT, width INT, height INT, FOREIGN KEY (message_id, conversation_id) REFERENCES messages(message_id, conversation_id) ON DELETE CASCADE ON UPDATE CASCADE)', 'participant_email_fts': 'CREATE VIRTUAL TABLE participant_email_fts USING fts4(content="merged_contact_details", gaia_id,lookup_data)', 'participant_email_fts_docsize': "CREATE TABLE 'participant_email_fts_docsize'(docid INTEGER PRIMARY KEY, size BLOB)", 'participant_email_fts_segdir': "CREATE TABLE 'participant_email_fts_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx))", 'participant_email_fts_segments': "CREATE TABLE 'participant_email_fts_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'participant_email_fts_stat': "CREATE TABLE 'participant_email_fts_stat'(id INTEGER PRIMARY KEY, value BLOB)", 'participants': "CREATE TABLE participants (_id INTEGER PRIMARY KEY, participant_type INT DEFAULT 1, gaia_id TEXT, chat_id TEXT, phone_id TEXT, circle_id TEXT, first_name TEXT, full_name TEXT, fallback_name TEXT, profile_photo_url TEXT, batch_gebi_tag STRING DEFAULT('-1'), blocked INT DEFAULT(0), in_users_domain BOOLEAN, UNIQUE (circle_id) ON CONFLICT REPLACE, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)", 'participants_fts': 'CREATE VIRTUAL TABLE participants_fts USING fts4(content="participants",gaia_id,full_name)', 'participants_fts_docsize': "CREATE TABLE 'participants_fts_docsize'(docid INTEGER PRIMARY KEY, size BLOB)", 'participants_fts_segdir': "CREATE TABLE 'participants_fts_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx))", 'participants_fts_segments': "CREATE TABLE 'participants_fts_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'participants_fts_stat': "CREATE TABLE 'participants_fts_stat'(id INTEGER PRIMARY KEY, value BLOB)", 'presence': 'CREATE TABLE presence (_id INTEGER PRIMARY KEY, gaia_id TEXT NOT NULL, reachable INT DEFAULT(0), reachable_time INT DEFAULT(0), available INT DEFAULT(0), available_time INT DEFAULT(0), status_message TEXT, status_message_time INT DEFAULT(0), call_type INT DEFAULT(0), call_type_time INT DEFAULT(0), device_status INT DEFAULT(0), device_status_time INT DEFAULT(0), last_seen INT DEFAULT(0), last_seen_time INT DEFAULT(0), location BLOB, location_time INT DEFAULT(0), UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'recent_calls': 'CREATE TABLE recent_calls (_id INTEGER PRIMARY KEY, normalized_number TEXT NOT NULL, phone_number TEXT, contact_id TEXT, call_timestamp INT, call_type INT, contact_type INT, call_rate TEXT, is_free_call BOOLEAN)', 'search': 'CREATE TABLE search (search_key TEXT NOT NULL,continuation_token TEXT,PRIMARY KEY (search_key))', 'sticker_albums': 'CREATE TABLE sticker_albums (album_id TEXT NOT NULL, title TEXT, cover_photo_id TEXT, last_used INT DEFAULT(0), PRIMARY KEY (album_id))', 'sticker_photos': 'CREATE TABLE sticker_photos (photo_id TEXT NOT NULL, album_id TEXT NOT NULL, url TEXT NOT NULL, file_name TEXT, last_used INT DEFAULT(0), PRIMARY KEY (photo_id), FOREIGN KEY (album_id) REFERENCES sticker_albums(album_id) ON DELETE CASCADE)', 'suggested_contacts': 'CREATE TABLE suggested_contacts (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, first_name TEXT, packed_circle_ids TEXT, profile_photo_url TEXT, sequence INT, suggestion_type INT, logging_id TEXT, affinity_score REAL DEFAULT (0.0), is_in_same_domain INT DEFAULT (0))'}]

plaso.parsers.sqlite_plugins.imessage module

SQLite parser plugin for MacOS and iOS iMessage database files.

class plaso.parsers.sqlite_plugins.imessage.IMessageEventData[source]

Bases: plaso.containers.events.EventData

iMessage and SMS event data.

attachment_location

location of the attachment.

Type

str

imessage_id

mobile number or email address the message was sent to or received from.

Type

str

message_type

value to indicate the message was sent (1) or received (0).

Type

int

read_receipt

True if the message read receipt was received.

Type

bool

service

service, which is either SMS or iMessage.

Type

str

text

content of the message.

Type

str

DATA_TYPE = 'imessage:event:chat'
class plaso.parsers.sqlite_plugins.imessage.IMessagePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for MacOS and iOS iMessage database files.

The iMessage database file is typically stored in: chat.db sms.db

DATA_FORMAT = 'MacOS and iOS iMessage database (chat.db, sms.db) file'
NAME = 'imessage'
ParseMessageRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a message row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT m.date, m.ROWID, h.id AS imessage_id, m.is_read AS read_receipt, m.is_from_me AS message_type, m.service, a.filename AS"attachment_location", m.text FROM message AS m JOIN handle AS h ON h.ROWID = m.handle_id LEFT OUTER JOIN message_attachment_join AS maj ON m.ROWID = maj.message_id LEFT OUTER JOIN attachment AS a ON maj.attachment_id = a.ROWID', 'ParseMessageRow')]
REQUIRED_STRUCTURE = {'attachment': frozenset({'ROWID', 'filename'}), 'handle': frozenset({'ROWID', 'id'}), 'message': frozenset({'ROWID', 'date', 'handle_id', 'is_from_me', 'is_read', 'service', 'text'}), 'message_attachment_join': frozenset({'attachment_id', 'message_id'})}
SCHEMAS = [{'_SqliteDatabaseProperties': 'CREATE TABLE _SqliteDatabaseProperties (key TEXT, value TEXT, UNIQUE(key))', 'attachment': 'CREATE TABLE attachment (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, guid TEXT UNIQUE NOT NULL, created_date INTEGER DEFAULT 0, start_date INTEGER DEFAULT 0, filename TEXT, uti TEXT, mime_type TEXT, transfer_state INTEGER DEFAULT 0, is_outgoing INTEGER DEFAULT 0, user_info BLOB, transfer_name TEXT, total_bytes INTEGER DEFAULT 0)', 'chat': 'CREATE TABLE chat (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, guid TEXT UNIQUE NOT NULL, style INTEGER, state INTEGER, account_id TEXT, properties BLOB, chat_identifier TEXT, service_name TEXT, room_name TEXT, account_login TEXT, is_archived INTEGER DEFAULT 0, last_addressed_handle TEXT, display_name TEXT, group_id TEXT, is_filtered INTEGER, successful_query INTEGER)', 'chat_handle_join': 'CREATE TABLE chat_handle_join (chat_id INTEGER REFERENCES chat (ROWID) ON DELETE CASCADE, handle_id INTEGER REFERENCES handle (ROWID) ON DELETE CASCADE, UNIQUE(chat_id, handle_id))', 'chat_message_join': 'CREATE TABLE chat_message_join (chat_id INTEGER REFERENCES chat (ROWID) ON DELETE CASCADE, message_id INTEGER REFERENCES message (ROWID) ON DELETE CASCADE, PRIMARY KEY (chat_id, message_id))', 'deleted_messages': 'CREATE TABLE deleted_messages (ROWID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, guid TEXT NOT NULL)', 'handle': 'CREATE TABLE handle (ROWID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, id TEXT NOT NULL, country TEXT, service TEXT NOT NULL, uncanonicalized_id TEXT, UNIQUE (id, service) )', 'message': 'CREATE TABLE message (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, guid TEXT UNIQUE NOT NULL, text TEXT, replace INTEGER DEFAULT 0, service_center TEXT, handle_id INTEGER DEFAULT 0, subject TEXT, country TEXT, attributedBody BLOB, version INTEGER DEFAULT 0, type INTEGER DEFAULT 0, service TEXT, account TEXT, account_guid TEXT, error INTEGER DEFAULT 0, date INTEGER, date_read INTEGER, date_delivered INTEGER, is_delivered INTEGER DEFAULT 0, is_finished INTEGER DEFAULT 0, is_emote INTEGER DEFAULT 0, is_from_me INTEGER DEFAULT 0, is_empty INTEGER DEFAULT 0, is_delayed INTEGER DEFAULT 0, is_auto_reply INTEGER DEFAULT 0, is_prepared INTEGER DEFAULT 0, is_read INTEGER DEFAULT 0, is_system_message INTEGER DEFAULT 0, is_sent INTEGER DEFAULT 0, has_dd_results INTEGER DEFAULT 0, is_service_message INTEGER DEFAULT 0, is_forward INTEGER DEFAULT 0, was_downgraded INTEGER DEFAULT 0, is_archive INTEGER DEFAULT 0, cache_has_attachments INTEGER DEFAULT 0, cache_roomnames TEXT, was_data_detected INTEGER DEFAULT 0, was_deduplicated INTEGER DEFAULT 0, is_audio_message INTEGER DEFAULT 0, is_played INTEGER DEFAULT 0, date_played INTEGER, item_type INTEGER DEFAULT 0, other_handle INTEGER DEFAULT 0, group_title TEXT, group_action_type INTEGER DEFAULT 0, share_status INTEGER DEFAULT 0, share_direction INTEGER DEFAULT 0, is_expirable INTEGER DEFAULT 0, expire_state INTEGER DEFAULT 0, message_action_type INTEGER DEFAULT 0, message_source INTEGER DEFAULT 0)', 'message_attachment_join': 'CREATE TABLE message_attachment_join (message_id INTEGER REFERENCES message (ROWID) ON DELETE CASCADE, attachment_id INTEGER REFERENCES attachment (ROWID) ON DELETE CASCADE, UNIQUE(message_id, attachment_id))'}]

plaso.parsers.sqlite_plugins.interface module

Interface for SQLite database file parser plugins.

class plaso.parsers.sqlite_plugins.interface.SQLitePlugin[source]

Bases: plaso.parsers.plugins.BasePlugin

SQLite parser plugin.

CheckSchema(database)[source]

Checks the schema of a database with that defined in the plugin.

Parameters

database (SQLiteDatabase) – database.

Returns

True if the schema of the database matches that defined by

the plugin, or False if the schemas do not match or no schema is defined by the plugin.

Return type

bool

DATA_FORMAT = 'SQLite database file'
NAME = 'sqlite_plugin'
Process(parser_mediator, cache=None, database=None, **unused_kwargs)[source]

Determine if this is the right plugin for this database.

This function takes a SQLiteDatabase object and compares the list of required tables against the available tables in the database. If all the tables defined in REQUIRED_TABLES are present in the database then this plugin is considered to be the correct plugin and the function will return back a generator that yields event objects.

Parameters
Raises

ValueError – If the database or cache value are missing.

QUERIES = []
REQUIRED_STRUCTURE = {}
REQUIRES_SCHEMA_MATCH = False
SCHEMAS = []

plaso.parsers.sqlite_plugins.kik_ios module

SQLite parser plugin for iOS Kik messenger database files.

class plaso.parsers.sqlite_plugins.kik_ios.KikIOSMessageEventData[source]

Bases: plaso.containers.events.EventData

Kik message event data.

body

content of the message.

Type

str

message_status

message status, such as: read, unread, not sent, delivered, etc.

Type

str

message_type

message type, either Sent or Received.

Type

str

username

unique username of the sender or receiver.

Type

str

DATA_TYPE = 'ios:kik:messaging'
class plaso.parsers.sqlite_plugins.kik_ios.KikIOSPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for iOS Kik messenger database files.

The OS Kik messenger database file is typically stored in: kik.sqlite

DATA_FORMAT = 'iOS Kik messenger SQLite database (kik.sqlite) file'
NAME = 'kik_messenger'
ParseMessageRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a message row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT a.Z_PK AS id, b.ZUSERNAME, b.ZDISPLAYNAME,a.ZRECEIVEDTIMESTAMP, a.ZSTATE, a.ZTYPE, a.ZBODY FROM ZKIKMESSAGE a JOIN ZKIKUSER b ON b.ZEXTRA = a.ZUSER', 'ParseMessageRow')]
REQUIRED_STRUCTURE = {'ZKIKMESSAGE': frozenset({'ZBODY', 'ZRECEIVEDTIMESTAMP', 'ZSTATE', 'ZTYPE', 'ZUSER', 'Z_PK'}), 'ZKIKUSER': frozenset({'ZDISPLAYNAME', 'ZEXTRA', 'ZUSERNAME'})}
SCHEMAS = [{'Z_3MESSAGES': 'CREATE TABLE Z_3MESSAGES ( Z_3CHAT INTEGER, Z_5MESSAGES INTEGER, PRIMARY KEY (Z_3CHAT, Z_5MESSAGES) )', 'Z_6ADMINSINVERSE': 'CREATE TABLE Z_6ADMINSINVERSE ( Z_6ADMINS INTEGER, Z_6ADMINSINVERSE INTEGER, PRIMARY KEY (Z_6ADMINS, Z_6ADMINSINVERSE) )', 'Z_6BANSINVERSE': 'CREATE TABLE Z_6BANSINVERSE ( Z_6BANS INTEGER, Z_6BANSINVERSE INTEGER, PRIMARY KEY (Z_6BANS, Z_6BANSINVERSE) )', 'Z_6MEMBERS': 'CREATE TABLE Z_6MEMBERS ( Z_6MEMBERSINVERSE INTEGER, Z_6MEMBERS INTEGER, PRIMARY KEY (Z_6MEMBERSINVERSE, Z_6MEMBERS) )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)', 'ZKIKATTACHMENT': 'CREATE TABLE ZKIKATTACHMENT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZRETRYCOUNT INTEGER, ZSTATE INTEGER, ZTYPE INTEGER, ZEXTRA INTEGER, ZMESSAGE INTEGER, ZLASTACCESSTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZCONTENT VARCHAR )', 'ZKIKATTACHMENTEXTRA': 'CREATE TABLE ZKIKATTACHMENTEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZATTACHMENT INTEGER, ZENCRYPTIONKEY BLOB )', 'ZKIKCHAT': 'CREATE TABLE ZKIKCHAT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZDRAFTMESSAGE INTEGER, ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZUSER INTEGER, ZDATEUPDATED TIMESTAMP )', 'ZKIKCHATEXTRA': 'CREATE TABLE ZKIKCHATEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCHAT INTEGER, ZLASTSEENMESSAGE INTEGER, ZMUTEDTIMESTAMP TIMESTAMP )', 'ZKIKMESSAGE': 'CREATE TABLE ZKIKMESSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZSTATE INTEGER, ZSYSTEMSTATE INTEGER, ZTYPE INTEGER, ZCHATEXTRA INTEGER, ZDRAFTMESSAGECHAT INTEGER, ZLASTMESSAGECHAT INTEGER, ZLASTMESSAGEUSER INTEGER, ZUSER INTEGER, ZRECEIVEDTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZBODY VARCHAR, ZSTANZAID VARCHAR, ZRENDERINSTRUCTIONSET BLOB )', 'ZKIKUSER': 'CREATE TABLE ZKIKUSER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZADDRESSBOOKID INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZPRESENCE INTEGER, ZTYPE INTEGER, ZCHATUSER INTEGER, ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZDISPLAYNAME VARCHAR, ZDISPLAYNAMEASCII VARCHAR, ZEMAIL VARCHAR, ZFIRSTNAME VARCHAR, ZGROUPTAG VARCHAR, ZJID VARCHAR, ZLASTNAME VARCHAR, ZPPTIMESTAMP VARCHAR, ZPPURL VARCHAR, ZSTATUS VARCHAR, ZUSERNAME VARCHAR, ZCONTENTLINKSPROTODATA BLOB )', 'ZKIKUSEREXTRA': 'CREATE TABLE ZKIKUSEREXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZLOCALFLAGS INTEGER, ZUSER INTEGER, ZPUBLICMESSAGINGKEY BLOB )'}]

plaso.parsers.sqlite_plugins.kodi module

SQLite parser plugin for Kodi videos database files.

class plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Kodi videos database files.

The Kodi videos database file is typically stored in: MyVideos.db

DATA_FORMAT = 'Kodi videos SQLite database (MyVideos.db) file'
NAME = 'kodi'
ParseVideoRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a Video row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT idFile, strFilename, playCount, lastPlayed FROM files', 'ParseVideoRow')]
REQUIRED_STRUCTURE = {'files': frozenset({'idFile', 'lastPlayed', 'playCount', 'strFilename'})}
SCHEMAS = [{'actor': 'CREATE TABLE actor ( actor_id INTEGER PRIMARY KEY, name TEXT, art_urls TEXT )', 'actor_link': 'CREATE TABLE actor_link(actor_id INTEGER, media_id INTEGER, media_type TEXT, role TEXT, cast_order INTEGER)', 'art': 'CREATE TABLE art(art_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, type TEXT, url TEXT)', 'bookmark': 'CREATE TABLE bookmark ( idBookmark integer primary key, idFile integer, timeInSeconds double, totalTimeInSeconds double, thumbNailImage text, player text, playerState text, type integer)', 'country': 'CREATE TABLE country ( country_id integer primary key, name TEXT)', 'country_link': 'CREATE TABLE country_link (country_id integer, media_id integer, media_type TEXT)', 'director_link': 'CREATE TABLE director_link(actor_id INTEGER, media_id INTEGER, media_type TEXT)', 'episode': 'CREATE TABLE episode ( idEpisode integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 varchar(24),c13 varchar(24),c14 text,c15 text,c16 text,c17 varchar(24),c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, idShow integer, userrating integer, idSeason integer)', 'files': 'CREATE TABLE files ( idFile integer primary key, idPath integer, strFilename text, playCount integer, lastPlayed text, dateAdded text)', 'genre': 'CREATE TABLE genre ( genre_id integer primary key, name TEXT)', 'genre_link': 'CREATE TABLE genre_link (genre_id integer, media_id integer, media_type TEXT)', 'movie': 'CREATE TABLE movie ( idMovie integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, idSet integer, userrating integer, premiered text)', 'movielinktvshow': 'CREATE TABLE movielinktvshow ( idMovie integer, IdShow integer)', 'musicvideo': 'CREATE TABLE musicvideo ( idMVideo integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, userrating integer, premiered text)', 'path': 'CREATE TABLE path ( idPath integer primary key, strPath text, strContent text, strScraper text, strHash text, scanRecursive integer, useFolderNames bool, strSettings text, noUpdate bool, exclude bool, dateAdded text, idParentPath integer)', 'rating': 'CREATE TABLE rating (rating_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, rating_type TEXT, rating FLOAT, votes INTEGER)', 'seasons': 'CREATE TABLE seasons ( idSeason integer primary key, idShow integer, season integer, name text, userrating integer)', 'sets': 'CREATE TABLE sets ( idSet integer primary key, strSet text, strOverview text)', 'settings': 'CREATE TABLE settings ( idFile integer, Deinterlace bool,ViewMode integer,ZoomAmount float, PixelRatio float, VerticalShift float, AudioStream integer, SubtitleStream integer,SubtitleDelay float, SubtitlesOn bool, Brightness float, Contrast float, Gamma float,VolumeAmplification float, AudioDelay float, OutputToAllSpeakers bool, ResumeTime integer,Sharpness float, NoiseReduction float, NonLinStretch bool, PostProcess bool,ScalingMethod integer, DeinterlaceMode integer, StereoMode integer, StereoInvert bool, VideoStream integer)', 'stacktimes': 'CREATE TABLE stacktimes (idFile integer, times text)', 'streamdetails': 'CREATE TABLE streamdetails (idFile integer, iStreamType integer, strVideoCodec text, fVideoAspect float, iVideoWidth integer, iVideoHeight integer, strAudioCodec text, iAudioChannels integer, strAudioLanguage text, strSubtitleLanguage text, iVideoDuration integer, strStereoMode text, strVideoLanguage text)', 'studio': 'CREATE TABLE studio ( studio_id integer primary key, name TEXT)', 'studio_link': 'CREATE TABLE studio_link (studio_id integer, media_id integer, media_type TEXT)', 'tag': 'CREATE TABLE tag (tag_id integer primary key, name TEXT)', 'tag_link': 'CREATE TABLE tag_link (tag_id integer, media_id integer, media_type TEXT)', 'tvshow': 'CREATE TABLE tvshow ( idShow integer primary key,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, userrating integer, duration INTEGER)', 'tvshowlinkpath': 'CREATE TABLE tvshowlinkpath (idShow integer, idPath integer)', 'uniqueid': 'CREATE TABLE uniqueid (uniqueid_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, value TEXT, type TEXT)', 'version': 'CREATE TABLE version (idVersion integer, iCompressCount integer)', 'writer_link': 'CREATE TABLE writer_link(actor_id INTEGER, media_id INTEGER, media_type TEXT)'}]
class plaso.parsers.sqlite_plugins.kodi.KodiVideoEventData[source]

Bases: plaso.containers.events.EventData

Kodi video event data.

filename

video filename.

Type

str

play_count

number of times the video has been played.

Type

int

DATA_TYPE = 'kodi:videos:viewing'

plaso.parsers.sqlite_plugins.ls_quarantine module

SQLite parser plugin for MacOS LS quarantine events database files.

class plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantineEventData[source]

Bases: plaso.containers.events.EventData

MacOS launch services quarantine event data.

data

data.

Type

bytes

url

original URL of the file.

Type

str

user_agent

user agent that was used to download the file.

Type

str

DATA_TYPE = 'macosx:lsquarantine'
class plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantinePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for MacOS LS quarantine events database files.

The MacOS launch services (LS) quarantine database file is typically stored in: /Users/<username>/Library/Preferences/

QuarantineEvents.com.apple.LaunchServices

DATA_FORMAT = 'MacOS launch services quarantine events database SQLite database file'
NAME = 'ls_quarantine'
ParseLSQuarantineRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a launch services quarantine event row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT LSQuarantineTimestamp AS Time, LSQuarantineAgentName AS Agent, LSQuarantineOriginURLString AS URL, LSQuarantineDataURLString AS Data FROM LSQuarantineEvent ORDER BY Time', 'ParseLSQuarantineRow')]
REQUIRED_STRUCTURE = {'LSQuarantineEvent': frozenset({'LSQuarantineAgentName', 'LSQuarantineDataURLString', 'LSQuarantineOriginURLString', 'LSQuarantineTimestamp'})}
SCHEMAS = [{'LSQuarantineEvent': 'CREATE TABLE LSQuarantineEvent ( LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL, LSQuarantineTimeStamp REAL, LSQuarantineAgentBundleIdentifier TEXT, LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT, LSQuarantineSenderName TEXT, LSQuarantineSenderAddress TEXT, LSQuarantineTypeNumber INTEGER, LSQuarantineOriginTitle TEXT, LSQuarantineOriginURLString TEXT, LSQuarantineOriginAlias BLOB )'}]

plaso.parsers.sqlite_plugins.mac_document_versions module

SQLite parser plugin for MacOS document revision database files.

class plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventData[source]

Bases: plaso.containers.events.EventData

MacOS document revision event data.

name

name of the original file.

Type

str

path

path from the original file.

Type

str

version_path

path to the version copy of the original file.

Type

str

last_time

the system user ID of the user that opened the file.

Type

str

user_sid

identification user ID that open the file.

Type

str

DATA_TYPE = 'mac:document_versions:file'
class plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for MacOS document revision database files.

DATA_FORMAT = 'MacOS document revisions SQLite database file'
DocumentVersionsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a document versions row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

NAME = 'mac_document_versions'
QUERIES = [('SELECT f.file_name AS name, f.file_path AS path, f.file_last_seen AS last_time, g.generation_path AS version_path, g.generation_add_time AS version_time FROM files f, generations g WHERE f.file_storage_id = g.generation_storage_id;', 'DocumentVersionsRow')]
REQUIRED_STRUCTURE = {'files': frozenset({'file_last_seen', 'file_name', 'file_path', 'file_storage_id'}), 'generations': frozenset({'generation_add_time', 'generation_path', 'generation_storage_id'})}
ROOT_VERSION_PATH = '/.DocumentRevisions-V100/'
SCHEMAS = [{'files': 'CREATE TABLE files (file_row_id INTEGER PRIMARY KEY ASC, file_name TEXT, file_parent_id INTEGER, file_path TEXT, file_inode INTEGER, file_last_seen INTEGER NOT NULL DEFAULT 0, file_status INTEGER NOT NULL DEFAULT 1, file_storage_id INTEGER NOT NULL)', 'generations': 'CREATE TABLE generations (generation_id INTEGER PRIMARY KEY ASC, generation_storage_id INTEGER NOT NULL, generation_name TEXT NOT NULL, generation_client_id TEXT NOT NULL, generation_path TEXT UNIQUE, generation_options INTEGER NOT NULL DEFAULT 1, generation_status INTEGER NOT NULL DEFAULT 1, generation_add_time INTEGER NOT NULL DEFAULT 0, generation_size INTEGER NOT NULL DEFAULT 0, generation_prunable INTEGER NOT NULL DEFAULT 0)', 'storage': 'CREATE TABLE storage (storage_id INTEGER PRIMARY KEY ASC AUTOINCREMENT, storage_options INTEGER NOT NULL DEFAULT 1, storage_status INTEGER NOT NULL DEFAULT 1)'}]

plaso.parsers.sqlite_plugins.mac_knowledgec module

SQLite parser plugin for MacOS Duet/KnowledgeC database files.

class plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCApplicationEventData[source]

Bases: plaso.containers.events.EventData

KnowledgeC application execution event data.

bundle_identifier

bundle identifier of the application.

Type

str

duration

duration of the activity.

Type

int

DATA_TYPE = 'mac:knowledgec:application'
class plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for MacOS Duet/KnowledgeC database files.

DATA_FORMAT = 'MacOS Duet / KnowledgeC SQLites database file'
KnowledgeCRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses KnowledgeC application activity

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

NAME = 'mac_knowledgec'
QUERIES = [('\n SELECT\n ZOBJECT.ZCREATIONDATE AS "entry_creation", \n ZOBJECT.ZSTARTDATE AS "start", \n ZOBJECT.ZENDDATE AS "end",\n ZOBJECT.ZSTREAMNAME AS "action",\n ZOBJECT.ZVALUESTRING AS "zvaluestring",\n ZSTRUCTUREDMETADATA.Z_DKSAFARIHISTORYMETADATAKEY__TITLE AS "title"\n FROM ZOBJECT\n LEFT JOIN ZSTRUCTUREDMETADATA \n ON ZOBJECT.ZSTRUCTUREDMETADATA = ZSTRUCTUREDMETADATA.Z_PK\n ', 'KnowledgeCRow')]
REQUIRED_TABLES = frozenset({'ZOBJECT', 'ZSTRUCTUREDMETADATA'})
SCHEMAS = [{'ACHANGE': 'CREATE TABLE ACHANGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCHANGETYPE INTEGER, ZENTITY INTEGER, ZENTITYPK INTEGER, ZTRANSACTIONID INTEGER, ZCOLUMNS BLOB, ZTOMBSTONE0 BLOB, ZTOMBSTONE1 BLOB, ZTOMBSTONE2 BLOB )', 'ATRANSACTION': 'CREATE TABLE ATRANSACTION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZTIMESTAMP FLOAT, ZAUTHOR VARCHAR, ZBUNDLEID VARCHAR, ZCONTEXTNAME VARCHAR, ZPROCESSID VARCHAR, ZQUERYGEN BLOB )', 'ZADDITIONCHANGESET': 'CREATE TABLE ZADDITIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZCONTEXTUALCHANGEREGISTRATION': 'CREATE TABLE ZCONTEXTUALCHANGEREGISTRATION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCREATIONDATE TIMESTAMP, ZIDENTIFIER VARCHAR, ZPROPERTIES BLOB )', 'ZCONTEXTUALKEYPATH': 'CREATE TABLE ZCONTEXTUALKEYPATH ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDEVICEID INTEGER, ZISEPHEMERAL INTEGER, ZISUSERCENTRIC INTEGER, ZCREATIONDATE TIMESTAMP, ZLASTMODIFIEDDATE TIMESTAMP, ZKEY VARCHAR, ZVALUE BLOB )', 'ZCUSTOMMETADATA': 'CREATE TABLE ZCUSTOMMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, ZOBJECT INTEGER, Z8_OBJECT INTEGER, ZDATEVALUE TIMESTAMP, ZDOUBLEVALUE FLOAT, ZNAME VARCHAR, ZSTRINGVALUE VARCHAR, ZVALUEHASH VARCHAR, ZBINARYVALUE BLOB )', 'ZDELETIONCHANGESET': 'CREATE TABLE ZDELETIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZHISTOGRAM': 'CREATE TABLE ZHISTOGRAM ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSTREAMTYPECODE INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZDEVICEIDENTIFIER VARCHAR, ZIDENTIFIER VARCHAR, ZSTREAMNAME VARCHAR )', 'ZHISTOGRAMVALUE': 'CREATE TABLE ZHISTOGRAMVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCOUNT INTEGER, ZINTEGERVALUE INTEGER, ZHISTOGRAM INTEGER, ZSTRINGVALUE VARCHAR )', 'ZOBJECT': 'CREATE TABLE ZOBJECT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUUIDHASH INTEGER, ZEVENT INTEGER, ZSOURCE INTEGER, ZCATEGORYTYPE INTEGER, ZINTEGERVALUE INTEGER, ZENDDAYOFWEEK INTEGER, ZENDSECONDOFDAY INTEGER, ZHASCUSTOMMETADATA INTEGER, ZHASSTRUCTUREDMETADATA INTEGER, ZSECONDSFROMGMT INTEGER, ZSHOULDSYNC INTEGER, ZSTARTDAYOFWEEK INTEGER, ZSTARTSECONDOFDAY INTEGER, ZVALUECLASS INTEGER, ZVALUEINTEGER INTEGER, ZVALUETYPECODE INTEGER, ZSTRUCTUREDMETADATA INTEGER, ZVALUE INTEGER, Z8_VALUE INTEGER, ZIDENTIFIERTYPE INTEGER, ZQUANTITYTYPE INTEGER, ZOBJECT INTEGER, Z8_OBJECT INTEGER, ZSUBJECT INTEGER, Z8_SUBJECT INTEGER, ZCREATIONDATE TIMESTAMP, ZCONFIDENCE FLOAT, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZVALUEDOUBLE FLOAT, ZDOUBLEVALUE FLOAT, ZUUID VARCHAR, ZSTREAMNAME VARCHAR, ZVALUESTRING VARCHAR, ZSTRING VARCHAR, ZVERBPHRASE VARCHAR, ZMETADATA BLOB )', 'ZSOURCE': 'CREATE TABLE ZSOURCE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUSERID INTEGER, ZBUNDLEID VARCHAR, ZDEVICEID VARCHAR, ZGROUPID VARCHAR, ZITEMID VARCHAR, ZSOURCEID VARCHAR )', 'ZSTRUCTUREDMETADATA': 'CREATE TABLE ZSTRUCTUREDMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, Z_CDPORTRAITMETADATAKEY__ALGORITHM INTEGER, Z_CDPORTRAITMETADATAKEY__ASSETVERSION INTEGER, Z_DKAPPINSTALLMETADATAKEY__ISINSTALL INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISPUBLICLYINDEXABLE INTEGER, Z_DKAPPLICATIONMETADATAKEY__PROCESSIDENTIFIER INTEGER, Z_DKAUDIOMETADATAKEY__ROUTECHANGEREASON INTEGER, Z_DKBLUETOOTHMETADATAKEY__DEVICETYPE INTEGER, Z_DKBULLETINBOARDMETADATAKEY__HASDATE INTEGER, Z_DKGLANCELAUNCHMETADATA__DEVICEIDENTIFIER INTEGER, Z_DKINTENTMETADATAKEY__DONATEDBYSIRI INTEGER, Z_DKINTENTMETADATAKEY__INTENTHANDLINGSTATUS INTEGER, Z_DKNOWPLAYINGMETADATAKEY__IDENTIFIER INTEGER, Z_DKNOWPLAYINGMETADATAKEY__PLAYING INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__INTERACTIONTYPE INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__SUGGESTIONTYPE INTEGER, Z_DKSUNRISESUNSETMETADATAKEY__ISDAYLIGHT INTEGER, Z_QPMETRICSMETADATAKEY__QUERYENGAGED INTEGER, Z_QPMETRICSMETADATAKEY__RESULTENGAGED INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_DATE INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_ENDDATE INTEGER, Z_CDPORTRAITMETADATAKEY__DECAYRATE FLOAT, Z_CDPORTRAITMETADATAKEY__SCORE FLOAT, Z_DKAPPLICATIONACTIVITYMETADATAKEY__EXPIRATIONDATE TIMESTAMP, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LONGITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LONGITUDE FLOAT, Z_DKNOWPLAYINGMETADATAKEY__DURATION FLOAT, Z_DKNOWPLAYINGMETADATAKEY__ELAPSED FLOAT, Z_DKPERIODMETADATAKEY__PERIODEND TIMESTAMP, Z_DKPERIODMETADATAKEY__PERIODSTART TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__CURRENTSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__CURRENTSUNSET TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__NEXTSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__NEXTSUNSET TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__PREVIOUSSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__PREVIOUSSUNSET TIMESTAMP, Z_QPMETRICSMETADATAKEY__TIMESTAMP FLOAT, Z_CDENTITYMETADATAKEY__BESTLANGUAGE VARCHAR, Z_CDENTITYMETADATAKEY__NAME VARCHAR, Z_CDPORTRAITMETADATAKEY__OSBUILD VARCHAR, Z_DKAPPINSTALLMETADATAKEY__PRIMARYCATEGORY VARCHAR, Z_DKAPPINSTALLMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ACTIVITYTYPE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDUNIQUEIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYREQUIREDSTRING VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYUUID VARCHAR, Z_DKAPPLICATIONMETADATAKEY__BACKBOARDSTATE VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONCONTAININGBUNDLEIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONHOSTIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__LAUNCHREASON VARCHAR, Z_DKAUDIOMETADATAKEY__CHANNELS VARCHAR, Z_DKAUDIOMETADATAKEY__DATASOURCES VARCHAR, Z_DKAUDIOMETADATAKEY__IDENTIFIER VARCHAR, Z_DKAUDIOMETADATAKEY__PORTNAME VARCHAR, Z_DKAUDIOMETADATAKEY__PORTTYPE VARCHAR, Z_DKAUDIOMETADATAKEY__PREFERREDDATASOURCE VARCHAR, Z_DKAUDIOMETADATAKEY__SELECTEDDATASOURCE VARCHAR, Z_DKBATTERYSAVERMETADATAKEY__SOURCE VARCHAR, Z_DKBLUETOOTHMETADATAKEY__ADDRESS VARCHAR, Z_DKBLUETOOTHMETADATAKEY__NAME VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__FEED VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__MESSAGE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__SUBTITLE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__TITLE VARCHAR, Z_DKCALENDARMETADATAKEY__INTERACTION VARCHAR, Z_DKCALLMETADATAKEY__INTERACTION VARCHAR, Z_DKDEVICEIDMETADATAKEY__DEVICEIDENTIFIER VARCHAR, Z_DKINTENTMETADATAKEY__INTENTCLASS VARCHAR, Z_DKINTENTMETADATAKEY__INTENTVERB VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__URL VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__CITY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__COUNTRY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__DISPLAYNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__FULLYFORMATTEDADDRESS VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LOCATIONNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__POSTALCODE_V2 VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__STATEORPROVINCE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__SUBTHOROUGHFARE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__THOROUGHFARE VARCHAR, Z_DKLOCATIONMETADATAKEY__IDENTIFIER VARCHAR, Z_DKMETADATAHOMEAPPVIEW__HOMEUUID VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWINFORMATION VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWNAME VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CHARACTERISTICTYPE VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICENAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICETYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETTYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__SCENENAME VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__LOCATIONDISTRIBUTION VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__MICROLOCATIONDISTRIBUTION VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ALBUM VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ARTIST VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__GENRE VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__TITLE VARCHAR, Z_DKSAFARIHISTORYMETADATAKEY__TITLE VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CLIENT VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CONTACTID VARCHAR, Z_QPMETRICSMETADATAKEY__QUERY VARCHAR, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_EXTERNALID VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTIDENTIFIERKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTLAUNCHKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONPERSISTENTPREDICATESTRINGKEY VARCHAR, ZMETADATAHASH VARCHAR UNIQUE, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDCONTENTURL VARCHAR, Z_DKAPPINSTALLMETADATAKEY__SUBCATEGORIES BLOB, Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION BLOB, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__PHONENUMBERS BLOB, Z_QPMETRICSMETADATAKEY__CANDIDATELIST BLOB, Z_QPMETRICSMETADATAKEY__QUERYLIST BLOB )', 'Z_4EVENT': 'CREATE TABLE Z_4EVENT ( Z_4CUSTOMMETADATA INTEGER, Z_10EVENT INTEGER, PRIMARY KEY (Z_4CUSTOMMETADATA, Z_10EVENT) )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)', 'Z_MODELCACHE': 'CREATE TABLE Z_MODELCACHE (Z_CONTENT BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'}, {'ZADDITIONCHANGESET': 'CREATE TABLE ZADDITIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZCONTEXTUALCHANGEREGISTRATION': 'CREATE TABLE ZCONTEXTUALCHANGEREGISTRATION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCREATIONDATE TIMESTAMP, ZIDENTIFIER VARCHAR, ZPROPERTIES BLOB )', 'ZCONTEXTUALKEYPATH': 'CREATE TABLE ZCONTEXTUALKEYPATH ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDEVICEID INTEGER, ZISEPHEMERAL INTEGER, ZISUSERCENTRIC INTEGER, ZCREATIONDATE TIMESTAMP, ZLASTMODIFIEDDATE TIMESTAMP, ZKEY VARCHAR, ZVALUE BLOB )', 'ZCUSTOMMETADATA': 'CREATE TABLE ZCUSTOMMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, ZOBJECT INTEGER, Z9_OBJECT INTEGER, ZDATEVALUE TIMESTAMP, ZDOUBLEVALUE FLOAT, ZNAME VARCHAR, ZSTRINGVALUE VARCHAR, ZVALUEHASH VARCHAR, ZBINARYVALUE BLOB )', 'ZDELETIONCHANGESET': 'CREATE TABLE ZDELETIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZHISTOGRAM': 'CREATE TABLE ZHISTOGRAM ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSTREAMTYPECODE INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCUSTOMIDENTIFIER VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZIDENTIFIER VARCHAR, ZSTREAMNAME VARCHAR )', 'ZHISTOGRAMVALUE': 'CREATE TABLE ZHISTOGRAMVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, ZHISTOGRAM INTEGER, ZCOUNT FLOAT, ZSTRINGVALUE VARCHAR )', 'ZKEYVALUE': 'CREATE TABLE ZKEYVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDOMAIN VARCHAR, ZKEY VARCHAR, ZVALUE BLOB )', 'ZOBJECT': 'CREATE TABLE ZOBJECT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUUIDHASH INTEGER, ZEVENT INTEGER, ZSOURCE INTEGER, ZCATEGORYTYPE INTEGER, ZINTEGERVALUE INTEGER, ZENDDAYOFWEEK INTEGER, ZENDSECONDOFDAY INTEGER, ZHASCUSTOMMETADATA INTEGER, ZHASSTRUCTUREDMETADATA INTEGER, ZSECONDSFROMGMT INTEGER, ZSHOULDSYNC INTEGER, ZSTARTDAYOFWEEK INTEGER, ZSTARTSECONDOFDAY INTEGER, ZVALUECLASS INTEGER, ZVALUEINTEGER INTEGER, ZVALUETYPECODE INTEGER, ZSTRUCTUREDMETADATA INTEGER, ZVALUE INTEGER, Z9_VALUE INTEGER, ZIDENTIFIERTYPE INTEGER, ZQUANTITYTYPE INTEGER, ZOBJECT INTEGER, Z9_OBJECT INTEGER, ZSUBJECT INTEGER, Z9_SUBJECT INTEGER, ZCREATIONDATE TIMESTAMP, ZLOCALCREATIONDATE TIMESTAMP, ZCONFIDENCE FLOAT, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZVALUEDOUBLE FLOAT, ZDOUBLEVALUE FLOAT, ZUUID VARCHAR, ZSTREAMNAME VARCHAR, ZVALUESTRING VARCHAR, ZSTRING VARCHAR, ZVERBPHRASE VARCHAR, ZMETADATA BLOB )', 'ZSOURCE': 'CREATE TABLE ZSOURCE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUSERID INTEGER, ZBUNDLEID VARCHAR, ZDEVICEID VARCHAR, ZGROUPID VARCHAR, ZITEMID VARCHAR, ZSOURCEID VARCHAR )', 'ZSTRUCTUREDMETADATA': 'CREATE TABLE ZSTRUCTUREDMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, Z_CDPORTRAITMETADATAKEY__ALGORITHM INTEGER, Z_CDPORTRAITMETADATAKEY__ASSETVERSION INTEGER, Z_DKAPPINSTALLMETADATAKEY__ISINSTALL INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISELIGIBLEFORPREDICTION INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISPUBLICLYINDEXABLE INTEGER, Z_DKAPPLICATIONMETADATAKEY__PROCESSIDENTIFIER INTEGER, Z_DKAUDIOMETADATAKEY__ROUTECHANGEREASON INTEGER, Z_DKBLUETOOTHMETADATAKEY__DEVICETYPE INTEGER, Z_DKBULLETINBOARDMETADATAKEY__HASDATE INTEGER, Z_DKDIGITALHEALTHMETADATAKEY__USAGETYPE INTEGER, Z_DKGLANCELAUNCHMETADATA__DEVICEIDENTIFIER INTEGER, Z_DKINTENTMETADATAKEY__DONATEDBYSIRI INTEGER, Z_DKINTENTMETADATAKEY__INTENTHANDLINGSTATUS INTEGER, Z_DKINTENTMETADATAKEY__INTENTTYPE INTEGER, Z_DKNOWPLAYINGMETADATAKEY__IDENTIFIER INTEGER, Z_DKNOWPLAYINGMETADATAKEY__PLAYING INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__INTERACTIONTYPE INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__SUGGESTIONTYPE INTEGER, Z_QPMETRICSMETADATAKEY__QUERYENGAGED INTEGER, Z_QPMETRICSMETADATAKEY__RESULTENGAGED INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_DATE INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_ENDDATE INTEGER, Z_CDPORTRAITMETADATAKEY__DECAYRATE FLOAT, Z_CDPORTRAITMETADATAKEY__SCORE FLOAT, Z_DKAPPLICATIONACTIVITYMETADATAKEY__EXPIRATIONDATE TIMESTAMP, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LONGITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LONGITUDE FLOAT, Z_DKNOWPLAYINGMETADATAKEY__DURATION FLOAT, Z_DKNOWPLAYINGMETADATAKEY__ELAPSED FLOAT, Z_DKPERIODMETADATAKEY__PERIODEND TIMESTAMP, Z_DKPERIODMETADATAKEY__PERIODSTART TIMESTAMP, Z_QPMETRICSMETADATAKEY__TIMESTAMP FLOAT, Z_CDENTITYMETADATAKEY__BESTLANGUAGE VARCHAR, Z_CDENTITYMETADATAKEY__NAME VARCHAR, Z_CDPORTRAITMETADATAKEY__OSBUILD VARCHAR, Z_DKAPPINSTALLMETADATAKEY__PRIMARYCATEGORY VARCHAR, Z_DKAPPINSTALLMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ACTIVITYTYPE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__CONTENTDESCRIPTION VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDUNIQUEIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__SUGGESTEDINVOCATIONPHRASE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYREQUIREDSTRING VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYUUID VARCHAR, Z_DKAPPLICATIONMETADATAKEY__BACKBOARDSTATE VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONCONTAININGBUNDLEIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONHOSTIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__LAUNCHREASON VARCHAR, Z_DKAUDIOMETADATAKEY__CHANNELS VARCHAR, Z_DKAUDIOMETADATAKEY__DATASOURCES VARCHAR, Z_DKAUDIOMETADATAKEY__IDENTIFIER VARCHAR, Z_DKAUDIOMETADATAKEY__PORTNAME VARCHAR, Z_DKAUDIOMETADATAKEY__PORTTYPE VARCHAR, Z_DKAUDIOMETADATAKEY__PREFERREDDATASOURCE VARCHAR, Z_DKAUDIOMETADATAKEY__SELECTEDDATASOURCE VARCHAR, Z_DKBATTERYSAVERMETADATAKEY__SOURCE VARCHAR, Z_DKBLUETOOTHMETADATAKEY__ADDRESS VARCHAR, Z_DKBLUETOOTHMETADATAKEY__NAME VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__FEED VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__MESSAGE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__SUBTITLE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__TITLE VARCHAR, Z_DKCALENDARMETADATAKEY__INTERACTION VARCHAR, Z_DKCALLMETADATAKEY__INTERACTION VARCHAR, Z_DKDEVICEIDMETADATAKEY__DEVICEIDENTIFIER VARCHAR, Z_DKDIGITALHEALTHMETADATAKEY__WEBDOMAIN VARCHAR, Z_DKINTENTMETADATAKEY__INTENTCLASS VARCHAR, Z_DKINTENTMETADATAKEY__INTENTVERB VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__URL VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__CITY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__COUNTRY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__DISPLAYNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__FULLYFORMATTEDADDRESS VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LOCATIONNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__POSTALCODE_V2 VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__STATEORPROVINCE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__SUBTHOROUGHFARE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__THOROUGHFARE VARCHAR, Z_DKLOCATIONMETADATAKEY__IDENTIFIER VARCHAR, Z_DKMETADATAHOMEAPPVIEW__HOMEUUID VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWINFORMATION VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWNAME VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CHARACTERISTICTYPE VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICENAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICETYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETTYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__SCENENAME VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__LOCATIONDISTRIBUTION VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__MICROLOCATIONDISTRIBUTION VARCHAR, Z_DKNOTIFICATIONUSAGEMETADATAKEY__BUNDLEID VARCHAR, Z_DKNOTIFICATIONUSAGEMETADATAKEY__IDENTIFIER VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ALBUM VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ARTIST VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__GENRE VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__TITLE VARCHAR, Z_DKRELEVANTSHORTCUTMETADATAKEY__KEYIMAGEPROXYIDENTIFIER VARCHAR, Z_DKSAFARIHISTORYMETADATAKEY__TITLE VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CLIENT VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CONTACTID VARCHAR, Z_DKTOMBSTONEMETADATAKEY__EVENTSOURCEDEVICEID VARCHAR, Z_DKTOMBSTONEMETADATAKEY__EVENTSTREAMNAME VARCHAR, Z_QPMETRICSMETADATAKEY__QUERY VARCHAR, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_EXTERNALID VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTIDENTIFIERKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTLAUNCHKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONPERSISTENTPREDICATESTRINGKEY VARCHAR, ZMETADATAHASH VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDCONTENTURL VARCHAR, Z_DKDIGITALHEALTHMETADATAKEY__WEBPAGEURL VARCHAR, Z_DKAPPINSTALLMETADATAKEY__SUBCATEGORIES BLOB, Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION BLOB, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__PHONENUMBERS BLOB, Z_DKRELEVANTSHORTCUTMETADATAKEY__SERIALIZEDRELEVANTSHORTCUT BLOB, Z_QPMETRICSMETADATAKEY__CANDIDATELIST BLOB, Z_QPMETRICSMETADATAKEY__QUERYLIST BLOB )', 'ZSYNCPEER': 'CREATE TABLE ZSYNCPEER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCLOUDID VARCHAR, ZDEVICEID VARCHAR, ZRAPPORTID VARCHAR, ZUUID BLOB )', 'Z_4EVENT': 'CREATE TABLE Z_4EVENT ( Z_4CUSTOMMETADATA INTEGER, Z_11EVENT INTEGER, PRIMARY KEY (Z_4CUSTOMMETADATA, Z_11EVENT) )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)', 'Z_MODELCACHE': 'CREATE TABLE Z_MODELCACHE (Z_CONTENT BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'}]
class plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCSafariEventData[source]

Bases: plaso.containers.events.EventData

MacOS Duet / KnowledgeC database event data for Safari.

bundle_identifier

bundle identifier of the application.

Type

str

duration

duration of the activity.

Type

int

title

title of the webpage visited.

Type

str

url

URL visited.

Type

str

DATA_TYPE = 'mac:knowledgec:safari'

plaso.parsers.sqlite_plugins.mac_notes module

SQLite parser plugin for MacOS Notes database files.

class plaso.parsers.sqlite_plugins.mac_notes.MacNotesEventData[source]

Bases: plaso.containers.events.EventData

Mac Notes event data.

text

note text.

Type

str

title

note title.

Type

str

DATA_TYPE = 'mac:notes:note'
class plaso.parsers.sqlite_plugins.mac_notes.MacNotesPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for MacOS notes database files.

The MacOS Notes database file is typically stored in: test_data/NotesV7.storedata

DATA_FORMAT = 'MacOS Notes SQLite database (NotesV7.storedata) file'
NAME = 'mac_notes'
ParseZHTMLSTRINGRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row from the database.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT nb.ZHTMLSTRING AS zhtmlstring, n.ZDATECREATED AS timestamp, n.ZDATEEDITED AS last_modified_time, n.ZTITLE as title FROM ZNOTEBODY nb, ZNOTE n WHERE nb.Z_PK = n.Z_PK', 'ParseZHTMLSTRINGRow')]
REQUIRED_TABLES = frozenset({'ZNOTE', 'ZNOTEBODY'})
SCHEMAS = [{'ZACCOUNT': 'CREATE TABLE ZACCOUNT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER,Z_OPT INTEGER, ZALLOWINSECUREAUTHENTICATION INTEGER,ZDIDCHOOSETOMIGRATE INTEGER, ZENABLED INTEGER, ZROOTFOLDERINTEGER, Z6_ROOTFOLDER INTEGER, ZTRASHFOLDER INTEGER,ZGMAILCAPABILITIESSUPPORT INTEGER, ZPORT INTEGER,ZSECURITYLAYERTYPE INTEGER, ZMIGRATIONOFFERED INTEGER,ZACCOUNTDESCRIPTION VARCHAR, ZEMAILADDRESS VARCHAR, ZFULLNAMEVARCHAR, ZPARENTACACCOUNTIDENTIFIER VARCHAR, ZUSERNAME VARCHAR,ZFOLDERHIERARCHYSYNCSTATE VARCHAR, ZAUTHENTICATION VARCHAR,ZHOSTNAME VARCHAR, ZSERVERPATHPREFIX VARCHAR, ZEXTERNALURL BLOB,ZINTERNALURL BLOB, ZLASTUSEDAUTODISCOVERURL BLOB,ZTLSCERTIFICATE BLOB )', 'ZATTACHMENT': 'CREATE TABLE ZATTACHMENT ( Z_PK INTEGER PRIMARY KEY, Z_ENTINTEGER, Z_OPT INTEGER, ZNOTE INTEGER, Z10_NOTE INTEGER,ZCONTENTID VARCHAR, ZFILEURL BLOB )', 'ZFOLDER': 'CREATE TABLE ZFOLDER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER,Z_OPT INTEGER, ZACCOUNT INTEGER, Z1_ACCOUNT INTEGER, ZPARENTINTEGER, Z6_PARENT INTEGER, ZISDISTINGUISHED INTEGER,ZALLEGEDHIGHESTMODIFICATIONSEQUENCE INTEGER,ZCOMPUTEDHIGHESTMODIFICATIONSEQUENCE INTEGER, ZUIDNEXT INTEGER,ZUIDVALIDITY INTEGER, ZTRASHACCOUNT INTEGER, Z1_TRASHACCOUNTINTEGER, ZNAME VARCHAR, ZCHANGEKEY VARCHAR, ZFOLDERID VARCHAR,ZSYNCSTATE VARCHAR, ZSERVERNAME VARCHAR )', 'ZNOTE': 'CREATE TABLE ZNOTE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER,Z_OPT INTEGER, ZBODY INTEGER, ZFOLDER INTEGER, Z6_FOLDERINTEGER, ZMIMEDATASIZE INTEGER, ZDATECREATED TIMESTAMP,ZDATEEDITED TIMESTAMP, ZREMOTEID VARCHAR, ZTITLE VARCHAR,ZCHANGEKEY VARCHAR, ZUNIVERSALLYUNIQUEID BLOB )', 'ZNOTEBODY': 'CREATE TABLE ZNOTEBODY ( Z_PK INTEGER PRIMARY KEY, Z_ENTINTEGER, Z_OPT INTEGER, ZNOTE INTEGER, Z10_NOTE INTEGER,ZHTMLSTRING VARCHAR )', 'ZOFFLINEACTION': 'CREATE TABLE ZOFFLINEACTION ( Z_PK INTEGER PRIMARY KEY, Z_ENTINTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZACCOUNTINTEGER, Z1_ACCOUNT INTEGER, ZFOLDER INTEGER, Z6_FOLDER INTEGER,ZPARENT INTEGER, Z6_PARENT INTEGER, ZORIGINALPARENT INTEGER,Z6_ORIGINALPARENT INTEGER, ZFOLDER1 INTEGER, Z6_FOLDER1 INTEGER,ZNOTE INTEGER, Z10_NOTE INTEGER, ZORIGINALFOLDER INTEGER,Z6_ORIGINALFOLDER INTEGER )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUIDVARCHAR(255), Z_PLIST BLOB)', 'Z_MODELCACHE': 'CREATE TABLE Z_MODELCACHE (Z_CONTENT BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAMEVARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'}]

plaso.parsers.sqlite_plugins.mac_notificationcenter module

SQLite parser plugin for MacOS Notification Center database files.

class plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterEventData[source]

Bases: plaso.containers.events.EventData

MacOS NotificationCenter event data.

body

body of the notification message.

Type

str

bundle_name

name of the application’s bundle that generated the notification.

Type

str

presented

either 1 or 0 if the notification has been shown to the user.

Type

int

subtitle

optional. Subtitle of the notification message.

Type

str

title

title of the message. Usually the name of the application that generated the notification. Occasionally the name of the sender of the notification for example, in case of chat messages.

Type

str

DATA_TYPE = 'mac:notificationcenter:db'
class plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for MacOS Notification Center database files.

The MacOS Notification Center database file is typically stored in: /private/var/folders/<W><d>/../0/com.apple.notificationcenter/db2/db

At the moment it takes into consideration only the main table, ‘record’. Currently supported tables and related content:

Record: contains historical records Requests: contain pending requests Delivered: delivered requests Displayed: displayed requests, by app_id Snoozed: snoozed by user requests

DATA_FORMAT = 'MacOS Notification Center SQLite database file'
NAME = 'mac_notificationcenter'
ParseNotificationcenterRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a message row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT a.identifier AS bundle_name, r.data AS dataBlob, r.delivered_date AS timestamp,r.presented AS presented FROM app a, record r WHERE a.app_id = r.app_id', 'ParseNotificationcenterRow')]
REQUIRED_STRUCTURE = {'app': frozenset({'app_id', 'identifier'}), 'record': frozenset({'app_id', 'data', 'delivered_date', 'presented'})}
SCHEMAS = [{'app': 'CREATE TABLE app (app_id INTEGER PRIMARY KEY, identifier VARCHAR)', 'dbinfo': 'CREATE TABLE dbinfo (key VARCHAR, value VARCHAR)', 'delivered': 'CREATE TABLE delivered (app_id INTEGER PRIMARY KEY, list BLOB)', 'displayed': 'CREATE TABLE displayed (app_id INTEGER PRIMARY KEY, list BLOB)', 'record': 'CREATE TABLE record (rec_id INTEGER PRIMARY KEY, app_id INTEGER, uuid BLOB, data BLOB, request_date REAL, request_last_date REAL, delivered_date REAL, presented Bool, style INTEGER, snooze_fire_date REAL)', 'requests': 'CREATE TABLE requests (app_id INTEGER PRIMARY KEY, list BLOB)', 'snoozed': 'CREATE TABLE snoozed (app_id INTEGER PRIMARY KEY, list BLOB)'}]

plaso.parsers.sqlite_plugins.mackeeper_cache module

SQLite parser plugin for MacOS MacKeeper cache database files.

class plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData[source]

Bases: plaso.containers.events.EventData

MacKeeper Cache event data.

description

description.

Type

str

event_type

event type.

Type

str

record_id

record identifier.

Type

int

room

room.

Type

str

text

text.

Type

str

url

URL.

Type

str

user_name

user name.

Type

str

user_sid

user security identifier (SID).

Type

str

DATA_TYPE = 'mackeeper:cache'
class plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for MacOS MacKeeper cache database files.

DATA_FORMAT = 'MacOS MacKeeper cache SQLite database file'
NAME = 'mackeeper_cache'
ParseReceiverData(parser_mediator, query, row, **unused_kwargs)[source]

Parses a single row from the receiver and cache response table.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT d.entry_ID AS id, d.receiver_data AS data, r.request_key, r.time_stamp AS time_string FROM cfurl_cache_receiver_data d, cfurl_cache_response r WHERE r.entry_ID = d.entry_ID', 'ParseReceiverData')]
REQUIRED_STRUCTURE = {'cfurl_cache_blob_data': frozenset({}), 'cfurl_cache_receiver_data': frozenset({'entry_ID', 'receiver_data'}), 'cfurl_cache_response': frozenset({'entry_ID', 'request_key', 'time_stamp'})}
SCHEMAS = [{'cfurl_cache_blob_data': 'CREATE TABLE cfurl_cache_blob_data(entry_ID INTEGER PRIMARY KEY, response_object BLOB, request_object BLOB, proto_props BLOB, user_info BLOB)', 'cfurl_cache_receiver_data': 'CREATE TABLE cfurl_cache_receiver_data(entry_ID INTEGER PRIMARY KEY, receiver_data BLOB)', 'cfurl_cache_response': 'CREATE TABLE cfurl_cache_response(entry_ID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, version INTEGER, hash_value INTEGER, storage_policy INTEGER, request_key TEXT UNIQUE, time_stamp NOT NULL DEFAULT CURRENT_TIMESTAMP, partition TEXT)', 'cfurl_cache_schema_version': 'CREATE TABLE cfurl_cache_schema_version(schema_version INTEGER)'}]

plaso.parsers.sqlite_plugins.macos_tcc module

SQLite parser plugin for MacOS TCC database files.

class plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCEntry[source]

Bases: plaso.containers.events.EventData

macOS TCC event data.

allowed

whether access to the service was allowed.

Type

bool

client

name of the client requesting access to the service.

Type

str

prompt_count

number of times an appplication prompted the user for access to a service.

Type

int

service

name of the service.

Type

str

DATA_TYPE = 'macos:tcc_entry'
class plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for MacOS TCC database files.

The MacOS Transaprency, Consent, Control (TCC) database file is typically stored in: /Library/Application Support/com.apple.TCC/TCC.db /Users/<username>/Library/Application Support/com.apple.TCC/TCC.db

DATA_FORMAT = 'MacOS Transaprency, Consent, Control (TCC) SQLite database (TCC.db) file'
NAME = 'macostcc'
ParseTCCEntry(parser_mediator, query, row, **unused_kwargs)[source]

Parses an application usage row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [("SELECT service, client, allowed, prompt_count, last_modified, DATETIME(last_modified, 'UNIXEPOCH', 'LOCALTIME') AS timestamp FROM access;", 'ParseTCCEntry')]
REQUIRED_STRUCTURE = {'access': frozenset({'access', 'access_overrides', 'active_policy', 'admin', 'expired', 'policies'})}
SCHEMAS = [{'access': 'CREATE TABLE IF NOT EXISTS "access" (\n service TEXT NOT NULL,\n client TEXT NOT NULL,\n client_type INTEGER NOT NULL,\n allowed INTEGER NOT NULL,\n prompt_count INTEGER NOT NULL,\n csreq BLOB,\n policy_id INTEGER,\n indirect_object_identifier_type INTEGER,\n indirect_object_identifier TEXT DEFAULT \'UNUSED\',\n indirect_object_code_identity BLOB,\n flags INTEGER,\n last_modified INTEGER NOT NULL\n DEFAULT (CAST(strftime(\'%s\',\'now\') AS INTEGER)),\n PRIMARY KEY\n (service, client, client_type, indirect_object_identifier),\n FOREIGN KEY (policy_id)\n REFERENCES policies(id) ON DELETE CASCADE ON UPDATE CASCADE);'}]

plaso.parsers.sqlite_plugins.safari module

SQLite parser plugin for Safari history database files.

class plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData[source]

Bases: plaso.containers.events.EventData

Safari history event data.

host

hostname of the server.

Type

str

title

title of the webpage visited.

Type

str

url

URL visited.

Type

str

visit_count

number of times the website was visited.

Type

int

was_http_non_get

True if the webpage was visited using a non-GET HTTP request.

Type

bool

DATA_TYPE = 'safari:history:visit_sqlite'
class plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Safari history database files.

The Safari history database file is typically stored in: History.db

DATA_FORMAT = 'Safari history SQLite database (History.db) file'
NAME = 'safari_historydb'
ParsePageVisitRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a visited row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT history_items.id, history_items.url, history_items.visit_count, history_visits.id AS visit_id, history_visits.history_item,history_visits.visit_time, history_visits.redirect_destination, history_visits.title, history_visits.http_non_get, history_visits.redirect_source FROM history_items, history_visits WHERE history_items.id = history_visits.history_item ORDER BY history_visits.visit_time', 'ParsePageVisitRow')]
REQUIRED_STRUCTURE = {'history_items': frozenset({'id', 'url', 'visit_count'}), 'history_visits': frozenset({'history_item', 'http_non_get', 'id', 'redirect_destination', 'redirect_source', 'title', 'visit_time'})}
SCHEMAS = [{'history_client_versions': 'CREATE TABLE history_client_versions (client_version INTEGER PRIMARY KEY,last_seen REAL NOT NULL)', 'history_event_listeners': 'CREATE TABLE history_event_listeners (listener_name TEXT PRIMARY KEY NOT NULL UNIQUE,last_seen REAL NOT NULL)', 'history_events': 'CREATE TABLE history_events (id INTEGER PRIMARY KEY AUTOINCREMENT,event_type TEXT NOT NULL,event_time REAL NOT NULL,pending_listeners TEXT NOT NULL,value BLOB)', 'history_items': 'CREATE TABLE history_items (id INTEGER PRIMARY KEY AUTOINCREMENT,url TEXT NOT NULL UNIQUE,domain_expansion TEXT NULL,visit_count INTEGER NOT NULL,daily_visit_counts BLOB NOT NULL,weekly_visit_counts BLOB NULL,autocomplete_triggers BLOB NULL,should_recompute_derived_visit_counts INTEGER NOT NULL,visit_count_score INTEGER NOT NULL)', 'history_tombstones': 'CREATE TABLE history_tombstones (id INTEGER PRIMARY KEY AUTOINCREMENT,start_time REAL NOT NULL,end_time REAL NOT NULL,url TEXT,generation INTEGER NOT NULL DEFAULT 0)', 'history_visits': 'CREATE TABLE history_visits (id INTEGER PRIMARY KEY AUTOINCREMENT,history_item INTEGER NOT NULL REFERENCES history_items(id) ON DELETE CASCADE,visit_time REAL NOT NULL,title TEXT NULL,load_successful BOOLEAN NOT NULL DEFAULT 1,http_non_get BOOLEAN NOT NULL DEFAULT 0,synthesized BOOLEAN NOT NULL DEFAULT 0,redirect_source INTEGER NULL UNIQUE REFERENCES history_visits(id) ON DELETE CASCADE,redirect_destination INTEGER NULL UNIQUE REFERENCES history_visits(id) ON DELETE CASCADE,origin INTEGER NOT NULL DEFAULT 0,generation INTEGER NOT NULL DEFAULT 0,attributes INTEGER NOT NULL DEFAULT 0,score INTEGER NOT NULL DEFAULT 0)', 'metadata': 'CREATE TABLE metadata (key TEXT NOT NULL UNIQUE, value)'}]

plaso.parsers.sqlite_plugins.skype module

SQLite parser plugin for Skype database files.

class plaso.parsers.sqlite_plugins.skype.SkypeAccountEventData[source]

Bases: plaso.containers.events.EventData

Skype account event data.

country

home country of the account holder.

Type

str

display_name

display name of the account holder.

Type

str

email

registered email address of the account holder.

Type

str

username

full name of the Skype account holder and display name.

Type

str

DATA_TYPE = 'skype:event:account'
class plaso.parsers.sqlite_plugins.skype.SkypeCallEventData[source]

Bases: plaso.containers.events.EventData

Skype call event data.

call_type

call type, such as: WAITING, STARTED, FINISHED.

Type

str

dst_call

account which received the call.

Type

str

src_call

account which started the call.

Type

str

user_start_call

True if the owner account started the call.

Type

bool

video_conference

True if the call was a video conference.

Type

bool

DATA_TYPE = 'skype:event:call'
class plaso.parsers.sqlite_plugins.skype.SkypeChatEventData[source]

Bases: plaso.containers.events.EventData

Skype chat event data.

from_account

from display name and the author.

Type

str

text

body XML.

Type

str

title

title.

Type

str

to_account

accounts, excluding the author, of the conversation.

Type

str

DATA_TYPE = 'skype:event:chat'
class plaso.parsers.sqlite_plugins.skype.SkypePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Skype database files.

DATA_FORMAT = 'Skype SQLite database (main.db) file'
NAME = 'skype'
ParseAccountInformation(parser_mediator, query, row, **unused_kwargs)[source]

Parses account information.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row with account information.

ParseCall(parser_mediator, query, row, **unused_kwargs)[source]

Parses a call.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (Optional[str]) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

  • query – query.

ParseChat(parser_mediator, query, row, **unused_kwargs)[source]

Parses a chat message.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

ParseFileTransfer(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a file transfer.

There is no direct relationship between who sends the file and who accepts the file.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

  • cache (Optional[SQLiteCache]) – cache.

  • database (Optional[SQLiteDatabase]) – database.

ParseSMS(parser_mediator, query, row, **unused_kwargs)[source]

Parses an SMS.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT c.id, c.participants, c.friendlyname AS title, m.author AS author, m.from_dispname AS from_displayname, m.body_xml, m.timestamp, c.dialog_partner FROM Chats c, Messages m WHERE c.name = m.chatname', 'ParseChat'), ('SELECT id, fullname, given_displayname, emails, country, profile_timestamp, authreq_timestamp, lastonline_timestamp, mood_timestamp, sent_authrequest_time, lastused_timestamp FROM Accounts', 'ParseAccountInformation'), ('SELECT id, target_numbers AS dstnum_sms, timestamp AS time_sms, body AS msg_sms FROM SMSes', 'ParseSMS'), ('SELECT id, partner_handle, partner_dispname, offer_send_list, starttime, accepttime, finishtime, filepath, filename, filesize, status, parent_id, pk_id FROM Transfers', 'ParseFileTransfer'), ('SELECT c.id, cm.guid, c.is_incoming, cm.call_db_id, cm.videostatus, c.begin_timestamp AS try_call, cm.start_timestamp AS accept_call, cm.call_duration FROM Calls c, CallMembers cm WHERE c.id = cm.call_db_id;', 'ParseCall')]
QUERY_DEST_FROM_TRANSFER = 'SELECT parent_id, partner_handle AS skypeid, partner_dispname AS skypename FROM transfers'
QUERY_SOURCE_FROM_TRANSFER = 'SELECT pk_id, partner_handle AS skypeid, partner_dispname AS skypename FROM transfers'
REQUIRED_STRUCTURE = {'Accounts': frozenset({'authreq_timestamp', 'country', 'emails', 'fullname', 'given_displayname', 'id', 'lastonline_timestamp', 'mood_timestamp', 'profile_timestamp', 'sent_authrequest_time'}), 'CallMembers': frozenset({'call_db_id', 'call_duration', 'guid', 'start_timestamp', 'videostatus'}), 'Calls': frozenset({'begin_timestamp', 'id', 'is_incoming'}), 'Chats': frozenset({'dialog_partner', 'friendlyname', 'id', 'name', 'participants'}), 'Messages': frozenset({'author', 'body_xml', 'chatname', 'from_dispname', 'timestamp'}), 'SMSes': frozenset({'body', 'id', 'target_numbers', 'timestamp'}), 'Transfers': frozenset({'accepttime', 'filename', 'filepath', 'filesize', 'finishtime', 'id', 'offer_send_list', 'parent_id', 'partner_dispname', 'partner_handle', 'pk_id', 'starttime', 'status'})}
SCHEMAS = [{'Accounts': 'CREATE TABLE Accounts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, status INTEGER, pwdchangestatus INTEGER, logoutreason INTEGER, commitstatus INTEGER, suggested_skypename TEXT, skypeout_balance_currency TEXT, skypeout_balance INTEGER, skypeout_precision INTEGER, skypein_numbers TEXT, subscriptions TEXT, cblsyncstatus INTEGER, offline_callforward TEXT, chat_policy INTEGER, skype_call_policy INTEGER, pstn_call_policy INTEGER, avatar_policy INTEGER, buddycount_policy INTEGER, timezone_policy INTEGER, webpresence_policy INTEGER, phonenumbers_policy INTEGER, voicemail_policy INTEGER, authrequest_policy INTEGER, ad_policy INTEGER, partner_optedout TEXT, service_provider_info TEXT, registration_timestamp INTEGER, nr_of_other_instances INTEGER, partner_channel_status TEXT, flamingo_xmpp_status INTEGER, federated_presence_policy INTEGER, liveid_membername TEXT, roaming_history_enabled INTEGER, cobrand_id INTEGER, owner_under_legal_age INTEGER, type INTEGER, skypename TEXT, pstnnumber TEXT, fullname TEXT, birthday INTEGER, gender INTEGER, languages TEXT, country TEXT, province TEXT, city TEXT, phone_home TEXT, phone_office TEXT, phone_mobile TEXT, emails TEXT, homepage TEXT, about TEXT, profile_timestamp INTEGER, received_authrequest TEXT, displayname TEXT, refreshing INTEGER, given_authlevel INTEGER, aliases TEXT, authreq_timestamp INTEGER, mood_text TEXT, timezone INTEGER, nrof_authed_buddies INTEGER, ipcountry TEXT, given_displayname TEXT, availability INTEGER, lastonline_timestamp INTEGER, capabilities BLOB, avatar_image BLOB, assigned_speeddial TEXT, lastused_timestamp INTEGER, authrequest_count INTEGER, assigned_comment TEXT, alertstring TEXT, avatar_timestamp INTEGER, mood_timestamp INTEGER, rich_mood_text TEXT, synced_email BLOB, set_availability INTEGER, options_change_future BLOB, cbl_profile_blob BLOB, authorized_time INTEGER, sent_authrequest TEXT, sent_authrequest_time INTEGER, sent_authrequest_serial INTEGER, buddyblob BLOB, cbl_future BLOB, node_capabilities INTEGER, node_capabilities_and INTEGER, revoked_auth INTEGER, added_in_shared_group INTEGER, in_shared_group INTEGER, authreq_history BLOB, profile_attachments BLOB, stack_version INTEGER, offline_authreq_id INTEGER, verified_email BLOB, verified_company BLOB, uses_jcs INTEGER)', 'Alerts': 'CREATE TABLE Alerts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, timestamp INTEGER, partner_name TEXT, is_unseen INTEGER, partner_id INTEGER, partner_event TEXT, partner_history TEXT, partner_header TEXT, partner_logo TEXT, meta_expiry INTEGER, message_header_caption TEXT, message_header_title TEXT, message_header_subject TEXT, message_header_cancel TEXT, message_header_later TEXT, message_content TEXT, message_footer TEXT, message_button_caption TEXT, message_button_uri TEXT, message_type INTEGER, window_size INTEGER, chatmsg_guid BLOB, notification_id INTEGER, event_flags INTEGER, extprop_hide_from_history INTEGER)', 'AppSchemaVersion': 'CREATE TABLE AppSchemaVersion (ClientVersion TEXT NOT NULL, SQLiteSchemaVersion INTEGER NOT NULL, SchemaUpdateType INTEGER NOT NULL)', 'CallMembers': 'CREATE TABLE CallMembers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, identity TEXT, dispname TEXT, languages TEXT, call_duration INTEGER, price_per_minute INTEGER, price_precision INTEGER, price_currency TEXT, payment_category TEXT, type INTEGER, status INTEGER, failurereason INTEGER, sounderror_code INTEGER, soundlevel INTEGER, pstn_statustext TEXT, pstn_feedback TEXT, forward_targets TEXT, forwarded_by TEXT, debuginfo TEXT, videostatus INTEGER, target_identity TEXT, mike_status INTEGER, is_read_only INTEGER, quality_status INTEGER, call_name TEXT, transfer_status INTEGER, transfer_active INTEGER, transferred_by TEXT, transferred_to TEXT, guid TEXT, next_redial_time INTEGER, nrof_redials_done INTEGER, nrof_redials_left INTEGER, transfer_topic TEXT, real_identity TEXT, start_timestamp INTEGER, is_conference INTEGER, quality_problems TEXT, identity_type INTEGER, country TEXT, creation_timestamp INTEGER, stats_xml TEXT, is_premium_video_sponsor INTEGER, is_multiparty_video_capable INTEGER, recovery_in_progress INTEGER, nonse_word TEXT, nr_of_delivered_push_notifications INTEGER, call_session_guid TEXT, version_string TEXT, pk_status INTEGER, call_db_id INTEGER, prime_status INTEGER)', 'Calls': 'CREATE TABLE Calls (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, begin_timestamp INTEGER, topic TEXT, is_muted INTEGER, is_unseen_missed INTEGER, host_identity TEXT, mike_status INTEGER, duration INTEGER, soundlevel INTEGER, access_token TEXT, active_members INTEGER, is_active INTEGER, name TEXT, video_disabled INTEGER, joined_existing INTEGER, server_identity TEXT, vaa_input_status INTEGER, is_incoming INTEGER, is_conference INTEGER, is_on_hold INTEGER, start_timestamp INTEGER, quality_problems TEXT, current_video_audience TEXT, premium_video_status INTEGER, premium_video_is_grace_period INTEGER, is_premium_video_sponsor INTEGER, premium_video_sponsor_list TEXT, old_members BLOB, partner_handle TEXT, partner_dispname TEXT, type INTEGER, status INTEGER, failurereason INTEGER, failurecode INTEGER, pstn_number TEXT, old_duration INTEGER, conf_participants BLOB, pstn_status TEXT, members BLOB, conv_dbid INTEGER)', 'ChatMembers': 'CREATE TABLE ChatMembers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, chatname TEXT, identity TEXT, role INTEGER, is_active INTEGER, cur_activities INTEGER, adder TEXT)', 'Chats': 'CREATE TABLE Chats (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, name TEXT, options INTEGER, friendlyname TEXT, description TEXT, timestamp INTEGER, activity_timestamp INTEGER, dialog_partner TEXT, adder TEXT, type INTEGER, mystatus INTEGER, myrole INTEGER, posters TEXT, participants TEXT, applicants TEXT, banned_users TEXT, name_text TEXT, topic TEXT, topic_xml TEXT, guidelines TEXT, picture BLOB, alertstring TEXT, is_bookmarked INTEGER, passwordhint TEXT, unconsumed_suppressed_msg INTEGER, unconsumed_normal_msg INTEGER, unconsumed_elevated_msg INTEGER, unconsumed_msg_voice INTEGER, activemembers TEXT, state_data BLOB, lifesigns INTEGER, last_change INTEGER, first_unread_message INTEGER, pk_type INTEGER, dbpath TEXT, split_friendlyname TEXT, conv_dbid INTEGER)', 'ContactGroups': 'CREATE TABLE ContactGroups (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, custom_group_id INTEGER, given_displayname TEXT, nrofcontacts INTEGER, nrofcontacts_online INTEGER, given_sortorder INTEGER, type_old INTEGER, proposer TEXT, description TEXT, associated_chat TEXT, members TEXT, cbl_id INTEGER, cbl_blob BLOB, fixed INTEGER, keep_sharedgroup_contacts INTEGER, chats TEXT, extprop_is_hidden INTEGER, extprop_sortorder_value INTEGER, extprop_is_expanded INTEGER)', 'Contacts': 'CREATE TABLE Contacts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, skypename TEXT, pstnnumber TEXT, aliases TEXT, fullname TEXT, birthday INTEGER, gender INTEGER, languages TEXT, country TEXT, province TEXT, city TEXT, phone_home TEXT, phone_office TEXT, phone_mobile TEXT, emails TEXT, hashed_emails TEXT, homepage TEXT, about TEXT, avatar_image BLOB, mood_text TEXT, rich_mood_text TEXT, timezone INTEGER, capabilities BLOB, profile_timestamp INTEGER, nrof_authed_buddies INTEGER, ipcountry TEXT, avatar_timestamp INTEGER, mood_timestamp INTEGER, received_authrequest TEXT, authreq_timestamp INTEGER, lastonline_timestamp INTEGER, availability INTEGER, displayname TEXT, refreshing INTEGER, given_authlevel INTEGER, given_displayname TEXT, assigned_speeddial TEXT, assigned_comment TEXT, alertstring TEXT, lastused_timestamp INTEGER, authrequest_count INTEGER, assigned_phone1 TEXT, assigned_phone1_label TEXT, assigned_phone2 TEXT, assigned_phone2_label TEXT, assigned_phone3 TEXT, assigned_phone3_label TEXT, buddystatus INTEGER, isauthorized INTEGER, popularity_ord INTEGER, external_id TEXT, external_system_id TEXT, isblocked INTEGER, authorization_certificate BLOB, certificate_send_count INTEGER, account_modification_serial_nr INTEGER, saved_directory_blob BLOB, nr_of_buddies INTEGER, server_synced INTEGER, contactlist_track INTEGER, last_used_networktime INTEGER, authorized_time INTEGER, sent_authrequest TEXT, sent_authrequest_time INTEGER, sent_authrequest_serial INTEGER, buddyblob BLOB, cbl_future BLOB, node_capabilities INTEGER, revoked_auth INTEGER, added_in_shared_group INTEGER, in_shared_group INTEGER, authreq_history BLOB, profile_attachments BLOB, stack_version INTEGER, offline_authreq_id INTEGER, node_capabilities_and INTEGER, authreq_crc INTEGER, authreq_src INTEGER, pop_score INTEGER, authreq_nodeinfo BLOB, main_phone TEXT, unified_servants TEXT, phone_home_normalized TEXT, phone_office_normalized TEXT, phone_mobile_normalized TEXT, sent_authrequest_initmethod INTEGER, authreq_initmethod INTEGER, verified_email BLOB, verified_company BLOB, sent_authrequest_extrasbitmask INTEGER, liveid_cid TEXT, extprop_seen_birthday INTEGER, extprop_sms_target INTEGER, extprop_external_data TEXT, extprop_must_hide_avatar INTEGER)', 'Conversations': 'CREATE TABLE Conversations (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, identity TEXT, type INTEGER, live_host TEXT, live_start_timestamp INTEGER, live_is_muted INTEGER, alert_string TEXT, is_bookmarked INTEGER, given_displayname TEXT, displayname TEXT, local_livestatus INTEGER, inbox_timestamp INTEGER, inbox_message_id INTEGER, unconsumed_suppressed_messages INTEGER, unconsumed_normal_messages INTEGER, unconsumed_elevated_messages INTEGER, unconsumed_messages_voice INTEGER, active_vm_id INTEGER, context_horizon INTEGER, consumption_horizon INTEGER, last_activity_timestamp INTEGER, active_invoice_message INTEGER, spawned_from_convo_id INTEGER, pinned_order INTEGER, creator TEXT, creation_timestamp INTEGER, my_status INTEGER, opt_joining_enabled INTEGER, opt_access_token TEXT, opt_entry_level_rank INTEGER, opt_disclose_history INTEGER, opt_history_limit_in_days INTEGER, opt_admin_only_activities INTEGER, passwordhint TEXT, meta_name TEXT, meta_topic TEXT, meta_guidelines TEXT, meta_picture BLOB, picture TEXT, is_p2p_migrated INTEGER, premium_video_status INTEGER, premium_video_is_grace_period INTEGER, guid TEXT, dialog_partner TEXT, meta_description TEXT, premium_video_sponsor_list TEXT, mcr_caller TEXT, chat_dbid INTEGER, history_horizon INTEGER, history_sync_state TEXT, thread_version TEXT, consumption_horizon_set_at INTEGER, alt_identity TEXT, extprop_profile_height INTEGER, extprop_chat_width INTEGER, extprop_chat_left_margin INTEGER, extprop_chat_right_margin INTEGER, extprop_entry_height INTEGER, extprop_windowpos_x INTEGER, extprop_windowpos_y INTEGER, extprop_windowpos_w INTEGER, extprop_windowpos_h INTEGER, extprop_window_maximized INTEGER, extprop_window_detached INTEGER, extprop_pinned_order INTEGER, extprop_new_in_inbox INTEGER, extprop_tab_order INTEGER, extprop_video_layout INTEGER, extprop_video_chat_height INTEGER, extprop_chat_avatar INTEGER, extprop_consumption_timestamp INTEGER, extprop_form_visible INTEGER, extprop_recovery_mode INTEGER)', 'DbMeta': 'CREATE TABLE DbMeta (key TEXT NOT NULL PRIMARY KEY, value TEXT)', 'LegacyMessages': 'CREATE TABLE LegacyMessages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER)', 'Messages': 'CREATE TABLE Messages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, convo_id INTEGER, chatname TEXT, author TEXT, from_dispname TEXT, author_was_live INTEGER, guid BLOB, dialog_partner TEXT, timestamp INTEGER, type INTEGER, sending_status INTEGER, consumption_status INTEGER, edited_by TEXT, edited_timestamp INTEGER, param_key INTEGER, param_value INTEGER, body_xml TEXT, identities TEXT, reason TEXT, leavereason INTEGER, participant_count INTEGER, error_code INTEGER, chatmsg_type INTEGER, chatmsg_status INTEGER, body_is_rawxml INTEGER, oldoptions INTEGER, newoptions INTEGER, newrole INTEGER, pk_id INTEGER, crc INTEGER, remote_id INTEGER, call_guid TEXT, extprop_contact_review_date TEXT, extprop_contact_received_stamp INTEGER, extprop_contact_reviewed INTEGER)', 'Participants': 'CREATE TABLE Participants (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, convo_id INTEGER, identity TEXT, rank INTEGER, requested_rank INTEGER, text_status INTEGER, voice_status INTEGER, video_status INTEGER, live_identity TEXT, live_price_for_me TEXT, live_fwd_identities TEXT, live_start_timestamp INTEGER, sound_level INTEGER, debuginfo TEXT, next_redial_time INTEGER, nrof_redials_left INTEGER, last_voice_error TEXT, quality_problems TEXT, live_type INTEGER, live_country TEXT, transferred_by TEXT, transferred_to TEXT, adder TEXT, last_leavereason INTEGER, is_premium_video_sponsor INTEGER, is_multiparty_video_capable INTEGER, live_identity_to_use TEXT, livesession_recovery_in_progress INTEGER, is_multiparty_video_updatable INTEGER, real_identity TEXT, extprop_default_identity INTEGER)', 'SMSes': 'CREATE TABLE SMSes (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, outgoing_reply_type INTEGER, status INTEGER, failurereason INTEGER, is_failed_unseen INTEGER, timestamp INTEGER, price INTEGER, price_precision INTEGER, price_currency TEXT, reply_to_number TEXT, target_numbers TEXT, target_statuses BLOB, body TEXT, chatmsg_id INTEGER, identity TEXT, notification_id INTEGER, event_flags INTEGER, reply_id_number TEXT, convo_name TEXT, extprop_hide_from_history INTEGER, extprop_extended INTEGER)', 'Transfers': 'CREATE TABLE Transfers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, partner_handle TEXT, partner_dispname TEXT, status INTEGER, failurereason INTEGER, starttime INTEGER, finishtime INTEGER, filepath TEXT, filename TEXT, filesize TEXT, bytestransferred TEXT, bytespersecond INTEGER, chatmsg_guid BLOB, chatmsg_index INTEGER, convo_id INTEGER, pk_id INTEGER, nodeid BLOB, last_activity INTEGER, flags INTEGER, old_status INTEGER, old_filepath INTEGER, accepttime INTEGER, parent_id INTEGER, offer_send_list TEXT, extprop_localfilename TEXT, extprop_hide_from_history INTEGER, extprop_window_visible INTEGER, extprop_handled_by_chat INTEGER)', 'VideoMessages': 'CREATE TABLE VideoMessages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, qik_id BLOB, attached_msg_ids TEXT, sharing_id TEXT, status INTEGER, vod_status INTEGER, vod_path TEXT, local_path TEXT, public_link TEXT, progress INTEGER, title TEXT, description TEXT, author TEXT, creation_timestamp INTEGER)', 'Videos': 'CREATE TABLE Videos (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, status INTEGER, error TEXT, debuginfo TEXT, dimensions TEXT, media_type INTEGER, duration_1080 INTEGER, duration_720 INTEGER, duration_hqv INTEGER, duration_vgad2 INTEGER, duration_ltvgad2 INTEGER, timestamp INTEGER, hq_present INTEGER, duration_ss INTEGER, ss_timestamp INTEGER, convo_id INTEGER, device_path TEXT)', 'Voicemails': 'CREATE TABLE Voicemails (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, partner_handle TEXT, partner_dispname TEXT, status INTEGER, failurereason INTEGER, subject TEXT, timestamp INTEGER, duration INTEGER, allowed_duration INTEGER, playback_progress INTEGER, convo_id INTEGER, chatmsg_guid BLOB, notification_id INTEGER, flags INTEGER, size INTEGER, path TEXT, failures INTEGER, vflags INTEGER, xmsg TEXT, extprop_hide_from_history INTEGER)'}]
class plaso.parsers.sqlite_plugins.skype.SkypeSMSEventData[source]

Bases: plaso.containers.events.EventData

Skype SMS event data.

number

phone number where the SMS was sent.

Type

str

text

text (SMS body) that was sent.

Type

str

DATA_TYPE = 'skype:event:sms'
class plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventData[source]

Bases: plaso.containers.events.EventData

Skype file transfer event data.

action_type

action type such as: “GETSOLICITUDE”, “SENDSOLICITUDE”, “ACCEPTED” or “FINISHED”.

Type

str

destination

account that received the file.

Type

str

source

account that sent the file.

Type

str

transferred_filename

name of the file transferred.

Type

str

transferred_filepath

path of the file transferred.

Type

str

transferred_filesize

size of the file transferred.

Type

int

DATA_TYPE = 'skype:event:transferfile'

plaso.parsers.sqlite_plugins.tango_android module

SQLite parser plugin for Tango on Android database files.

class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData[source]

Bases: plaso.containers.events.EventData

Tango on Android contact event data.

first_name

contact profile first name.

Type

str

last_name

contact profile last name.

Type

str

birthday

contact profile birthday.

Type

str

gender

contact profile gender.

Type

str

status

contact status message.

Type

str

distance

contact profile distance.

Type

int

is_friend

True if the contact is considered a friend.

Type

bool

friend_request_type

flag indicating the type of friend request sent for example outRequest for request sent or noRequest for no request.

Type

str

friend_request_message

message sent on friend request.

Type

str

DATA_TYPE = 'tango:android:contact'
class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidConversationEventData[source]

Bases: plaso.containers.events.EventData

Tango on Android conversation event data.

conversation_identifier

conversation identifier.

Type

int

DATA_TYPE = 'tango:android:conversation'
class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidMessageEventData[source]

Bases: plaso.containers.events.EventData

Tango on Android message event data.

message_identifier

message identifier.

Type

int

direction

flag indicating direction of the message.

Type

int

DATA_TYPE = 'tango:android:message'
class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidProfilePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Tango on Android profile database files.

DATA_FORMAT = 'Tango on Android profile SQLite database file'
NAME = 'tango_android_profile'
ParseContactRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a contact row from the database.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT itemLastActiveTime AS last_active_time, itemLastLocalAccessTime AS last_access_time, itemFriendRequestTime AS friend_request_time, itemFirstName AS first_name, itemLastName AS last_name, itemBirthday AS birthday, itemGender AS gender, itemStatus AS status, itemDistance AS distance, itemIsFriend AS friend, itemFriendRequestType AS friend_request_type, itemFriendRequestMessage AS friend_request_message FROM profiletable', 'ParseContactRow')]
REQUIRED_STRUCTURE = {'profiletable': frozenset({'itemBirthday', 'itemDistance', 'itemFirstName', 'itemFriendRequestMessage', 'itemFriendRequestTime', 'itemFriendRequestType', 'itemGender', 'itemIsFriend', 'itemLastActiveTime', 'itemLastLocalAccessTime', 'itemLastName', 'itemStatus'})}
SCHEMAS = [{'profiles': 'CREATE TABLE `profiles` (`key` TEXT PRIMARY KEY, `value` TEXT)', 'profiletable': 'CREATE TABLE `profiletable` (`itemUserId` TEXT PRIMARY KEY, `itemFirstName` TEXT NOT NULL, `itemLastName` TEXT NOT NULL, `itemBirthday` TEXT NOT NULL, `itemGender` TEXT NOT NULL, `itemStatus` TEXT NOT NULL, `itemLastActiveTime` BIGINT NOT NULL, `itemDistance` DOUBLE NOT NULL, `itemCity` TEXT NOT NULL, `itemGeoCountryCode` TEXT NOT NULL, `itemAvatarUrl` TEXT NOT NULL, `itemThumbnailUrl` TEXT NOT NULL, `itemVideoUrl` TEXT NOT NULL, `itemVideoThumbnailUrl` TEXT NOT NULL, `itemBackgroundUrl` TEXT NOT NULL, `itemIsFriend` INTEGER NOT NULL, `itemIsBlocked` INTEGER NOT NULL, `itemFriendRequestType` TEXT NOT NULL, `itemReverseRelationships` TEXT NOT NULL, `itemFavoriterCount` INTEGER NOT NULL, `itemFavoritingCount` INTEGER NOT NULL, `itemFeedCount` INTEGER NOT NULL, `itemRefereneCount` INTEGER NOT NULL, `itemLevel1DataSyncTime` BIGINT NOT NULL, `itemLevel2DataSyncTime` BIGINT NOT NULL, `itemLevel3DataSyncTime` BIGINT NOT NULL, `itemLevel4DataSyncTime` BIGINT NOT NULL, `itemLevel5DataSyncTime` BIGINT NOT NULL, `itemLastLocalAccessTime` BIGINT NOT NULL, `itemFriendRequestId` TEXT NOT NULL, `itemFriendRequestMessage` TEXT NOT NULL, `itemFriendRequestTime` BIGINT NOT NULL, `itemIsNewFriendRequest` INTEGER NOT NULL, `itemFriendRequestTCMessageId` INTEGER NOT NULL, `itemFriendRequestContext` TEXT NOT NULL, `itemFriendRequestAttachedPostType` INTEGER NOT NULL, `itemFriendRequestAttachedPostContent` TEXT NOT NULL, `itemFriendRequestHasBeenForwardedToTc` INTEGER NOT NULL, `itemProfileType` TEXT NOT NULL, `itemDatingAge` INTEGER NOT NULL, `itemDatingLocationString` TEXT NOT NULL, `itemDatingSeekingString` TEXT NOT NULL, `itemDatingEssayText` TEXT NOT NULL, `itemDatingBodyType` TEXT NOT NULL, `itemDatingLastActive` TEXT NOT NULL, `itemDatingProfileUrl` TEXT NOT NULL, `itemLastTimeOfLikeProfile` BIGINT NOT NULL, `itemIsHidden` INTEGER NOT NULL, `itemPrivacy` INTEGER NOT NULL, `itemCanSeeMyPost` INTEGER NOT NULL, `itemCanShareMyPost` INTEGER NOT NULL, `itemCanContactMe` INTEGER NOT NULL)'}]
class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Tango on Android TC database files.

DATA_FORMAT = 'Tango on Android TC SQLite database file'
NAME = 'tango_android_tc'
ParseConversationRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a conversation row from the database.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

ParseMessageRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a message row from the database.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT conversations.conv_id AS conv_id, conversations.payload AS payload FROM conversations', 'ParseConversationRow'), ('SELECT messages.create_time AS create_time, messages.send_time AS send_time, messages.msg_id AS msg_id, messages.payload AS payload, messages.direction AS direction FROM messages LEFT JOIN likes ON messages.msg_id = likes.msg_id', 'ParseMessageRow')]
REQUIRED_STRUCTURE = {'conversations': frozenset({'conv_id', 'payload'}), 'likes': frozenset({'msg_id'}), 'messages': frozenset({'create_time', 'direction', 'msg_id', 'payload', 'send_time'})}
SCHEMAS = [{'conversations': 'CREATE TABLE `conversations` (`conv_id` TEXT PRIMARY KEY, `conv_type` INTEGER DEFAULT 0, `payload` BLOB, `last_msg_id` INTEGER, `unread_count` INTEGER, `last_read_sent_msg_id` INTEGER, `conv_del_status` INTEGER DEFAULT 0, `deleting_ts` BIGINT DEFAULT 0, `conv_restore_status` INTEGER DEFAULT 0, `peers_read` TEXT, `total_received_msg_count` INTEGER DEFAULT -1, `communication_context` INTEGER DEFAULT 0)', 'games': 'CREATE TABLE `games` (`game_session_id` TEXT PRIMARY KEY, `message_id` INTEGER, `conversation_id` TEXT, `game_id` TEXT, `game_state` INTEGER, `action_timestamp` BIGINT, `current_player_account_id` TEXT)', 'likes': 'CREATE TABLE `likes` (`msg_id` INTEGER PRIMARY KEY, `global_msg_id` TEXT, `conv_id` TEXT, `liker_aid` TEXT, `act_type` INTEGER, `status` INTEGER, `act_ts` BIGINT, `payload` BLOB)', 'messages': 'CREATE TABLE `messages` (`msg_id` INTEGER PRIMARY KEY, `conv_id` TEXT, `type` INTEGER, `media_id` TEXT, `share_id` TEXT, `create_time` BIGINT, `send_time` BIGINT, `direction` INTEGER, `status` INTEGER, `payload` BLOB, `del_status` INTEGER)', 'profiles': 'CREATE TABLE `profiles` (`key` TEXT PRIMARY KEY, `value` TEXT)', 'receipts': 'CREATE TABLE `receipts` (`conv_id` TEXT PRIMARY KEY, `msg_id` INTEGER, `sender_msg_id` INTEGER, `sender_aids` TEXT, `type` INTEGER, `create_time` BIGINT, `status` INTEGER, `payload` BLOB)', 'sms': 'CREATE TABLE `sms` (`msg_id` INTEGER PRIMARY KEY, `phonenumber` TEXT, `text` TEXT)'}]

plaso.parsers.sqlite_plugins.twitter_android module

SQLite parser plugin for Twitter on Android database files.

class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData[source]

Bases: plaso.containers.events.EventData

Twitter on Android contact event data.

identifier

contact row id.

Type

int

user_identifier

twitter account id.

Type

int

username

twitter account handler.

Type

str

name

twitter account name.

Type

str

description

twitter account profile description.

Type

str

web_url

twitter account profile url content.

Type

str

location

twitter account profile location content.

Type

str

followers

number of followers.

Type

int

friends

number of following.

Type

int

statuses

twitter account number of tweets.

Type

int

image_url

profile picture url.

Type

str

DATA_TYPE = 'twitter:android:contact'
class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Twitter on Android database files.

DATA_FORMAT = 'Twitter on Android SQLite database file'
NAME = 'twitter_android'
ParseContactRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a status row from the database.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

ParseSearchRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a search row from the database.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

ParseStatusRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a status row from the database.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT name, query, time FROM search_queries', 'ParseSearchRow'), ('SELECT statuses._id AS _id, statuses.author_id AS author_id, users.username AS username, statuses.content AS content, statuses.created AS time, statuses.favorited AS favorited, statuses.retweeted AS retweeted FROM statuses LEFT JOIN users ON statuses.author_id = users.user_id', 'ParseStatusRow'), ('SELECT _id, user_id, username, name, profile_created, description, web_url, location, followers, friends, statuses, image_url, updated, friendship_time FROM users', 'ParseContactRow')]
REQUIRED_STRUCTURE = {'search_queries': frozenset({'name', 'query', 'time'}), 'statuses': frozenset({'_id', 'author_id', 'content', 'created', 'favorited', 'retweeted'}), 'users': frozenset({'_id', 'description', 'followers', 'friends', 'friendship_time', 'image_url', 'location', 'name', 'profile_created', 'statuses', 'updated', 'user_id', 'username', 'web_url'})}
SCHEMAS = [{'activities': 'CREATE TABLE activities (_id INTEGER PRIMARY KEY,type INT,event INT,created_at INT,hash INT,max_position INT,min_position INT,sources_size INT,source_type INT,sources BLOB,targets_size INT,target_type INT,targets BLOB,target_objects_size INT,target_object_type INT,target_objects BLOB,is_last INT,tag INT,magic_rec_id INT,UNIQUE (type, max_position) ON CONFLICT REPLACE)', 'ads_account_permissions': 'CREATE TABLE ads_account_permissions (_id INTEGER PRIMARY KEY,promotable_users BLOB,last_synced INT NOT NULL)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'business_profiles': 'CREATE TABLE business_profiles (_id INTEGER PRIMARY KEY,user_id INT UNIQUE NOT NULL,business_profile BLOB,last_synced INT NOT NULL)', 'card_state': 'CREATE TABLE card_state (_id INTEGER PRIMARY KEY AUTOINCREMENT,card_status_id INT,card_id INT, card_state BLOB)', 'category_timestamp': 'CREATE TABLE category_timestamp (_id INTEGER PRIMARY KEY,cat_status_id INT NOT NULL,cat_tag INT NOT NULL,cat_timestamp INT NOT NULL)', 'clusters': 'CREATE TABLE clusters (_id INTEGER PRIMARY KEY,cl_cluster_id TEXT UNIQUE NOT NULL,cl_type INT,cl_title TEXT,cl_subtitle TEXT,cl_size INT,cl_timestamp INT,cl_content BLOB)', 'conversation_entries': 'CREATE TABLE conversation_entries (_id INTEGER PRIMARY KEY,entry_id INT UNIQUE NOT NULL,sort_entry_id INT UNIQUE NOT NULL,conversation_id TEXT,user_id INT,created INT,entry_type INT,data BLOB,request_id TEXT)', 'conversation_participants': 'CREATE TABLE conversation_participants (_id INTEGER PRIMARY KEY,conversation_id TEXT NOT NULL,user_id TEXT NOT NULL,join_time INT NOT NULL,participant_type INT NOT NULL)', 'conversations': 'CREATE TABLE conversations (_id INTEGER PRIMARY KEY,conversation_id TEXT UNIQUE NOT NULL,title TEXT,avatar_url TEXT,type INT,sort_event_id BIGINT,last_readable_event_id BIGINT,last_read_event_id BIGINT,sort_timestamp BIGINT,is_muted INT,min_event_id BIGINT,is_hidden INT,has_more INT,read_only INT)', 'cursors': 'CREATE TABLE cursors (_id INTEGER PRIMARY KEY,kind INT,type INT,owner_id INT,ref_id TEXT,next TEXT)', 'dismiss_info': 'CREATE TABLE dismiss_info(timeline_id INTEGER REFERENCES timeline(_id),feedback_action_id INTEGER REFERENCES feedback_action(_id),UNIQUE(timeline_id,feedback_action_id))', 'feedback_action': 'CREATE TABLE feedback_action(_id INTEGER PRIMARY KEY AUTOINCREMENT,feedback_type TEXT,prompt TEXT,confirmation TEXT,UNIQUE(feedback_type,prompt,confirmation))', 'list_mapping': 'CREATE TABLE list_mapping (_id INTEGER PRIMARY KEY,list_mapping_list_id TEXT,list_mapping_type INT,list_mapping_user_id INT,list_is_last INT)', 'locations': 'CREATE TABLE locations (_id INTEGER PRIMARY KEY,name TEXT,woeid INT,country TEXT,country_code TEXT)', 'moments': 'CREATE TABLE moments (_id INTEGER PRIMARY KEY,title TEXT NOT NULL,can_subscribe INT,is_live INT,is_sensitive INT,subcategory_string TEXT,subcategory_favicon_url TEXT,time_string TEXT,duration_string TEXT,is_subscribed INT,description TEXT NOT NULL,moment_url TEXT,num_subscribers INT,author_info BLOB,promoted_content BLOB)', 'moments_guide': 'CREATE TABLE moments_guide (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,section_id INT NOT NULL,tweet_id INT NOT NULL, crop_data BLOB,media_id INT,media_url TEXT,media_size BLOB,FOREIGN KEY(section_id) REFERENCES moments_sections(_id) ON DELETE CASCADE)', 'moments_guide_categories': 'CREATE TABLE moments_guide_categories (_id INTEGER PRIMARY KEY,category_id TEXT NOT NULL,is_default_category INT NOT NULL,category_name TEXT NOT NULL,fetch_timestamp INT NOT NULL)', 'moments_guide_user_states': 'CREATE TABLE moments_guide_user_states (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,is_read INT,is_updated INT,FOREIGN KEY(moment_id) REFERENCES moments(_id) ON DELETE CASCADE)', 'moments_pages': 'CREATE TABLE moments_pages (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,page_id TEXT,type BLOB,tweet_id INT,display_mode BLOB,page_number INT,crop_data BLOB,theme_data BLOB,media_id INT,media_size BLOB,media_url TEXT,last_read_timestamp INT,FOREIGN KEY(moment_id) REFERENCES moments(_id))', 'moments_sections': 'CREATE TABLE moments_sections (_id INTEGER PRIMARY KEY,section_title TEXT,section_type BLOB NOT NULL,section_group_id TEXT,section_group_type INT NOT NULL)', 'moments_visit_badge': 'CREATE TABLE moments_visit_badge (_id INTEGER PRIMARY KEY,moment_id INT UNIQUE NOT NULL,is_new_since_visit INT,is_updated_since_visit INT)', 'news': 'CREATE TABLE news (_id INTEGER PRIMARY KEY AUTOINCREMENT,country TEXT,language TEXT,topic_id INT,news_id TEXT,title TEXT,image_url TEXT,author_name TEXT,article_description TEXT,article_url TEXT,tweet_count INT,start_time INT,news_id_hash INT)', 'notifications': 'CREATE TABLE notifications (_id INTEGER PRIMARY KEY,type INT,notif_id INT,source_user_name TEXT,s_name TEXT,s_id INT,notif_txt TEXT,aggregation_data TEXT,notif_extra_data BLOB)', 'one_click': 'CREATE TABLE one_click (_id INTEGER PRIMARY KEY,topic TEXT,filter_name TEXT,filter_location TEXT,filter_follow INT)', 'order_history': 'CREATE TABLE order_history (_id INTEGER PRIMARY KEY,ordered_at INT ,order_id INT ,data BLOB)', 'promoted_retry': 'CREATE TABLE promoted_retry(impression_id TEXT,event INT NOT NULL,is_earned INT NOT NULL,trend_id INT,num_retries INT NOT NULL,url TEXT,video_playlist_url TEXT,video_content_uuid TEXT,video_content_type TEXT,video_cta_url TEXT,video_cta_app_id TEXT,video_cta_app_name TEXT,card_event TEXT,PRIMARY KEY(impression_id,event,is_earned,trend_id))', 'prompts': 'CREATE TABLE prompts (_id INTEGER PRIMARY KEY,p_id INT,p_format TEXT,p_template TEXT,p_header TEXT,p_text TEXT,p_action_text TEXT,p_action_url TEXT,p_icon TEXT,p_background_image_url TEXT,p_persistence TEXT,p_entities BLOB,p_header_entities BLOB,p_status_id LONG,p_insertion_index INT,p_trigger TEXT)', 'rankings': 'CREATE TABLE rankings (_id INTEGER PRIMARY KEY AUTOINCREMENT,country TEXT,language TEXT,granularity TEXT,category TEXT,date INT)', 'search_queries': 'CREATE TABLE search_queries (_id INTEGER PRIMARY KEY,type INT,name TEXT NOT NULL,query TEXT NOT NULL,query_id INT,time INT,latitude REAL,longitude REAL,radius REAL,location TEXT,pc BLOB,cluster_titles BLOB)', 'search_results': 'CREATE TABLE search_results (_id INTEGER PRIMARY KEY,search_id INT,s_type INT,data_type INT,type_id INT,polled INT,data_id INT,related_data BLOB,cluster_id INT)', 'search_suggestion_metadata': 'CREATE TABLE search_suggestion_metadata (_id INTEGER PRIMARY KEY,type INT,last_update LONG)', 'status_groups': 'CREATE TABLE status_groups (_id INTEGER PRIMARY KEY,tweet_type INT DEFAULT 0,type INT,sender_id INT,owner_id INT,ref_id INT,tag INT,g_status_id INT,is_read INT,page INT,is_last INT,updated_at INT,timeline INT,pc BLOB,g_flags INT,preview_draft_id INT,preview_media BLOB,tweet_pivots BLOB)', 'status_metadata': 'CREATE TABLE status_metadata (_id INTEGER PRIMARY KEY,owner_id INT NOT NULL,status_id INT NOT NULL,status_group INT NOT NULL,status_group_tag INT NOT NULL,soc_type INT,soc_name TEXT,soc_second_name TEXT,soc_others_count INT,soc_fav_count INT,soc_rt_count INT,reason_icon_type TEXT,reason_text TEXT,scribe_component TEXT,scribe_data BLOB,highlights TEXT)', 'statuses': 'CREATE TABLE statuses (_id INTEGER PRIMARY KEY,status_id INT UNIQUE NOT NULL,author_id INT,content TEXT,source TEXT,created INT,in_r_user_id INT,in_r_status_id INT,favorited INT,latitude TEXT,longitude TEXT,place_data BLOB,entities TEXT,retweet_count INT,r_content TEXT,cards BLOB,flags INT,favorite_count INT,lang TEXT,supplemental_language TEXT,view_count INT,quoted_tweet_data BLOB,quoted_tweet_id INT,retweeted INT)', 'stories': 'CREATE TABLE stories ( _id INTEGER PRIMARY KEY,story_id TEXT,story_order INT,story_type INT,story_proof_type INT,story_proof_addl_count INT,data_type INT,data_id INT,story_is_read INT,story_meta_title TEXT,story_meta_subtitle TEXT,story_meta_query TEXT,story_meta_header_img_url TEXT,story_source TEXT,story_impression_info TEXT,story_tag INT)', 'timeline': 'CREATE TABLE timeline (_id INTEGER PRIMARY KEY AUTOINCREMENT,owner_id INT,type INT,sort_index INT,entity_id INT,entity_type INT,data_type INT,data_type_group INT,data_type_tag INT,timeline_tag TEXT,timeline_group_id INT,timeline_scribe_group_id INT,data_id INT,data BLOB,flags INT,updated_at INT,data_origin_id TEXT,is_last INT,is_read INT,scribe_content BLOB,timeline_moment_info BLOB,dismissed INT NOT NULL DEFAULT 0,dismiss_actions INT NOT NULL DEFAULT 0)', 'tokens': 'CREATE TABLE tokens (_id INTEGER PRIMARY KEY,text TEXT,weight INT,type INT,ref_id INT)', 'topics': 'CREATE TABLE topics (_id INTEGER PRIMARY KEY,ev_id TEXT UNIQUE NOT NULL,ev_type INT,ev_query TEXT NOT NULL,ev_seed_hashtag TEXT,ev_title STRING,ev_subtitle STRING,ev_view_url STRING,ev_status STRING,ev_image_url TEXT,ev_explanation TEXT,ev_tweet_count INT,ev_start_time INT,ev_owner_id INT,ev_pc BLOB,ev_content BLOB,ev_hash INT)', 'user_groups': 'CREATE TABLE user_groups (_id INTEGER PRIMARY KEY,type INT,tag INT,rank INT,owner_id INT,user_id INT,is_last INT,pc BLOB,g_flags INT)', 'user_metadata': 'CREATE TABLE user_metadata (_id INTEGER PRIMARY KEY,owner_id INT NOT NULL,user_id INT NOT NULL,user_group_type INT NOT NULL,user_group_tag INT NOT NULL,soc_type INT,soc_name TEXT,soc_follow_count INT,user_title TEXT,token TEXT)', 'users': 'CREATE TABLE users (_id INTEGER PRIMARY KEY,user_id INT UNIQUE NOT NULL,username TEXT,name TEXT,description TEXT,web_url TEXT,bg_color INT,location TEXT,structured_location BLOB,user_flags INT,followers INT,fast_followers INT DEFAULT 0,friends INT,statuses INT,profile_created INT,image_url TEXT,hash INT,updated INT,friendship INT,friendship_time INT,favorites INT DEFAULT 0,header_url TEXT,description_entities BLOB,url_entities BLOB,media_count INT,extended_profile_fields BLOB,pinned_tweet_id INT,link_color INT,advertiser_type TEXT,business_profile_state TEXT)'}]
class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidSearchEventData[source]

Bases: plaso.containers.events.EventData

Twitter on Android search event data.

name

twitter name handler.

Type

str

search_query

search query.

Type

str

DATA_TYPE = 'twitter:android:search'
class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventData[source]

Bases: plaso.containers.events.EventData

Twitter on Android status event data.

identifier

status row identifier.

Type

int

author_identifier

twitter account identifier.

Type

int

username

twitter account handler.

Type

str

content

status content.

Type

str

favorited

favorited flag as 0/1 value.

Type

int

retweeted

retweeted flag as 0/1 value.

Type

int

DATA_TYPE = 'twitter:android:status'

plaso.parsers.sqlite_plugins.twitter_ios module

SQLite parser plugin for Twitter on iOS 8+ database files.

class plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData[source]

Bases: plaso.containers.events.EventData

Twitter on iOS 8+ contact event data.

description

description of the profile.

Type

str

followers_count

number of accounts following the contact.

Type

int

following_count

number of accounts the contact is following.

Type

int

following

1 if the contact is following the user’s account, 0 if not.

Type

int

location

location of the profile.

Type

str

name

name of the profile.

Type

str

profile_url

URL of the profile picture.

Type

str

screen_name

screen name.

Type

str

url

URL of the profile.

Type

str

DATA_TYPE = 'twitter:ios:contact'
class plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Twitter on iOS 8+ database files.

The Twitter on iOS 8+ database file is typically stored in: /private/var/mobile/Containers/Data/Application/Library/Caches/databases/ twitter.db

DATA_FORMAT = 'Twitter on iOS 8 and later SQLite database (twitter.db) file'
NAME = 'twitter_ios'
ParseContactRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a contact row from the database.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

ParseStatusRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a contact row from the database.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT createdDate, updatedAt, screenName, name, profileImageUrl,location, description, url, following, followersCount, followingCount FROM Users ORDER BY createdDate', 'ParseContactRow'), ('SELECT Statuses.date AS date, Statuses.text AS text, Statuses.userId AS user_id, Users.name AS name, Statuses.retweetCount AS retweetCount, Statuses.favoriteCount AS favoriteCount, Statuses.favorited AS favorited, Statuses.updatedAt AS updatedAt FROM Statuses LEFT join Users ON Statuses.userId = Users.id ORDER BY date', 'ParseStatusRow')]
REQUIRED_STRUCTURE = {'Statuses': frozenset({'date', 'favoriteCount', 'favorited', 'retweetCount', 'text', 'updatedAt', 'userId'}), 'Users': frozenset({'createdDate', 'description', 'followersCount', 'following', 'followingCount', 'id', 'location', 'name', 'profileImageUrl', 'screenName', 'updatedAt', 'url'})}
SCHEMAS = [{'Lists': "CREATE TABLE Lists ( 'id' INTEGER PRIMARY KEY, 'name' TEXT, 'slug' TEXT, 'desc' TEXT, 'private' INTEGER, 'subscriberCount' INTEGER, 'memberCount' INTEGER, 'userId' INTEGER, 'updatedAt' REAL )", 'ListsShadow': "CREATE TABLE ListsShadow ( 'id' INTEGER PRIMARY KEY, 'name' TEXT, 'slug' TEXT, 'desc' TEXT, 'private' INTEGER, 'subscriberCount' INTEGER, 'memberCount' INTEGER, 'userId' INTEGER, 'updatedAt' REAL )", 'MyRetweets': "CREATE TABLE MyRetweets ( 'statusId' INTEGER PRIMARY KEY, 'myRetweetId' INTEGER )", 'Statuses': "CREATE TABLE Statuses ( 'id' INTEGER PRIMARY KEY, 'text' TEXT, 'date' REAL, 'userId' INTEGER, 'inReplyToStatusId' INTEGER, 'retweetedStatusId' INTEGER, 'geotag' BLOB, 'entities' BLOB, 'card' BLOB, 'cardUsers' BLOB, 'primaryCardType' INTEGER, 'cardVersion' INTEGER, 'retweetCount' INTEGER, 'favoriteCount' INTEGER, 'favorited' INTEGER, 'updatedAt' REAL, 'extraScribeItem' BLOB, 'withheldScope' TEXT, 'withheldInCountries' TEXT, 'inReplyToUsername' TEXT, 'possiblySensitive' INTEGER, 'isPossiblySensitiveAppealable' INTEGER, 'isLifelineAlert' INTEGER, 'isTruncated' INTEGER, 'previewLength' INTEGER, 'fullTextLength' INTEGER, 'lang' TEXT, 'supplmentalLanguage' TEXT, 'includeInProfileTimeline' INTEGER, 'quotedStatusId' INTEGER, 'source' TEXT )", 'StatusesShadow': "CREATE TABLE StatusesShadow ( 'id' INTEGER PRIMARY KEY, 'text' TEXT, 'date' REAL, 'userId' INTEGER, 'inReplyToStatusId' INTEGER, 'retweetedStatusId' INTEGER, 'geotag' BLOB, 'entities' BLOB, 'card' BLOB, 'cardUsers' BLOB, 'primaryCardType' INTEGER, 'cardVersion' INTEGER, 'retweetCount' INTEGER, 'favoriteCount' INTEGER, 'favorited' INTEGER, 'updatedAt' REAL, 'extraScribeItem' BLOB, 'withheldScope' TEXT, 'withheldInCountries' TEXT, 'inReplyToUsername' TEXT, 'possiblySensitive' INTEGER, 'isPossiblySensitiveAppealable' INTEGER, 'isLifelineAlert' INTEGER, 'isTruncated' INTEGER, 'previewLength' INTEGER, 'fullTextLength' INTEGER, 'lang' TEXT, 'supplementalLanguage' TEXT, 'includeInProfileTimeline' INTEGER, 'quotedStatusId' INTEGER, 'source' TEXT )", 'Users': "CREATE TABLE Users ( 'id' INTEGER PRIMARY KEY, 'screenName' TEXT COLLATE NOCASE, 'profileImageUrl' TEXT, 'profileBannerUrl' TEXT, 'profileLinkColorHexTriplet' INTEGER, 'name' TEXT, 'location' TEXT, 'structuredLocation' BLOB, 'description' TEXT, 'url' TEXT, 'urlEntities' BLOB, 'bioEntities' BLOB, 'protected' INTEGER, 'verified' INTEGER, 'following' INTEGER, 'deviceFollowing' INTEGER, 'advertiserAccountType' INTEGER, 'statusesCount' INTEGER, 'mediaCount' INTEGER, 'favoritesCount' INTEGER, 'followingCount' INTEGER, 'followersCount' INTEGER, 'followersCountFast' INTEGER, 'followersCountNormal' INTEGER, 'couldBeStale' INTEGER, 'isLifelineInstitution' INTEGER, 'hasCollections' INTEGER, 'updatedAt' REAL, 'createdDate' REAL, 'isTranslator' INTEGER, 'hasExtendedProfileFields' INTEGER, 'extendedProfileFields' BLOB, 'pinnedTweetId' INTEGER, 'businessProfileState' INTEGER, 'analyticsType' INTEGER )", 'UsersShadow': "CREATE TABLE UsersShadow ( 'id' INTEGER PRIMARY KEY, 'screenName' TEXT COLLATE NOCASE, 'profileImageUrl' TEXT, 'profileBannerUrl' TEXT, 'profileLinkColorHexTriplet' INTEGER, 'name' TEXT, 'location' TEXT, 'structuredLocation' BLOB, 'description' TEXT, 'url' TEXT, 'urlEntities' BLOB, 'bioEntities' BLOB, 'protected' INTEGER, 'verified' INTEGER, 'following' INTEGER, 'deviceFollowing' INTEGER, 'advertiserAccountType' INTEGER, 'statusesCount' INTEGER, 'mediaCount' INTEGER, 'favoritesCount' INTEGER, 'followingCount' INTEGER, 'followersCount' INTEGER, 'followersCountFast' INTEGER, 'followersCountNormal' INTEGER, 'couldBeStale' INTEGER, 'isLifelineInstitution' INTEGER, 'hasCollections' INTEGER, 'updatedAt' REAL, 'createdDate' REAL, 'isTranslator' INTEGER, 'hasExtendedProfileFields' INTEGER, 'extendedProfileFields' BLOB, 'pinnedTweetId' INTEGER, 'businessProfileState' INTEGER, 'analyticsType' INTEGER )"}]
class plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData[source]

Bases: plaso.containers.events.EventData

Parent class for Twitter on iOS 8+ status events.

favorite_count

number of times the status message has been favorited.

Type

int

favorited

value to mark status as favorite by the account.

Type

int

name

user’s profile name.

Type

str

retweet_count

number of times the status message has been retweeted.

Type

str

text

content of the status message.

Type

str

user_id

user unique identifier.

Type

int

DATA_TYPE = 'twitter:ios:status'

plaso.parsers.sqlite_plugins.windows_timeline module

SQLite parser plugin for Windows 10 Timeline database files.

class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineGenericEventData[source]

Bases: plaso.containers.events.EventData

Windows Timeline database generic event data.

package_identifier

the package ID or path to the executable run. Depending on the program, this either looks like a path (for example, c:python34python.exe) or like a package name (for example Docker.DockerForWindows.Settings).

Type

str

description

this is an optional field, used to describe the action in the timeline view, and is usually populated with the path of the file currently open in the program described by package_identifier. Otherwise None.

Type

str

application_display_name

a more human-friendly version of the package_identifier, such as ‘Docker for Windows’ or ‘Microsoft Store’.

Type

str

DATA_TYPE = 'windows:timeline:generic'
class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Windows 10 Timeline database files.

The Windows 10 Timeline database file is typically stored in: %APPDATA%LocalConnectedDevicesPlatformL.<username>ActivitiesCache.db

DATA_FORMAT = 'Windows 10 Timeline SQLite database (ActivitiesCache.db) file'
NAME = 'windows_timeline'
ParseGenericRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a generic windows timeline row.

Args: parser_mediator (ParserMediator): mediates interactions between parsers

and other components, such as storage and dfvfs.

query (str): query that created the row. row (sqlite3.Row): row.

ParseUserEngagedRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a timeline row that describes a user interacting with an app.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT StartTime, Payload, PackageName FROM Activity INNER JOIN Activity_PackageId ON Activity.Id = Activity_PackageId.ActivityId WHERE instr(Payload, "UserEngaged") > 0 AND Platform = "packageid"', 'ParseUserEngagedRow'), ('SELECT StartTime, Payload, AppId FROM Activity WHERE instr(Payload, "UserEngaged") = 0', 'ParseGenericRow')]
REQUIRED_STRUCTURE = {'Activity': frozenset({'AppId', 'Id', 'PackageName', 'Payload', 'StartTime'}), 'Activity_PackageId': frozenset({'ActivityId'})}
SCHEMAS = [{'Activity': 'CREATE TABLE [Activity]([Id] GUID PRIMARY KEY NOT NULL, [AppId] TEXT NOT NULL, [PackageIdHash] TEXT, [AppActivityId] TEXT, [ActivityType] INT NOT NULL, [ActivityStatus] INT NOT NULL, [ParentActivityId] GUID, [Tag] TEXT, [Group] TEXT, [MatchId] TEXT, [LastModifiedTime] DATETIME NOT NULL, [ExpirationTime] DATETIME, [Payload] BLOB, [Priority] INT, [IsLocalOnly] INT, [PlatformDeviceId] TEXT, [CreatedInCloud] DATETIME, [StartTime] DATETIME, [EndTime] DATETIME, [LastModifiedOnClient] DATETIME, [GroupAppActivityId] TEXT, [ClipboardPayload] BLOB, [EnterpriseId] TEXT, [OriginalPayload] BLOB, [OriginalLastModifiedOnClient] DATETIME, [ETag] INT NOT NULL)', 'ActivityAssetCache': 'CREATE TABLE [ActivityAssetCache]([ResourceId] INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, [AppId] TEXT NOT NULL, [AssetHash] TEXT NOT NULL, [TimeToLive] DATETIME NOT NULL, [AssetUri] TEXT, [AssetId] TEXT, [AssetKey] TEXT, [Contents] BLOB)', 'ActivityOperation': 'CREATE TABLE [ActivityOperation]([OperationOrder] INTEGER PRIMARY KEY ASC NOT NULL, [Id] GUID NOT NULL, [OperationType] INT NOT NULL, [AppId] TEXT NOT NULL, [PackageIdHash] TEXT, [AppActivityId] TEXT, [ActivityType] INT NOT NULL, [ParentActivityId] GUID, [Tag] TEXT, [Group] TEXT, [MatchId] TEXT, [LastModifiedTime] DATETIME NOT NULL, [ExpirationTime] DATETIME, [Payload] BLOB, [Priority] INT, [CreatedTime] DATETIME, [Attachments] TEXT, [PlatformDeviceId] TEXT, [CreatedInCloud] DATETIME, [StartTime] DATETIME NOT NULL, [EndTime] DATETIME, [LastModifiedOnClient] DATETIME NOT NULL, [CorrelationVector] TEXT, [GroupAppActivityId] TEXT, [ClipboardPayload] BLOB, [EnterpriseId] TEXT, [OriginalPayload] BLOB, [OriginalLastModifiedOnClient] DATETIME, [ETag] INT NOT NULL)', 'Activity_PackageId': 'CREATE TABLE [Activity_PackageId]([ActivityId] GUID NOT NULL, [Platform] TEXT NOT NULL, [PackageName] TEXT NOT NULL, [ExpirationTime] DATETIME NOT NULL)', 'AppSettings': 'CREATE TABLE [AppSettings]([AppId] TEXT PRIMARY KEY NOT NULL, [SettingsPropertyBag] BLOB, [AppTitle] TEXT, [Logo4141] TEXT)', 'ManualSequence': 'CREATE TABLE [ManualSequence]([Key] TEXT PRIMARY KEY NOT NULL, [Value] INT NOT NULL)', 'Metadata': 'CREATE TABLE [Metadata]([Key] TEXT PRIMARY KEY NOT NULL, [Value] TEXT)'}]
class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineUserEngagedEventData[source]

Bases: plaso.containers.events.EventData

Windows Timeline database User Engaged event data.

Contains information describing how long a user interacted with an application for.

package_identifier

the package ID or location of the executable the user interacted with.

Type

str

reporting_app

the name of the application that reported the user’s interaction. This is the name of a monitoring tool, for example “ShellActivityMonitor”.

Type

str

active_duration_seconds

the number of seconds the user spent interacting with the program.

Type

int

DATA_TYPE = 'windows:timeline:user_engaged'

plaso.parsers.sqlite_plugins.zeitgeist module

SQLite parser plugin for Zeitgeist activity database files.

class plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Zeitgeist activity database files.

Zeitgeist is a service which logs the user activities and events, anywhere from files opened to websites visited and conversations.

DATA_FORMAT = 'Zeitgeist activity SQLite database file'
NAME = 'zeitgeist'
ParseZeitgeistEventRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a zeitgeist event row.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT id, timestamp, subj_uri FROM event_view', 'ParseZeitgeistEventRow')]
REQUIRED_STRUCTURE = {'actor': frozenset({}), 'event': frozenset({'id', 'timestamp'}), 'event_view': frozenset({'id', 'subj_uri', 'timestamp'})}
SCHEMAS = [{'actor': 'CREATE TABLE actor ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'event': 'CREATE TABLE event ( id INTEGER, timestamp INTEGER, interpretation INTEGER, manifestation INTEGER, actor INTEGER, payload INTEGER, subj_id INTEGER, subj_interpretation INTEGER, subj_manifestation INTEGER, subj_origin INTEGER, subj_mimetype INTEGER, subj_text INTEGER, subj_storage INTEGER, origin INTEGER, subj_id_current INTEGER, CONSTRAINT interpretation_fk FOREIGN KEY(interpretation) REFERENCES interpretation(id) ON DELETE CASCADE, CONSTRAINT manifestation_fk FOREIGN KEY(manifestation) REFERENCES manifestation(id) ON DELETE CASCADE, CONSTRAINT actor_fk FOREIGN KEY(actor) REFERENCES actor(id) ON DELETE CASCADE, CONSTRAINT origin_fk FOREIGN KEY(origin) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT payload_fk FOREIGN KEY(payload) REFERENCES payload(id) ON DELETE CASCADE, CONSTRAINT subj_id_fk FOREIGN KEY(subj_id) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_id_current_fk FOREIGN KEY(subj_id_current) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_interpretation_fk FOREIGN KEY(subj_interpretation) REFERENCES interpretation(id) ON DELETE CASCADE, CONSTRAINT subj_manifestation_fk FOREIGN KEY(subj_manifestation) REFERENCES manifestation(id) ON DELETE CASCADE, CONSTRAINT subj_origin_fk FOREIGN KEY(subj_origin) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_mimetype_fk FOREIGN KEY(subj_mimetype) REFERENCES mimetype(id) ON DELETE CASCADE, CONSTRAINT subj_text_fk FOREIGN KEY(subj_text) REFERENCES text(id) ON DELETE CASCADE, CONSTRAINT subj_storage_fk FOREIGN KEY(subj_storage) REFERENCES storage(id) ON DELETE CASCADE, CONSTRAINT unique_event UNIQUE (timestamp, interpretation, manifestation, actor, subj_id) )', 'extensions_conf': 'CREATE TABLE extensions_conf ( extension VARCHAR, key VARCHAR, value BLOB, CONSTRAINT unique_extension UNIQUE (extension, key) )', 'interpretation': 'CREATE TABLE interpretation ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'manifestation': 'CREATE TABLE manifestation ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'mimetype': 'CREATE TABLE mimetype ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'payload': 'CREATE TABLE payload (id INTEGER PRIMARY KEY, value BLOB)', 'schema_version': 'CREATE TABLE schema_version ( schema VARCHAR PRIMARY KEY ON CONFLICT REPLACE, version INT )', 'storage': 'CREATE TABLE storage ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE, state INTEGER, icon VARCHAR, display_name VARCHAR )', 'text': 'CREATE TABLE text ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE )', 'uri': 'CREATE TABLE uri ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE )'}]
class plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityEventData[source]

Bases: plaso.containers.events.EventData

Zeitgeist activity event data.

subject_uri

subject URI.

Type

str

DATA_TYPE = 'zeitgeist:activity'

Module contents

Imports for the SQLite database parser plugins.