plaso.parsers.sqlite_plugins package

Submodules

plaso.parsers.sqlite_plugins.android_app_usage module

SQLite parser plugin for Android app_usage database files.

class plaso.parsers.sqlite_plugins.android_app_usage.AndroidAppUsage(*args: Any, **kwargs: Any)[source]

Bases: EventData

Android app usage event data.

package_name

name of the launched package.

Type:

str

start_time

date and time when the application was launched.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'android:sqlite:app_usage'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_app_usage.AndroidSQLiteAppUsage[source]

Bases: SQLitePlugin

SQLite parser plugin for Android application usage database files.

DATA_FORMAT = 'Android app_usage SQLite database (app_usage) file'
NAME = 'android_app_usage'
ParseAppUsageRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an event record row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT events.timestamp, packages.package_name FROM events JOIN packages ON packages._id = events.package_id', 'ParseAppUsageRow')]
REQUIRED_STRUCTURE = {'events': frozenset({'_id', 'package_id', 'timestamp'}), 'packages': frozenset({'_id', 'package_name'})}
SCHEMAS = [{'events': 'CREATE TABLE "events" (_id INTEGER PRIMARY KEY,timestamp INTEGER NOT NULL,type INTEGER NOT NULL,package_id INTEGER NOT NULL REFERENCES packages(_id) ON UPDATE CASCADE ON DELETE CASCADE, instance_id INTEGER DEFAULT NULL, task_root_package_id INTEGER DEFAULT NULL REFERENCES packages(_id) ON UPDATE CASCADE ON DELETE CASCADE)', 'packages': 'CREATE TABLE packages (_id INTEGER PRIMARY KEY,package_name TEXT, UNIQUE(package_name) ON CONFLICT ABORT)'}]

plaso.parsers.sqlite_plugins.android_calls module

SQLite parser plugin for Android call history database files.

class plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Android Call event data.

call_type

type of call, such as: Incoming, Outgoing, or Missed.

Type:

int

duration

number of seconds the call lasted.

Type:

int

end_time

date and time the call was stopped.

Type:

dfdatetime.DateTimeValues

name

name associated to the remote party.

Type:

str

number

phone number associated to the remote party.

Type:

str

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

start_time

date and time the call was started.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'android:event:call'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Android call history database files.

The Android call history database file is typically stored in: contacts2.db

DATA_FORMAT = 'Android call history SQLite database (contacts2.db) file'
NAME = 'android_calls'
ParseCallsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a Call record row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT _id AS id, date, number, name, duration, type FROM calls', 'ParseCallsRow')]
REQUIRED_STRUCTURE = {'calls': frozenset({'_id', 'date', 'duration', 'name', 'number', 'type'})}
SCHEMAS = [{'_sync_state': 'CREATE TABLE _sync_state (_id INTEGER PRIMARY KEY, account_name TEXT NOT NULL, account_type TEXT NOT NULL, data TEXT, UNIQUE(account_name, account_type))', '_sync_state_metadata': 'CREATE TABLE _sync_state_metadata (version INTEGER)', 'accounts': 'CREATE TABLE accounts (_id INTEGER PRIMARY KEY AUTOINCREMENT, account_name TEXT, account_type TEXT, data_set TEXT)', 'agg_exceptions': 'CREATE TABLE agg_exceptions (_id INTEGER PRIMARY KEY AUTOINCREMENT, type INTEGER NOT NULL, raw_contact_id1 INTEGER REFERENCES raw_contacts(_id), raw_contact_id2 INTEGER REFERENCES raw_contacts(_id))', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'calls': 'CREATE TABLE calls (_id INTEGER PRIMARY KEY AUTOINCREMENT, number TEXT, date INTEGER, duration INTEGER, type INTEGER, new INTEGER, name TEXT, numbertype INTEGER, numberlabel TEXT, countryiso TEXT, voicemail_uri TEXT, is_read INTEGER, geocoded_location TEXT, lookup_uri TEXT, matched_number TEXT, normalized_number TEXT, photo_id INTEGER NOT NULL DEFAULT 0, formatted_number TEXT, _data TEXT, has_content INTEGER, mime_type TEXT, source_data TEXT, source_package TEXT, state INTEGER)', 'contacts': 'CREATE TABLE contacts (_id INTEGER PRIMARY KEY AUTOINCREMENT, name_raw_contact_id INTEGER REFERENCES raw_contacts(_id), photo_id INTEGER REFERENCES data(_id), photo_file_id INTEGER REFERENCES photo_files(_id), custom_ringtone TEXT, send_to_voicemail INTEGER NOT NULL DEFAULT 0, times_contacted INTEGER NOT NULL DEFAULT 0, last_time_contacted INTEGER, starred INTEGER NOT NULL DEFAULT 0, has_phone_number INTEGER NOT NULL DEFAULT 0, lookup TEXT, status_update_id INTEGER REFERENCES data(_id), contact_last_updated_timestamp INTEGER)', 'data': 'CREATE TABLE data (_id INTEGER PRIMARY KEY AUTOINCREMENT, package_id INTEGER REFERENCES package(_id), mimetype_id INTEGER REFERENCES mimetype(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, is_read_only INTEGER NOT NULL DEFAULT 0, is_primary INTEGER NOT NULL DEFAULT 0, is_super_primary INTEGER NOT NULL DEFAULT 0, data_version INTEGER NOT NULL DEFAULT 0, data1 TEXT, data2 TEXT, data3 TEXT, data4 TEXT, data5 TEXT, data6 TEXT, data7 TEXT, data8 TEXT, data9 TEXT, data10 TEXT, data11 TEXT, data12 TEXT, data13 TEXT, data14 TEXT, data15 TEXT, data_sync1 TEXT, data_sync2 TEXT, data_sync3 TEXT, data_sync4 TEXT )', 'data_usage_stat': 'CREATE TABLE data_usage_stat(stat_id INTEGER PRIMARY KEY AUTOINCREMENT, data_id INTEGER NOT NULL, usage_type INTEGER NOT NULL DEFAULT 0, times_used INTEGER NOT NULL DEFAULT 0, last_time_used INTEGER NOT NULL DEFAULT 0, FOREIGN KEY(data_id) REFERENCES data(_id))', 'default_directory': 'CREATE TABLE default_directory (_id INTEGER PRIMARY KEY)', 'deleted_contacts': 'CREATE TABLE deleted_contacts (contact_id INTEGER PRIMARY KEY, contact_deleted_timestamp INTEGER NOT NULL default 0)', 'directories': 'CREATE TABLE directories(_id INTEGER PRIMARY KEY AUTOINCREMENT, packageName TEXT NOT NULL, authority TEXT NOT NULL, typeResourceId INTEGER, typeResourceName TEXT, accountType TEXT, accountName TEXT, displayName TEXT, exportSupport INTEGER NOT NULL DEFAULT 0, shortcutSupport INTEGER NOT NULL DEFAULT 0, photoSupport INTEGER NOT NULL DEFAULT 0)', 'groups': 'CREATE TABLE groups (_id INTEGER PRIMARY KEY AUTOINCREMENT, package_id INTEGER REFERENCES package(_id), account_name STRING DEFAULT NULL, account_type STRING DEFAULT NULL, data_set STRING DEFAULT NULL, sourceid TEXT, version INTEGER NOT NULL DEFAULT 1, dirty INTEGER NOT NULL DEFAULT 0, title TEXT, title_res INTEGER, notes TEXT, system_id TEXT, deleted INTEGER NOT NULL DEFAULT 0, group_visible INTEGER NOT NULL DEFAULT 0, should_sync INTEGER NOT NULL DEFAULT 1, auto_add INTEGER NOT NULL DEFAULT 0, favorites INTEGER NOT NULL DEFAULT 0, group_is_read_only INTEGER NOT NULL DEFAULT 0, sync1 TEXT, sync2 TEXT, sync3 TEXT, sync4 TEXT , account_id INTEGER REFERENCES accounts(_id))', 'mimetypes': 'CREATE TABLE mimetypes (_id INTEGER PRIMARY KEY AUTOINCREMENT, mimetype TEXT NOT NULL)', 'name_lookup': 'CREATE TABLE name_lookup (data_id INTEGER REFERENCES data(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, normalized_name TEXT NOT NULL, name_type INTEGER NOT NULL, PRIMARY KEY (data_id, normalized_name, name_type))', 'nickname_lookup': 'CREATE TABLE nickname_lookup (name TEXT, cluster TEXT)', 'packages': 'CREATE TABLE packages (_id INTEGER PRIMARY KEY AUTOINCREMENT, package TEXT NOT NULL)', 'phone_lookup': 'CREATE TABLE phone_lookup (data_id INTEGER REFERENCES data(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, normalized_number TEXT NOT NULL, min_match TEXT NOT NULL)', 'photo_files': 'CREATE TABLE photo_files (_id INTEGER PRIMARY KEY AUTOINCREMENT, height INTEGER NOT NULL, width INTEGER NOT NULL, filesize INTEGER NOT NULL)', 'properties': 'CREATE TABLE properties (property_key TEXT PRIMARY KEY, property_value TEXT )'}]

plaso.parsers.sqlite_plugins.android_hangouts module

SQLite parser plugin for Google Hangouts conversations database files.

class plaso.parsers.sqlite_plugins.android_hangouts.AndroidHangoutsMessageData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Google Hangouts Message event data.

body

content of the SMS text message.

Type:

str

creation_time

date and time the Google Hangouts message was created.

Type:

dfdatetime.DateTimeValues

message_status

message status.

Type:

int

message_type

message type.

Type:

int

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

sender

Name with the sender.

Type:

str

DATA_TYPE = 'android:messaging:hangouts'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_hangouts.AndroidHangoutsMessagePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Google Hangouts conversations database files.

The Google Hangouts conversations database file is typically stored in: /data/com.google.android.talk/databases/babel.db

This SQLite database is the conversation database for conversations, participant names, messages, and information about the Google Hangout event. There can be multiple babel.db databases, and each database name will be followed by an integer starting with 0, for example: “babel0.db,babel1.db,babel3.db”.

DATA_FORMAT = 'Google Hangouts conversations SQLite database (babel.db) file'
NAME = 'hangouts_messages'
ParseMessagesRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an Messages row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT messages._id, participants.full_name, text, messages.timestamp,status, type FROM messages INNER JOIN participants ON messages.author_chat_id=participants.chat_id;', 'ParseMessagesRow')]
REQUIRED_STRUCTURE = {'blocked_people': frozenset({}), 'messages': frozenset({'_id', 'author_chat_id', 'status', 'text', 'timestamp', 'type'}), 'participants': frozenset({'chat_id', 'full_name'})}
SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'blocked_people': 'CREATE TABLE blocked_people (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, profile_photo_url TEXT, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'conversation_participants': 'CREATE TABLE conversation_participants (_id INTEGER PRIMARY KEY, participant_row_id INT, participant_type INT, conversation_id TEXT, sequence INT, active INT, invitation_status INT DEFAULT(0), UNIQUE (conversation_id,participant_row_id) ON CONFLICT REPLACE, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, FOREIGN KEY (participant_row_id) REFERENCES participants(_id))', 'conversations': 'CREATE TABLE conversations (_id INTEGER PRIMARY KEY, conversation_id TEXT, conversation_type INT, latest_message_timestamp INT DEFAULT(0), latest_message_expiration_timestamp INT, metadata_present INT,notification_level INT, name TEXT, generated_name TEXT, snippet_type INT, snippet_text TEXT, snippet_image_url TEXT, snippet_author_gaia_id TEXT, snippet_author_chat_id TEXT, snippet_message_row_id INT, snippet_selector INT, snippet_status INT, snippet_new_conversation_name TEXT, snippet_participant_keys TEXT, snippet_sms_type TEXT, previous_latest_timestamp INT, status INT, view INT, inviter_gaia_id TEXT, inviter_chat_id TEXT, inviter_affinity INT, is_pending_leave INT, account_id INT, is_otr INT, packed_avatar_urls TEXT, self_avatar_url TEXT, self_watermark INT DEFAULT(0), chat_watermark INT DEFAULT(0), hangout_watermark INT DEFAULT(0), is_draft INT, sequence_number INT, call_media_type INT DEFAULT(0), has_joined_hangout INT, has_chat_notifications DEFAULT(0),has_video_notifications DEFAULT(0),last_hangout_event_time INT, draft TEXT, otr_status INT, otr_toggle INT, last_otr_modification_time INT, continuation_token BLOB, continuation_event_timestamp INT, has_oldest_message INT DEFAULT(0), sort_timestamp INT, first_peak_scroll_time INT, first_peak_scroll_to_message_timestamp INT, second_peak_scroll_time INT, second_peak_scroll_to_message_timestamp INT, conversation_hash BLOB, disposition INT DEFAULT(0), has_persistent_events INT DEFAULT(-1), transport_type INT DEFAULT(1), default_transport_phone TEXT, sms_service_center TEXT, is_temporary INT DEFAULT (0), sms_thread_id INT DEFAULT (-1), chat_ringtone_uri TEXT, hangout_ringtone_uri TEXT, snippet_voicemail_duration INT DEFAULT (0), share_count INT DEFAULT(0), has_unobserved TEXT, last_share_timestamp INT DEFAULT(0), gls_status INT DEFAULT(0), gls_link TEXT, is_guest INT DEFAULT(0), UNIQUE (conversation_id ))', 'dismissed_contacts': 'CREATE TABLE dismissed_contacts (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, profile_photo_url TEXT, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'event_suggestions': 'CREATE TABLE event_suggestions (_id INTEGER PRIMARY KEY, conversation_id TEXT, event_id TEXT, suggestion_id TEXT, timestamp INT, expiration_time_usec INT, type INT, gem_asset_url STRING, gem_horizontal_alignment INT, matched_message_substring TEXT, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, UNIQUE (conversation_id,suggestion_id) ON CONFLICT REPLACE)', 'merge_keys': 'CREATE TABLE merge_keys (_id INTEGER PRIMARY KEY, conversation_id TEXT, merge_key TEXT, UNIQUE (conversation_id) ON CONFLICT REPLACE, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE )', 'merged_contact_details': 'CREATE TABLE merged_contact_details (_id INTEGER PRIMARY KEY, merged_contact_id INT, lookup_data_type INT, lookup_data TEXT, lookup_data_standardized TEXT, lookup_data_search TEXT, lookup_data_label TEXT, needs_gaia_ids_resolved INT DEFAULT (1), is_hangouts_user INT DEFAULT (0), gaia_id TEXT, avatar_url TEXT, display_name TEXT, last_checked_ts INT DEFAULT (0), lookup_data_display TEXT, detail_affinity_score REAL DEFAULT (0.0), detail_logging_id TEXT, is_in_viewer_dasher_domain INT DEFAULT (0), FOREIGN KEY (merged_contact_id) REFERENCES merged_contacts(_id) ON DELETE CASCADE ON UPDATE CASCADE)', 'merged_contacts': 'CREATE TABLE merged_contacts (_id INTEGER PRIMARY KEY, contact_lookup_key TEXT, contact_id INT, raw_contact_id INT, display_name TEXT, avatar_url TEXT, is_frequent INT DEFAULT (0), is_favorite INT DEFAULT (0), contact_source INT DEFAULT(0), frequent_order INT, person_logging_id TEXT, person_affinity_score REAL DEFAULT (0.0), is_in_same_domain INT DEFAULT (0))', 'messages': 'CREATE TABLE messages (_id INTEGER PRIMARY KEY, message_id TEXT, message_type INT, conversation_id TEXT, author_chat_id TEXT, author_gaia_id TEXT, text TEXT, timestamp INT, delete_after_read_timetamp INT, status INT, type INT, local_url TEXT, remote_url TEXT, attachment_content_type TEXT, width_pixels INT, height_pixels INT, stream_id TEXT, image_id TEXT, album_id TEXT, latitude DOUBLE, longitude DOUBLE, address ADDRESS, notification_level INT, expiration_timestamp INT, notified_for_failure INT DEFAULT(0), off_the_record INT DEFAULT(0), transport_type INT NOT NULL DEFAULT(1), transport_phone TEXT, external_ids TEXT, sms_timestamp_sent INT DEFAULT(0), sms_priority INT DEFAULT(0), sms_message_size INT DEFAULT(0), mms_subject TEXT, sms_raw_sender TEXT, sms_raw_recipients TEXT, persisted INT DEFAULT(1), sms_message_status INT DEFAULT(-1), sms_type INT DEFAULT(-1), stream_url TEXT, attachment_target_url TEXT, attachment_name TEXT, image_rotation INT DEFAULT (0), new_conversation_name TEXT, participant_keys TEXT, forwarded_mms_url TEXT, forwarded_mms_count INT DEFAULT(0), attachment_description TEXT, attachment_target_url_description TEXT, attachment_target_url_name TEXT, attachment_blob_data BLOB,attachment_uploading_progress INT DEFAULT(0), sending_error INT DEFAULT(0), stream_expiration INT, voicemail_length INT DEFAULT (0), call_media_type INT DEFAULT(0), last_seen_timestamp INT DEFAULT(0), observed_status INT DEFAULT(2), receive_type INT DEFAULT(0), init_timestamp INT DEFAULT(0), in_app_msg_latency INT DEFAULT(0), notified INT DEFAULT(0), alert_in_conversation_list INT DEFAULT(0), attachments BLOB, is_user_mentioned INT DEFAULT(0), local_id TEXT, request_task_row_id INT DEFAULT(-1), FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, UNIQUE (conversation_id,message_id) ON CONFLICT REPLACE)', 'mms_notification_inds': 'CREATE TABLE mms_notification_inds (_id INTEGER PRIMARY KEY, content_location TEXT, transaction_id TEXT, from_address TEXT, message_size INT DEFAULT(0), expiry INT)', 'multipart_attachments': 'CREATE TABLE multipart_attachments (_id INTEGER PRIMARY KEY, message_id TEXT, conversation_id TEXT, url TEXT, content_type TEXT, width INT, height INT, FOREIGN KEY (message_id, conversation_id) REFERENCES messages(message_id, conversation_id) ON DELETE CASCADE ON UPDATE CASCADE)', 'participant_email_fts': 'CREATE VIRTUAL TABLE participant_email_fts USING fts4(content="merged_contact_details", gaia_id,lookup_data)', 'participant_email_fts_docsize': "CREATE TABLE 'participant_email_fts_docsize'(docid INTEGER PRIMARY KEY, size BLOB)", 'participant_email_fts_segdir': "CREATE TABLE 'participant_email_fts_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx))", 'participant_email_fts_segments': "CREATE TABLE 'participant_email_fts_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'participant_email_fts_stat': "CREATE TABLE 'participant_email_fts_stat'(id INTEGER PRIMARY KEY, value BLOB)", 'participants': "CREATE TABLE participants (_id INTEGER PRIMARY KEY, participant_type INT DEFAULT 1, gaia_id TEXT, chat_id TEXT, phone_id TEXT, circle_id TEXT, first_name TEXT, full_name TEXT, fallback_name TEXT, profile_photo_url TEXT, batch_gebi_tag STRING DEFAULT('-1'), blocked INT DEFAULT(0), in_users_domain BOOLEAN, UNIQUE (circle_id) ON CONFLICT REPLACE, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)", 'participants_fts': 'CREATE VIRTUAL TABLE participants_fts USING fts4(content="participants",gaia_id,full_name)', 'participants_fts_docsize': "CREATE TABLE 'participants_fts_docsize'(docid INTEGER PRIMARY KEY, size BLOB)", 'participants_fts_segdir': "CREATE TABLE 'participants_fts_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx))", 'participants_fts_segments': "CREATE TABLE 'participants_fts_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'participants_fts_stat': "CREATE TABLE 'participants_fts_stat'(id INTEGER PRIMARY KEY, value BLOB)", 'presence': 'CREATE TABLE presence (_id INTEGER PRIMARY KEY, gaia_id TEXT NOT NULL, reachable INT DEFAULT(0), reachable_time INT DEFAULT(0), available INT DEFAULT(0), available_time INT DEFAULT(0), status_message TEXT, status_message_time INT DEFAULT(0), call_type INT DEFAULT(0), call_type_time INT DEFAULT(0), device_status INT DEFAULT(0), device_status_time INT DEFAULT(0), last_seen INT DEFAULT(0), last_seen_time INT DEFAULT(0), location BLOB, location_time INT DEFAULT(0), UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'recent_calls': 'CREATE TABLE recent_calls (_id INTEGER PRIMARY KEY, normalized_number TEXT NOT NULL, phone_number TEXT, contact_id TEXT, call_timestamp INT, call_type INT, contact_type INT, call_rate TEXT, is_free_call BOOLEAN)', 'search': 'CREATE TABLE search (search_key TEXT NOT NULL,continuation_token TEXT,PRIMARY KEY (search_key))', 'sticker_albums': 'CREATE TABLE sticker_albums (album_id TEXT NOT NULL, title TEXT, cover_photo_id TEXT, last_used INT DEFAULT(0), PRIMARY KEY (album_id))', 'sticker_photos': 'CREATE TABLE sticker_photos (photo_id TEXT NOT NULL, album_id TEXT NOT NULL, url TEXT NOT NULL, file_name TEXT, last_used INT DEFAULT(0), PRIMARY KEY (photo_id), FOREIGN KEY (album_id) REFERENCES sticker_albums(album_id) ON DELETE CASCADE)', 'suggested_contacts': 'CREATE TABLE suggested_contacts (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, first_name TEXT, packed_circle_ids TEXT, profile_photo_url TEXT, sequence INT, suggestion_type INT, logging_id TEXT, affinity_score REAL DEFAULT (0.0), is_in_same_domain INT DEFAULT (0))'}]

plaso.parsers.sqlite_plugins.android_sms module

SQLite parser plugin for Android text messages (SMS) database files.

class plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Android SMS event data.

address

phone number associated to the sender or receiver.

Type:

str

body

content of the SMS text message.

Type:

str

creation_time

creation date and time of the message.

Type:

dfdatetime.DateTimeValues

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

sms_read

message read status, either Read or Unread.

Type:

int

sms_type

message type, either Sent or Received.

Type:

int

DATA_TYPE = 'android:messaging:sms'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Android text messages (SMS) database files.

The Android text messages (SMS) database file is typically stored in: mmssms.dbs

DATA_FORMAT = 'Android text messages (SMS) SQLite database (mmssms.dbs) file'
NAME = 'android_sms'
ParseSmsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an SMS row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT _id AS id, address, date, read, type, body FROM sms', 'ParseSmsRow')]
REQUIRED_STRUCTURE = {'sms': frozenset({'_id', 'address', 'body', 'date', 'read', 'type'})}
SCHEMAS = [{'addr': 'CREATE TABLE addr (_id INTEGER PRIMARY KEY, msg_id INTEGER, contact_id INTEGER, address TEXT, type INTEGER, charset INTEGER)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'attachments': 'CREATE TABLE attachments (sms_id INTEGER, content_url TEXT, offset INTEGER)', 'canonical_addresses': 'CREATE TABLE canonical_addresses (_id INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT)', 'drm': 'CREATE TABLE drm (_id INTEGER PRIMARY KEY, _data TEXT)', 'part': 'CREATE TABLE part (_id INTEGER PRIMARY KEY AUTOINCREMENT, mid INTEGER, seq INTEGER DEFAULT 0, ct TEXT, name TEXT, chset INTEGER, cd TEXT, fn TEXT, cid TEXT, cl TEXT, ctt_s INTEGER, ctt_t TEXT, _data TEXT, text TEXT)', 'pd': 'CREATE TABLE pdu (_id INTEGER PRIMARY KEY AUTOINCREMENT, thread_id INTEGER, date INTEGER, date_sent INTEGER DEFAULT 0, msg_box INTEGER, read INTEGER DEFAULT 0, m_id TEXT, sub TEXT, sub_cs INTEGER, ct_t TEXT, ct_l TEXT, exp INTEGER, m_cls TEXT, m_type INTEGER, v INTEGER, m_size INTEGER, pri INTEGER, rr INTEGER, rpt_a INTEGER, resp_st INTEGER, st INTEGER, tr_id TEXT, retr_st INTEGER, retr_txt TEXT, retr_txt_cs INTEGER, read_status INTEGER, ct_cls INTEGER, resp_txt TEXT, d_tm INTEGER, d_rpt INTEGER, locked INTEGER DEFAULT 0, seen INTEGER DEFAULT 0, text_only INTEGER DEFAULT 0)', 'pending_msgs': 'CREATE TABLE pending_msgs (_id INTEGER PRIMARY KEY, proto_type INTEGER, msg_id INTEGER, msg_type INTEGER, err_type INTEGER, err_code INTEGER, retry_index INTEGER NOT NULL DEFAULT 0, due_time INTEGER, last_try INTEGER)', 'rate': 'CREATE TABLE rate (sent_time INTEGER)', 'raw': 'CREATE TABLE raw (_id INTEGER PRIMARY KEY, date INTEGER, reference_number INTEGER, count INTEGER, sequence INTEGER, destination_port INTEGER, address TEXT, pdu TEXT)', 'sms': 'CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT, person INTEGER, date INTEGER, date_sent INTEGER DEFAULT 0, protocol INTEGER, read INTEGER DEFAULT 0, status INTEGER DEFAULT -1, type INTEGER, reply_path_present INTEGER, subject TEXT, body TEXT, service_center TEXT, locked INTEGER DEFAULT 0, error_code INTEGER DEFAULT 0, seen INTEGER DEFAULT 0)', 'sr_pending': 'CREATE TABLE sr_pending (reference_number INTEGER, action TEXT, data TEXT)', 'threads': 'CREATE TABLE threads (_id INTEGER PRIMARY KEY AUTOINCREMENT, date INTEGER DEFAULT 0, message_count INTEGER DEFAULT 0, recipient_ids TEXT, snippet TEXT, snippet_cs INTEGER DEFAULT 0, read INTEGER DEFAULT 1, type INTEGER DEFAULT 0, error INTEGER DEFAULT 0, has_attachment INTEGER DEFAULT 0)', 'words': 'CREATE VIRTUAL TABLE words USING FTS3 (_id INTEGER PRIMARY KEY, index_text TEXT, source_id INTEGER, table_to_use INTEGER)', 'words_content': "CREATE TABLE 'words_content'(docid INTEGER PRIMARY KEY, 'c0_id', 'c1index_text', 'c2source_id', 'c3table_to_use')", 'words_segdir': "CREATE TABLE 'words_segdir'(level INTEGER, idx INTEGER, start_block INTEGER, leaves_end_block INTEGER, end_block INTEGER, root BLOB, PRIMARY KEY(level, idx))", 'words_segments': "CREATE TABLE 'words_segments'(blockid INTEGER PRIMARY KEY, block BLOB)"}]

plaso.parsers.sqlite_plugins.android_tango module

SQLite parser plugin for Tango on Android database files.

class plaso.parsers.sqlite_plugins.android_tango.AndroidTangoContactEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Tango on Android contact event data.

access_time

date and time the contact was last accessed.

Type:

dfdatetime.DateTimeValues

birthday

contact profile birthday.

Type:

str

distance

contact profile distance.

Type:

int

first_name

contact profile first name.

Type:

str

friend_request_message

message sent on friend request.

Type:

str

friend_request_time

date and time a friend request was sent.

Type:

dfdatetime.DateTimeValues

friend_request_type

flag indicating the type of friend request sent for example outRequest for request sent or noRequest for no request.

Type:

str

gender

contact profile gender.

Type:

str

is_friend

True if the contact is considered a friend.

Type:

bool

last_active_time

date and time the contact was last active.

Type:

dfdatetime.DateTimeValues

last_name

contact profile last name.

Type:

str

status

contact status message.

Type:

str

DATA_TYPE = 'android:tango:contact'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_tango.AndroidTangoConversationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Tango on Android conversation event data.

conversation_identifier

conversation identifier.

Type:

int

DATA_TYPE = 'android:tango:conversation'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_tango.AndroidTangoMessageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Tango on Android message event data.

creation_time

date and time the message was created.

Type:

dfdatetime.DateTimeValues

direction

flag indicating direction of the message.

Type:

int

message_identifier

message identifier.

Type:

int

sent_time

date and time the message was sent.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'android:tango:message'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_tango.AndroidTangoProfilePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Tango on Android profile database files.

DATA_FORMAT = 'Tango on Android profile SQLite database file'
NAME = 'tango_android_profile'
ParseContactRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a contact row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT itemLastActiveTime AS last_active_time, itemLastLocalAccessTime AS last_access_time, itemFriendRequestTime AS friend_request_time, itemFirstName AS first_name, itemLastName AS last_name, itemBirthday AS birthday, itemGender AS gender, itemStatus AS status, itemDistance AS distance, itemIsFriend AS friend, itemFriendRequestType AS friend_request_type, itemFriendRequestMessage AS friend_request_message FROM profiletable', 'ParseContactRow')]
REQUIRED_STRUCTURE = {'profiletable': frozenset({'itemBirthday', 'itemDistance', 'itemFirstName', 'itemFriendRequestMessage', 'itemFriendRequestTime', 'itemFriendRequestType', 'itemGender', 'itemIsFriend', 'itemLastActiveTime', 'itemLastLocalAccessTime', 'itemLastName', 'itemStatus'})}
SCHEMAS = [{'profiles': 'CREATE TABLE `profiles` (`key` TEXT PRIMARY KEY, `value` TEXT)', 'profiletable': 'CREATE TABLE `profiletable` (`itemUserId` TEXT PRIMARY KEY, `itemFirstName` TEXT NOT NULL, `itemLastName` TEXT NOT NULL, `itemBirthday` TEXT NOT NULL, `itemGender` TEXT NOT NULL, `itemStatus` TEXT NOT NULL, `itemLastActiveTime` BIGINT NOT NULL, `itemDistance` DOUBLE NOT NULL, `itemCity` TEXT NOT NULL, `itemGeoCountryCode` TEXT NOT NULL, `itemAvatarUrl` TEXT NOT NULL, `itemThumbnailUrl` TEXT NOT NULL, `itemVideoUrl` TEXT NOT NULL, `itemVideoThumbnailUrl` TEXT NOT NULL, `itemBackgroundUrl` TEXT NOT NULL, `itemIsFriend` INTEGER NOT NULL, `itemIsBlocked` INTEGER NOT NULL, `itemFriendRequestType` TEXT NOT NULL, `itemReverseRelationships` TEXT NOT NULL, `itemFavoriterCount` INTEGER NOT NULL, `itemFavoritingCount` INTEGER NOT NULL, `itemFeedCount` INTEGER NOT NULL, `itemRefereneCount` INTEGER NOT NULL, `itemLevel1DataSyncTime` BIGINT NOT NULL, `itemLevel2DataSyncTime` BIGINT NOT NULL, `itemLevel3DataSyncTime` BIGINT NOT NULL, `itemLevel4DataSyncTime` BIGINT NOT NULL, `itemLevel5DataSyncTime` BIGINT NOT NULL, `itemLastLocalAccessTime` BIGINT NOT NULL, `itemFriendRequestId` TEXT NOT NULL, `itemFriendRequestMessage` TEXT NOT NULL, `itemFriendRequestTime` BIGINT NOT NULL, `itemIsNewFriendRequest` INTEGER NOT NULL, `itemFriendRequestTCMessageId` INTEGER NOT NULL, `itemFriendRequestContext` TEXT NOT NULL, `itemFriendRequestAttachedPostType` INTEGER NOT NULL, `itemFriendRequestAttachedPostContent` TEXT NOT NULL, `itemFriendRequestHasBeenForwardedToTc` INTEGER NOT NULL, `itemProfileType` TEXT NOT NULL, `itemDatingAge` INTEGER NOT NULL, `itemDatingLocationString` TEXT NOT NULL, `itemDatingSeekingString` TEXT NOT NULL, `itemDatingEssayText` TEXT NOT NULL, `itemDatingBodyType` TEXT NOT NULL, `itemDatingLastActive` TEXT NOT NULL, `itemDatingProfileUrl` TEXT NOT NULL, `itemLastTimeOfLikeProfile` BIGINT NOT NULL, `itemIsHidden` INTEGER NOT NULL, `itemPrivacy` INTEGER NOT NULL, `itemCanSeeMyPost` INTEGER NOT NULL, `itemCanShareMyPost` INTEGER NOT NULL, `itemCanContactMe` INTEGER NOT NULL)'}]
class plaso.parsers.sqlite_plugins.android_tango.AndroidTangoTCPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Tango on Android TC database files.

DATA_FORMAT = 'Tango on Android TC SQLite database file'
NAME = 'tango_android_tc'
ParseConversationRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a conversation row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

ParseMessageRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a message row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT conversations.conv_id AS conv_id, conversations.payload AS payload FROM conversations', 'ParseConversationRow'), ('SELECT messages.create_time AS create_time, messages.send_time AS send_time, messages.msg_id AS msg_id, messages.payload AS payload, messages.direction AS direction FROM messages LEFT JOIN likes ON messages.msg_id = likes.msg_id', 'ParseMessageRow')]
REQUIRED_STRUCTURE = {'conversations': frozenset({'conv_id', 'payload'}), 'likes': frozenset({'msg_id'}), 'messages': frozenset({'create_time', 'direction', 'msg_id', 'payload', 'send_time'})}
SCHEMAS = [{'conversations': 'CREATE TABLE `conversations` (`conv_id` TEXT PRIMARY KEY, `conv_type` INTEGER DEFAULT 0, `payload` BLOB, `last_msg_id` INTEGER, `unread_count` INTEGER, `last_read_sent_msg_id` INTEGER, `conv_del_status` INTEGER DEFAULT 0, `deleting_ts` BIGINT DEFAULT 0, `conv_restore_status` INTEGER DEFAULT 0, `peers_read` TEXT, `total_received_msg_count` INTEGER DEFAULT -1, `communication_context` INTEGER DEFAULT 0)', 'games': 'CREATE TABLE `games` (`game_session_id` TEXT PRIMARY KEY, `message_id` INTEGER, `conversation_id` TEXT, `game_id` TEXT, `game_state` INTEGER, `action_timestamp` BIGINT, `current_player_account_id` TEXT)', 'likes': 'CREATE TABLE `likes` (`msg_id` INTEGER PRIMARY KEY, `global_msg_id` TEXT, `conv_id` TEXT, `liker_aid` TEXT, `act_type` INTEGER, `status` INTEGER, `act_ts` BIGINT, `payload` BLOB)', 'messages': 'CREATE TABLE `messages` (`msg_id` INTEGER PRIMARY KEY, `conv_id` TEXT, `type` INTEGER, `media_id` TEXT, `share_id` TEXT, `create_time` BIGINT, `send_time` BIGINT, `direction` INTEGER, `status` INTEGER, `payload` BLOB, `del_status` INTEGER)', 'profiles': 'CREATE TABLE `profiles` (`key` TEXT PRIMARY KEY, `value` TEXT)', 'receipts': 'CREATE TABLE `receipts` (`conv_id` TEXT PRIMARY KEY, `msg_id` INTEGER, `sender_msg_id` INTEGER, `sender_aids` TEXT, `type` INTEGER, `create_time` BIGINT, `status` INTEGER, `payload` BLOB)', 'sms': 'CREATE TABLE `sms` (`msg_id` INTEGER PRIMARY KEY, `phonenumber` TEXT, `text` TEXT)'}]

plaso.parsers.sqlite_plugins.android_turbo module

SQLite parser plugin for Android turbo database files.

class plaso.parsers.sqlite_plugins.android_turbo.AndroidTurboBatteryEvent(*args: Any, **kwargs: Any)[source]

Bases: EventData

Android turbo battery event data.

battery_level

Remaining battery level, expressed as a percentage.

Type:

int

battery_saver

Indicates if battery saver is turn on.

Type:

int

charge_type

Indicates that the device is charging.

Type:

int

recorded_time

date and time the battery event was recorded.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'android:event:battery'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_turbo.AndroidTurboPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Android’s turbo.db database files.

DATA_FORMAT = 'Android turbo SQLite database (turbo.db) file'
NAME = 'android_turbo'
ParseBatteryEventRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row from the battery_event table.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT timestamp_millis, battery_level, charge_type, battery_saver FROM battery_event', 'ParseBatteryEventRow')]
REQUIRED_STRUCTURE = {'battery_event': frozenset({'battery_level', 'battery_saver', 'charge_type', 'timestamp_millis'})}
SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'battery_event': 'CREATE TABLE battery_event(timestamp_millis INTEGER PRIMARY KEY DESC, battery_level INTEGER, charge_type INTEGER, battery_saver INTEGER, timezone TEXT, place_key INTEGER, FOREIGN KEY(place_key) REFERENCES charging_places(_id))', 'charging_places': 'CREATE TABLE charging_places(_id INTEGER PRIMARY KEY, place_name TEXT, place_api_id TEXT, UNIQUE(place_api_id) ON CONFLICT IGNORE)'}]

plaso.parsers.sqlite_plugins.android_twitter module

SQLite parser plugin for Twitter on Android database files.

class plaso.parsers.sqlite_plugins.android_twitter.AndroidTwitterContactEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Twitter on Android contact event data.

creation_time

date and time the contact was created.

Type:

dfdatetime.DateTimeValues

description

twitter account profile description.

Type:

str

followers

number of followers.

Type:

int

friends

number of following.

Type:

int

friendship_time

date and time the contact was befriended.

Type:

dfdatetime.DateTimeValues

identifier

contact row id.

Type:

int

image_url

profile picture url.

Type:

str

location

twitter account profile location content.

Type:

str

modification_time

date and time the contact was last modified.

Type:

dfdatetime.DateTimeValues

name

twitter account name.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

statuses

twitter account number of tweets.

Type:

int

user_identifier

twitter account id.

Type:

int

username

twitter account handler.

Type:

str

web_url

twitter account profile url content.

Type:

str

DATA_TYPE = 'android:twitter:contact'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_twitter.AndroidTwitterPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Twitter on Android database files.

DATA_FORMAT = 'Twitter on Android SQLite database file'
NAME = 'twitter_android'
ParseContactRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a status row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

ParseSearchRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a search row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

ParseStatusRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a status row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT name, query, time FROM search_queries', 'ParseSearchRow'), ('SELECT statuses._id AS _id, statuses.author_id AS author_id, users.username AS username, statuses.content AS content, statuses.created AS time, statuses.favorited AS favorited, statuses.retweeted AS retweeted FROM statuses LEFT JOIN users ON statuses.author_id = users.user_id', 'ParseStatusRow'), ('SELECT _id, user_id, username, name, profile_created, description, web_url, location, followers, friends, statuses, image_url, updated, friendship_time FROM users', 'ParseContactRow')]
REQUIRED_STRUCTURE = {'search_queries': frozenset({'name', 'query', 'time'}), 'statuses': frozenset({'_id', 'author_id', 'content', 'created', 'favorited', 'retweeted'}), 'users': frozenset({'_id', 'description', 'followers', 'friends', 'friendship_time', 'image_url', 'location', 'name', 'profile_created', 'statuses', 'updated', 'user_id', 'username', 'web_url'})}
SCHEMAS = [{'activities': 'CREATE TABLE activities (_id INTEGER PRIMARY KEY,type INT,event INT,created_at INT,hash INT,max_position INT,min_position INT,sources_size INT,source_type INT,sources BLOB,targets_size INT,target_type INT,targets BLOB,target_objects_size INT,target_object_type INT,target_objects BLOB,is_last INT,tag INT,magic_rec_id INT,UNIQUE (type, max_position) ON CONFLICT REPLACE)', 'ads_account_permissions': 'CREATE TABLE ads_account_permissions (_id INTEGER PRIMARY KEY,promotable_users BLOB,last_synced INT NOT NULL)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'business_profiles': 'CREATE TABLE business_profiles (_id INTEGER PRIMARY KEY,user_id INT UNIQUE NOT NULL,business_profile BLOB,last_synced INT NOT NULL)', 'card_state': 'CREATE TABLE card_state (_id INTEGER PRIMARY KEY AUTOINCREMENT,card_status_id INT,card_id INT, card_state BLOB)', 'category_timestamp': 'CREATE TABLE category_timestamp (_id INTEGER PRIMARY KEY,cat_status_id INT NOT NULL,cat_tag INT NOT NULL,cat_timestamp INT NOT NULL)', 'clusters': 'CREATE TABLE clusters (_id INTEGER PRIMARY KEY,cl_cluster_id TEXT UNIQUE NOT NULL,cl_type INT,cl_title TEXT,cl_subtitle TEXT,cl_size INT,cl_timestamp INT,cl_content BLOB)', 'conversation_entries': 'CREATE TABLE conversation_entries (_id INTEGER PRIMARY KEY,entry_id INT UNIQUE NOT NULL,sort_entry_id INT UNIQUE NOT NULL,conversation_id TEXT,user_id INT,created INT,entry_type INT,data BLOB,request_id TEXT)', 'conversation_participants': 'CREATE TABLE conversation_participants (_id INTEGER PRIMARY KEY,conversation_id TEXT NOT NULL,user_id TEXT NOT NULL,join_time INT NOT NULL,participant_type INT NOT NULL)', 'conversations': 'CREATE TABLE conversations (_id INTEGER PRIMARY KEY,conversation_id TEXT UNIQUE NOT NULL,title TEXT,avatar_url TEXT,type INT,sort_event_id BIGINT,last_readable_event_id BIGINT,last_read_event_id BIGINT,sort_timestamp BIGINT,is_muted INT,min_event_id BIGINT,is_hidden INT,has_more INT,read_only INT)', 'cursors': 'CREATE TABLE cursors (_id INTEGER PRIMARY KEY,kind INT,type INT,owner_id INT,ref_id TEXT,next TEXT)', 'dismiss_info': 'CREATE TABLE dismiss_info(timeline_id INTEGER REFERENCES timeline(_id),feedback_action_id INTEGER REFERENCES feedback_action(_id),UNIQUE(timeline_id,feedback_action_id))', 'feedback_action': 'CREATE TABLE feedback_action(_id INTEGER PRIMARY KEY AUTOINCREMENT,feedback_type TEXT,prompt TEXT,confirmation TEXT,UNIQUE(feedback_type,prompt,confirmation))', 'list_mapping': 'CREATE TABLE list_mapping (_id INTEGER PRIMARY KEY,list_mapping_list_id TEXT,list_mapping_type INT,list_mapping_user_id INT,list_is_last INT)', 'locations': 'CREATE TABLE locations (_id INTEGER PRIMARY KEY,name TEXT,woeid INT,country TEXT,country_code TEXT)', 'moments': 'CREATE TABLE moments (_id INTEGER PRIMARY KEY,title TEXT NOT NULL,can_subscribe INT,is_live INT,is_sensitive INT,subcategory_string TEXT,subcategory_favicon_url TEXT,time_string TEXT,duration_string TEXT,is_subscribed INT,description TEXT NOT NULL,moment_url TEXT,num_subscribers INT,author_info BLOB,promoted_content BLOB)', 'moments_guide': 'CREATE TABLE moments_guide (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,section_id INT NOT NULL,tweet_id INT NOT NULL, crop_data BLOB,media_id INT,media_url TEXT,media_size BLOB,FOREIGN KEY(section_id) REFERENCES moments_sections(_id) ON DELETE CASCADE)', 'moments_guide_categories': 'CREATE TABLE moments_guide_categories (_id INTEGER PRIMARY KEY,category_id TEXT NOT NULL,is_default_category INT NOT NULL,category_name TEXT NOT NULL,fetch_timestamp INT NOT NULL)', 'moments_guide_user_states': 'CREATE TABLE moments_guide_user_states (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,is_read INT,is_updated INT,FOREIGN KEY(moment_id) REFERENCES moments(_id) ON DELETE CASCADE)', 'moments_pages': 'CREATE TABLE moments_pages (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,page_id TEXT,type BLOB,tweet_id INT,display_mode BLOB,page_number INT,crop_data BLOB,theme_data BLOB,media_id INT,media_size BLOB,media_url TEXT,last_read_timestamp INT,FOREIGN KEY(moment_id) REFERENCES moments(_id))', 'moments_sections': 'CREATE TABLE moments_sections (_id INTEGER PRIMARY KEY,section_title TEXT,section_type BLOB NOT NULL,section_group_id TEXT,section_group_type INT NOT NULL)', 'moments_visit_badge': 'CREATE TABLE moments_visit_badge (_id INTEGER PRIMARY KEY,moment_id INT UNIQUE NOT NULL,is_new_since_visit INT,is_updated_since_visit INT)', 'news': 'CREATE TABLE news (_id INTEGER PRIMARY KEY AUTOINCREMENT,country TEXT,language TEXT,topic_id INT,news_id TEXT,title TEXT,image_url TEXT,author_name TEXT,article_description TEXT,article_url TEXT,tweet_count INT,start_time INT,news_id_hash INT)', 'notifications': 'CREATE TABLE notifications (_id INTEGER PRIMARY KEY,type INT,notif_id INT,source_user_name TEXT,s_name TEXT,s_id INT,notif_txt TEXT,aggregation_data TEXT,notif_extra_data BLOB)', 'one_click': 'CREATE TABLE one_click (_id INTEGER PRIMARY KEY,topic TEXT,filter_name TEXT,filter_location TEXT,filter_follow INT)', 'order_history': 'CREATE TABLE order_history (_id INTEGER PRIMARY KEY,ordered_at INT ,order_id INT ,data BLOB)', 'promoted_retry': 'CREATE TABLE promoted_retry(impression_id TEXT,event INT NOT NULL,is_earned INT NOT NULL,trend_id INT,num_retries INT NOT NULL,url TEXT,video_playlist_url TEXT,video_content_uuid TEXT,video_content_type TEXT,video_cta_url TEXT,video_cta_app_id TEXT,video_cta_app_name TEXT,card_event TEXT,PRIMARY KEY(impression_id,event,is_earned,trend_id))', 'prompts': 'CREATE TABLE prompts (_id INTEGER PRIMARY KEY,p_id INT,p_format TEXT,p_template TEXT,p_header TEXT,p_text TEXT,p_action_text TEXT,p_action_url TEXT,p_icon TEXT,p_background_image_url TEXT,p_persistence TEXT,p_entities BLOB,p_header_entities BLOB,p_status_id LONG,p_insertion_index INT,p_trigger TEXT)', 'rankings': 'CREATE TABLE rankings (_id INTEGER PRIMARY KEY AUTOINCREMENT,country TEXT,language TEXT,granularity TEXT,category TEXT,date INT)', 'search_queries': 'CREATE TABLE search_queries (_id INTEGER PRIMARY KEY,type INT,name TEXT NOT NULL,query TEXT NOT NULL,query_id INT,time INT,latitude REAL,longitude REAL,radius REAL,location TEXT,pc BLOB,cluster_titles BLOB)', 'search_results': 'CREATE TABLE search_results (_id INTEGER PRIMARY KEY,search_id INT,s_type INT,data_type INT,type_id INT,polled INT,data_id INT,related_data BLOB,cluster_id INT)', 'search_suggestion_metadata': 'CREATE TABLE search_suggestion_metadata (_id INTEGER PRIMARY KEY,type INT,last_update LONG)', 'status_groups': 'CREATE TABLE status_groups (_id INTEGER PRIMARY KEY,tweet_type INT DEFAULT 0,type INT,sender_id INT,owner_id INT,ref_id INT,tag INT,g_status_id INT,is_read INT,page INT,is_last INT,updated_at INT,timeline INT,pc BLOB,g_flags INT,preview_draft_id INT,preview_media BLOB,tweet_pivots BLOB)', 'status_metadata': 'CREATE TABLE status_metadata (_id INTEGER PRIMARY KEY,owner_id INT NOT NULL,status_id INT NOT NULL,status_group INT NOT NULL,status_group_tag INT NOT NULL,soc_type INT,soc_name TEXT,soc_second_name TEXT,soc_others_count INT,soc_fav_count INT,soc_rt_count INT,reason_icon_type TEXT,reason_text TEXT,scribe_component TEXT,scribe_data BLOB,highlights TEXT)', 'statuses': 'CREATE TABLE statuses (_id INTEGER PRIMARY KEY,status_id INT UNIQUE NOT NULL,author_id INT,content TEXT,source TEXT,created INT,in_r_user_id INT,in_r_status_id INT,favorited INT,latitude TEXT,longitude TEXT,place_data BLOB,entities TEXT,retweet_count INT,r_content TEXT,cards BLOB,flags INT,favorite_count INT,lang TEXT,supplemental_language TEXT,view_count INT,quoted_tweet_data BLOB,quoted_tweet_id INT,retweeted INT)', 'stories': 'CREATE TABLE stories ( _id INTEGER PRIMARY KEY,story_id TEXT,story_order INT,story_type INT,story_proof_type INT,story_proof_addl_count INT,data_type INT,data_id INT,story_is_read INT,story_meta_title TEXT,story_meta_subtitle TEXT,story_meta_query TEXT,story_meta_header_img_url TEXT,story_source TEXT,story_impression_info TEXT,story_tag INT)', 'timeline': 'CREATE TABLE timeline (_id INTEGER PRIMARY KEY AUTOINCREMENT,owner_id INT,type INT,sort_index INT,entity_id INT,entity_type INT,data_type INT,data_type_group INT,data_type_tag INT,timeline_tag TEXT,timeline_group_id INT,timeline_scribe_group_id INT,data_id INT,data BLOB,flags INT,updated_at INT,data_origin_id TEXT,is_last INT,is_read INT,scribe_content BLOB,timeline_moment_info BLOB,dismissed INT NOT NULL DEFAULT 0,dismiss_actions INT NOT NULL DEFAULT 0)', 'tokens': 'CREATE TABLE tokens (_id INTEGER PRIMARY KEY,text TEXT,weight INT,type INT,ref_id INT)', 'topics': 'CREATE TABLE topics (_id INTEGER PRIMARY KEY,ev_id TEXT UNIQUE NOT NULL,ev_type INT,ev_query TEXT NOT NULL,ev_seed_hashtag TEXT,ev_title STRING,ev_subtitle STRING,ev_view_url STRING,ev_status STRING,ev_image_url TEXT,ev_explanation TEXT,ev_tweet_count INT,ev_start_time INT,ev_owner_id INT,ev_pc BLOB,ev_content BLOB,ev_hash INT)', 'user_groups': 'CREATE TABLE user_groups (_id INTEGER PRIMARY KEY,type INT,tag INT,rank INT,owner_id INT,user_id INT,is_last INT,pc BLOB,g_flags INT)', 'user_metadata': 'CREATE TABLE user_metadata (_id INTEGER PRIMARY KEY,owner_id INT NOT NULL,user_id INT NOT NULL,user_group_type INT NOT NULL,user_group_tag INT NOT NULL,soc_type INT,soc_name TEXT,soc_follow_count INT,user_title TEXT,token TEXT)', 'users': 'CREATE TABLE users (_id INTEGER PRIMARY KEY,user_id INT UNIQUE NOT NULL,username TEXT,name TEXT,description TEXT,web_url TEXT,bg_color INT,location TEXT,structured_location BLOB,user_flags INT,followers INT,fast_followers INT DEFAULT 0,friends INT,statuses INT,profile_created INT,image_url TEXT,hash INT,updated INT,friendship INT,friendship_time INT,favorites INT DEFAULT 0,header_url TEXT,description_entities BLOB,url_entities BLOB,media_count INT,extended_profile_fields BLOB,pinned_tweet_id INT,link_color INT,advertiser_type TEXT,business_profile_state TEXT)'}]
class plaso.parsers.sqlite_plugins.android_twitter.AndroidTwitterSearchEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Twitter on Android search event data.

creation_time

date and time the search was created.

Type:

dfdatetime.DateTimeValues

name

twitter name handler.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

search_query

search query.

Type:

str

DATA_TYPE = 'android:twitter:search'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_twitter.AndroidTwitterStatusEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Twitter on Android status event data.

author_identifier

twitter account identifier.

Type:

int

content

status content.

Type:

str

creation_time

date and time the status was created.

Type:

dfdatetime.DateTimeValues

favorited

favorited flag as 0/1 value.

Type:

int

identifier

status row identifier.

Type:

int

query

SQL query that was used to obtain the event data.

Type:

str

retweeted

retweeted flag as 0/1 value.

Type:

int

username

twitter account handler.

Type:

str

DATA_TYPE = 'android:twitter:status'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.android_webview module

SQLite parser plugin for Android WebView database files.

class plaso.parsers.sqlite_plugins.android_webview.AndroidWebViewCookieEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Android WebView cookie event data.

cookie_name

name of the cookie.

Type:

str

data

data stored in the cookie.

Type:

str

expiration_time

date and time the cache entry expires.

Type:

dfdatetime.DateTimeValues

host

host that set the cookie.

Type:

str

offset

identifier of the row, from which the event data was extracted.

Type:

str

path

path for which the cookie was set.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

secure

True if the cookie should only be transmitted over a secure channel.

Type:

bool

url

URL of the cookie.

Type:

str

DATA_TYPE = 'android:webview:cookie'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_webview.AndroidWebViewPlugin[source]

Bases: SQLitePlugin, CookiePluginsHelper

SQLite parser plugin for Android WebView database files.

DATA_FORMAT = 'Android WebView SQLite database file'
NAME = 'android_webview'
ParseCookieRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = frozenset({('SELECT _id, name, value, domain, expires, path, secure FROM cookies', 'ParseCookieRow')})
REQUIRED_STRUCTURE = {'android_metadata': frozenset({}), 'cookies': frozenset({'_id', 'domain', 'expires', 'name', 'path', 'secure', 'value'})}
SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'cookies': 'CREATE TABLE cookies (_id INTEGER PRIMARY KEY, name TEXT, value TEXT, domain TEXT, path TEXT, expires INTEGER, secure INTEGER)', 'formdata': 'CREATE TABLE formdata (_id INTEGER PRIMARY KEY, urlid INTEGER, name TEXT, value TEXT, UNIQUE (urlid, name, value) ON CONFLICT IGNORE)', 'formurl': 'CREATE TABLE formurl (_id INTEGER PRIMARY KEY, url TEXT)', 'httpauth': 'CREATE TABLE httpauth (_id INTEGER PRIMARY KEY, host TEXT, realm TEXT, username TEXT, password TEXT, UNIQUE (host, realm) ON CONFLICT REPLACE)', 'password': 'CREATE TABLE password (_id INTEGER PRIMARY KEY, host TEXT, username TEXT, password TEXT, UNIQUE (host, username) ON CONFLICT REPLACE)'}]

plaso.parsers.sqlite_plugins.android_webviewcache module

SQLite parser plugin for Android WebviewCache database files.

class plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCacheEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Android WebViewCache event data.

content_length

size of the cached content.

Type:

int

expiration_time

date and time the cache entry expires.

Type:

dfdatetime.DateTimeValues

last_modified_time

date and time the cache entry was last modified.

Type:

dfdatetime.DateTimeValues

query

SQL query that was used to obtain the event data.

Type:

str

url

URL the content was retrieved from.

Type:

str

DATA_TYPE = 'android:webviewcache'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Android WebviewCache database files.

DATA_FORMAT = 'Android WebViewCache SQLite database file'
NAME = 'android_webviewcache'
ParseRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = frozenset({('SELECT url, contentlength, expires, lastmodify FROM cache', 'ParseRow')})
REQUIRED_STRUCTURE = {'android_metadata': frozenset({}), 'cache': frozenset({'contentlength', 'expires', 'lastmodify', 'url'})}
SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'cache': 'CREATE TABLE cache (_id INTEGER PRIMARY KEY, url TEXT, filepath TEXT, lastmodify TEXT, etag TEXT, expires INTEGER, expiresstring TEXT, mimetype TEXT, encoding TEXT, httpstatus INTEGER, location TEXT, contentlength INTEGER, contentdisposition TEXT, UNIQUE (url) ON CONFLICT REPLACE)'}]

plaso.parsers.sqlite_plugins.chrome_autofill module

SQLite parser plugin for Google Chrome autofill database (Web Data) files.

class plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome Autofill event data.

creation_time

creation date and time of the autofill entry.

Type:

dfdatetime.DateTimeValues

field_name

name of form field.

Type:

str

last_used_time

last date and time the autofill entry was last used.

Type:

dfdatetime.DateTimeValues

query

SQL query that was used to obtain the event data.

Type:

str

usage_count

count of times value has been used in field_name.

Type:

int

value

value populated in form field.

Type:

str

DATA_TYPE = 'chrome:autofill:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Google Chrome autofill database (Web Data) files.

The Google Chrome autofill database (Web Data) file is typically stored in: Web Data

DATA_FORMAT = 'Google Chrome autofill SQLite database (Web Data) file'
NAME = 'chrome_autofill'
ParseAutofillRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an autofill entry row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT autofill.date_created, autofill.date_last_used, autofill.name, autofill.value, autofill.count FROM autofill ORDER BY date_created', 'ParseAutofillRow')]
REQUIRED_STRUCTURE = {'autofill': frozenset({'count', 'date_created', 'date_last_used', 'name', 'value'})}
SCHEMAS = [{'autofill': 'CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower VARCHAR, date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0, count INTEGER DEFAULT 1, PRIMARY KEY (name, value));)'}]

plaso.parsers.sqlite_plugins.chrome_cookies module

SQLite parser plugin for Google Chrome cookies database files.

class plaso.parsers.sqlite_plugins.chrome_cookies.BaseChromeCookiePlugin[source]

Bases: SQLitePlugin, CookiePluginsHelper

SQLite parser plugin for Google Chrome cookies database files.

GA_UTMZ_TRANSLATION = {'utmccn': 'Ad campaign information.', 'utmcct': 'Path to the page of referring link.', 'utmcmd': 'Last type of visit.', 'utmcsr': 'Last source used to access.', 'utmctr': 'Keywords used to find site.'}
ParseCookieRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a cookie row.

Parameters:
  • parser_mediator (ParserMediator) – parser mediator.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from the query.

class plaso.parsers.sqlite_plugins.chrome_cookies.Chrome17CookiePlugin[source]

Bases: BaseChromeCookiePlugin

SQLite parser plugin for Google Chrome 17 - 65 cookies database files.

DATA_FORMAT = 'Google Chrome 17 - 65 cookies SQLite database file'
NAME = 'chrome_17_cookies'
QUERIES = [('SELECT creation_utc, host_key, name, value, path, expires_utc, secure, httponly, last_access_utc, has_expires, persistent FROM cookies', 'ParseCookieRow')]
REQUIRED_STRUCTURE = {'cookies': frozenset({'creation_utc', 'expires_utc', 'has_expires', 'host_key', 'httponly', 'last_access_utc', 'name', 'path', 'persistent', 'secure', 'value'}), 'meta': frozenset({})}
SCHEMAS = [{'cookies': 'CREATE TABLE cookies (creation_utc INTEGER NOT NULL UNIQUE PRIMARY KEY, host_key TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL, path TEXT NOT NULL, expires_utc INTEGER NOT NULL, secure INTEGER NOT NULL, httponly INTEGER NOT NULL, last_access_utc INTEGER NOT NULL, has_expires INTEGER DEFAULT 1, persistent INTEGER DEFAULT 1)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)'}]
class plaso.parsers.sqlite_plugins.chrome_cookies.Chrome66CookiePlugin[source]

Bases: BaseChromeCookiePlugin

SQLite parser plugin for Google Chrome 66+ cookies database files.

DATA_FORMAT = 'Google Chrome 66 and later cookies SQLite database file'
NAME = 'chrome_66_cookies'
QUERIES = [('SELECT creation_utc, host_key, name, value, path, expires_utc, is_secure AS secure, is_httponly AS httponly, last_access_utc, has_expires, is_persistent AS persistent FROM cookies', 'ParseCookieRow')]
REQUIRED_STRUCTURE = {'cookies': frozenset({'creation_utc', 'expires_utc', 'has_expires', 'host_key', 'is_httponly', 'is_persistent', 'is_secure', 'last_access_utc', 'name', 'path', 'value'}), 'meta': frozenset({})}
SCHEMAS = [{'cookies': "CREATE TABLE cookies (creation_utc INTEGER NOT NULL, host_key TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL, path TEXT NOT NULL, expires_utc INTEGER NOT NULL, is_secure INTEGER NOT NULL, is_httponly INTEGER NOT NULL, last_access_utc INTEGER NOT NULL, has_expires INTEGER NOT NULL DEFAULT 1, is_persistent INTEGER NOT NULL DEFAULT 1, priority INTEGER NOT NULL DEFAULT 1, encrypted_value BLOB DEFAULT '', firstpartyonly INTEGER NOT NULL DEFAULT 0, UNIQUE (host_key, name, path))", 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)'}]
class plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome Cookie event data.

access_time

date and time the cookie was last accessed.

Type:

dfdatetime.DateTimeValues

cookie_name

name of the cookie.

Type:

str

creation_time

date and time the cookie was created.

Type:

dfdatetime.DateTimeValues

data

value of the cookie.

Type:

str

expiration_time

date and time the cookie expires.

Type:

dfdatetime.DateTimeValues

host

hostname of host that set the cookie value.

Type:

str

httponly

True if the cookie cannot be accessed through client side script.

Type:

bool

path

path where the cookie got set.

Type:

str

persistent

True if the cookie is persistent.

Type:

bool

query

SQL query that was used to obtain the event data.

Type:

str

secure

True if the cookie should only be transmitted over a secure channel.

Type:

bool

url

URL or path where the cookie got set.

Type:

str

DATA_TYPE = 'chrome:cookie:entry'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.chrome_extension_activity module

SQLite parser plugin for Google Chrome extension activity database files.

class plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome Extension Activity event data.

action_type

action type.

Type:

str

activity_id

activity identifier.

Type:

str

api_name

name of API.

Type:

str

arg_url

URL argument.

Type:

str

args

arguments.

Type:

str

extension_id

extension identifier.

Type:

str

other

other.

Type:

str

page_title

title of webpage.

Type:

str

page_url

URL of webpage.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

recorded_time

date and time the entry was recorded.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'chrome:extension_activity:activity_log'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Google Chrome extension activity database files.

The Google Chrome extension activity database file is typically stored in: Extension Activity

DATA_FORMAT = 'Google Chrome extension activity SQLite database file'
NAME = 'chrome_extension_activity'
ParseActivityLogUncompressedRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an activity log row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT time, extension_id, action_type, api_name, args, page_url, page_title, arg_url, other, activity_id FROM activitylog_uncompressed ORDER BY time', 'ParseActivityLogUncompressedRow')]
REQUIRED_STRUCTURE = {'activitylog_compressed': frozenset({'action_type', 'api_name_x', 'arg_url_x', 'args_x', 'extension_id_x', 'other_x', 'page_title_x', 'page_url_x', 'time'})}
SCHEMAS = [{'activitylog_compressed': 'CREATE TABLE activitylog_compressed (count INTEGER NOT NULL DEFAULT 1, extension_id_x INTEGER NOT NULL, time INTEGER, action_type INTEGER, api_name_x INTEGER, args_x INTEGER, page_url_x INTEGER, page_title_x INTEGER, arg_url_x INTEGER, other_x INTEGER)', 'string_ids': 'CREATE TABLE string_ids (id INTEGER PRIMARY KEY, value TEXT NOT NULL)', 'url_ids': 'CREATE TABLE url_ids (id INTEGER PRIMARY KEY, value TEXT NOT NULL)'}]

plaso.parsers.sqlite_plugins.chrome_history module

SQLite parser plugin for Google Chrome history database files.

class plaso.parsers.sqlite_plugins.chrome_history.BaseGoogleChromeHistoryPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Google Chrome history database files.

The Google Chrome history database file is typically stored in: Archived History History

Note that the Archived History database does not contain the downloads table.

ParseLastVisitedRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a last visited row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

  • cache (SQLiteCache) – cache which contains cached results from querying the visits and urls tables.

  • database (Optional[SQLiteDatabase]) – database.

class plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome History file downloaded event data.

danger_type

assessment by Safe Browsing of the danger of the downloaded content.

Type:

int

end_time

date and time the download was finished.

Type:

dfdatetime.DateTimeValues

full_path

full path where the file was downloaded to.

Type:

str

interrupt_reason

indication why the download was interrupted.

Type:

int

offset

identifier of the row, from which the event data was extracted.

Type:

str

opened

value to indicate if the downloaded file was opened from the browser.

Type:

int

query

SQL query that was used to obtain the event data.

Type:

str

received_bytes

number of bytes received while downloading.

Type:

int

start_time

date and time the download was started.

Type:

dfdatetime.DateTimeValues

state

state of the download, such as finished or cancelled.

Type:

int

total_bytes

total number of bytes to download.

Type:

int

url

URL of the downloaded file.

Type:

str

DATA_TYPE = 'chrome:history:file_downloaded'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome History page visited event data.

from_visit

URL where the visit originated from.

Type:

str

last_visited_time

date and time the URL was last visited.

Type:

dfdatetime.DateTimeValues

offset

identifier of the row, from which the event data was extracted.

Type:

str

page_transition_type

type of transitions between pages.

Type:

int

query

SQL query that was used to obtain the event data.

Type:

str

title

title of the visited page.

Type:

str

typed_count

number of times the user has navigated to the page by typing in the address.

Type:

int

url

URL of the visited page.

Type:

str

url_hidden

True if the URL is hidden.

Type:

bool

visit_count

number of times the user has navigated to this page.

Type:

int

visit_source

source of the page visit.

Type:

int

DATA_TYPE = 'chrome:history:page_visited'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome27HistoryPlugin[source]

Bases: BaseGoogleChromeHistoryPlugin

SQLite parser plugin for Google Chrome 27+ history database files.

DATA_FORMAT = 'Google Chrome 27 and later history SQLite database file'
NAME = 'chrome_27_history'
ParseFileDownloadedRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a file downloaded row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT urls.id, urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition, visits.id AS visit_id FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time', 'ParseLastVisitedRow'), ('SELECT downloads.id AS id, downloads.start_time,downloads.target_path, downloads_url_chains.url, downloads.received_bytes, downloads.total_bytes, downloads.end_time, downloads.state, downloads.danger_type, downloads.interrupt_reason, downloads.opened FROM downloads, downloads_url_chains WHERE downloads.id = downloads_url_chains.id', 'ParseFileDownloadedRow')]
REQUIRED_STRUCTURE = {'downloads': frozenset({'danger_type', 'end_time', 'id', 'interrupt_reason', 'opened', 'received_bytes', 'start_time', 'state', 'target_path', 'total_bytes'}), 'downloads_url_chains': frozenset({'id', 'url'}), 'urls': frozenset({'hidden', 'id', 'last_visit_time', 'title', 'typed_count', 'url', 'visit_count'}), 'visits': frozenset({'from_visit', 'id', 'transition', 'visit_time'})}
SCHEMAS = [{'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,last_access_time INTEGER NOT NULL,transient INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': "CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, guid VARCHAR NOT NULL DEFAULT '', hash BLOB NOT NULL DEFAULT X'', http_method VARCHAR NOT NULL DEFAULT '', tab_url VARCHAR NOT NULL DEFAULT '', tab_referrer_url VARCHAR NOT NULL DEFAULT '', site_url VARCHAR NOT NULL DEFAULT '', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)", 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL, mime_type VARCHAR(255) NOT NULL DEFAULT "", original_mime_type VARCHAR(255) NOT NULL DEFAULT "", guid VARCHAR NOT NULL DEFAULT \'\', hash BLOB NOT NULL DEFAULT X\'\', http_method VARCHAR NOT NULL DEFAULT \'\', tab_url VARCHAR NOT NULL DEFAULT \'\', tab_referrer_url VARCHAR NOT NULL DEFAULT \'\', site_url VARCHAR NOT NULL DEFAULT \'\', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': "CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, guid VARCHAR NOT NULL DEFAULT '', hash BLOB NOT NULL DEFAULT X'', http_method VARCHAR NOT NULL DEFAULT '', tab_url VARCHAR NOT NULL DEFAULT '', tab_referrer_url VARCHAR NOT NULL DEFAULT '', site_url VARCHAR NOT NULL DEFAULT '', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)", 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,last_access_time INTEGER NOT NULL,transient INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}]
class plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome8HistoryPlugin[source]

Bases: BaseGoogleChromeHistoryPlugin

SQLite parser plugin for Google Chrome 8 - 25 history database files.

DATA_FORMAT = 'Google Chrome 8 - 25 history SQLite database file'
NAME = 'chrome_8_history'
ParseFileDownloadedRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a file downloaded row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT urls.id, urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition, visits.id AS visit_id FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time', 'ParseLastVisitedRow'), ('SELECT id, full_path, url, start_time, received_bytes, total_bytes, state FROM downloads', 'ParseFileDownloadedRow')]
REQUIRED_STRUCTURE = {'downloads': frozenset({'full_path', 'id', 'received_bytes', 'start_time', 'state', 'total_bytes', 'url'}), 'urls': frozenset({'hidden', 'id', 'last_visit_time', 'title', 'typed_count', 'url', 'visit_count'}), 'visits': frozenset({'from_visit', 'id', 'transition', 'visit_time'})}
SCHEMAS = [{'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN,visit_duration INTEGER DEFAULT 0 NOT NULL)'}]

plaso.parsers.sqlite_plugins.dropbox module

SQLite parser plugin for Dropbox sync_history database files.

class plaso.parsers.sqlite_plugins.dropbox.DropboxSyncDatabasePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Dropbox sync_history.db database files.

The Linux sync_history.db database is typically stored in: $HOME/.dropbox/instance1/sync_history.db

The Windows 10 sync_history.db database is typically stored in: $HOME/AppData/Local/Dropbox/instance1/sync_history.db

DATA_FORMAT = 'Dropbox sync history database (sync_history.db) file'
NAME = 'dropbox'
ParseSyncHistoryRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a sync_history row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT timestamp, event_type, file_event_type, direction, file_id, local_path FROM sync_history;', 'ParseSyncHistoryRow')]
REQUIRED_STRUCTURE = {'sync_history': frozenset({'direction', 'event_type', 'file_event_type', 'file_id', 'local_path', 'timestamp'})}
SCHEMAS = [{'sync_history': 'CREATE TABLE sync_history (event_type TEXT NOT NULL, file_event_type TEXT, direction TEXT, file_id TEXT, local_path TEXT, timestamp INTEGER NOT NULL, other_user INTEGER'}]
class plaso.parsers.sqlite_plugins.dropbox.DropboxSyncHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Dropbox Sync History Database event data.

event_type

the event type

Type:

str

file_event_type

the file event type

Type:

str

direction

the source of the synchronisation event

Type:

str

file_identifier

the Dropbox identifier of the file.

Type:

str

local_path

the local path of the file.

Type:

str

recorded_time

date and time the log entry was recorded.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'dropbox:sync_history:entry'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.edge_load_statistics module

Parser for Microsoft Edge load statistics database.

class plaso.parsers.sqlite_plugins.edge_load_statistics.EdgeLoadStatisticsPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Microsoft Edge load statistics database.

DESCRIPTION = 'Parser for Microsoft Edge load_statistics.db'
NAME = 'edge_load_statistics'
ParseResourceRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT top_level_hostname, resource_hostname, resource_type, last_update FROM load_statistics', 'ParseResourceRow')]
REQUIRED_STRUCTURE = {'load_statistics': frozenset({'last_update', 'resource_hostname', 'resource_type', 'resource_url_hash', 'top_level_hostname'}), 'meta': frozenset({'key', 'value'}), 'redirect_statistics': frozenset({'destination_hostname', 'is_top_level_document', 'last_update', 'source_hostname'})}
SCHEMAS = [{'load_statistics': 'CREATE TABLE load_statistics(top_level_hostname TEXT,resource_hostname TEXT, resource_url_hash TEXT, resource_typeINTEGER, last_update INTEGER NOT NULL,UNIQUE(top_level_hostname,resource_url_hash))', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,value LONGVARCHAR)', 'redirect_statistics': 'CREATE TABLE redirect_statistics(source_hostname TEXT,destination_hostname TEXT, is_top_level_document INTEGER NOTNULL, last_update INTEGER NOT NULL, UNIQUE(source_hostname,destination_hostname,is_top_level_document))'}]
class plaso.parsers.sqlite_plugins.edge_load_statistics.EdgeLoadStatisticsResourceEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Microsoft Edge load statistics resource event data.

last_update

Last update time of resource, cached or not.

query

query that created the event data.

Type:

str

resource_hostname

External domain of the resource that was loaded

resource_type

Integer descriptor of resource type

top_level_hostname

Source domain that initiated resource load

DATA_TYPE = 'edge:resources:load_statistics'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.firefox_cookies module

SQLite parser plugin for Mozilla Firefox cookies database files.

class plaso.parsers.sqlite_plugins.firefox_cookies.BaseFirefoxCookiePlugin[source]

Bases: SQLitePlugin, CookiePluginsHelper

Shared SQLite parser plugin for Mozilla Firefox cookies database files.

ParseCookieRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a cookie row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

class plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookie10Plugin[source]

Bases: BaseFirefoxCookiePlugin

SQLite parser plugin for Mozilla Firefox cookies schema 10 databases.

In schema 10 baseDomain was removed.

Also see:

https://searchfox.org/mozilla-central/source/netwerk/cookie/CookiePersistentStorage.cpp

DATA_FORMAT = 'Mozilla Firefox cookies SQLite database file version 10'
NAME = 'firefox_10_cookies'
QUERIES = [('SELECT id, name, value, host, path, expiry, lastAccessed, creationTime, isSecure, isHttpOnly FROM moz_cookies', 'ParseCookieRow')]
REQUIRED_STRUCTURE = {'moz_cookies': frozenset({'creationTime', 'expiry', 'host', 'id', 'isHttpOnly', 'isSecure', 'lastAccessed', 'name', 'path', 'value'})}
SCHEMAS = [{'moz_cookies': 'CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement))'}]
class plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookie2Plugin[source]

Bases: BaseFirefoxCookiePlugin

SQLite parser plugin for Mozilla Firefox cookies schema 2 databases.

Also see:

https://hg.mozilla.org/mozilla-central/file/349a2f003529/netwerk/cookie/nsCookie.h

DATA_FORMAT = 'Mozilla Firefox cookies SQLite database file version 2'
NAME = 'firefox_2_cookies'
QUERIES = [('SELECT id, baseDomain, name, value, host, path, expiry, lastAccessed, creationTime, isSecure, isHttpOnly FROM moz_cookies', 'ParseCookieRow')]
REQUIRED_STRUCTURE = {'moz_cookies': frozenset({'baseDomain', 'creationTime', 'expiry', 'host', 'id', 'isHttpOnly', 'isSecure', 'lastAccessed', 'name', 'path', 'value'})}
SCHEMAS = [{'moz_cookies': 'CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement))'}]
class plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Firefox Cookie event data.

access_time

date and time the cookie was last accessed.

Type:

dfdatetime.DateTimeValues

cookie_name

name field of the cookie.

Type:

str

creation_time

date and time the cookie was created.

Type:

dfdatetime.DateTimeValues

data

cookie data.

Type:

str

expiration_time

date and time the cookie expires.

Type:

dfdatetime.DateTimeValues

httponly

True if the cookie cannot be accessed through client side script.

Type:

bool

host

hostname of host that set the cookie value.

Type:

str

offset

identifier of the row, from which the event data was extracted.

Type:

str

path

URI of the page that set the cookie.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

secure

True if the cookie should only be transmitted over a secure channel.

Type:

bool

DATA_TYPE = 'firefox:cookie:entry'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.firefox_downloads module

SQLite parser plugin for Mozilla Firefox downloads database files.

class plaso.parsers.sqlite_plugins.firefox_downloads.Firefox118DownloadEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Firefox download event data.

deleted

deleted state.

Type:

int

download_state

state of the download.

Type:

int

end_time

date and time the download was finished.

Type:

dfdatetime.DateTimeValues

expiration

expiration.

Type:

int

flags

flags associated with this download

Type:

int

full_path

full path of the target of the download.

Type:

str

mime_type

mime type of the download.

Type:

str

name

name of the download.

Type:

str

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

received_bytes

number of bytes received.

Type:

int

referrer

referrer URL of the download.

Type:

str

start_time

date and time the download was started.

Type:

dfdatetime.DateTimeValues

temporary_location

temporary location of the download.

Type:

str

total_bytes

total number of bytes of the download.

Type:

int

type

type field.

Type:

int

url

source URL of the download.

Type:

str

DATA_TYPE = 'firefox:downloads:download'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.firefox_downloads.Firefox118DownloadsPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for version 118 Firefox downloads database files.

The version 118 Firefox downloads database file is typically stored in: places.sql

DATA_FORMAT = 'Mozilla Firefox 118 downloads SQLite database (downloads.sqlite) file'
NAME = 'firefox_118_downloads'
ParseDownloadsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a downloads row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT annos1.content, annos2.flags, annos2.expiration, annos2.type, annos2.dateAdded, annos2.lastModified, annos2.content as dest_fpath, places.url, places.title, places.last_visit_date from moz_annos annos1, moz_annos annos2, moz_places places WHERE annos1.anno_attribute_id == annos2.anno_attribute_id+1 AND annos1.place_id == annos2.place_id AND annos1.place_id == places.id', 'ParseDownloadsRow')]
REQUIRED_STRUCTURE = {'moz_annos': frozenset({'anno_attribute_id', 'content', 'dateAdded', 'expiration', 'flags', 'id', 'lastModified', 'place_id', 'type'}), 'moz_places': frozenset({'id', 'last_visit_date', 'title', 'url'})}
SCHEMAS = [{'moz_annos': 'CREATE TABLE moz_annos (id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)'}, {'moz_places': 'CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER, guid TEXT, foreign_count INTEGER DEFAULT 0 NOT NULL, url_hash INTEGER DEFAULT 0 NOT NULL , description TEXT, preview_image_url TEXT, site_name TEXT, origin_id INTEGER REFERENCES moz_origins(id), recalc_frecency INTEGER NOT NULL DEFAULT 0, alt_frecency INTEGER, recalc_alt_frecency INTEGER NOT NULL DEFAULT 0)'}]
class plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Firefox download event data.

end_time

date and time the download was finished.

Type:

dfdatetime.DateTimeValues

full_path

full path of the target of the download.

Type:

str

mime_type

mime type of the download.

Type:

str

name

name of the download.

Type:

str

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

received_bytes

number of bytes received.

Type:

int

referrer

referrer URL of the download.

Type:

str

start_time

date and time the download was started.

Type:

dfdatetime.DateTimeValues

temporary_location

temporary location of the download.

Type:

str

total_bytes

total number of bytes of the download.

Type:

int

url

source URL of the download.

Type:

str

DATA_TYPE = 'firefox:downloads:download'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadsPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Mozilla Firefox downloads database files.

The Mozilla Firefox downloads database file is typically stored in: downloads.sqlite

DATA_FORMAT = 'Mozilla Firefox downloads SQLite database (downloads.sqlite) file'
NAME = 'firefox_downloads'
ParseDownloadsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a downloads row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT moz_downloads.id, moz_downloads.name, moz_downloads.source, moz_downloads.target, moz_downloads.tempPath, moz_downloads.startTime, moz_downloads.endTime, moz_downloads.state, moz_downloads.referrer, moz_downloads.currBytes, moz_downloads.maxBytes, moz_downloads.mimeType FROM moz_downloads', 'ParseDownloadsRow')]
REQUIRED_STRUCTURE = {'moz_downloads': frozenset({'currBytes', 'endTime', 'id', 'maxBytes', 'mimeType', 'name', 'referrer', 'source', 'startTime', 'state', 'target', 'tempPath'})}
SCHEMAS = [{'moz_downloads': 'CREATE TABLE moz_downloads (id INTEGER PRIMARY KEY, name TEXT, source TEXT, target TEXT, tempPath TEXT, startTime INTEGER, endTime INTEGER, state INTEGER, referrer TEXT, entityID TEXT, currBytes INTEGER NOT NULL DEFAULT 0, maxBytes INTEGER NOT NULL DEFAULT -1, mimeType TEXT, preferredApplication TEXT, preferredAction INTEGER NOT NULL DEFAULT 0, autoResume INTEGER NOT NULL DEFAULT 0)'}]

plaso.parsers.sqlite_plugins.firefox_history module

SQLite parser plugin for Mozilla Firefox history database files.

class plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Mozilla Firefox history database files.

The Mozilla Firefox history database file is typically stored in: places.sqlite

DATA_FORMAT = 'Mozilla Firefox history SQLite database (places.sqlite) file'
NAME = 'firefox_history'
ParseBookmarkAnnotationRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a bookmark annotation row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

ParseBookmarkFolderRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a bookmark folder row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

ParseBookmarkRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a bookmark row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

ParsePageVisitedRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a page visited row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

  • cache (Optional[SQLiteCache]) – cache.

  • database (Optional[SQLiteDatabase]) – database.

QUERIES = [('SELECT moz_historyvisits.id, moz_places.url, moz_places.title, moz_places.visit_count, moz_historyvisits.visit_date, moz_historyvisits.from_visit, moz_places.rev_host, moz_places.hidden, moz_places.typed, moz_historyvisits.visit_type FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id', 'ParsePageVisitedRow'), ('SELECT moz_bookmarks.type, moz_bookmarks.title AS bookmark_title, moz_bookmarks.dateAdded, moz_bookmarks.lastModified, moz_places.url, moz_places.title AS places_title, moz_places.rev_host, moz_places.visit_count, moz_bookmarks.id FROM moz_places, moz_bookmarks WHERE moz_bookmarks.fk = moz_places.id AND moz_bookmarks.type <> 3', 'ParseBookmarkRow'), ('SELECT moz_items_annos.content, moz_items_annos.dateAdded, moz_items_annos.lastModified, moz_bookmarks.title, moz_places.url, moz_places.rev_host, moz_items_annos.id FROM moz_items_annos, moz_bookmarks, moz_places WHERE moz_items_annos.item_id = moz_bookmarks.id AND moz_bookmarks.fk = moz_places.id', 'ParseBookmarkAnnotationRow'), ('SELECT moz_bookmarks.id, moz_bookmarks.title,moz_bookmarks.dateAdded, moz_bookmarks.lastModified FROM moz_bookmarks WHERE moz_bookmarks.type = 2', 'ParseBookmarkFolderRow')]
REQUIRED_STRUCTURE = {'moz_bookmarks': frozenset({'dateAdded', 'fk', 'id', 'lastModified', 'title', 'type'}), 'moz_historyvisits': frozenset({'from_visit', 'id', 'place_id', 'visit_date', 'visit_type'}), 'moz_items_annos': frozenset({'content', 'dateAdded', 'id', 'item_id', 'lastModified'}), 'moz_places': frozenset({'hidden', 'id', 'rev_host', 'title', 'typed', 'url', 'visit_count'})}
SCHEMAS = [{'moz_anno_attributes': 'CREATE TABLE moz_anno_attributes ( id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE NOT NULL)', 'moz_annos': 'CREATE TABLE moz_annos ( id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_bookmarks': 'CREATE TABLE moz_bookmarks ( id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER DEFAULT NULL, parent INTEGER, position INTEGER, title LONGVARCHAR, keyword_id INTEGER, folder_type TEXT, dateAdded INTEGER, lastModified INTEGER)', 'moz_bookmarks_roots': 'CREATE TABLE moz_bookmarks_roots ( root_name VARCHAR(16) UNIQUE, folder_id INTEGER)', 'moz_favicons': 'CREATE TABLE moz_favicons ( id INTEGER PRIMARY KEY, url LONGVARCHAR UNIQUE, data BLOB, mime_type VARCHAR(32), expiration LONG)', 'moz_historyvisits': 'CREATE TABLE moz_historyvisits ( id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER)', 'moz_inputhistory': 'CREATE TABLE moz_inputhistory ( place_id INTEGER NOT NULL, input LONGVARCHAR NOT NULL, use_count INTEGER, PRIMARY KEY (place_id, input))', 'moz_items_annos': 'CREATE TABLE moz_items_annos ( id INTEGER PRIMARY KEY, item_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_keywords': 'CREATE TABLE moz_keywords ( id INTEGER PRIMARY KEY AUTOINCREMENT, keyword TEXT UNIQUE)', 'moz_places': 'CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER )'}, {'moz_anno_attributes': 'CREATE TABLE moz_anno_attributes ( id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE NOT NULL)', 'moz_annos': 'CREATE TABLE moz_annos ( id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_bookmarks': 'CREATE TABLE moz_bookmarks ( id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER DEFAULT NULL, parent INTEGER, position INTEGER, title LONGVARCHAR, keyword_id INTEGER, folder_type TEXT, dateAdded INTEGER, lastModified INTEGER, guid TEXT)', 'moz_bookmarks_roots': 'CREATE TABLE moz_bookmarks_roots ( root_name VARCHAR(16) UNIQUE, folder_id INTEGER)', 'moz_favicons': 'CREATE TABLE moz_favicons ( id INTEGER PRIMARY KEY, url LONGVARCHAR UNIQUE, data BLOB, mime_type VARCHAR(32), expiration LONG, guid TEXT)', 'moz_historyvisits': 'CREATE TABLE moz_historyvisits ( id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER)', 'moz_hosts': 'CREATE TABLE moz_hosts ( id INTEGER PRIMARY KEY, host TEXT NOT NULL UNIQUE, frecency INTEGER, typed INTEGER NOT NULL DEFAULT 0, prefix TEXT)', 'moz_inputhistory': 'CREATE TABLE moz_inputhistory ( place_id INTEGER NOT NULL, input LONGVARCHAR NOT NULL, use_count INTEGER, PRIMARY KEY (place_id, input))', 'moz_items_annos': 'CREATE TABLE moz_items_annos ( id INTEGER PRIMARY KEY, item_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_keywords': 'CREATE TABLE moz_keywords ( id INTEGER PRIMARY KEY AUTOINCREMENT, keyword TEXT UNIQUE)', 'moz_places': 'CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER , guid TEXT)', 'sqlite_stat1': 'CREATE TABLE sqlite_stat1(tbl, idx, stat)'}]
URL_CACHE_QUERY = 'SELECT h.id AS id, p.url, p.rev_host FROM moz_places p, moz_historyvisits h WHERE p.id = h.place_id'
class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkAnnotationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Firefox bookmark annotation event data.

added_time

date and time the bookmark annotation was added.

Type:

dfdatetime.DateTimeValues

content

annotation content.

Type:

str

modification_time

date and time the bookmark annotation was last modified.

Type:

dfdatetime.DateTimeValues

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

title

title of the bookmark folder.

Type:

str

url

bookmarked URL.

Type:

str

DATA_TYPE = 'firefox:places:bookmark_annotation'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Firefox bookmark event data.

added_time

date and time the bookmark was added.

Type:

dfdatetime.DateTimeValues

host

visited hostname.

Type:

str

modification_time

date and time the bookmark was last modified.

Type:

dfdatetime.DateTimeValues

offset

identifier of the row, from which the event data was extracted.

Type:

str

places_title

places title.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

title

title of the bookmark folder.

Type:

str

type

bookmark type.

Type:

int

url

bookmarked URL.

Type:

str

visit_count

visit count.

Type:

int

DATA_TYPE = 'firefox:places:bookmark'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkFolderEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Firefox bookmark folder event data.

added_time

date and time the bookmark folder was added.

Type:

dfdatetime.DateTimeValues

modification_time

date and time the bookmark folder was last modified.

Type:

dfdatetime.DateTimeValues

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

title

title of the bookmark folder.

Type:

str

DATA_TYPE = 'firefox:places:bookmark_folder'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Firefox page visited event data.

from_visit

URL that referred to the visited page.

Type:

str

hidden

value to indicated if the URL was hidden.

Type:

str

host

visited hostname.

Type:

str

last_visited_time

date and time the URL was last visited.

Type:

dfdatetime.DateTimeValues

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

title

title of the visited page.

Type:

str

typed

value to indicated if the URL was typed.

Type:

str

url

URL of the visited page.

Type:

str

visit_count

visit count.

Type:

int

visit_type

transition type for the event.

Type:

str

DATA_TYPE = 'firefox:places:page_visited'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.gdrive module

SQLite parser plugin for Google Drive snapshot database files.

class plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Google Drive snapshot database files.

The Google Drive snapshot database file is typically stored in: snapshot.db

CLOUD_PATH_CACHE_QUERY = 'SELECT cloud_entry.filename, cloud_entry.resource_id, cloud_relations.parent_resource_id AS parent FROM cloud_entry, cloud_relations WHERE cloud_entry.doc_type = 0 AND cloud_entry.resource_id = cloud_relations.child_resource_id'
DATA_FORMAT = 'Google Drive snapshot SQLite database (snapshot.db) file'
GetCloudPath(resource_id, cache, database)[source]

Return cloud path given a resource id.

Parameters:
  • resource_id (str) – resource identifier for the file.

  • cache (SQLiteCache) – cache.

  • database (SQLiteDatabase) – database.

Returns:

full path to the resource value.

Return type:

str

GetLocalPath(inode, cache, database)[source]

Return local path for a given inode.

Parameters:
Returns:

full path, including the filename of the given inode value.

Return type:

str

LOCAL_PATH_CACHE_QUERY = 'SELECT local_relations.child_inode_number, local_relations.parent_inode_number, local_entry.filename FROM local_relations, local_entry WHERE local_relations.child_inode_number = local_entry.inode_number'
NAME = 'google_drive'
ParseCloudEntryRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a cloud entry row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

  • cache (SQLiteCache) – cache.

  • database (SQLiteDatabase) – database.

ParseLocalEntryRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a local entry row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

  • cache (Optional[SQLiteCache]) – cache.

  • database (Optional[SQLiteDatabase]) – database.

QUERIES = [('SELECT cloud_entry.resource_id, cloud_entry.filename, cloud_entry.modified, cloud_entry.created, cloud_entry.size, cloud_entry.doc_type, cloud_entry.shared, cloud_entry.checksum, cloud_entry.url, cloud_relations.parent_resource_id FROM cloud_entry, cloud_relations WHERE cloud_relations.child_resource_id = cloud_entry.resource_id AND cloud_entry.modified IS NOT NULL;', 'ParseCloudEntryRow'), ('SELECT inode_number, filename, modified, checksum, size FROM local_entry WHERE modified IS NOT NULL;', 'ParseLocalEntryRow')]
REQUIRED_STRUCTURE = {'cloud_entry': frozenset({'checksum', 'created', 'doc_type', 'filename', 'modified', 'resource_id', 'shared', 'size', 'url'}), 'cloud_relations': frozenset({'child_resource_id', 'parent_resource_id'}), 'local_entry': frozenset({'checksum', 'filename', 'inode_number', 'modified', 'size'}), 'local_relations': frozenset({'child_inode_number', 'parent_inode_number'})}
SCHEMAS = [{'cloud_entry': 'CREATE TABLE cloud_entry (resource_id TEXT, filename TEXT, modified INTEGER, created INTEGER, acl_role INTEGER, doc_type INTEGER, removed INTEGER, url TEXT, size INTEGER, checksum TEXT, shared INTEGER, PRIMARY KEY (resource_id))', 'cloud_relations': 'CREATE TABLE cloud_relations (child_resource_id TEXT, parent_resource_id TEXT, UNIQUE (child_resource_id, parent_resource_id), FOREIGN KEY (child_resource_id) REFERENCES cloud_entry(resource_id), FOREIGN KEY (parent_resource_id) REFERENCES cloud_entry(resource_id))', 'local_entry': 'CREATE TABLE local_entry (inode_number INTEGER, filename TEXT, modified INTEGER, checksum TEXT, size INTEGER, PRIMARY KEY (inode_number))', 'local_relations': 'CREATE TABLE local_relations (child_inode_number INTEGER, parent_inode_number INTEGER, UNIQUE (child_inode_number), FOREIGN KEY (parent_inode_number) REFERENCES local_entry(inode_number), FOREIGN KEY (child_inode_number) REFERENCES local_entry(inode_number))', 'mapping': 'CREATE TABLE mapping (inode_number INTEGER, resource_id TEXT, UNIQUE (inode_number), FOREIGN KEY (inode_number) REFERENCES local_entry(inode_number), FOREIGN KEY (resource_id) REFERENCES cloud_entry(resource_id))', 'overlay_status': 'CREATE TABLE overlay_status (path TEXT, overlay_status INTEGER, PRIMARY KEY (path))'}]
class plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Google Drive snapshot cloud entry event data.

creation_time

date and time the snapshot cloud entry was created.

Type:

dfdatetime.DateTimeValues

doc_type

document type.

Type:

int

modification_time

date and time the snapshot cloud entry was last modified.

Type:

dfdatetime.DateTimeValues

path

path of the file.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

shared

True if the file is shared, False if the file is private.

Type:

bool

size

size of the file.

Type:

int

url

URL of the file.

Type:

str

DATA_TYPE = 'gdrive:snapshot:cloud_entry'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotLocalEntryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Google Drive snapshot local entry event data.

modification_time

date and time the snapshot local entry was last modified.

Type:

dfdatetime.DateTimeValues

path

path of the file.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

size

size of the file.

Type:

int

DATA_TYPE = 'gdrive:snapshot:local_entry'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.imessage module

SQLite parser plugin for MacOS and iOS iMessage database files.

class plaso.parsers.sqlite_plugins.imessage.IMessageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

iMessage and SMS event data.

attachment_location

location of the attachment.

Type:

str

client_version

client version.

Type:

int

creation_time

date and time the message was created.

Type:

dfdatetime.DateTimeValues

imessage_id

mobile number or email address the message was sent to or received from.

Type:

str

message_type

value to indicate the message was sent (1) or received (0).

Type:

int

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

read_receipt

True if the message read receipt was received.

Type:

bool

service

service, which is either SMS or iMessage.

Type:

str

text

content of the message.

Type:

str

DATA_TYPE = 'imessage:event:chat'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.imessage.IMessagePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for MacOS and iOS iMessage database files.

The iMessage database file is typically stored in chat.db or sms.db.

DATA_FORMAT = 'MacOS and iOS iMessage database (chat.db, sms.db) file'
NAME = 'imessage'
ParseMessageRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a message row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

  • cache (SQLiteCache) – cache which contains cached results from querying the visits and urls tables.

  • database (Optional[SQLiteDatabase]) – database.

QUERIES = [('SELECT message.date, message.ROWID, handle.id AS imessage_id, message.is_read AS read_receipt, message.is_from_me AS message_type, message.service, attachment.filename AS attachment_location, message.text FROM message JOIN handle ON handle.ROWID = message.handle_id LEFT OUTER JOIN message_attachment_join AS maj ON message.ROWID = maj.message_id LEFT OUTER JOIN attachment ON maj.attachment_id = attachment.ROWID', 'ParseMessageRow')]
REQUIRED_STRUCTURE = {'_SqliteDatabaseProperties': frozenset({'key', 'value'}), 'attachment': frozenset({'ROWID', 'filename'}), 'handle': frozenset({'ROWID', 'id'}), 'message': frozenset({'ROWID', 'date', 'handle_id', 'is_from_me', 'is_read', 'service', 'text'}), 'message_attachment_join': frozenset({'attachment_id', 'message_id'})}

plaso.parsers.sqlite_plugins.interface module

Interface for SQLite database file parser plugins.

class plaso.parsers.sqlite_plugins.interface.SQLitePlugin[source]

Bases: BasePlugin

SQLite parser plugin.

CheckRequiredTablesAndColumns(database)[source]

Check if the database has the minimal structure required by the plugin.

Parameters:

database (SQLiteDatabase) – the database who’s structure is being checked.

Returns:

True if the database has the required tables and columns defined by

the plugin, or False if it does not or if the plugin does not define required tables and columns. The database can have more tables and/or columns than specified by the plugin and still return True.

Return type:

bool

CheckSchema(database)[source]

Checks the schema of a database with that defined in the plugin.

Parameters:

database (SQLiteDatabase) – SQLite database to check.

Returns:

True if the schema of the database matches that defined by

the plugin, or False if the schemas do not match or no schema is defined by the plugin.

Return type:

bool

DATA_FORMAT = 'SQLite database file'
NAME = 'sqlite_plugin'
Process(parser_mediator, cache=None, database=None, **unused_kwargs)[source]

Extracts events from a SQLite database.

Parameters:
Raises:

ValueError – If the database or cache value are missing.

QUERIES = []
REQUIRED_STRUCTURE = {}
REQUIRES_SCHEMA_MATCH = False
SCHEMAS = []
__init__()[source]

Initializes a SQLite parser plugin.

plaso.parsers.sqlite_plugins.ios_datausage module

SQLite parser plugin for iOS datausage.sqlite database files.

class plaso.parsers.sqlite_plugins.ios_datausage.IOSDatausageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

iOS datausage event data.

bundle_identifier

bundle identifier.

Type:

str

process_name

name of the process.

Type:

str

start_time

date and time the start of the network connection was established.

Type:

dfdatetime.DateTimeValues

wifi_in

number of bytes received over Wi-Fi.

Type:

int

wifi_out

number of bytes sent over Wi-Fi.

Type:

int

wireless_wan_in

number of bytes received over cellular.

Type:

int

wireless_wan_out

number of bytes sent over cellular.

Type:

int

DATA_TYPE = 'ios:datausage:event'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.ios_datausage.IOSDatausagePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for iOS DataUsage database.

DATA_FORMAT = 'iOS data usage SQLite databse (DataUsage.sqlite) file.'
NAME = 'ios_datausage'
ParseDatausageEventRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row from the Datausage sqlite file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT ZLIVEUSAGE.ZTIMESTAMP, ZLIVEUSAGE.ZWIFIIN, ZLIVEUSAGE.ZWIFIOUT, ZLIVEUSAGE.ZWWANIN, ZLIVEUSAGE.ZWWANOUT, ZPROCESS.ZBUNDLENAME, ZPROCESS.ZPROCNAME FROM ZLIVEUSAGE LEFT JOIN ZPROCESS ON ZPROCESS.Z_PK = ZLIVEUSAGE.ZHASPROCESS', 'ParseDatausageEventRow')]
REQUIRED_STRUCTURE = {'ZLIVEUSAGE': frozenset({'ZHASPROCESS', 'ZKIND', 'ZMETADATA', 'ZTAG', 'ZTIMESTAMP', 'ZWIFIIN', 'ZWIFIOUT', 'ZWWANIN', 'ZWWANOUT', 'Z_ENT', 'Z_OPT', 'Z_PK'}), 'ZPROCESS': frozenset({'ZBUNDLENAME', 'ZFIRSTTIMESTAMP', 'ZPROCNAME', 'ZTIMESTAMP', 'Z_ENT', 'Z_OPT', 'Z_PK'})}
REQUIRES_SCHEMA_MATCH = False
SCHEMAS = {'ZLIVEUSAGE': 'CREATE TABLE ZLIVEUSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZKIND INTEGER, ZMETADATA INTEGER, ZTAG INTEGER, ZHASPROCESS INTEGER, ZBILLCYCLEEND TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZWIFIIN FLOAT, ZWIFIOUT FLOAT, ZWWANIN FLOAT, ZWWANOUT FLOAT )', 'ZPROCESS': 'CREATE TABLE ZPROCESS ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFIRSTTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZBUNDLENAME VARCHAR, ZPROCNAME VARCHAR )'}

plaso.parsers.sqlite_plugins.ios_kik module

SQLite parser plugin for iOS Kik messenger database files.

class plaso.parsers.sqlite_plugins.ios_kik.IOSKikMessageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Kik message event data.

body

content of the message.

Type:

str

message_status

message status, such as: read, unread, not sent, delivered, etc.

Type:

str

message_type

message type, either Sent or Received.

Type:

str

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

received_time

date and time the message was received.

Type:

dfdatetime.DateTimeValues

username

unique username of the sender or receiver.

Type:

str

DATA_TYPE = 'ios:kik:messaging'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.ios_kik.IOSKikPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for iOS Kik messenger database files.

The OS Kik messenger database file is typically stored in: kik.sqlite

DATA_FORMAT = 'iOS Kik messenger SQLite database (kik.sqlite) file'
NAME = 'kik_ios'
ParseMessageRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a message row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT a.Z_PK AS id, b.ZUSERNAME, b.ZDISPLAYNAME,a.ZRECEIVEDTIMESTAMP, a.ZSTATE, a.ZTYPE, a.ZBODY FROM ZKIKMESSAGE a JOIN ZKIKUSER b ON b.ZEXTRA = a.ZUSER', 'ParseMessageRow')]
REQUIRED_STRUCTURE = {'ZKIKMESSAGE': frozenset({'ZBODY', 'ZRECEIVEDTIMESTAMP', 'ZSTATE', 'ZTYPE', 'ZUSER', 'Z_PK'}), 'ZKIKUSER': frozenset({'ZDISPLAYNAME', 'ZEXTRA', 'ZUSERNAME'})}
SCHEMAS = [{'ZKIKATTACHMENT': 'CREATE TABLE ZKIKATTACHMENT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZRETRYCOUNT INTEGER, ZSTATE INTEGER, ZTYPE INTEGER, ZEXTRA INTEGER, ZMESSAGE INTEGER, ZLASTACCESSTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZCONTENT VARCHAR )', 'ZKIKATTACHMENTEXTRA': 'CREATE TABLE ZKIKATTACHMENTEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZATTACHMENT INTEGER, ZENCRYPTIONKEY BLOB )', 'ZKIKCHAT': 'CREATE TABLE ZKIKCHAT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZDRAFTMESSAGE INTEGER, ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZUSER INTEGER, ZDATEUPDATED TIMESTAMP )', 'ZKIKCHATEXTRA': 'CREATE TABLE ZKIKCHATEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCHAT INTEGER, ZLASTSEENMESSAGE INTEGER, ZMUTEDTIMESTAMP TIMESTAMP )', 'ZKIKMESSAGE': 'CREATE TABLE ZKIKMESSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZSTATE INTEGER, ZSYSTEMSTATE INTEGER, ZTYPE INTEGER, ZCHATEXTRA INTEGER, ZDRAFTMESSAGECHAT INTEGER, ZLASTMESSAGECHAT INTEGER, ZLASTMESSAGEUSER INTEGER, ZUSER INTEGER, ZRECEIVEDTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZBODY VARCHAR, ZSTANZAID VARCHAR, ZRENDERINSTRUCTIONSET BLOB )', 'ZKIKUSER': 'CREATE TABLE ZKIKUSER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZADDRESSBOOKID INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZPRESENCE INTEGER, ZTYPE INTEGER, ZCHATUSER INTEGER, ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZDISPLAYNAME VARCHAR, ZDISPLAYNAMEASCII VARCHAR, ZEMAIL VARCHAR, ZFIRSTNAME VARCHAR, ZGROUPTAG VARCHAR, ZJID VARCHAR, ZLASTNAME VARCHAR, ZPPTIMESTAMP VARCHAR, ZPPURL VARCHAR, ZSTATUS VARCHAR, ZUSERNAME VARCHAR, ZCONTENTLINKSPROTODATA BLOB )', 'ZKIKUSEREXTRA': 'CREATE TABLE ZKIKUSEREXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZLOCALFLAGS INTEGER, ZUSER INTEGER, ZPUBLICMESSAGINGKEY BLOB )', 'Z_3MESSAGES': 'CREATE TABLE Z_3MESSAGES ( Z_3CHAT INTEGER, Z_5MESSAGES INTEGER, PRIMARY KEY (Z_3CHAT, Z_5MESSAGES) )', 'Z_6ADMINSINVERSE': 'CREATE TABLE Z_6ADMINSINVERSE ( Z_6ADMINS INTEGER, Z_6ADMINSINVERSE INTEGER, PRIMARY KEY (Z_6ADMINS, Z_6ADMINSINVERSE) )', 'Z_6BANSINVERSE': 'CREATE TABLE Z_6BANSINVERSE ( Z_6BANS INTEGER, Z_6BANSINVERSE INTEGER, PRIMARY KEY (Z_6BANS, Z_6BANSINVERSE) )', 'Z_6MEMBERS': 'CREATE TABLE Z_6MEMBERS ( Z_6MEMBERSINVERSE INTEGER, Z_6MEMBERS INTEGER, PRIMARY KEY (Z_6MEMBERSINVERSE, Z_6MEMBERS) )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'}]

plaso.parsers.sqlite_plugins.ios_netusage module

SQLite parser plugin for iOS netusage.sqlite database files.

class plaso.parsers.sqlite_plugins.ios_netusage.IOSNetusagePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for iOS netusage database.

DATA_FORMAT = 'iOS network usage SQLite database (netusage.sqlite) file'
NAME = 'ios_netusage'
ParseNetusageProcessRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a Netusage process row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

ParseNetusageRouteRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a Netusage route row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('\n       SELECT \n         ZLIVEROUTEPERF.ZTIMESTAMP, \n         ZLIVEROUTEPERF.ZKIND, \n         ZLIVEROUTEPERF.ZBYTESIN, \n         ZLIVEROUTEPERF.ZBYTESOUT, \n         ZNETWORKATTACHMENT.ZIDENTIFIER, \n         HEX(ZNETWORKATTACHMENT.ZNETSIGNATURE) as ZNETSIGNATURE\n       FROM ZLIVEROUTEPERF\n       LEFT JOIN ZNETWORKATTACHMENT \n       ON ZLIVEROUTEPERF.ZHASNETWORKATTACHMENT = ZNETWORKATTACHMENT.Z_PK', 'ParseNetusageRouteRow'), ('\n         SELECT\n           ZLIVEUSAGE.ZTIMESTAMP,\n           ZPROCESS.ZPROCNAME,\n           ZLIVEUSAGE.ZWIFIIN,\n           ZLIVEUSAGE.ZWIFIOUT,\n           ZLIVEUSAGE.ZWWANIN,\n           ZLIVEUSAGE.ZWWANOUT,\n           ZLIVEUSAGE.ZWIREDIN,\n           ZLIVEUSAGE.ZWIREDOUT\n         FROM ZLIVEUSAGE \n         LEFT JOIN ZPROCESS \n         ON ZPROCESS.Z_PK = ZLIVEUSAGE.ZHASPROCESS', 'ParseNetusageProcessRow')]
REQUIRED_STRUCTURE = {'ZLIVEROUTEPERF': frozenset({'ZBYTESIN', 'ZBYTESOUT', 'ZHASNETWORKATTACHMENT', 'ZKIND', 'ZTIMESTAMP'}), 'ZLIVEUSAGE': frozenset({'ZHASPROCESS', 'ZTIMESTAMP', 'ZWIFIIN', 'ZWIFIOUT', 'ZWIREDIN', 'ZWIREDOUT', 'ZWWANIN', 'ZWWANOUT'}), 'ZNETWORKATTACHMENT': frozenset({'ZIDENTIFIER', 'ZNETSIGNATURE', 'Z_PK'}), 'ZPROCESS': frozenset({'ZPROCNAME', 'Z_PK'})}
REQUIRES_SCHEMA_MATCH = False
SCHEMAS = {'ZLIVEROUTEPERF': 'CREATE TABLE ZLIVEROUTEPERF (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZKIND INTEGER, ZHASNETWORKATTACHMENT INTEGER, ZADMINDISABLES FLOAT, ZBYTESIN FLOAT, ZBYTESOUT FLOAT, ZCAPTIVITYREDIRECTS FLOAT, ZCERTERRORS FLOAT, ZCONNATTEMPTS FLOAT, ZCONNSUCCESSES FLOAT, ZDATASTALLS FLOAT, ZEPOCHS FLOAT, ZFAULTYSTAY FLOAT, ZLOWLQMSTAY FLOAT, ZLOWQSTAY FLOAT, ZLQMTRANSITIONCOUNT FLOAT, ZOVERALLSTAY FLOAT, ZOVERALLSTAYM2 FLOAT, ZPACKETSIN FLOAT, ZPACKETSOUT FLOAT, ZRETXBYTES FLOAT, ZRTTAVG FLOAT, ZRTTMIN FLOAT, ZRTTVAR FLOAT, ZRXDUPEBYTES FLOAT, ZRXOOOBYTES FLOAT, ZTIMESTAMP TIMESTAMP, ZTOPDOWNLOADRATE FLOAT )', 'ZLIVEUSAGE': 'CREATE TABLE ZLIVEUSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZKIND INTEGER, ZMETADATA INTEGER, ZTAG INTEGER, ZHASPROCESS INTEGER, Z15_HASPROCESS INTEGER, ZALLFLOWS FLOAT, ZBILLCYCLEEND TIMESTAMP, ZJUMBOFLOWS FLOAT, ZTIMESTAMP TIMESTAMP, ZWIFIIN FLOAT, ZWIFIOUT FLOAT, ZWIREDIN FLOAT, ZWIREDOUT FLOAT, ZWWANIN FLOAT, ZWWANOUT FLOAT, ZXIN FLOAT, ZXOUT FLOAT )', 'ZNETWORKATTACHMENT': 'CREATE TABLE ZNETWORKATTACHMENT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZATTRS INTEGER, ZISHOTSPOT INTEGER, ZISKNOWNGOOD INTEGER, ZISLOWINTERNETDL INTEGER, ZISLOWINTERNETUL INTEGER, ZKIND INTEGER, ZWASLASTFAILED INTEGER, ZFIRSTTIMESTAMP TIMESTAMP, ZOVERALLSTAYMEAN FLOAT, ZOVERALLSTAYVAR FLOAT, ZTIMESTAMP TIMESTAMP, ZVELO FLOAT, ZIDENTIFIER VARCHAR, ZSERVICE VARCHAR, ZNETSIGNATURE BLOB )', 'ZPROCESS': 'CREATE TABLE ZPROCESS ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFIRSTTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZBUNDLENAME VARCHAR, ZPROCNAME VARCHAR )'}
class plaso.parsers.sqlite_plugins.ios_netusage.IOSNetusageProcessEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

iOS netusage process event data.

process_name

name of the process.

Type:

str

start_time

date and time the start of the network connection was established.

Type:

dfdatetime.DateTimeValues

wifi_in

bytes received via wifi.

Type:

int

wifi_out

bytes sent via wifi.

Type:

int

wired_in

bytes received via wired connection.

Type:

int

wired_out

bytes sent via wired connection.

Type:

int

wireless_wan_in

bytes received via cellular connection.

Type:

int

wireless_wan_out

bytes sent via cellular connection.

Type:

int

DATA_TYPE = 'ios:netusage:process'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.ios_netusage.IOSNetusageRouteEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

iOS netusage connection event data.

bytes_in

number of bytes received.

Type:

int

bytes_out

number of bytes sent.

Type:

int

network_identifier

name of network.

Type:

str

network_signature

signature of network.

Type:

str

network_type

integer indicating network type.

Type:

int

start_time

date and time the start of the network connection was established.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'ios:netusage:route'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.ios_powerlog module

SQLite parser plugin for iOS powerlog database files.

class plaso.parsers.sqlite_plugins.ios_powerlog.IOSPowerlogApplicationUsageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

iOS powerlog file application usage event data.

background_time

Number of seconds that the application ran in the background.

Type:

str

bundle_identifier

Name of the application.

Type:

str

screen_on_time

Number of seconds that the application ran in the foreground.

Type:

str

start_time

date and time the start of the application.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'ios:powerlog:application_usage'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.ios_powerlog.IOSPowerlogApplicationUsagePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for iOS powerlog database files.

DATA_FORMAT = 'iOS powerlog SQLite database (CurrentPowerlog.PLSQL) file'
NAME = 'ios_powerlog'
ParseApplicationRunTime(parser_mediator, query, row, **unused_kwargs)[source]

Parses an Application Run Time row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT timestamp, BackgroundTime, ScreenOnTime, BundleID FROM PLAppTimeService_Aggregate_AppRunTime', 'ParseApplicationRunTime')]
REQUIRED_STRUCTURE = {'PLAppTimeService_Aggregate_AppRunTime': frozenset({'BackgroundTime', 'BundleID', 'ScreenOnTime', 'timestamp'})}
REQUIRES_SCHEMA_MATCH = False
SCHEMAS = {'PLAppTimeService_Aggregate_AppRunTime': 'CREATE TABLE PLAppTimeService_Aggregate_AppRunTime (id INTEGER PRIMARY KEY AUTOINCREMENT, timestamp REAL, timeInterval REAL, BackgroundAudioNowPlayingPluggedInTime REAL, BackgroundAudioNowPlayingTime REAL, BackgroundAudioPlayingTime REAL, BackgroundAudioPlayingTimePluggedIn REAL, BackgroundLocationAudioPluggedInTime REAL, BackgroundLocationAudioTime REAL, BackgroundLocationPluggedInTime REAL, BackgroundLocationTime REAL, BackgroundPluggedInTime REAL, BackgroundTime REAL, BundleID TEXT, ScreenOnPluggedInTime REAL, ScreenOnTime REAL)'}

plaso.parsers.sqlite_plugins.ios_screentime module

SQLite parser plugin for iOS Screen Time database files.

class plaso.parsers.sqlite_plugins.ios_screentime.IOSScreenTimeEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

iOS Screen Time file usage event data.

bundle_identifier

Bundle Identifier of the application.

Type:

str

device_identifier

GUID for the device.

Type:

str

device_name

Name of the device in use (when available).

Type:

str

domain

Domain of the website visited.

Type:

str

start_time

date and time the start of the application.

Type:

dfdatetime.DateTimeValues

total_time

Number of seconds where the application was in the foreground.

Type:

int

user_family_name

Family name of the user.

Type:

str

user_given_name

Given name of the user.

Type:

str

DATA_TYPE = 'ios:screentime:event'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.ios_screentime.IOSScreenTimePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for iOS Screen Time database files.

The Screen Time database is typically stored in: RMAdminStore-Local.sqlite

DATA_FORMAT = 'iOS Screen Time SQLite database (RMAdminStore-Local.sqlite)'
NAME = 'ios_screentime'
ParseScreenTimeRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a Screen Time row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('\n      SELECT ZUSAGETIMEDITEM.ZTOTALTIMEINSECONDS,\n        ZUSAGETIMEDITEM.ZBUNDLEIDENTIFIER,\n        ZUSAGETIMEDITEM.ZDOMAIN,\n        ZUSAGEBLOCK.ZSTARTDATE,\n        ZCOREDEVICE.ZIDENTIFIER,\n        ZCOREDEVICE.ZNAME,\n        ZCOREUSER.ZFAMILYNAME,\n        ZCOREUSER.ZGIVENNAME\n      FROM ZUSAGETIMEDITEM\n      LEFT JOIN ZUSAGECATEGORY\n        ON ZUSAGETIMEDITEM.ZCATEGORY = ZUSAGECATEGORY.Z_PK\n      LEFT JOIN ZUSAGEBLOCK ON ZUSAGECATEGORY.ZBLOCK = ZUSAGEBLOCK.Z_PK\n      LEFT JOIN ZUSAGE ON ZUSAGEBLOCK.ZUSAGE = ZUSAGE.Z_PK\n      LEFT JOIN ZCOREDEVICE ON ZUSAGE.ZDEVICE = ZCOREDEVICE.Z_PK\n      LEFT JOIN ZCOREUSER ON ZUSAGE.ZUSER = ZCOREUSER.Z_PK\n      ', 'ParseScreenTimeRow')]
REQUIRED_STRUCTURE = {'ZCOREDEVICE': frozenset({'ZIDENTIFIER', 'ZNAME', 'Z_PK'}), 'ZCOREUSER': frozenset({'ZFAMILYNAME', 'ZGIVENNAME', 'Z_PK'}), 'ZUSAGE': frozenset({'ZDEVICE', 'ZUSER', 'Z_PK'}), 'ZUSAGEBLOCK': frozenset({'ZSTARTDATE', 'ZUSAGE', 'Z_PK'}), 'ZUSAGECATEGORY': frozenset({'ZBLOCK', 'Z_PK'}), 'ZUSAGETIMEDITEM': frozenset({'ZBUNDLEIDENTIFIER', 'ZCATEGORY', 'ZDOMAIN', 'ZTOTALTIMEINSECONDS'})}
REQUIRES_SCHEMA_MATCH = False
SCHEMAS = {'ZCOREDEVICE': 'CREATE TABLE ZCOREDEVICE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZPLATFORM INTEGER, ZLOCALUSERDEVICESTATE INTEGER, ZIDENTIFIER VARCHAR, ZNAME VARCHAR )', 'ZCOREUSER': 'CREATE TABLE ZCOREUSER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDSID INTEGER, ZISFAMILYORGANIZER INTEGER, ZISPARENT INTEGER, ZPASSCODEENTRYATTEMPTCOUNT INTEGER, ZPASSCODERECOVERYATTEMPTCOUNT INTEGER, ZSUPPORTSENCRYPTION INTEGER, ZCLOUDSETTINGS INTEGER, ZFAMILYSETTINGS INTEGER, ZLOCALSETTINGS INTEGER, ZLOCALUSERDEVICESTATE INTEGER, ZPASSCODEENTRYTIMEOUTENDDATE TIMESTAMP, ZALTDSID VARCHAR, ZAPPLEID VARCHAR, ZFAMILYMEMBERTYPE VARCHAR, ZFAMILYNAME VARCHAR, ZGIVENNAME VARCHAR, ZPHONETICFAMILYNAME VARCHAR, ZPHONETICGIVENNAME VARCHAR )', 'ZUSAGE': 'CREATE TABLE ZUSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDEVICE INTEGER, ZUSER INTEGER, ZLASTEVENTDATE TIMESTAMP, ZLASTUPDATEDDATE TIMESTAMP )', 'ZUSAGEBLOCK': 'CREATE TABLE ZUSAGEBLOCK ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDURATIONINMINUTES INTEGER, ZNUMBEROFPICKUPSWITHOUTAPPLICATIONUSAGE INTEGER, ZSCREENTIMEINSECONDS INTEGER, ZUSAGE INTEGER, ZFIRSTPICKUPDATE TIMESTAMP, ZLASTEVENTDATE TIMESTAMP, ZLONGESTSESSIONENDDATE TIMESTAMP, ZLONGESTSESSIONSTARTDATE TIMESTAMP, ZSTARTDATE TIMESTAMP )', 'ZUSAGECATEGORY': 'CREATE TABLE ZUSAGECATEGORY ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZTOTALTIMEINSECONDS INTEGER, ZBLOCK INTEGER, ZIDENTIFIER VARCHAR )', 'ZUSAGETIMEDITEM': 'CREATE TABLE ZUSAGETIMEDITEM ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZTOTALTIMEINSECONDS INTEGER, ZUSAGETRUSTED INTEGER, ZCATEGORY INTEGER, ZBUNDLEIDENTIFIER VARCHAR, ZDOMAIN VARCHAR )'}

plaso.parsers.sqlite_plugins.ios_twitter module

SQLite parser plugin for Twitter on iOS 8+ database files.

class plaso.parsers.sqlite_plugins.ios_twitter.IOSTwitterContactEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Twitter on iOS 8+ contact event data.

creation_time

date and time the contact was created.

Type:

dfdatetime.DateTimeValues

description

description of the profile.

Type:

str

followers_count

number of accounts following the contact.

Type:

int

following_count

number of accounts the contact is following.

Type:

int

following

1 if the contact is following the user’s account, 0 if not.

Type:

int

location

location of the profile.

Type:

str

modification_time

date and time the contact was last modified.

Type:

dfdatetime.DateTimeValues

name

name of the profile.

Type:

str

profile_url

URL of the profile picture.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

screen_name

screen name.

Type:

str

url

URL of the profile.

Type:

str

DATA_TYPE = 'ios:twitter:contact'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.ios_twitter.IOSTwitterPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Twitter on iOS 8+ database files.

The Twitter on iOS 8+ database file is typically stored in: /private/var/mobile/Containers/Data/Application/Library/Caches/databases/ twitter.db

DATA_FORMAT = 'Twitter on iOS 8 and later SQLite database (twitter.db) file'
NAME = 'twitter_ios'
ParseContactRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a contact row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

ParseStatusRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a contact row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT createdDate, updatedAt, screenName, name, profileImageUrl,location, description, url, following, followersCount, followingCount FROM Users ORDER BY createdDate', 'ParseContactRow'), ('SELECT Statuses.date AS date, Statuses.text AS text, Statuses.userId AS user_id, Users.name AS name, Statuses.retweetCount AS retweetCount, Statuses.favoriteCount AS favoriteCount, Statuses.favorited AS favorited, Statuses.updatedAt AS updatedAt FROM Statuses LEFT join Users ON Statuses.userId = Users.id ORDER BY date', 'ParseStatusRow')]
REQUIRED_STRUCTURE = {'Statuses': frozenset({'date', 'favoriteCount', 'favorited', 'retweetCount', 'text', 'updatedAt', 'userId'}), 'Users': frozenset({'createdDate', 'description', 'followersCount', 'following', 'followingCount', 'id', 'location', 'name', 'profileImageUrl', 'screenName', 'updatedAt', 'url'})}
SCHEMAS = [{'Lists': "CREATE TABLE Lists ( 'id' INTEGER PRIMARY KEY, 'name' TEXT, 'slug' TEXT, 'desc' TEXT, 'private' INTEGER, 'subscriberCount' INTEGER, 'memberCount' INTEGER, 'userId' INTEGER, 'updatedAt' REAL )", 'ListsShadow': "CREATE TABLE ListsShadow ( 'id' INTEGER PRIMARY KEY, 'name' TEXT, 'slug' TEXT, 'desc' TEXT, 'private' INTEGER, 'subscriberCount' INTEGER, 'memberCount' INTEGER, 'userId' INTEGER, 'updatedAt' REAL )", 'MyRetweets': "CREATE TABLE MyRetweets ( 'statusId' INTEGER PRIMARY KEY, 'myRetweetId' INTEGER )", 'Statuses': "CREATE TABLE Statuses ( 'id' INTEGER PRIMARY KEY, 'text' TEXT, 'date' REAL, 'userId' INTEGER, 'inReplyToStatusId' INTEGER, 'retweetedStatusId' INTEGER, 'geotag' BLOB, 'entities' BLOB, 'card' BLOB, 'cardUsers' BLOB, 'primaryCardType' INTEGER, 'cardVersion' INTEGER, 'retweetCount' INTEGER, 'favoriteCount' INTEGER, 'favorited' INTEGER, 'updatedAt' REAL, 'extraScribeItem' BLOB, 'withheldScope' TEXT, 'withheldInCountries' TEXT, 'inReplyToUsername' TEXT, 'possiblySensitive' INTEGER, 'isPossiblySensitiveAppealable' INTEGER, 'isLifelineAlert' INTEGER, 'isTruncated' INTEGER, 'previewLength' INTEGER, 'fullTextLength' INTEGER, 'lang' TEXT, 'supplmentalLanguage' TEXT, 'includeInProfileTimeline' INTEGER, 'quotedStatusId' INTEGER, 'source' TEXT )", 'StatusesShadow': "CREATE TABLE StatusesShadow ( 'id' INTEGER PRIMARY KEY, 'text' TEXT, 'date' REAL, 'userId' INTEGER, 'inReplyToStatusId' INTEGER, 'retweetedStatusId' INTEGER, 'geotag' BLOB, 'entities' BLOB, 'card' BLOB, 'cardUsers' BLOB, 'primaryCardType' INTEGER, 'cardVersion' INTEGER, 'retweetCount' INTEGER, 'favoriteCount' INTEGER, 'favorited' INTEGER, 'updatedAt' REAL, 'extraScribeItem' BLOB, 'withheldScope' TEXT, 'withheldInCountries' TEXT, 'inReplyToUsername' TEXT, 'possiblySensitive' INTEGER, 'isPossiblySensitiveAppealable' INTEGER, 'isLifelineAlert' INTEGER, 'isTruncated' INTEGER, 'previewLength' INTEGER, 'fullTextLength' INTEGER, 'lang' TEXT, 'supplementalLanguage' TEXT, 'includeInProfileTimeline' INTEGER, 'quotedStatusId' INTEGER, 'source' TEXT )", 'Users': "CREATE TABLE Users ( 'id' INTEGER PRIMARY KEY, 'screenName' TEXT COLLATE NOCASE, 'profileImageUrl' TEXT, 'profileBannerUrl' TEXT, 'profileLinkColorHexTriplet' INTEGER, 'name' TEXT, 'location' TEXT, 'structuredLocation' BLOB, 'description' TEXT, 'url' TEXT, 'urlEntities' BLOB, 'bioEntities' BLOB, 'protected' INTEGER, 'verified' INTEGER, 'following' INTEGER, 'deviceFollowing' INTEGER, 'advertiserAccountType' INTEGER, 'statusesCount' INTEGER, 'mediaCount' INTEGER, 'favoritesCount' INTEGER, 'followingCount' INTEGER, 'followersCount' INTEGER, 'followersCountFast' INTEGER, 'followersCountNormal' INTEGER, 'couldBeStale' INTEGER, 'isLifelineInstitution' INTEGER, 'hasCollections' INTEGER, 'updatedAt' REAL, 'createdDate' REAL, 'isTranslator' INTEGER, 'hasExtendedProfileFields' INTEGER, 'extendedProfileFields' BLOB, 'pinnedTweetId' INTEGER, 'businessProfileState' INTEGER, 'analyticsType' INTEGER )", 'UsersShadow': "CREATE TABLE UsersShadow ( 'id' INTEGER PRIMARY KEY, 'screenName' TEXT COLLATE NOCASE, 'profileImageUrl' TEXT, 'profileBannerUrl' TEXT, 'profileLinkColorHexTriplet' INTEGER, 'name' TEXT, 'location' TEXT, 'structuredLocation' BLOB, 'description' TEXT, 'url' TEXT, 'urlEntities' BLOB, 'bioEntities' BLOB, 'protected' INTEGER, 'verified' INTEGER, 'following' INTEGER, 'deviceFollowing' INTEGER, 'advertiserAccountType' INTEGER, 'statusesCount' INTEGER, 'mediaCount' INTEGER, 'favoritesCount' INTEGER, 'followingCount' INTEGER, 'followersCount' INTEGER, 'followersCountFast' INTEGER, 'followersCountNormal' INTEGER, 'couldBeStale' INTEGER, 'isLifelineInstitution' INTEGER, 'hasCollections' INTEGER, 'updatedAt' REAL, 'createdDate' REAL, 'isTranslator' INTEGER, 'hasExtendedProfileFields' INTEGER, 'extendedProfileFields' BLOB, 'pinnedTweetId' INTEGER, 'businessProfileState' INTEGER, 'analyticsType' INTEGER )"}]
class plaso.parsers.sqlite_plugins.ios_twitter.IOSTwitterStatusEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Parent class for Twitter on iOS 8+ status events.

creation_time

date and time the status was created.

Type:

dfdatetime.DateTimeValues

favorite_count

number of times the status message has been favorited.

Type:

int

favorited

value to mark status as favorite by the account.

Type:

int

modification_time

date and time the status was last modified.

Type:

dfdatetime.DateTimeValues

name

user’s profile name.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

retweet_count

number of times the status message has been retweeted.

Type:

str

text

content of the status message.

Type:

str

user_identifier

user identifier.

Type:

int

DATA_TYPE = 'ios:twitter:status'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.kodi module

SQLite parser plugin for Kodi videos database files.

class plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for Kodi videos database files.

The Kodi videos database file is typically stored in: MyVideos.db

DATA_FORMAT = 'Kodi videos SQLite database (MyVideos.db) file'
NAME = 'kodi'
ParseVideoRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a Video row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT idFile, strFilename, playCount, lastPlayed FROM files', 'ParseVideoRow')]
REQUIRED_STRUCTURE = {'files': frozenset({'idFile', 'lastPlayed', 'playCount', 'strFilename'})}
SCHEMAS = [{'actor': 'CREATE TABLE actor ( actor_id INTEGER PRIMARY KEY, name TEXT, art_urls TEXT )', 'actor_link': 'CREATE TABLE actor_link(actor_id INTEGER, media_id INTEGER, media_type TEXT, role TEXT, cast_order INTEGER)', 'art': 'CREATE TABLE art(art_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, type TEXT, url TEXT)', 'bookmark': 'CREATE TABLE bookmark ( idBookmark integer primary key, idFile integer, timeInSeconds double, totalTimeInSeconds double, thumbNailImage text, player text, playerState text, type integer)', 'country': 'CREATE TABLE country ( country_id integer primary key, name TEXT)', 'country_link': 'CREATE TABLE country_link (country_id integer, media_id integer, media_type TEXT)', 'director_link': 'CREATE TABLE director_link(actor_id INTEGER, media_id INTEGER, media_type TEXT)', 'episode': 'CREATE TABLE episode ( idEpisode integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 varchar(24),c13 varchar(24),c14 text,c15 text,c16 text,c17 varchar(24),c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, idShow integer, userrating integer, idSeason integer)', 'files': 'CREATE TABLE files ( idFile integer primary key, idPath integer, strFilename text, playCount integer, lastPlayed text, dateAdded text)', 'genre': 'CREATE TABLE genre ( genre_id integer primary key, name TEXT)', 'genre_link': 'CREATE TABLE genre_link (genre_id integer, media_id integer, media_type TEXT)', 'movie': 'CREATE TABLE movie ( idMovie integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, idSet integer, userrating integer, premiered text)', 'movielinktvshow': 'CREATE TABLE movielinktvshow ( idMovie integer, IdShow integer)', 'musicvideo': 'CREATE TABLE musicvideo ( idMVideo integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, userrating integer, premiered text)', 'path': 'CREATE TABLE path ( idPath integer primary key, strPath text, strContent text, strScraper text, strHash text, scanRecursive integer, useFolderNames bool, strSettings text, noUpdate bool, exclude bool, dateAdded text, idParentPath integer)', 'rating': 'CREATE TABLE rating (rating_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, rating_type TEXT, rating FLOAT, votes INTEGER)', 'seasons': 'CREATE TABLE seasons ( idSeason integer primary key, idShow integer, season integer, name text, userrating integer)', 'sets': 'CREATE TABLE sets ( idSet integer primary key, strSet text, strOverview text)', 'settings': 'CREATE TABLE settings ( idFile integer, Deinterlace bool,ViewMode integer,ZoomAmount float, PixelRatio float, VerticalShift float, AudioStream integer, SubtitleStream integer,SubtitleDelay float, SubtitlesOn bool, Brightness float, Contrast float, Gamma float,VolumeAmplification float, AudioDelay float, OutputToAllSpeakers bool, ResumeTime integer,Sharpness float, NoiseReduction float, NonLinStretch bool, PostProcess bool,ScalingMethod integer, DeinterlaceMode integer, StereoMode integer, StereoInvert bool, VideoStream integer)', 'stacktimes': 'CREATE TABLE stacktimes (idFile integer, times text)', 'streamdetails': 'CREATE TABLE streamdetails (idFile integer, iStreamType integer, strVideoCodec text, fVideoAspect float, iVideoWidth integer, iVideoHeight integer, strAudioCodec text, iAudioChannels integer, strAudioLanguage text, strSubtitleLanguage text, iVideoDuration integer, strStereoMode text, strVideoLanguage text)', 'studio': 'CREATE TABLE studio ( studio_id integer primary key, name TEXT)', 'studio_link': 'CREATE TABLE studio_link (studio_id integer, media_id integer, media_type TEXT)', 'tag': 'CREATE TABLE tag (tag_id integer primary key, name TEXT)', 'tag_link': 'CREATE TABLE tag_link (tag_id integer, media_id integer, media_type TEXT)', 'tvshow': 'CREATE TABLE tvshow ( idShow integer primary key,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, userrating integer, duration INTEGER)', 'tvshowlinkpath': 'CREATE TABLE tvshowlinkpath (idShow integer, idPath integer)', 'uniqueid': 'CREATE TABLE uniqueid (uniqueid_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, value TEXT, type TEXT)', 'version': 'CREATE TABLE version (idVersion integer, iCompressCount integer)', 'writer_link': 'CREATE TABLE writer_link(actor_id INTEGER, media_id INTEGER, media_type TEXT)'}]
class plaso.parsers.sqlite_plugins.kodi.KodiVideoEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Kodi video event data.

filename

video filename.

Type:

str

last_played_time

date and time of the last occurrence the video was played.

Type:

dfdatetime.DateTimeValues

play_count

number of times the video has been played.

Type:

int

query

SQL query that was used to obtain the event data.

Type:

str

DATA_TYPE = 'kodi:videos:viewing'
__init__()[source]

Initializes event data.

plaso.parsers.sqlite_plugins.ls_quarantine module

SQLite parser plugin for MacOS LS quarantine events database files.

class plaso.parsers.sqlite_plugins.ls_quarantine.MacOSLSQuarantineEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS launch services quarantine event data.

agent

user agent that was used to download the file.

Type:

str

data

data.

Type:

bytes

downloaded_time

date and time the file was downloaded.

Type:

dfdatetime.DateTimeValues

query

SQL query that was used to obtain the event data.

Type:

str

url

original URL of the file.

Type:

str

DATA_TYPE = 'macos:lsquarantine:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.ls_quarantine.MacOSLSQuarantinePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for MacOS LS quarantine events database files.

The MacOS launch services (LS) quarantine database file is typically stored in: /Users/<username>/Library/Preferences/

QuarantineEvents.com.apple.LaunchServices

DATA_FORMAT = 'MacOS launch services quarantine events database SQLite database file'
NAME = 'ls_quarantine'
ParseLSQuarantineRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a launch services quarantine event row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT LSQuarantineTimeStamp AS Time, LSQuarantineAgentName AS Agent, LSQuarantineOriginURLString AS URL, LSQuarantineDataURLString AS Data FROM LSQuarantineEvent ORDER BY Time', 'ParseLSQuarantineRow')]
REQUIRED_STRUCTURE = {'LSQuarantineEvent': frozenset({'LSQuarantineAgentName', 'LSQuarantineDataURLString', 'LSQuarantineOriginURLString', 'LSQuarantineTimeStamp'})}
SCHEMAS = [{'LSQuarantineEvent': 'CREATE TABLE LSQuarantineEvent ( LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL, LSQuarantineTimeStamp REAL, LSQuarantineAgentBundleIdentifier TEXT, LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT, LSQuarantineSenderName TEXT, LSQuarantineSenderAddress TEXT, LSQuarantineTypeNumber INTEGER, LSQuarantineOriginTitle TEXT, LSQuarantineOriginURLString TEXT, LSQuarantineOriginAlias BLOB )'}]

plaso.parsers.sqlite_plugins.mackeeper_cache module

SQLite parser plugin for MacOS MacKeeper cache database files.

class plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacKeeper Cache event data.

added_time

date and time the cache entry was added.

Type:

dfdatetime.DateTimeValues

description

description.

Type:

str

event_type

event type.

Type:

str

offset

identifier of the row, from which the event data was extracted.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

record_id

record identifier.

Type:

int

room

room.

Type:

str

text

text.

Type:

str

url

URL.

Type:

str

user_name

user name.

Type:

str

user_sid

user security identifier (SID).

Type:

str

DATA_TYPE = 'mackeeper:cache'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for MacOS MacKeeper cache database files.

DATA_FORMAT = 'MacOS MacKeeper cache SQLite database file'
NAME = 'mackeeper_cache'
ParseReceiverData(parser_mediator, query, row, **unused_kwargs)[source]

Parses a single row from the receiver and cache response table.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT d.entry_ID AS id, d.receiver_data AS data, r.request_key, r.time_stamp AS time_string FROM cfurl_cache_receiver_data d, cfurl_cache_response r WHERE r.entry_ID = d.entry_ID', 'ParseReceiverData')]
REQUIRED_STRUCTURE = {'cfurl_cache_blob_data': frozenset({}), 'cfurl_cache_receiver_data': frozenset({'entry_ID', 'receiver_data'}), 'cfurl_cache_response': frozenset({'entry_ID', 'request_key', 'time_stamp'})}
SCHEMAS = [{'cfurl_cache_blob_data': 'CREATE TABLE cfurl_cache_blob_data(entry_ID INTEGER PRIMARY KEY, response_object BLOB, request_object BLOB, proto_props BLOB, user_info BLOB)', 'cfurl_cache_receiver_data': 'CREATE TABLE cfurl_cache_receiver_data(entry_ID INTEGER PRIMARY KEY, receiver_data BLOB)', 'cfurl_cache_response': 'CREATE TABLE cfurl_cache_response(entry_ID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, version INTEGER, hash_value INTEGER, storage_policy INTEGER, request_key TEXT UNIQUE, time_stamp NOT NULL DEFAULT CURRENT_TIMESTAMP, partition TEXT)', 'cfurl_cache_schema_version': 'CREATE TABLE cfurl_cache_schema_version(schema_version INTEGER)'}]

plaso.parsers.sqlite_plugins.macos_appusage module

SQLite parser plugin for MacOS application usage database files.

class plaso.parsers.sqlite_plugins.macos_appusage.MacOSApplicationUsageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS application usage event data.

application

name of the application.

Type:

str

application_version

version of the application.

Type:

str

bundle_identifier

bundle identifier of the application.

Type:

str

count

number of occurances of the event.

Type:

int

event

event.

Type:

str

last_used_time

last date and time the application was last used.

Type:

dfdatetime.DateTimeValues

query

SQL query that was used to obtain the event data.

Type:

str

DATA_TYPE = 'macos:application_usage:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.macos_appusage.MacOSApplicationUsagePlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for MacOS application usage database files.

The MacOS application usage database is typically stored in: /var/db/application_usage.sqlite

Application usage is a SQLite database that logs down entries triggered by NSWorkspaceWillLaunchApplicationNotification and NSWorkspaceDidTerminateApplicationNotification NSWorkspace notifications by crankd.

More information can be found here: https://github.com/google/macops/blob/master/crankd/ApplicationUsage.py

DATA_FORMAT = 'MacOS application usage SQLite database (application_usage.sqlite) file'
NAME = 'appusage'
ParseApplicationUsageRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an application usage row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

QUERIES = [('SELECT last_time, event, bundle_id, app_version, app_path, number_times FROM application_usage ORDER BY last_time', 'ParseApplicationUsageRow')]
REQUIRED_STRUCTURE = {'application_usage': frozenset({'app_path', 'app_version', 'bundle_id', 'event', 'last_time', 'number_times'})}
SCHEMAS = [{'application_usage': 'CREATE TABLE application_usage (event TEXT, bundle_id TEXT, app_version TEXT, app_path TEXT, last_time INTEGER DEFAULT 0, number_times INTEGER DEFAULT 0, PRIMARY KEY (event, bundle_id))'}]

plaso.parsers.sqlite_plugins.macos_document_versions module

SQLite parser plugin for MacOS document revision database files.

class plaso.parsers.sqlite_plugins.macos_document_versions.MacOSDocumentVersionsEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS document revision event data.

creation_time

date and time the version information was created.

Type:

dfdatetime.DateTimeValues

last_seen_time

date and time and the original file was last seen (replicated).

Type:

dfdatetime.DateTimeValues

name

name of the original file.

Type:

str

path

path from the original file.

Type:

str

query

SQL query that was used to obtain the event data.

Type:

str

user_sid

user identifier that open the file.

Type:

str

version_path

path to the version copy of the original file.

Type:

str

DATA_TYPE = 'macos:document_versions:file'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.macos_document_versions.MacOSDocumentVersionsPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for MacOS document revision database files.

DATA_FORMAT = 'MacOS document revisions SQLite database file'
DocumentVersionsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a document versions row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

NAME = 'mac_document_versions'
QUERIES = [('SELECT f.file_name AS name, f.file_path AS path, f.file_last_seen AS last_time, g.generation_path AS version_path, g.generation_add_time AS version_time FROM files f, generations g WHERE f.file_storage_id = g.generation_storage_id;', 'DocumentVersionsRow')]
REQUIRED_STRUCTURE = {'files': frozenset({'file_last_seen', 'file_name', 'file_path', 'file_storage_id'}), 'generations': frozenset({'generation_add_time', 'generation_path', 'generation_storage_id'})}
ROOT_VERSION_PATH = '/.DocumentRevisions-V100/'
SCHEMAS = [{'files': 'CREATE TABLE files (file_row_id INTEGER PRIMARY KEY ASC, file_name TEXT, file_parent_id INTEGER, file_path TEXT, file_inode INTEGER, file_last_seen INTEGER NOT NULL DEFAULT 0, file_status INTEGER NOT NULL DEFAULT 1, file_storage_id INTEGER NOT NULL)', 'generations': 'CREATE TABLE generations (generation_id INTEGER PRIMARY KEY ASC, generation_storage_id INTEGER NOT NULL, generation_name TEXT NOT NULL, generation_client_id TEXT NOT NULL, generation_path TEXT UNIQUE, generation_options INTEGER NOT NULL DEFAULT 1, generation_status INTEGER NOT NULL DEFAULT 1, generation_add_time INTEGER NOT NULL DEFAULT 0, generation_size INTEGER NOT NULL DEFAULT 0, generation_prunable INTEGER NOT NULL DEFAULT 0)', 'storage': 'CREATE TABLE storage (storage_id INTEGER PRIMARY KEY ASC AUTOINCREMENT, storage_options INTEGER NOT NULL DEFAULT 1, storage_status INTEGER NOT NULL DEFAULT 1)'}]

plaso.parsers.sqlite_plugins.macos_knowledgec module

SQLite parser plugin for MacOS Duet/KnowledgeC database files.

class plaso.parsers.sqlite_plugins.macos_knowledgec.MacOSKnowledgeCApplicationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

KnowledgeC application execution event data.

bundle_identifier

bundle identifier of the application.

Type:

str

creation_time

creation date and time of the KnowledgeC record.

Type:

dfdatetime.DateTimeValues

duration

duration of the activity.

Type:

int

end_time

date and time the activity ended.

Type:

dfdatetime.DateTimeValues

start_time

date and time the activity started.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'macos:knowledgec:application'
__init__()[source]

Initializes event data.

class plaso.parsers.sqlite_plugins.macos_knowledgec.MacOSKnowledgeCPlugin[source]

Bases: SQLitePlugin

SQLite parser plugin for MacOS Duet/KnowledgeC database files.

DATA_FORMAT = 'MacOS Duet/KnowledgeC SQLites database file'
KnowledgeCRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses KnowledgeC application activity.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • query (str) – query that created the row.

  • row (sqlite3.Row) – row.

NAME = 'mac_knowledgec'
QUERIES = [('\n        SELECT\n          ZOBJECT.ZCREATIONDATE AS "entry_creation", \n          ZOBJECT.ZSTARTDATE AS "start", \n          ZOBJECT.ZENDDATE AS "end",\n          ZOBJECT.ZSTREAMNAME AS "action",\n          ZOBJECT.ZVALUESTRING AS "zvaluestring",\n          ZSTRUCTUREDMETADATA.Z_DKSAFARIHISTORYMETADATAKEY__TITLE AS "title"\n        FROM ZOBJECT\n        LEFT JOIN ZSTRUCTUREDMETADATA \n        ON ZOBJECT.ZSTRUCTUREDMETADATA = ZSTRUCTUREDMETADATA.Z_PK\n        ', 'KnowledgeCRow')]
REQUIRED_STRUCTURE = {'ZOBJECT': frozenset({'ZCREATIONDATE', 'ZENDDATE', 'ZSTARTDATE', 'ZSTREAMNAME', 'ZVALUESTRING'}), 'ZSTRUCTUREDMETADATA': frozenset({'Z_DKSAFARIHISTORYMETADATAKEY__TITLE'})}
SCHEMAS = [{'ACHANGE': 'CREATE TABLE ACHANGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCHANGETYPE INTEGER, ZENTITY INTEGER, ZENTITYPK INTEGER, ZTRANSACTIONID INTEGER, ZCOLUMNS BLOB, ZTOMBSTONE0 BLOB, ZTOMBSTONE1 BLOB, ZTOMBSTONE2 BLOB )', 'ATRANSACTION': 'CREATE TABLE ATRANSACTION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZTIMESTAMP FLOAT, ZAUTHOR VARCHAR, ZBUNDLEID VARCHAR, ZCONTEXTNAME VARCHAR, ZPROCESSID VARCHAR, ZQUERYGEN BLOB )', 'ZADDITIONCHANGESET': 'CREATE TABLE ZADDITIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZCONTEXTUALCHANGEREGISTRATION': 'CREATE TABLE ZCONTEXTUALCHANGEREGISTRATION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCREATIONDATE TIMESTAMP, ZIDENTIFIER VARCHAR, ZPROPERTIES BLOB )', 'ZCONTEXTUALKEYPATH': 'CREATE TABLE ZCONTEXTUALKEYPATH ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDEVICEID INTEGER, ZISEPHEMERAL INTEGER, ZISUSERCENTRIC INTEGER, ZCREATIONDATE TIMESTAMP, ZLASTMODIFIEDDATE TIMESTAMP, ZKEY VARCHAR, ZVALUE BLOB )', 'ZCUSTOMMETADATA': 'CREATE TABLE ZCUSTOMMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, ZOBJECT INTEGER, Z8_OBJECT INTEGER, ZDATEVALUE TIMESTAMP, ZDOUBLEVALUE FLOAT, ZNAME VARCHAR, ZSTRINGVALUE VARCHAR, ZVALUEHASH VARCHAR, ZBINARYVALUE BLOB )', 'ZDELETIONCHANGESET': 'CREATE TABLE ZDELETIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZHISTOGRAM': 'CREATE TABLE ZHISTOGRAM ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSTREAMTYPECODE INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZDEVICEIDENTIFIER VARCHAR, ZIDENTIFIER VARCHAR, ZSTREAMNAME VARCHAR )', 'ZHISTOGRAMVALUE': 'CREATE TABLE ZHISTOGRAMVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCOUNT INTEGER, ZINTEGERVALUE INTEGER, ZHISTOGRAM INTEGER, ZSTRINGVALUE VARCHAR )', 'ZOBJECT': 'CREATE TABLE ZOBJECT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUUIDHASH INTEGER, ZEVENT INTEGER, ZSOURCE INTEGER, ZCATEGORYTYPE INTEGER, ZINTEGERVALUE INTEGER, ZENDDAYOFWEEK INTEGER, ZENDSECONDOFDAY INTEGER, ZHASCUSTOMMETADATA INTEGER, ZHASSTRUCTUREDMETADATA INTEGER, ZSECONDSFROMGMT INTEGER, ZSHOULDSYNC INTEGER, ZSTARTDAYOFWEEK INTEGER, ZSTARTSECONDOFDAY INTEGER, ZVALUECLASS INTEGER, ZVALUEINTEGER INTEGER, ZVALUETYPECODE INTEGER, ZSTRUCTUREDMETADATA INTEGER, ZVALUE INTEGER, Z8_VALUE INTEGER, ZIDENTIFIERTYPE INTEGER, ZQUANTITYTYPE INTEGER, ZOBJECT INTEGER, Z8_OBJECT INTEGER, ZSUBJECT INTEGER, Z8_SUBJECT INTEGER, ZCREATIONDATE TIMESTAMP, ZCONFIDENCE FLOAT, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZVALUEDOUBLE FLOAT, ZDOUBLEVALUE FLOAT, ZUUID VARCHAR, ZSTREAMNAME VARCHAR, ZVALUESTRING VARCHAR, ZSTRING VARCHAR, ZVERBPHRASE VARCHAR, ZMETADATA BLOB )', 'ZSOURCE': 'CREATE TABLE ZSOURCE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUSERID INTEGER, ZBUNDLEID VARCHAR, ZDEVICEID VARCHAR, ZGROUPID VARCHAR, ZITEMID VARCHAR, ZSOURCEID VARCHAR )', 'ZSTRUCTUREDMETADATA': 'CREATE TABLE ZSTRUCTUREDMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, Z_CDPORTRAITMETADATAKEY__ALGORITHM INTEGER, Z_CDPORTRAITMETADATAKEY__ASSETVERSION INTEGER, Z_DKAPPINSTALLMETADATAKEY__ISINSTALL INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISPUBLICLYINDEXABLE INTEGER, Z_DKAPPLICATIONMETADATAKEY__PROCESSIDENTIFIER INTEGER, Z_DKAUDIOMETADATAKEY__ROUTECHANGEREASON INTEGER, Z_DKBLUETOOTHMETADATAKEY__DEVICETYPE INTEGER, Z_DKBULLETINBOARDMETADATAKEY__HASDATE INTEGER, Z_DKGLANCELAUNCHMETADATA__DEVICEIDENTIFIER INTEGER, Z_DKINTENTMETADATAKEY__DONATEDBYSIRI INTEGER, Z_DKINTENTMETADATAKEY__INTENTHANDLINGSTATUS INTEGER, Z_DKNOWPLAYINGMETADATAKEY__IDENTIFIER INTEGER, Z_DKNOWPLAYINGMETADATAKEY__PLAYING INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__INTERACTIONTYPE INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__SUGGESTIONTYPE INTEGER, Z_DKSUNRISESUNSETMETADATAKEY__ISDAYLIGHT INTEGER, Z_QPMETRICSMETADATAKEY__QUERYENGAGED INTEGER, Z_QPMETRICSMETADATAKEY__RESULTENGAGED INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_DATE INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_ENDDATE INTEGER, Z_CDPORTRAITMETADATAKEY__DECAYRATE FLOAT, Z_CDPORTRAITMETADATAKEY__SCORE FLOAT, Z_DKAPPLICATIONACTIVITYMETADATAKEY__EXPIRATIONDATE TIMESTAMP, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LONGITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LONGITUDE FLOAT, Z_DKNOWPLAYINGMETADATAKEY__DURATION FLOAT, Z_DKNOWPLAYINGMETADATAKEY__ELAPSED FLOAT, Z_DKPERIODMETADATAKEY__PERIODEND TIMESTAMP, Z_DKPERIODMETADATAKEY__PERIODSTART TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__CURRENTSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__CURRENTSUNSET TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__NEXTSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__NEXTSUNSET TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__PREVIOUSSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__PREVIOUSSUNSET TIMESTAMP, Z_QPMETRICSMETADATAKEY__TIMESTAMP FLOAT, Z_CDENTITYMETADATAKEY__BESTLANGUAGE VARCHAR, Z_CDENTITYMETADATAKEY__NAME VARCHAR, Z_CDPORTRAITMETADATAKEY__OSBUILD VARCHAR, Z_DKAPPINSTALLMETADATAKEY__PRIMARYCATEGORY VARCHAR, Z_DKAPPINSTALLMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ACTIVITYTYPE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDUNIQUEIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYREQUIREDSTRING VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYUUID VARCHAR, Z_DKAPPLICATIONMETADATAKEY__BACKBOARDSTATE VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONCONTAININGBUNDLEIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONHOSTIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__LAUNCHREASON VARCHAR, Z_DKAUDIOMETADATAKEY__CHANNELS VARCHAR, Z_DKAUDIOMETADATAKEY__DATASOURCES VARCHAR, Z_DKAUDIOMETADATAKEY__IDENTIFIER VARCHAR, Z_DKAUDIOMETADATAKEY__PORTNAME VARCHAR, Z_DKAUDIOMETADATAKEY__PORTTYPE VARCHAR, Z_DKAUDIOMETADATAKEY__PREFERREDDATASOURCE VARCHAR, Z_DKAUDIOMETADATAKEY__SELECTEDDATASOURCE VARCHAR, Z_DKBATTERYSAVERMETADATAKEY__SOURCE VARCHAR, Z_DKBLUETOOTHMETADATAKEY__ADDRESS VARCHAR, Z_DKBLUETOOTHMETADATAKEY__NAME VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__FEED VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__MESSAGE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__SUBTITLE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__TITLE VARCHAR, Z_DKCALENDARMETADATAKEY__INTERACTION VARCHAR, Z_DKCALLMETADATAKEY__INTERACTION VARCHAR, Z_DKDEVICEIDMETADATAKEY__DEVICEIDENTIFIER VARCHAR, Z_DKINTENTMETADATAKEY__INTENTCLASS VARCHAR, Z_DKINTENTMETADATAKEY__INTENTVERB VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__URL VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__CITY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__COUNTRY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__DISPLAYNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__FULLYFORMATTEDADDRESS VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LOCATIONNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__POSTALCODE_V2 VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__STATEORPROVINCE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__SUBTHOROUGHFARE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__THOROUGHFARE VARCHAR, Z_DKLOCATIONMETADATAKEY__IDENTIFIER VARCHAR, Z_DKMETADATAHOMEAPPVIEW__HOMEUUID VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWINFORMATION VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWNAME VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CHARACTERISTICTYPE VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICENAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICETYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETTYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__SCENENAME VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__LOCATIONDISTRIBUTION VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__MICROLOCATIONDISTRIBUTION VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ALBUM VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ARTIST VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__GENRE VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__TITLE VARCHAR, Z_DKSAFARIHISTORYMETADATAKEY__TITLE VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CLIENT VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CONTACTID VARCHAR, Z_QPMETRICSMETADATAKEY__QUERY VARCHAR, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_EXTERNALID VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTIDENTIFIERKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTLAUNCHKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONPERSISTENTPREDICATESTRINGKEY VARCHAR, ZMETADATAHASH VARCHAR UNIQUE, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDCONTENTURL VARCHAR, Z_DKAPPINSTALLMETADATAKEY__SUBCATEGORIES BLOB, Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION BLOB, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__PHONENUMBERS BLOB, Z_QPMETRICSMETADATAKEY__CANDIDATELIST BLOB, Z_QPMETRICSMETADATAKEY__QUERYLIST BLOB )', 'Z_4EVENT': 'CREATE TABLE Z_4EVENT ( Z_4CUSTOMMETADATA INTEGER, Z_10EVENT INTEGER, PRIMARY KEY (Z_4CUSTOMMETADATA, Z_10EVENT) )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)', 'Z_MODELCACHE': 'CREATE TABLE Z_MODELCACHE (Z_CONTENT BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'}, {'ZADDITIONCHANGESET': 'CREATE TABLE ZADDITIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZCONTEXTUALCHANGEREGISTRATION': 'CREATE TABLE ZCONTEXTUALCHANGEREGISTRATION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCREATIONDATE TIMESTAMP, ZIDENTIFIER VARCHAR, ZPROPERTIES BLOB )', 'ZCONTEXTUALKEYPATH': 'CREATE TABLE ZCONTEXTUALKEYPATH ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDEVICEID INTEGER, ZISEPHEMERAL INTEGER, ZISUSERCENTRIC INTEGER, ZCREATIONDATE TIMESTAMP, ZLASTMODIFIEDDATE TIMESTAMP, ZKEY VARCHAR, ZVALUE BLOB )', 'ZCUSTOMMETADATA': 'CREATE TABLE ZCUSTOMMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, ZOBJECT INTEGER, Z9_OBJECT INTEGER, ZDATEVALUE TIMESTAMP, ZDOUBLEVALUE FLOAT, ZNAME VARCHAR, ZSTRINGVALUE VARCHAR, ZVALUEHASH VARCHAR, ZBINARYVALUE BLOB )', 'ZDELETIONCHANGESET': 'CREATE TABLE ZDELETIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZHISTOGRAM': 'CREATE TABLE ZHISTOGRAM ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSTREAMTYPECODE INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCUSTOMIDENTIFIER VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZIDENTIFIER VARCHAR, ZSTREAMNAME VARCHAR )', 'ZHISTOGRAMVALUE': 'CREATE TABLE ZHISTOGRAMVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, ZHISTOGRAM INTEGER, ZCOUNT FLOAT, ZSTRINGVALUE VARCHAR )', 'ZKEYVALUE': 'CREATE TABLE ZKEYVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDOMAIN VARCHAR, ZKEY VARCHAR, ZVALUE BLOB )', 'ZOBJECT': 'CREATE TABLE ZOBJECT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUUIDHASH INTEGER, ZEVENT INTEGER, ZSOURCE INTEGER, ZCATEGORYTYPE INTEGER, ZINTEGERVALUE INTEGER, ZENDDAYOFWEEK INTEGER, ZENDSECONDOFDAY INTEGER, ZHASCUSTOMMETADATA INTEGER, ZHASSTRUCTUREDMETADATA INTEGER, ZSECONDSFROMGMT INTEGER, ZSHOULDSYNC INTEGER, ZSTARTDAYOFWEEK INTEGER, ZSTARTSECONDOFDAY INTEGER, ZVALUECLASS INTEGER, ZVALUEINTEGER INTEGER, ZVALUETYPECODE INTEGER, ZSTRUCTUREDMETADATA INTEGER, ZVALUE INTEGER, Z9_VALUE INTEGER, ZIDENTIFIERTYPE INTEGER, ZQUANTITYTYPE INTEGER, ZOBJECT INTEGER, Z9_OBJECT INTEGER, ZSUBJECT INTEGER, Z9_SUBJECT INTEGER, ZCREATIONDATE TIMESTAMP, ZLOCALCREATIONDATE TIMESTAMP, ZCONFIDENCE FLOAT, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZVALUEDOUBLE FLOAT, ZDOUBLEVALUE FLOAT, ZUUID VARCHAR, ZSTREAMNAME VARCHAR, ZVALUESTRING VARCHAR, ZSTRING VARCHAR, ZVERBPHRASE VARCHAR, ZMETADATA BLOB )', 'ZSOURCE': 'CREATE TABLE ZSOURCE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUSERID INTEGER, ZBUNDLEID VARCHAR, ZDEVICEID VARCHAR, ZGROUPID VARCHAR, ZITEMID VARCHAR, ZSOURCEID VARCHAR )', 'ZSTRUCTUREDMETADATA': 'CREATE TABLE ZSTRUCTUREDMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, Z_CDPORTRAITMETADATAKEY__ALGORITHM INTEGER, Z_CDPORTRAITMETADATAKEY__ASSETVERSION INTEGER, Z_DKAPPINSTALLMETADATAKEY__ISINSTALL INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISELIGIBLEFORPREDICTION INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISPUBLICLYINDEXABLE INTEGER, Z_DKAPPLICATIONMETADATAKEY__PROCESSIDENTIFIER INTEGER, Z_DKAUDIOMETADATAKEY__ROUTECHANGEREASON INTEGER, Z_DKBLUETOOTHMETADATAKEY__DEVICETYPE INTEGER, Z_DKBULLETINBOARDMETADATAKEY__HASDATE INTEGER, Z_DKDIGITALHEALTHMETADATAKEY__USAGETYPE INTEGER, Z_DKGLANCELAUNCHMETADATA__DEVICEIDENTIFIER INTEGER, Z_DKINTENTMETADATAKEY__DONATEDBYSIRI INTEGER, Z_DKINTENTMETADATAKEY__INTENTHANDLINGSTATUS INTEGER, Z_DKINTENTMETADATAKEY__INTENTTYPE INTEGER, Z_DKNOWPLAYINGMETADATAKEY__IDENTIFIER INTEGER, Z_DKNOWPLAYINGMETADATAKEY__PLAYING INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__INTERACTIONTYPE INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__SUGGESTIONTYPE INTEGER, Z_QPMETRICSMETADATAKEY__QUERYENGAGED INTEGER, Z_QPMETRICSMETADATAKEY__RESULTENGAGED INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_DATE INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_ENDDATE INTEGER, Z_CDPORTRAITMETADATAKEY__DECAYRATE FLOAT, Z_CDPORTRAITMETADATAKEY__SCORE FLOAT, Z_DKAPPLICATIONACTIVITYMETADATAKEY__EXPIRATIONDATE TIMESTAMP, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LONGITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LONGITUDE FLOAT, Z_DKNOWPLAYINGMETADATAKEY__DURATION FLOAT, Z_DKNOWPLAYINGMETADATAKEY__ELAPSED FLOAT, Z_DKPERIODMETADATAKEY__PERIODEND TIMESTAMP, Z_DKPERIODMETADATAKEY__PERIODSTART TIMESTAMP, Z_QPMETRICSMETADATAKEY__TIMESTAMP FLOAT, Z_CDENTITYMETADATAKEY__BESTLANGUAGE VARCHAR, Z_CDENTITYMETADATAKEY__NAME VARCHAR, Z_CDPORTRAITMETADATAKEY__OSBUILD VARCHAR, Z_DKAPPINSTALLMETADATAKEY__PRIMARYCATEGORY VARCHAR, Z_DKAPPINSTALLMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ACTIVITYTYPE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__CONTENTDESCRIPTION VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDUNIQUEIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__SUGGESTEDINVOCATIONPHRASE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYREQUIREDSTRING VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYUUID VARCHAR, Z_DKAPPLICATIONMETADATAKEY__BACKBOARDSTATE VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONCONTAININGBUNDLEIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONHOSTIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__LAUNCHREASON VARCHAR, Z_DKAUDIOMETADATAKEY__CHANNELS VARCHAR, Z_DKAUDIOMETADATAKEY__DATASOURCES VARCHAR, Z_DKAUDIOMETA