Source code for plaso.parsers.sqlite_plugins.chrome_autofill

# -*- coding: utf-8 -*-
"""SQLite parser plugin for Google Chrome autofill database (Web Data) files."""

from dfdatetime import posix_time as dfdatetime_posix_time

from plaso.containers import events
from plaso.parsers import sqlite
from plaso.parsers.sqlite_plugins import interface

[docs] class ChromeAutofillEventData(events.EventData): """Chrome Autofill event data. Attributes: creation_time (dfdatetime.DateTimeValues): creation date and time of the autofill entry. field_name (str): name of form field. last_used_time (dfdatetime.DateTimeValues): last date and time the autofill entry was last used. query (str): SQL query that was used to obtain the event data. usage_count (int): count of times value has been used in field_name. value (str): value populated in form field. """ DATA_TYPE = 'chrome:autofill:entry'
[docs] def __init__(self): """Initializes event data.""" super(ChromeAutofillEventData, self).__init__(data_type=self.DATA_TYPE) self.creation_time = None self.field_name = None self.last_used_time = None self.query = None self.usage_count = None self.value = None
[docs] class ChromeAutofillPlugin(interface.SQLitePlugin): """SQLite parser plugin for Google Chrome autofill database (Web Data) files. The Google Chrome autofill database (Web Data) file is typically stored in: Web Data """ NAME = 'chrome_autofill' DATA_FORMAT = 'Google Chrome autofill SQLite database (Web Data) file' REQUIRED_STRUCTURE = { 'autofill': frozenset([ 'date_created', 'date_last_used', 'name', 'value', 'count'])} QUERIES = [ (('SELECT autofill.date_created, autofill.date_last_used,, ' 'autofill.value, autofill.count FROM autofill ORDER BY date_created'), 'ParseAutofillRow')] SCHEMAS = [{ 'autofill': ( 'CREATE TABLE autofill (name VARCHAR, value VARCHAR, ' 'value_lower VARCHAR, date_created INTEGER DEFAULT 0, ' 'date_last_used INTEGER DEFAULT 0, count INTEGER DEFAULT 1, ' 'PRIMARY KEY (name, value));)')}] def _GetDateTimeRowValue(self, query_hash, row, value_name): """Retrieves a date and time value from the row. Args: query_hash (int): hash of the query, that uniquely identifies the query that produced the row. row (sqlite3.Row): row. value_name (str): name of the value. Returns: dfdatetime.PosixTime: date and time value or None if not available. """ timestamp = self._GetRowValue(query_hash, row, value_name) if timestamp is None: return None return dfdatetime_posix_time.PosixTime(timestamp=timestamp)
[docs] def ParseAutofillRow( self, parser_mediator, query, row, **unused_kwargs): """Parses an autofill entry row. Args: parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfVFS. query (str): query that created the row. row (sqlite3.Row): row. """ query_hash = hash(query) event_data = ChromeAutofillEventData() event_data.creation_time = self._GetDateTimeRowValue( query_hash, row, 'date_created') event_data.field_name = self._GetRowValue(query_hash, row, 'name') event_data.last_used_time = self._GetDateTimeRowValue( query_hash, row, 'date_last_used') event_data.value = self._GetRowValue(query_hash, row, 'value') event_data.usage_count = self._GetRowValue(query_hash, row, 'count') event_data.query = query parser_mediator.ProduceEventData(event_data)