plaso.parsers.sqlite_plugins package
Submodules
plaso.parsers.sqlite_plugins.android_app_usage module
SQLite parser plugin for Android app_usage database files.
- class plaso.parsers.sqlite_plugins.android_app_usage.AndroidAppUsage(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Android app usage event data.
- package_name
name of the launched package.
- Type:
str
- start_time
date and time when the application was launched.
- Type:
dfdatetime.DateTimeValues
- DATA_TYPE = 'android:sqlite:app_usage'
- class plaso.parsers.sqlite_plugins.android_app_usage.AndroidSQLiteAppUsage[source]
Bases:
SQLitePlugin
SQLite parser plugin for Android application usage database files.
- DATA_FORMAT = 'Android app_usage SQLite database (app_usage) file'
- NAME = 'android_app_usage'
- ParseAppUsageRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses an event record row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT events.timestamp, packages.package_name FROM events JOIN packages ON packages._id = events.package_id', 'ParseAppUsageRow')]
- REQUIRED_STRUCTURE = {'events': frozenset({'_id', 'package_id', 'timestamp'}), 'packages': frozenset({'_id', 'package_name'})}
- SCHEMAS = [{'events': 'CREATE TABLE "events" (_id INTEGER PRIMARY KEY,timestamp INTEGER NOT NULL,type INTEGER NOT NULL,package_id INTEGER NOT NULL REFERENCES packages(_id) ON UPDATE CASCADE ON DELETE CASCADE, instance_id INTEGER DEFAULT NULL, task_root_package_id INTEGER DEFAULT NULL REFERENCES packages(_id) ON UPDATE CASCADE ON DELETE CASCADE)', 'packages': 'CREATE TABLE packages (_id INTEGER PRIMARY KEY,package_name TEXT, UNIQUE(package_name) ON CONFLICT ABORT)'}]
plaso.parsers.sqlite_plugins.android_calls module
SQLite parser plugin for Android call history database files.
- class plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Android Call event data.
- call_type
type of call, such as: Incoming, Outgoing, or Missed.
- Type:
int
- duration
number of seconds the call lasted.
- Type:
int
- end_time
date and time the call was stopped.
- Type:
dfdatetime.DateTimeValues
- name
name associated with the remote party.
- Type:
str
- number
phone number associated with the remote party.
- Type:
str
- offset
identifier of the row, from which the event data was extracted.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- start_time
date and time the call was started.
- Type:
dfdatetime.DateTimeValues
- DATA_TYPE = 'android:event:call'
- class plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Android call history database files.
The Android call history database file is typically stored in: contacts2.db
- DATA_FORMAT = 'Android call history SQLite database (contacts2.db) file'
- NAME = 'android_calls'
- ParseCallsRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a Call record row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT _id AS id, date, number, name, duration, type FROM calls', 'ParseCallsRow')]
- REQUIRED_STRUCTURE = {'calls': frozenset({'_id', 'date', 'duration', 'name', 'number', 'type'})}
- SCHEMAS = [{'_sync_state': 'CREATE TABLE _sync_state (_id INTEGER PRIMARY KEY, account_name TEXT NOT NULL, account_type TEXT NOT NULL, data TEXT, UNIQUE(account_name, account_type))', '_sync_state_metadata': 'CREATE TABLE _sync_state_metadata (version INTEGER)', 'accounts': 'CREATE TABLE accounts (_id INTEGER PRIMARY KEY AUTOINCREMENT, account_name TEXT, account_type TEXT, data_set TEXT)', 'agg_exceptions': 'CREATE TABLE agg_exceptions (_id INTEGER PRIMARY KEY AUTOINCREMENT, type INTEGER NOT NULL, raw_contact_id1 INTEGER REFERENCES raw_contacts(_id), raw_contact_id2 INTEGER REFERENCES raw_contacts(_id))', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'calls': 'CREATE TABLE calls (_id INTEGER PRIMARY KEY AUTOINCREMENT, number TEXT, date INTEGER, duration INTEGER, type INTEGER, new INTEGER, name TEXT, numbertype INTEGER, numberlabel TEXT, countryiso TEXT, voicemail_uri TEXT, is_read INTEGER, geocoded_location TEXT, lookup_uri TEXT, matched_number TEXT, normalized_number TEXT, photo_id INTEGER NOT NULL DEFAULT 0, formatted_number TEXT, _data TEXT, has_content INTEGER, mime_type TEXT, source_data TEXT, source_package TEXT, state INTEGER)', 'contacts': 'CREATE TABLE contacts (_id INTEGER PRIMARY KEY AUTOINCREMENT, name_raw_contact_id INTEGER REFERENCES raw_contacts(_id), photo_id INTEGER REFERENCES data(_id), photo_file_id INTEGER REFERENCES photo_files(_id), custom_ringtone TEXT, send_to_voicemail INTEGER NOT NULL DEFAULT 0, times_contacted INTEGER NOT NULL DEFAULT 0, last_time_contacted INTEGER, starred INTEGER NOT NULL DEFAULT 0, has_phone_number INTEGER NOT NULL DEFAULT 0, lookup TEXT, status_update_id INTEGER REFERENCES data(_id), contact_last_updated_timestamp INTEGER)', 'data': 'CREATE TABLE data (_id INTEGER PRIMARY KEY AUTOINCREMENT, package_id INTEGER REFERENCES package(_id), mimetype_id INTEGER REFERENCES mimetype(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, is_read_only INTEGER NOT NULL DEFAULT 0, 
is_primary INTEGER NOT NULL DEFAULT 0, is_super_primary INTEGER NOT NULL DEFAULT 0, data_version INTEGER NOT NULL DEFAULT 0, data1 TEXT, data2 TEXT, data3 TEXT, data4 TEXT, data5 TEXT, data6 TEXT, data7 TEXT, data8 TEXT, data9 TEXT, data10 TEXT, data11 TEXT, data12 TEXT, data13 TEXT, data14 TEXT, data15 TEXT, data_sync1 TEXT, data_sync2 TEXT, data_sync3 TEXT, data_sync4 TEXT )', 'data_usage_stat': 'CREATE TABLE data_usage_stat(stat_id INTEGER PRIMARY KEY AUTOINCREMENT, data_id INTEGER NOT NULL, usage_type INTEGER NOT NULL DEFAULT 0, times_used INTEGER NOT NULL DEFAULT 0, last_time_used INTEGER NOT NULL DEFAULT 0, FOREIGN KEY(data_id) REFERENCES data(_id))', 'default_directory': 'CREATE TABLE default_directory (_id INTEGER PRIMARY KEY)', 'deleted_contacts': 'CREATE TABLE deleted_contacts (contact_id INTEGER PRIMARY KEY, contact_deleted_timestamp INTEGER NOT NULL default 0)', 'directories': 'CREATE TABLE directories(_id INTEGER PRIMARY KEY AUTOINCREMENT, packageName TEXT NOT NULL, authority TEXT NOT NULL, typeResourceId INTEGER, typeResourceName TEXT, accountType TEXT, accountName TEXT, displayName TEXT, exportSupport INTEGER NOT NULL DEFAULT 0, shortcutSupport INTEGER NOT NULL DEFAULT 0, photoSupport INTEGER NOT NULL DEFAULT 0)', 'groups': 'CREATE TABLE groups (_id INTEGER PRIMARY KEY AUTOINCREMENT, package_id INTEGER REFERENCES package(_id), account_name STRING DEFAULT NULL, account_type STRING DEFAULT NULL, data_set STRING DEFAULT NULL, sourceid TEXT, version INTEGER NOT NULL DEFAULT 1, dirty INTEGER NOT NULL DEFAULT 0, title TEXT, title_res INTEGER, notes TEXT, system_id TEXT, deleted INTEGER NOT NULL DEFAULT 0, group_visible INTEGER NOT NULL DEFAULT 0, should_sync INTEGER NOT NULL DEFAULT 1, auto_add INTEGER NOT NULL DEFAULT 0, favorites INTEGER NOT NULL DEFAULT 0, group_is_read_only INTEGER NOT NULL DEFAULT 0, sync1 TEXT, sync2 TEXT, sync3 TEXT, sync4 TEXT , account_id INTEGER REFERENCES accounts(_id))', 'mimetypes': 'CREATE TABLE mimetypes (_id INTEGER PRIMARY 
KEY AUTOINCREMENT, mimetype TEXT NOT NULL)', 'name_lookup': 'CREATE TABLE name_lookup (data_id INTEGER REFERENCES data(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, normalized_name TEXT NOT NULL, name_type INTEGER NOT NULL, PRIMARY KEY (data_id, normalized_name, name_type))', 'nickname_lookup': 'CREATE TABLE nickname_lookup (name TEXT, cluster TEXT)', 'packages': 'CREATE TABLE packages (_id INTEGER PRIMARY KEY AUTOINCREMENT, package TEXT NOT NULL)', 'phone_lookup': 'CREATE TABLE phone_lookup (data_id INTEGER REFERENCES data(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, normalized_number TEXT NOT NULL, min_match TEXT NOT NULL)', 'photo_files': 'CREATE TABLE photo_files (_id INTEGER PRIMARY KEY AUTOINCREMENT, height INTEGER NOT NULL, width INTEGER NOT NULL, filesize INTEGER NOT NULL)', 'properties': 'CREATE TABLE properties (property_key TEXT PRIMARY KEY, property_value TEXT )'}]
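One way to apply the android_calls REQUIRED_STRUCTURE and QUERIES values to an evidence database before trusting its rows, as an added example that is not plaso's own code. The helper names, the constructed in-memory rows, and the treatment of `date` as milliseconds since the Unix epoch (UTC) are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Values copied from the AndroidCallPlugin documentation above.
REQUIRED_STRUCTURE = {
    'calls': frozenset({'_id', 'date', 'duration', 'name', 'number', 'type'})}
QUERY = 'SELECT _id AS id, date, number, name, duration, type FROM calls'

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def table_columns(connection):
    """Maps every table name in the database to the set of its column names."""
    tables = connection.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    columns = {}
    for table_row in tables:
        table_name = table_row[0]
        # Quote the identifier: table names come from an untrusted evidence file.
        quoted = '"{0:s}"'.format(table_name.replace('"', '""'))
        info = connection.execute('PRAGMA table_info({0:s})'.format(quoted))
        columns[table_name] = frozenset(row[1] for row in info)
    return columns


def missing_structure(connection, required_structure):
    """Returns {table: missing columns}; empty when the database qualifies."""
    present = table_columns(connection)
    missing = {}
    for table_name, required_columns in required_structure.items():
        absent = required_columns - present.get(table_name, frozenset())
        if absent:
            missing[table_name] = set(absent)
    return missing


def parse_calls(connection):
    """Runs the documented query and derives start and end times per row."""
    connection.row_factory = sqlite3.Row
    events = []
    for row in connection.execute(QUERY):
        start_time = end_time = None
        if row['date'] is not None:
            # Assumption: date holds milliseconds since the Unix epoch (UTC).
            start_time = EPOCH + timedelta(milliseconds=row['date'])
            if row['duration'] is not None:
                # duration is documented above as a number of seconds.
                end_time = start_time + timedelta(seconds=row['duration'])
        events.append({
            'offset': row['id'], 'query': QUERY, 'number': row['number'],
            'name': row['name'], 'call_type': row['type'],
            'duration': row['duration'], 'start_time': start_time,
            'end_time': end_time})
    return events


def build_sample_database(include_duration=True):
    """Builds a constructed, in-memory stand-in for contacts2.db."""
    columns = ['_id INTEGER PRIMARY KEY AUTOINCREMENT', 'number TEXT',
               'date INTEGER', 'type INTEGER', 'name TEXT']
    names = 'number, date, type, name'
    if include_duration:
        columns.append('duration INTEGER')
        names += ', duration'
    connection = sqlite3.connect(':memory:')
    connection.execute('CREATE TABLE calls ({0:s})'.format(', '.join(columns)))
    # Constructed sample rows, not taken from any real device.
    rows = [('5550100', 1383772636690, 2, 'Constructed Contact', 67),
            ('5550101', 1383772700000, 3, None, None)]
    for row in rows:
        values = row if include_duration else row[:4]
        marks = ', '.join('?' * len(values))
        connection.execute(
            'INSERT INTO calls ({0:s}) VALUES ({1:s})'.format(names, marks),
            values)
    return connection


if __name__ == '__main__':
    for label, database in (
            ('complete', build_sample_database()),
            ('no duration column', build_sample_database(False))):
        missing = missing_structure(database, REQUIRED_STRUCTURE)
        if missing:
            print(label, '-> skipped, missing:', missing)
            continue
        for event in parse_calls(database):
            print(label, '->', event['offset'], event['number'],
                  event['start_time'], event['end_time'])
```

Running the structure check first keeps a database that merely shares the file name from being queried and producing misleading or failing results.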
plaso.parsers.sqlite_plugins.android_hangouts module
SQLite parser plugin for Google Hangouts conversations database files.
- class plaso.parsers.sqlite_plugins.android_hangouts.AndroidHangoutsMessageData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Google Hangouts Message event data.
- body
content of the SMS text message.
- Type:
str
- creation_time
date and time the Google Hangouts message was created.
- Type:
dfdatetime.DateTimeValues
- message_status
message status.
- Type:
int
- message_type
message type.
- Type:
int
- offset
identifier of the row, from which the event data was extracted.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- sender
name of the sender.
- Type:
str
- DATA_TYPE = 'android:messaging:hangouts'
- class plaso.parsers.sqlite_plugins.android_hangouts.AndroidHangoutsMessagePlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Google Hangouts conversations database files.
The Google Hangouts conversations database file is typically stored in: /data/com.google.android.talk/databases/babel.db
This SQLite database stores conversations, participant names, messages, and information about the Google Hangout event. There can be multiple babel.db databases; each database name is followed by an integer starting with 0, for example: “babel0.db, babel1.db, babel3.db”.
- DATA_FORMAT = 'Google Hangouts conversations SQLite database (babel.db) file'
- NAME = 'hangouts_messages'
- ParseMessagesRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a Messages row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT messages._id, participants.full_name, text, messages.timestamp,status, type FROM messages INNER JOIN participants ON messages.author_chat_id=participants.chat_id;', 'ParseMessagesRow')]
- REQUIRED_STRUCTURE = {'blocked_people': frozenset({}), 'messages': frozenset({'_id', 'author_chat_id', 'status', 'text', 'timestamp', 'type'}), 'participants': frozenset({'chat_id', 'full_name'})}
- SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'blocked_people': 'CREATE TABLE blocked_people (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, profile_photo_url TEXT, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'conversation_participants': 'CREATE TABLE conversation_participants (_id INTEGER PRIMARY KEY, participant_row_id INT, participant_type INT, conversation_id TEXT, sequence INT, active INT, invitation_status INT DEFAULT(0), UNIQUE (conversation_id,participant_row_id) ON CONFLICT REPLACE, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, FOREIGN KEY (participant_row_id) REFERENCES participants(_id))', 'conversations': 'CREATE TABLE conversations (_id INTEGER PRIMARY KEY, conversation_id TEXT, conversation_type INT, latest_message_timestamp INT DEFAULT(0), latest_message_expiration_timestamp INT, metadata_present INT,notification_level INT, name TEXT, generated_name TEXT, snippet_type INT, snippet_text TEXT, snippet_image_url TEXT, snippet_author_gaia_id TEXT, snippet_author_chat_id TEXT, snippet_message_row_id INT, snippet_selector INT, snippet_status INT, snippet_new_conversation_name TEXT, snippet_participant_keys TEXT, snippet_sms_type TEXT, previous_latest_timestamp INT, status INT, view INT, inviter_gaia_id TEXT, inviter_chat_id TEXT, inviter_affinity INT, is_pending_leave INT, account_id INT, is_otr INT, packed_avatar_urls TEXT, self_avatar_url TEXT, self_watermark INT DEFAULT(0), chat_watermark INT DEFAULT(0), hangout_watermark INT DEFAULT(0), is_draft INT, sequence_number INT, call_media_type INT DEFAULT(0), has_joined_hangout INT, has_chat_notifications DEFAULT(0),has_video_notifications DEFAULT(0),last_hangout_event_time INT, draft TEXT, otr_status INT, otr_toggle INT, last_otr_modification_time INT, continuation_token BLOB, continuation_event_timestamp INT, has_oldest_message INT DEFAULT(0), sort_timestamp 
INT, first_peak_scroll_time INT, first_peak_scroll_to_message_timestamp INT, second_peak_scroll_time INT, second_peak_scroll_to_message_timestamp INT, conversation_hash BLOB, disposition INT DEFAULT(0), has_persistent_events INT DEFAULT(-1), transport_type INT DEFAULT(1), default_transport_phone TEXT, sms_service_center TEXT, is_temporary INT DEFAULT (0), sms_thread_id INT DEFAULT (-1), chat_ringtone_uri TEXT, hangout_ringtone_uri TEXT, snippet_voicemail_duration INT DEFAULT (0), share_count INT DEFAULT(0), has_unobserved TEXT, last_share_timestamp INT DEFAULT(0), gls_status INT DEFAULT(0), gls_link TEXT, is_guest INT DEFAULT(0), UNIQUE (conversation_id ))', 'dismissed_contacts': 'CREATE TABLE dismissed_contacts (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, profile_photo_url TEXT, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'event_suggestions': 'CREATE TABLE event_suggestions (_id INTEGER PRIMARY KEY, conversation_id TEXT, event_id TEXT, suggestion_id TEXT, timestamp INT, expiration_time_usec INT, type INT, gem_asset_url STRING, gem_horizontal_alignment INT, matched_message_substring TEXT, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, UNIQUE (conversation_id,suggestion_id) ON CONFLICT REPLACE)', 'merge_keys': 'CREATE TABLE merge_keys (_id INTEGER PRIMARY KEY, conversation_id TEXT, merge_key TEXT, UNIQUE (conversation_id) ON CONFLICT REPLACE, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE )', 'merged_contact_details': 'CREATE TABLE merged_contact_details (_id INTEGER PRIMARY KEY, merged_contact_id INT, lookup_data_type INT, lookup_data TEXT, lookup_data_standardized TEXT, lookup_data_search TEXT, lookup_data_label TEXT, needs_gaia_ids_resolved INT DEFAULT (1), is_hangouts_user INT DEFAULT (0), gaia_id TEXT, avatar_url TEXT, display_name TEXT, last_checked_ts INT DEFAULT (0), 
lookup_data_display TEXT, detail_affinity_score REAL DEFAULT (0.0), detail_logging_id TEXT, is_in_viewer_dasher_domain INT DEFAULT (0), FOREIGN KEY (merged_contact_id) REFERENCES merged_contacts(_id) ON DELETE CASCADE ON UPDATE CASCADE)', 'merged_contacts': 'CREATE TABLE merged_contacts (_id INTEGER PRIMARY KEY, contact_lookup_key TEXT, contact_id INT, raw_contact_id INT, display_name TEXT, avatar_url TEXT, is_frequent INT DEFAULT (0), is_favorite INT DEFAULT (0), contact_source INT DEFAULT(0), frequent_order INT, person_logging_id TEXT, person_affinity_score REAL DEFAULT (0.0), is_in_same_domain INT DEFAULT (0))', 'messages': 'CREATE TABLE messages (_id INTEGER PRIMARY KEY, message_id TEXT, message_type INT, conversation_id TEXT, author_chat_id TEXT, author_gaia_id TEXT, text TEXT, timestamp INT, delete_after_read_timetamp INT, status INT, type INT, local_url TEXT, remote_url TEXT, attachment_content_type TEXT, width_pixels INT, height_pixels INT, stream_id TEXT, image_id TEXT, album_id TEXT, latitude DOUBLE, longitude DOUBLE, address ADDRESS, notification_level INT, expiration_timestamp INT, notified_for_failure INT DEFAULT(0), off_the_record INT DEFAULT(0), transport_type INT NOT NULL DEFAULT(1), transport_phone TEXT, external_ids TEXT, sms_timestamp_sent INT DEFAULT(0), sms_priority INT DEFAULT(0), sms_message_size INT DEFAULT(0), mms_subject TEXT, sms_raw_sender TEXT, sms_raw_recipients TEXT, persisted INT DEFAULT(1), sms_message_status INT DEFAULT(-1), sms_type INT DEFAULT(-1), stream_url TEXT, attachment_target_url TEXT, attachment_name TEXT, image_rotation INT DEFAULT (0), new_conversation_name TEXT, participant_keys TEXT, forwarded_mms_url TEXT, forwarded_mms_count INT DEFAULT(0), attachment_description TEXT, attachment_target_url_description TEXT, attachment_target_url_name TEXT, attachment_blob_data BLOB,attachment_uploading_progress INT DEFAULT(0), sending_error INT DEFAULT(0), stream_expiration INT, voicemail_length INT DEFAULT (0), call_media_type INT 
DEFAULT(0), last_seen_timestamp INT DEFAULT(0), observed_status INT DEFAULT(2), receive_type INT DEFAULT(0), init_timestamp INT DEFAULT(0), in_app_msg_latency INT DEFAULT(0), notified INT DEFAULT(0), alert_in_conversation_list INT DEFAULT(0), attachments BLOB, is_user_mentioned INT DEFAULT(0), local_id TEXT, request_task_row_id INT DEFAULT(-1), FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, UNIQUE (conversation_id,message_id) ON CONFLICT REPLACE)', 'mms_notification_inds': 'CREATE TABLE mms_notification_inds (_id INTEGER PRIMARY KEY, content_location TEXT, transaction_id TEXT, from_address TEXT, message_size INT DEFAULT(0), expiry INT)', 'multipart_attachments': 'CREATE TABLE multipart_attachments (_id INTEGER PRIMARY KEY, message_id TEXT, conversation_id TEXT, url TEXT, content_type TEXT, width INT, height INT, FOREIGN KEY (message_id, conversation_id) REFERENCES messages(message_id, conversation_id) ON DELETE CASCADE ON UPDATE CASCADE)', 'participant_email_fts': 'CREATE VIRTUAL TABLE participant_email_fts USING fts4(content="merged_contact_details", gaia_id,lookup_data)', 'participant_email_fts_docsize': "CREATE TABLE 'participant_email_fts_docsize'(docid INTEGER PRIMARY KEY, size BLOB)", 'participant_email_fts_segdir': "CREATE TABLE 'participant_email_fts_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx))", 'participant_email_fts_segments': "CREATE TABLE 'participant_email_fts_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'participant_email_fts_stat': "CREATE TABLE 'participant_email_fts_stat'(id INTEGER PRIMARY KEY, value BLOB)", 'participants': "CREATE TABLE participants (_id INTEGER PRIMARY KEY, participant_type INT DEFAULT 1, gaia_id TEXT, chat_id TEXT, phone_id TEXT, circle_id TEXT, first_name TEXT, full_name TEXT, fallback_name TEXT, profile_photo_url TEXT, batch_gebi_tag STRING DEFAULT('-1'), blocked INT 
DEFAULT(0), in_users_domain BOOLEAN, UNIQUE (circle_id) ON CONFLICT REPLACE, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)", 'participants_fts': 'CREATE VIRTUAL TABLE participants_fts USING fts4(content="participants",gaia_id,full_name)', 'participants_fts_docsize': "CREATE TABLE 'participants_fts_docsize'(docid INTEGER PRIMARY KEY, size BLOB)", 'participants_fts_segdir': "CREATE TABLE 'participants_fts_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx))", 'participants_fts_segments': "CREATE TABLE 'participants_fts_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'participants_fts_stat': "CREATE TABLE 'participants_fts_stat'(id INTEGER PRIMARY KEY, value BLOB)", 'presence': 'CREATE TABLE presence (_id INTEGER PRIMARY KEY, gaia_id TEXT NOT NULL, reachable INT DEFAULT(0), reachable_time INT DEFAULT(0), available INT DEFAULT(0), available_time INT DEFAULT(0), status_message TEXT, status_message_time INT DEFAULT(0), call_type INT DEFAULT(0), call_type_time INT DEFAULT(0), device_status INT DEFAULT(0), device_status_time INT DEFAULT(0), last_seen INT DEFAULT(0), last_seen_time INT DEFAULT(0), location BLOB, location_time INT DEFAULT(0), UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'recent_calls': 'CREATE TABLE recent_calls (_id INTEGER PRIMARY KEY, normalized_number TEXT NOT NULL, phone_number TEXT, contact_id TEXT, call_timestamp INT, call_type INT, contact_type INT, call_rate TEXT, is_free_call BOOLEAN)', 'search': 'CREATE TABLE search (search_key TEXT NOT NULL,continuation_token TEXT,PRIMARY KEY (search_key))', 'sticker_albums': 'CREATE TABLE sticker_albums (album_id TEXT NOT NULL, title TEXT, cover_photo_id TEXT, last_used INT DEFAULT(0), PRIMARY KEY (album_id))', 'sticker_photos': 'CREATE TABLE sticker_photos (photo_id TEXT NOT NULL, album_id TEXT NOT NULL, url TEXT NOT NULL, file_name TEXT, last_used INT DEFAULT(0), PRIMARY KEY (photo_id), FOREIGN KEY 
(album_id) REFERENCES sticker_albums(album_id) ON DELETE CASCADE)', 'suggested_contacts': 'CREATE TABLE suggested_contacts (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, first_name TEXT, packed_circle_ids TEXT, profile_photo_url TEXT, sequence INT, suggestion_type INT, logging_id TEXT, affinity_score REAL DEFAULT (0.0), is_in_same_domain INT DEFAULT (0))'}]
plaso.parsers.sqlite_plugins.android_sms module
SQLite parser plugin for Android text messages (SMS) database files.
- class plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Android SMS event data.
- address
phone number associated with the sender or receiver.
- Type:
str
- body
content of the SMS text message.
- Type:
str
- creation_time
creation date and time of the message.
- Type:
dfdatetime.DateTimeValues
- offset
identifier of the row, from which the event data was extracted.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- sms_read
message read status, either Read or Unread.
- Type:
int
- sms_type
message type, either Sent or Received.
- Type:
int
- DATA_TYPE = 'android:messaging:sms'
- class plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Android text messages (SMS) database files.
The Android text messages (SMS) database file is typically stored in: mmssms.dbs
- DATA_FORMAT = 'Android text messages (SMS) SQLite database (mmssms.dbs) file'
- NAME = 'android_sms'
- ParseSmsRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses an SMS row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT _id AS id, address, date, read, type, body FROM sms', 'ParseSmsRow')]
- REQUIRED_STRUCTURE = {'sms': frozenset({'_id', 'address', 'body', 'date', 'read', 'type'})}
- SCHEMAS = [{'addr': 'CREATE TABLE addr (_id INTEGER PRIMARY KEY, msg_id INTEGER, contact_id INTEGER, address TEXT, type INTEGER, charset INTEGER)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'attachments': 'CREATE TABLE attachments (sms_id INTEGER, content_url TEXT, offset INTEGER)', 'canonical_addresses': 'CREATE TABLE canonical_addresses (_id INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT)', 'drm': 'CREATE TABLE drm (_id INTEGER PRIMARY KEY, _data TEXT)', 'part': 'CREATE TABLE part (_id INTEGER PRIMARY KEY AUTOINCREMENT, mid INTEGER, seq INTEGER DEFAULT 0, ct TEXT, name TEXT, chset INTEGER, cd TEXT, fn TEXT, cid TEXT, cl TEXT, ctt_s INTEGER, ctt_t TEXT, _data TEXT, text TEXT)', 'pd': 'CREATE TABLE pdu (_id INTEGER PRIMARY KEY AUTOINCREMENT, thread_id INTEGER, date INTEGER, date_sent INTEGER DEFAULT 0, msg_box INTEGER, read INTEGER DEFAULT 0, m_id TEXT, sub TEXT, sub_cs INTEGER, ct_t TEXT, ct_l TEXT, exp INTEGER, m_cls TEXT, m_type INTEGER, v INTEGER, m_size INTEGER, pri INTEGER, rr INTEGER, rpt_a INTEGER, resp_st INTEGER, st INTEGER, tr_id TEXT, retr_st INTEGER, retr_txt TEXT, retr_txt_cs INTEGER, read_status INTEGER, ct_cls INTEGER, resp_txt TEXT, d_tm INTEGER, d_rpt INTEGER, locked INTEGER DEFAULT 0, seen INTEGER DEFAULT 0, text_only INTEGER DEFAULT 0)', 'pending_msgs': 'CREATE TABLE pending_msgs (_id INTEGER PRIMARY KEY, proto_type INTEGER, msg_id INTEGER, msg_type INTEGER, err_type INTEGER, err_code INTEGER, retry_index INTEGER NOT NULL DEFAULT 0, due_time INTEGER, last_try INTEGER)', 'rate': 'CREATE TABLE rate (sent_time INTEGER)', 'raw': 'CREATE TABLE raw (_id INTEGER PRIMARY KEY, date INTEGER, reference_number INTEGER, count INTEGER, sequence INTEGER, destination_port INTEGER, address TEXT, pdu TEXT)', 'sms': 'CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT, person INTEGER, date INTEGER, date_sent INTEGER DEFAULT 0, protocol INTEGER, read INTEGER DEFAULT 0, status INTEGER DEFAULT -1, type INTEGER, 
reply_path_present INTEGER, subject TEXT, body TEXT, service_center TEXT, locked INTEGER DEFAULT 0, error_code INTEGER DEFAULT 0, seen INTEGER DEFAULT 0)', 'sr_pending': 'CREATE TABLE sr_pending (reference_number INTEGER, action TEXT, data TEXT)', 'threads': 'CREATE TABLE threads (_id INTEGER PRIMARY KEY AUTOINCREMENT, date INTEGER DEFAULT 0, message_count INTEGER DEFAULT 0, recipient_ids TEXT, snippet TEXT, snippet_cs INTEGER DEFAULT 0, read INTEGER DEFAULT 1, type INTEGER DEFAULT 0, error INTEGER DEFAULT 0, has_attachment INTEGER DEFAULT 0)', 'words': 'CREATE VIRTUAL TABLE words USING FTS3 (_id INTEGER PRIMARY KEY, index_text TEXT, source_id INTEGER, table_to_use INTEGER)', 'words_content': "CREATE TABLE 'words_content'(docid INTEGER PRIMARY KEY, 'c0_id', 'c1index_text', 'c2source_id', 'c3table_to_use')", 'words_segdir': "CREATE TABLE 'words_segdir'(level INTEGER, idx INTEGER, start_block INTEGER, leaves_end_block INTEGER, end_block INTEGER, root BLOB, PRIMARY KEY(level, idx))", 'words_segments': "CREATE TABLE 'words_segments'(blockid INTEGER PRIMARY KEY, block BLOB)"}]
plaso.parsers.sqlite_plugins.android_tango module
SQLite parser plugin for Tango on Android database files.
- class plaso.parsers.sqlite_plugins.android_tango.AndroidTangoContactEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Tango on Android contact event data.
- access_time
date and time the contact was last accessed.
- Type:
dfdatetime.DateTimeValues
- birthday
contact profile birthday.
- Type:
str
- distance
contact profile distance.
- Type:
int
- first_name
contact profile first name.
- Type:
str
- friend_request_message
message sent on friend request.
- Type:
str
- friend_request_time
date and time a friend request was sent.
- Type:
dfdatetime.DateTimeValues
- friend_request_type
flag indicating the type of friend request sent, for example outRequest for request sent or noRequest for no request.
- Type:
str
- gender
contact profile gender.
- Type:
str
- is_friend
True if the contact is considered a friend.
- Type:
bool
- last_active_time
date and time the contact was last active.
- Type:
dfdatetime.DateTimeValues
- last_name
contact profile last name.
- Type:
str
- status
contact status message.
- Type:
str
- DATA_TYPE = 'android:tango:contact'
- class plaso.parsers.sqlite_plugins.android_tango.AndroidTangoConversationEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Tango on Android conversation event data.
- conversation_identifier
conversation identifier.
- Type:
int
- DATA_TYPE = 'android:tango:conversation'
- class plaso.parsers.sqlite_plugins.android_tango.AndroidTangoMessageEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Tango on Android message event data.
- creation_time
date and time the message was created.
- Type:
dfdatetime.DateTimeValues
- direction
flag indicating direction of the message.
- Type:
int
- message_identifier
message identifier.
- Type:
int
- sent_time
date and time the message was sent.
- Type:
dfdatetime.DateTimeValues
- DATA_TYPE = 'android:tango:message'
- class plaso.parsers.sqlite_plugins.android_tango.AndroidTangoProfilePlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Tango on Android profile database files.
- DATA_FORMAT = 'Tango on Android profile SQLite database file'
- NAME = 'tango_android_profile'
- ParseContactRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a contact row from the database.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row resulting from query.
- QUERIES = [('SELECT itemLastActiveTime AS last_active_time, itemLastLocalAccessTime AS last_access_time, itemFriendRequestTime AS friend_request_time, itemFirstName AS first_name, itemLastName AS last_name, itemBirthday AS birthday, itemGender AS gender, itemStatus AS status, itemDistance AS distance, itemIsFriend AS friend, itemFriendRequestType AS friend_request_type, itemFriendRequestMessage AS friend_request_message FROM profiletable', 'ParseContactRow')]
- REQUIRED_STRUCTURE = {'profiletable': frozenset({'itemBirthday', 'itemDistance', 'itemFirstName', 'itemFriendRequestMessage', 'itemFriendRequestTime', 'itemFriendRequestType', 'itemGender', 'itemIsFriend', 'itemLastActiveTime', 'itemLastLocalAccessTime', 'itemLastName', 'itemStatus'})}
- SCHEMAS = [{'profiles': 'CREATE TABLE `profiles` (`key` TEXT PRIMARY KEY, `value` TEXT)', 'profiletable': 'CREATE TABLE `profiletable` (`itemUserId` TEXT PRIMARY KEY, `itemFirstName` TEXT NOT NULL, `itemLastName` TEXT NOT NULL, `itemBirthday` TEXT NOT NULL, `itemGender` TEXT NOT NULL, `itemStatus` TEXT NOT NULL, `itemLastActiveTime` BIGINT NOT NULL, `itemDistance` DOUBLE NOT NULL, `itemCity` TEXT NOT NULL, `itemGeoCountryCode` TEXT NOT NULL, `itemAvatarUrl` TEXT NOT NULL, `itemThumbnailUrl` TEXT NOT NULL, `itemVideoUrl` TEXT NOT NULL, `itemVideoThumbnailUrl` TEXT NOT NULL, `itemBackgroundUrl` TEXT NOT NULL, `itemIsFriend` INTEGER NOT NULL, `itemIsBlocked` INTEGER NOT NULL, `itemFriendRequestType` TEXT NOT NULL, `itemReverseRelationships` TEXT NOT NULL, `itemFavoriterCount` INTEGER NOT NULL, `itemFavoritingCount` INTEGER NOT NULL, `itemFeedCount` INTEGER NOT NULL, `itemRefereneCount` INTEGER NOT NULL, `itemLevel1DataSyncTime` BIGINT NOT NULL, `itemLevel2DataSyncTime` BIGINT NOT NULL, `itemLevel3DataSyncTime` BIGINT NOT NULL, `itemLevel4DataSyncTime` BIGINT NOT NULL, `itemLevel5DataSyncTime` BIGINT NOT NULL, `itemLastLocalAccessTime` BIGINT NOT NULL, `itemFriendRequestId` TEXT NOT NULL, `itemFriendRequestMessage` TEXT NOT NULL, `itemFriendRequestTime` BIGINT NOT NULL, `itemIsNewFriendRequest` INTEGER NOT NULL, `itemFriendRequestTCMessageId` INTEGER NOT NULL, `itemFriendRequestContext` TEXT NOT NULL, `itemFriendRequestAttachedPostType` INTEGER NOT NULL, `itemFriendRequestAttachedPostContent` TEXT NOT NULL, `itemFriendRequestHasBeenForwardedToTc` INTEGER NOT NULL, `itemProfileType` TEXT NOT NULL, `itemDatingAge` INTEGER NOT NULL, `itemDatingLocationString` TEXT NOT NULL, `itemDatingSeekingString` TEXT NOT NULL, `itemDatingEssayText` TEXT NOT NULL, `itemDatingBodyType` TEXT NOT NULL, `itemDatingLastActive` TEXT NOT NULL, `itemDatingProfileUrl` TEXT NOT NULL, `itemLastTimeOfLikeProfile` BIGINT NOT NULL, `itemIsHidden` INTEGER NOT NULL, `itemPrivacy` INTEGER NOT NULL, 
`itemCanSeeMyPost` INTEGER NOT NULL, `itemCanShareMyPost` INTEGER NOT NULL, `itemCanContactMe` INTEGER NOT NULL)'}]
- class plaso.parsers.sqlite_plugins.android_tango.AndroidTangoTCPlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Tango on Android TC database files.
- DATA_FORMAT = 'Tango on Android TC SQLite database file'
- NAME = 'tango_android_tc'
- ParseConversationRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a conversation row from the database.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row resulting from query.
- ParseMessageRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a message row from the database.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row resulting from query.
- QUERIES = [('SELECT conversations.conv_id AS conv_id, conversations.payload AS payload FROM conversations', 'ParseConversationRow'), ('SELECT messages.create_time AS create_time, messages.send_time AS send_time, messages.msg_id AS msg_id, messages.payload AS payload, messages.direction AS direction FROM messages LEFT JOIN likes ON messages.msg_id = likes.msg_id', 'ParseMessageRow')]
- REQUIRED_STRUCTURE = {'conversations': frozenset({'conv_id', 'payload'}), 'likes': frozenset({'msg_id'}), 'messages': frozenset({'create_time', 'direction', 'msg_id', 'payload', 'send_time'})}
- SCHEMAS = [{'conversations': 'CREATE TABLE `conversations` (`conv_id` TEXT PRIMARY KEY, `conv_type` INTEGER DEFAULT 0, `payload` BLOB, `last_msg_id` INTEGER, `unread_count` INTEGER, `last_read_sent_msg_id` INTEGER, `conv_del_status` INTEGER DEFAULT 0, `deleting_ts` BIGINT DEFAULT 0, `conv_restore_status` INTEGER DEFAULT 0, `peers_read` TEXT, `total_received_msg_count` INTEGER DEFAULT -1, `communication_context` INTEGER DEFAULT 0)', 'games': 'CREATE TABLE `games` (`game_session_id` TEXT PRIMARY KEY, `message_id` INTEGER, `conversation_id` TEXT, `game_id` TEXT, `game_state` INTEGER, `action_timestamp` BIGINT, `current_player_account_id` TEXT)', 'likes': 'CREATE TABLE `likes` (`msg_id` INTEGER PRIMARY KEY, `global_msg_id` TEXT, `conv_id` TEXT, `liker_aid` TEXT, `act_type` INTEGER, `status` INTEGER, `act_ts` BIGINT, `payload` BLOB)', 'messages': 'CREATE TABLE `messages` (`msg_id` INTEGER PRIMARY KEY, `conv_id` TEXT, `type` INTEGER, `media_id` TEXT, `share_id` TEXT, `create_time` BIGINT, `send_time` BIGINT, `direction` INTEGER, `status` INTEGER, `payload` BLOB, `del_status` INTEGER)', 'profiles': 'CREATE TABLE `profiles` (`key` TEXT PRIMARY KEY, `value` TEXT)', 'receipts': 'CREATE TABLE `receipts` (`conv_id` TEXT PRIMARY KEY, `msg_id` INTEGER, `sender_msg_id` INTEGER, `sender_aids` TEXT, `type` INTEGER, `create_time` BIGINT, `status` INTEGER, `payload` BLOB)', 'sms': 'CREATE TABLE `sms` (`msg_id` INTEGER PRIMARY KEY, `phonenumber` TEXT, `text` TEXT)'}]
plaso.parsers.sqlite_plugins.android_turbo module
SQLite parser plugin for Android turbo database files.
- class plaso.parsers.sqlite_plugins.android_turbo.AndroidTurboBatteryEvent(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Android turbo battery event data.
- battery_level
Remaining battery level, expressed as a percentage.
- Type:
int
- battery_saver
Indicates if battery saver is turned on.
- Type:
int
- charge_type
Indicates that the device is charging.
- Type:
int
- recorded_time
date and time the battery event was recorded.
- Type:
dfdatetime.DateTimeValues
- DATA_TYPE = 'android:event:battery'
- class plaso.parsers.sqlite_plugins.android_turbo.AndroidTurboPlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Android’s turbo.db database files.
- DATA_FORMAT = 'Android turbo SQLite database (turbo.db) file'
- NAME = 'android_turbo'
- ParseBatteryEventRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a row from the battery_event table.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT timestamp_millis, battery_level, charge_type, battery_saver FROM battery_event', 'ParseBatteryEventRow')]
- REQUIRED_STRUCTURE = {'battery_event': frozenset({'battery_level', 'battery_saver', 'charge_type', 'timestamp_millis'})}
- SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'battery_event': 'CREATE TABLE battery_event(timestamp_millis INTEGER PRIMARY KEY DESC, battery_level INTEGER, charge_type INTEGER, battery_saver INTEGER, timezone TEXT, place_key INTEGER, FOREIGN KEY(place_key) REFERENCES charging_places(_id))', 'charging_places': 'CREATE TABLE charging_places(_id INTEGER PRIMARY KEY, place_name TEXT, place_api_id TEXT, UNIQUE(place_api_id) ON CONFLICT IGNORE)'}]
plaso.parsers.sqlite_plugins.android_twitter module
SQLite parser plugin for Twitter on Android database files.
- class plaso.parsers.sqlite_plugins.android_twitter.AndroidTwitterContactEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Twitter on Android contact event data.
- creation_time
date and time the contact was created.
- Type:
dfdatetime.DateTimeValues
- description
twitter account profile description.
- Type:
str
- followers
number of followers.
- Type:
int
- friends
number of following.
- Type:
int
- friendship_time
date and time the contact was befriended.
- Type:
dfdatetime.DateTimeValues
- identifier
contact row id.
- Type:
int
- image_url
profile picture url.
- Type:
str
- location
twitter account profile location content.
- Type:
str
- modification_time
date and time the contact was last modified.
- Type:
dfdatetime.DateTimeValues
- name
twitter account name.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- statuses
twitter account number of tweets.
- Type:
int
- user_identifier
twitter account id.
- Type:
int
- username
twitter account handler.
- Type:
str
- web_url
twitter account profile url content.
- Type:
str
- DATA_TYPE = 'android:twitter:contact'
- class plaso.parsers.sqlite_plugins.android_twitter.AndroidTwitterPlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Twitter on Android database files.
- DATA_FORMAT = 'Twitter on Android SQLite database file'
- NAME = 'twitter_android'
- ParseContactRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a contact row from the database.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row resulting from query.
- ParseSearchRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a search row from the database.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row resulting from query.
- ParseStatusRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a status row from the database.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row resulting from query.
- QUERIES = [('SELECT name, query, time FROM search_queries', 'ParseSearchRow'), ('SELECT statuses._id AS _id, statuses.author_id AS author_id, users.username AS username, statuses.content AS content, statuses.created AS time, statuses.favorited AS favorited, statuses.retweeted AS retweeted FROM statuses LEFT JOIN users ON statuses.author_id = users.user_id', 'ParseStatusRow'), ('SELECT _id, user_id, username, name, profile_created, description, web_url, location, followers, friends, statuses, image_url, updated, friendship_time FROM users', 'ParseContactRow')]
- REQUIRED_STRUCTURE = {'search_queries': frozenset({'name', 'query', 'time'}), 'statuses': frozenset({'_id', 'author_id', 'content', 'created', 'favorited', 'retweeted'}), 'users': frozenset({'_id', 'description', 'followers', 'friends', 'friendship_time', 'image_url', 'location', 'name', 'profile_created', 'statuses', 'updated', 'user_id', 'username', 'web_url'})}
- SCHEMAS = [{'activities': 'CREATE TABLE activities (_id INTEGER PRIMARY KEY,type INT,event INT,created_at INT,hash INT,max_position INT,min_position INT,sources_size INT,source_type INT,sources BLOB,targets_size INT,target_type INT,targets BLOB,target_objects_size INT,target_object_type INT,target_objects BLOB,is_last INT,tag INT,magic_rec_id INT,UNIQUE (type, max_position) ON CONFLICT REPLACE)', 'ads_account_permissions': 'CREATE TABLE ads_account_permissions (_id INTEGER PRIMARY KEY,promotable_users BLOB,last_synced INT NOT NULL)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'business_profiles': 'CREATE TABLE business_profiles (_id INTEGER PRIMARY KEY,user_id INT UNIQUE NOT NULL,business_profile BLOB,last_synced INT NOT NULL)', 'card_state': 'CREATE TABLE card_state (_id INTEGER PRIMARY KEY AUTOINCREMENT,card_status_id INT,card_id INT, card_state BLOB)', 'category_timestamp': 'CREATE TABLE category_timestamp (_id INTEGER PRIMARY KEY,cat_status_id INT NOT NULL,cat_tag INT NOT NULL,cat_timestamp INT NOT NULL)', 'clusters': 'CREATE TABLE clusters (_id INTEGER PRIMARY KEY,cl_cluster_id TEXT UNIQUE NOT NULL,cl_type INT,cl_title TEXT,cl_subtitle TEXT,cl_size INT,cl_timestamp INT,cl_content BLOB)', 'conversation_entries': 'CREATE TABLE conversation_entries (_id INTEGER PRIMARY KEY,entry_id INT UNIQUE NOT NULL,sort_entry_id INT UNIQUE NOT NULL,conversation_id TEXT,user_id INT,created INT,entry_type INT,data BLOB,request_id TEXT)', 'conversation_participants': 'CREATE TABLE conversation_participants (_id INTEGER PRIMARY KEY,conversation_id TEXT NOT NULL,user_id TEXT NOT NULL,join_time INT NOT NULL,participant_type INT NOT NULL)', 'conversations': 'CREATE TABLE conversations (_id INTEGER PRIMARY KEY,conversation_id TEXT UNIQUE NOT NULL,title TEXT,avatar_url TEXT,type INT,sort_event_id BIGINT,last_readable_event_id BIGINT,last_read_event_id BIGINT,sort_timestamp BIGINT,is_muted INT,min_event_id BIGINT,is_hidden INT,has_more INT,read_only INT)', 
'cursors': 'CREATE TABLE cursors (_id INTEGER PRIMARY KEY,kind INT,type INT,owner_id INT,ref_id TEXT,next TEXT)', 'dismiss_info': 'CREATE TABLE dismiss_info(timeline_id INTEGER REFERENCES timeline(_id),feedback_action_id INTEGER REFERENCES feedback_action(_id),UNIQUE(timeline_id,feedback_action_id))', 'feedback_action': 'CREATE TABLE feedback_action(_id INTEGER PRIMARY KEY AUTOINCREMENT,feedback_type TEXT,prompt TEXT,confirmation TEXT,UNIQUE(feedback_type,prompt,confirmation))', 'list_mapping': 'CREATE TABLE list_mapping (_id INTEGER PRIMARY KEY,list_mapping_list_id TEXT,list_mapping_type INT,list_mapping_user_id INT,list_is_last INT)', 'locations': 'CREATE TABLE locations (_id INTEGER PRIMARY KEY,name TEXT,woeid INT,country TEXT,country_code TEXT)', 'moments': 'CREATE TABLE moments (_id INTEGER PRIMARY KEY,title TEXT NOT NULL,can_subscribe INT,is_live INT,is_sensitive INT,subcategory_string TEXT,subcategory_favicon_url TEXT,time_string TEXT,duration_string TEXT,is_subscribed INT,description TEXT NOT NULL,moment_url TEXT,num_subscribers INT,author_info BLOB,promoted_content BLOB)', 'moments_guide': 'CREATE TABLE moments_guide (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,section_id INT NOT NULL,tweet_id INT NOT NULL, crop_data BLOB,media_id INT,media_url TEXT,media_size BLOB,FOREIGN KEY(section_id) REFERENCES moments_sections(_id) ON DELETE CASCADE)', 'moments_guide_categories': 'CREATE TABLE moments_guide_categories (_id INTEGER PRIMARY KEY,category_id TEXT NOT NULL,is_default_category INT NOT NULL,category_name TEXT NOT NULL,fetch_timestamp INT NOT NULL)', 'moments_guide_user_states': 'CREATE TABLE moments_guide_user_states (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,is_read INT,is_updated INT,FOREIGN KEY(moment_id) REFERENCES moments(_id) ON DELETE CASCADE)', 'moments_pages': 'CREATE TABLE moments_pages (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,page_id TEXT,type BLOB,tweet_id INT,display_mode BLOB,page_number INT,crop_data BLOB,theme_data 
BLOB,media_id INT,media_size BLOB,media_url TEXT,last_read_timestamp INT,FOREIGN KEY(moment_id) REFERENCES moments(_id))', 'moments_sections': 'CREATE TABLE moments_sections (_id INTEGER PRIMARY KEY,section_title TEXT,section_type BLOB NOT NULL,section_group_id TEXT,section_group_type INT NOT NULL)', 'moments_visit_badge': 'CREATE TABLE moments_visit_badge (_id INTEGER PRIMARY KEY,moment_id INT UNIQUE NOT NULL,is_new_since_visit INT,is_updated_since_visit INT)', 'news': 'CREATE TABLE news (_id INTEGER PRIMARY KEY AUTOINCREMENT,country TEXT,language TEXT,topic_id INT,news_id TEXT,title TEXT,image_url TEXT,author_name TEXT,article_description TEXT,article_url TEXT,tweet_count INT,start_time INT,news_id_hash INT)', 'notifications': 'CREATE TABLE notifications (_id INTEGER PRIMARY KEY,type INT,notif_id INT,source_user_name TEXT,s_name TEXT,s_id INT,notif_txt TEXT,aggregation_data TEXT,notif_extra_data BLOB)', 'one_click': 'CREATE TABLE one_click (_id INTEGER PRIMARY KEY,topic TEXT,filter_name TEXT,filter_location TEXT,filter_follow INT)', 'order_history': 'CREATE TABLE order_history (_id INTEGER PRIMARY KEY,ordered_at INT ,order_id INT ,data BLOB)', 'promoted_retry': 'CREATE TABLE promoted_retry(impression_id TEXT,event INT NOT NULL,is_earned INT NOT NULL,trend_id INT,num_retries INT NOT NULL,url TEXT,video_playlist_url TEXT,video_content_uuid TEXT,video_content_type TEXT,video_cta_url TEXT,video_cta_app_id TEXT,video_cta_app_name TEXT,card_event TEXT,PRIMARY KEY(impression_id,event,is_earned,trend_id))', 'prompts': 'CREATE TABLE prompts (_id INTEGER PRIMARY KEY,p_id INT,p_format TEXT,p_template TEXT,p_header TEXT,p_text TEXT,p_action_text TEXT,p_action_url TEXT,p_icon TEXT,p_background_image_url TEXT,p_persistence TEXT,p_entities BLOB,p_header_entities BLOB,p_status_id LONG,p_insertion_index INT,p_trigger TEXT)', 'rankings': 'CREATE TABLE rankings (_id INTEGER PRIMARY KEY AUTOINCREMENT,country TEXT,language TEXT,granularity TEXT,category TEXT,date INT)', 
'search_queries': 'CREATE TABLE search_queries (_id INTEGER PRIMARY KEY,type INT,name TEXT NOT NULL,query TEXT NOT NULL,query_id INT,time INT,latitude REAL,longitude REAL,radius REAL,location TEXT,pc BLOB,cluster_titles BLOB)', 'search_results': 'CREATE TABLE search_results (_id INTEGER PRIMARY KEY,search_id INT,s_type INT,data_type INT,type_id INT,polled INT,data_id INT,related_data BLOB,cluster_id INT)', 'search_suggestion_metadata': 'CREATE TABLE search_suggestion_metadata (_id INTEGER PRIMARY KEY,type INT,last_update LONG)', 'status_groups': 'CREATE TABLE status_groups (_id INTEGER PRIMARY KEY,tweet_type INT DEFAULT 0,type INT,sender_id INT,owner_id INT,ref_id INT,tag INT,g_status_id INT,is_read INT,page INT,is_last INT,updated_at INT,timeline INT,pc BLOB,g_flags INT,preview_draft_id INT,preview_media BLOB,tweet_pivots BLOB)', 'status_metadata': 'CREATE TABLE status_metadata (_id INTEGER PRIMARY KEY,owner_id INT NOT NULL,status_id INT NOT NULL,status_group INT NOT NULL,status_group_tag INT NOT NULL,soc_type INT,soc_name TEXT,soc_second_name TEXT,soc_others_count INT,soc_fav_count INT,soc_rt_count INT,reason_icon_type TEXT,reason_text TEXT,scribe_component TEXT,scribe_data BLOB,highlights TEXT)', 'statuses': 'CREATE TABLE statuses (_id INTEGER PRIMARY KEY,status_id INT UNIQUE NOT NULL,author_id INT,content TEXT,source TEXT,created INT,in_r_user_id INT,in_r_status_id INT,favorited INT,latitude TEXT,longitude TEXT,place_data BLOB,entities TEXT,retweet_count INT,r_content TEXT,cards BLOB,flags INT,favorite_count INT,lang TEXT,supplemental_language TEXT,view_count INT,quoted_tweet_data BLOB,quoted_tweet_id INT,retweeted INT)', 'stories': 'CREATE TABLE stories ( _id INTEGER PRIMARY KEY,story_id TEXT,story_order INT,story_type INT,story_proof_type INT,story_proof_addl_count INT,data_type INT,data_id INT,story_is_read INT,story_meta_title TEXT,story_meta_subtitle TEXT,story_meta_query TEXT,story_meta_header_img_url TEXT,story_source TEXT,story_impression_info 
TEXT,story_tag INT)', 'timeline': 'CREATE TABLE timeline (_id INTEGER PRIMARY KEY AUTOINCREMENT,owner_id INT,type INT,sort_index INT,entity_id INT,entity_type INT,data_type INT,data_type_group INT,data_type_tag INT,timeline_tag TEXT,timeline_group_id INT,timeline_scribe_group_id INT,data_id INT,data BLOB,flags INT,updated_at INT,data_origin_id TEXT,is_last INT,is_read INT,scribe_content BLOB,timeline_moment_info BLOB,dismissed INT NOT NULL DEFAULT 0,dismiss_actions INT NOT NULL DEFAULT 0)', 'tokens': 'CREATE TABLE tokens (_id INTEGER PRIMARY KEY,text TEXT,weight INT,type INT,ref_id INT)', 'topics': 'CREATE TABLE topics (_id INTEGER PRIMARY KEY,ev_id TEXT UNIQUE NOT NULL,ev_type INT,ev_query TEXT NOT NULL,ev_seed_hashtag TEXT,ev_title STRING,ev_subtitle STRING,ev_view_url STRING,ev_status STRING,ev_image_url TEXT,ev_explanation TEXT,ev_tweet_count INT,ev_start_time INT,ev_owner_id INT,ev_pc BLOB,ev_content BLOB,ev_hash INT)', 'user_groups': 'CREATE TABLE user_groups (_id INTEGER PRIMARY KEY,type INT,tag INT,rank INT,owner_id INT,user_id INT,is_last INT,pc BLOB,g_flags INT)', 'user_metadata': 'CREATE TABLE user_metadata (_id INTEGER PRIMARY KEY,owner_id INT NOT NULL,user_id INT NOT NULL,user_group_type INT NOT NULL,user_group_tag INT NOT NULL,soc_type INT,soc_name TEXT,soc_follow_count INT,user_title TEXT,token TEXT)', 'users': 'CREATE TABLE users (_id INTEGER PRIMARY KEY,user_id INT UNIQUE NOT NULL,username TEXT,name TEXT,description TEXT,web_url TEXT,bg_color INT,location TEXT,structured_location BLOB,user_flags INT,followers INT,fast_followers INT DEFAULT 0,friends INT,statuses INT,profile_created INT,image_url TEXT,hash INT,updated INT,friendship INT,friendship_time INT,favorites INT DEFAULT 0,header_url TEXT,description_entities BLOB,url_entities BLOB,media_count INT,extended_profile_fields BLOB,pinned_tweet_id INT,link_color INT,advertiser_type TEXT,business_profile_state TEXT)'}]
- class plaso.parsers.sqlite_plugins.android_twitter.AndroidTwitterSearchEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Twitter on Android search event data.
- creation_time
date and time the search was created.
- Type:
dfdatetime.DateTimeValues
- name
twitter name handler.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- search_query
search query.
- Type:
str
- DATA_TYPE = 'android:twitter:search'
- class plaso.parsers.sqlite_plugins.android_twitter.AndroidTwitterStatusEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Twitter on Android status event data.
- author_identifier
twitter account identifier.
- Type:
int
- content
status content.
- Type:
str
- creation_time
date and time the status was created.
- Type:
dfdatetime.DateTimeValues
- favorited
favorited flag as 0/1 value.
- Type:
int
- identifier
status row identifier.
- Type:
int
- query
SQL query that was used to obtain the event data.
- Type:
str
- retweeted
retweeted flag as 0/1 value.
- Type:
int
- username
twitter account handler.
- Type:
str
- DATA_TYPE = 'android:twitter:status'
plaso.parsers.sqlite_plugins.android_webview module
SQLite parser plugin for Android WebView database files.
- class plaso.parsers.sqlite_plugins.android_webview.AndroidWebViewCookieEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Android WebView cookie event data.
- cookie_name
name of the cookie.
- Type:
str
- data
data stored in the cookie.
- Type:
str
- expiration_time
date and time the cookie expires.
- Type:
dfdatetime.DateTimeValues
- host
host that set the cookie.
- Type:
str
- offset
identifier of the row, from which the event data was extracted.
- Type:
str
- path
path for which the cookie was set.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- secure
True if the cookie should only be transmitted over a secure channel.
- Type:
bool
- url
URL of the cookie.
- Type:
str
- DATA_TYPE = 'android:webview:cookie'
- class plaso.parsers.sqlite_plugins.android_webview.AndroidWebViewPlugin[source]
Bases:
SQLitePlugin, CookiePluginsHelper
SQLite parser plugin for Android WebView database files.
- DATA_FORMAT = 'Android WebView SQLite database file'
- NAME = 'android_webview'
- ParseCookieRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a row from the database.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = frozenset({('SELECT _id, name, value, domain, expires, path, secure FROM cookies', 'ParseCookieRow')})
- REQUIRED_STRUCTURE = {'android_metadata': frozenset({}), 'cookies': frozenset({'_id', 'domain', 'expires', 'name', 'path', 'secure', 'value'})}
- SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'cookies': 'CREATE TABLE cookies (_id INTEGER PRIMARY KEY, name TEXT, value TEXT, domain TEXT, path TEXT, expires INTEGER, secure INTEGER)', 'formdata': 'CREATE TABLE formdata (_id INTEGER PRIMARY KEY, urlid INTEGER, name TEXT, value TEXT, UNIQUE (urlid, name, value) ON CONFLICT IGNORE)', 'formurl': 'CREATE TABLE formurl (_id INTEGER PRIMARY KEY, url TEXT)', 'httpauth': 'CREATE TABLE httpauth (_id INTEGER PRIMARY KEY, host TEXT, realm TEXT, username TEXT, password TEXT, UNIQUE (host, realm) ON CONFLICT REPLACE)', 'password': 'CREATE TABLE password (_id INTEGER PRIMARY KEY, host TEXT, username TEXT, password TEXT, UNIQUE (host, username) ON CONFLICT REPLACE)'}]
plaso.parsers.sqlite_plugins.android_webviewcache module
SQLite parser plugin for Android WebviewCache database files.
- class plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCacheEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Android WebViewCache event data.
- content_length
size of the cached content.
- Type:
int
- expiration_time
date and time the cache entry expires.
- Type:
dfdatetime.DateTimeValues
- last_modified_time
date and time the cache entry was last modified.
- Type:
dfdatetime.DateTimeValues
- query
SQL query that was used to obtain the event data.
- Type:
str
- url
URL the content was retrieved from.
- Type:
str
- DATA_TYPE = 'android:webviewcache'
- class plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Android WebviewCache database files.
- DATA_FORMAT = 'Android WebViewCache SQLite database file'
- NAME = 'android_webviewcache'
- ParseRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a row from the database.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = frozenset({('SELECT url, contentlength, expires, lastmodify FROM cache', 'ParseRow')})
- REQUIRED_STRUCTURE = {'android_metadata': frozenset({}), 'cache': frozenset({'contentlength', 'expires', 'lastmodify', 'url'})}
- SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'cache': 'CREATE TABLE cache (_id INTEGER PRIMARY KEY, url TEXT, filepath TEXT, lastmodify TEXT, etag TEXT, expires INTEGER, expiresstring TEXT, mimetype TEXT, encoding TEXT, httpstatus INTEGER, location TEXT, contentlength INTEGER, contentdisposition TEXT, UNIQUE (url) ON CONFLICT REPLACE)'}]
plaso.parsers.sqlite_plugins.chrome_autofill module
SQLite parser plugin for Google Chrome autofill database (Web Data) files.
- class plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Chrome Autofill event data.
- creation_time
creation date and time of the autofill entry.
- Type:
dfdatetime.DateTimeValues
- field_name
name of form field.
- Type:
str
- last_used_time
date and time the autofill entry was last used.
- Type:
dfdatetime.DateTimeValues
- query
SQL query that was used to obtain the event data.
- Type:
str
- usage_count
count of times value has been used in field_name.
- Type:
int
- value
value populated in form field.
- Type:
str
- DATA_TYPE = 'chrome:autofill:entry'
- class plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Google Chrome autofill database (Web Data) files.
The Google Chrome autofill database (Web Data) file is typically stored in: Web Data
- DATA_FORMAT = 'Google Chrome autofill SQLite database (Web Data) file'
- NAME = 'chrome_autofill'
- ParseAutofillRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses an autofill entry row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT autofill.date_created, autofill.date_last_used, autofill.name, autofill.value, autofill.count FROM autofill ORDER BY date_created', 'ParseAutofillRow')]
- REQUIRED_STRUCTURE = {'autofill': frozenset({'count', 'date_created', 'date_last_used', 'name', 'value'})}
- SCHEMAS = [{'autofill': 'CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower VARCHAR, date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0, count INTEGER DEFAULT 1, PRIMARY KEY (name, value));)'}]
plaso.parsers.sqlite_plugins.chrome_extension_activity module
SQLite parser plugin for Google Chrome extension activity database files.
- class plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Chrome Extension Activity event data.
- action_type
action type.
- Type:
str
- activity_id
activity identifier.
- Type:
str
- api_name
name of API.
- Type:
str
- arg_url
URL argument.
- Type:
str
- args
arguments.
- Type:
str
- extension_id
extension identifier.
- Type:
str
- other
other.
- Type:
str
- page_title
title of webpage.
- Type:
str
- page_url
URL of webpage.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- recorded_time
date and time the entry was recorded.
- Type:
dfdatetime.DateTimeValues
- DATA_TYPE = 'chrome:extension_activity:activity_log'
- class plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Google Chrome extension activity database files.
The Google Chrome extension activity database file is typically stored in: Extension Activity
- DATA_FORMAT = 'Google Chrome extension activity SQLite database file'
- NAME = 'chrome_extension_activity'
- ParseActivityLogUncompressedRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses an activity log row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT time, extension_id, action_type, api_name, args, page_url, page_title, arg_url, other, activity_id FROM activitylog_uncompressed ORDER BY time', 'ParseActivityLogUncompressedRow')]
- REQUIRED_STRUCTURE = {'activitylog_compressed': frozenset({'action_type', 'api_name_x', 'arg_url_x', 'args_x', 'extension_id_x', 'other_x', 'page_title_x', 'page_url_x', 'time'})}
- SCHEMAS = [{'activitylog_compressed': 'CREATE TABLE activitylog_compressed (count INTEGER NOT NULL DEFAULT 1, extension_id_x INTEGER NOT NULL, time INTEGER, action_type INTEGER, api_name_x INTEGER, args_x INTEGER, page_url_x INTEGER, page_title_x INTEGER, arg_url_x INTEGER, other_x INTEGER)', 'string_ids': 'CREATE TABLE string_ids (id INTEGER PRIMARY KEY, value TEXT NOT NULL)', 'url_ids': 'CREATE TABLE url_ids (id INTEGER PRIMARY KEY, value TEXT NOT NULL)'}]
plaso.parsers.sqlite_plugins.chrome_history module
SQLite parser plugin for Google Chrome history database files.
- class plaso.parsers.sqlite_plugins.chrome_history.BaseGoogleChromeHistoryPlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Google Chrome history database files.
The Google Chrome history database file is typically stored in:
Archived History
History
Note that the Archived History database does not contain the downloads table.
- ParseLastVisitedRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]
Parses a last visited row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
cache (SQLiteCache) – cache which contains cached results from querying the visits and urls tables.
database (Optional[SQLiteDatabase]) – database.
- class plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Chrome History file downloaded event data.
- danger_type
assessment by Safe Browsing of the danger of the downloaded content.
- Type:
int
- end_time
date and time the download was finished.
- Type:
dfdatetime.DateTimeValues
- full_path
full path where the file was downloaded to.
- Type:
str
- interrupt_reason
indication why the download was interrupted.
- Type:
int
- offset
identifier of the row, from which the event data was extracted.
- Type:
str
- opened
value to indicate if the downloaded file was opened from the browser.
- Type:
int
- query
SQL query that was used to obtain the event data.
- Type:
str
- received_bytes
number of bytes received while downloading.
- Type:
int
- start_time
date and time the download was started.
- Type:
dfdatetime.DateTimeValues
- state
state of the download, such as finished or cancelled.
- Type:
int
- total_bytes
total number of bytes to download.
- Type:
int
- url
URL of the downloaded file.
- Type:
str
- DATA_TYPE = 'chrome:history:file_downloaded'
- class plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Chrome History page visited event data.
- from_visit
URL where the visit originated from.
- Type:
str
- last_visited_time
date and time the URL was last visited.
- Type:
dfdatetime.DateTimeValues
- offset
identifier of the row, from which the event data was extracted.
- Type:
str
- page_transition_type
type of transitions between pages.
- Type:
int
- query
SQL query that was used to obtain the event data.
- Type:
str
- title
title of the visited page.
- Type:
str
- typed_count
number of times the user has navigated to the page by typing in the address.
- Type:
int
- url
URL of the visited page.
- Type:
str
True if the URL is hidden.
- Type:
bool
- visit_count
number of times the user has navigated to this page.
- Type:
int
- visit_source
source of the page visit.
- Type:
int
- DATA_TYPE = 'chrome:history:page_visited'
- class plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome27HistoryPlugin[source]
Bases:
BaseGoogleChromeHistoryPlugin
SQLite parser plugin for Google Chrome 27+ history database files.
- DATA_FORMAT = 'Google Chrome 27 and later history SQLite database file'
- NAME = 'chrome_27_history'
- ParseFileDownloadedRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a file downloaded row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT urls.id, urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition, visits.id AS visit_id FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time', 'ParseLastVisitedRow'), ('SELECT downloads.id AS id, downloads.start_time,downloads.target_path, downloads_url_chains.url, downloads.received_bytes, downloads.total_bytes, downloads.end_time, downloads.state, downloads.danger_type, downloads.interrupt_reason, downloads.opened FROM downloads, downloads_url_chains WHERE downloads.id = downloads_url_chains.id', 'ParseFileDownloadedRow')]
- REQUIRED_STRUCTURE = {'downloads': frozenset({'danger_type', 'end_time', 'id', 'interrupt_reason', 'opened', 'received_bytes', 'start_time', 'state', 'target_path', 'total_bytes'}), 'downloads_url_chains': frozenset({'id', 'url'}), 'urls': frozenset({'hidden', 'id', 'last_visit_time', 'title', 'typed_count', 'url', 'visit_count'}), 'visits': frozenset({'from_visit', 'id', 'transition', 'visit_time'})}
- SCHEMAS = [{'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER 
NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type 
VARCHAR(255) NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT 
NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type 
VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,last_access_time INTEGER NOT NULL,transient INTEGER NOT NULL,referrer 
VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT 
NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY 
KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': "CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, guid VARCHAR NOT NULL DEFAULT '', hash BLOB NOT NULL DEFAULT X'', http_method VARCHAR NOT NULL DEFAULT '', tab_url VARCHAR NOT NULL DEFAULT '', tab_referrer_url VARCHAR NOT NULL DEFAULT '', site_url VARCHAR NOT NULL DEFAULT '', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)", 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON 
NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL, mime_type VARCHAR(255) NOT NULL DEFAULT "", original_mime_type VARCHAR(255) NOT NULL DEFAULT "", guid VARCHAR NOT NULL DEFAULT \'\', hash BLOB NOT NULL DEFAULT X\'\', http_method VARCHAR NOT NULL DEFAULT \'\', tab_url VARCHAR NOT NULL DEFAULT \'\', tab_referrer_url VARCHAR NOT NULL DEFAULT \'\', site_url VARCHAR NOT NULL DEFAULT \'\', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 
'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': "CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, guid VARCHAR NOT NULL DEFAULT '', hash BLOB NOT NULL DEFAULT X'', http_method VARCHAR NOT NULL DEFAULT '', tab_url VARCHAR NOT NULL DEFAULT '', tab_referrer_url VARCHAR NOT NULL DEFAULT '', site_url VARCHAR NOT NULL 
DEFAULT '', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)", 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT 
NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,last_access_time INTEGER NOT NULL,transient INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition 
INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}]
- class plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome8HistoryPlugin[source]
Bases:
BaseGoogleChromeHistoryPlugin
SQLite parser plugin for Google Chrome 8 - 25 history database files.
- DATA_FORMAT = 'Google Chrome 8 - 25 history SQLite database file'
- NAME = 'chrome_8_history'
- ParseFileDownloadedRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a file downloaded row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT urls.id, urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition, visits.id AS visit_id FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time', 'ParseLastVisitedRow'), ('SELECT id, full_path, url, start_time, received_bytes, total_bytes, state FROM downloads', 'ParseFileDownloadedRow')]
- REQUIRED_STRUCTURE = {'downloads': frozenset({'full_path', 'id', 'received_bytes', 'start_time', 'state', 'total_bytes', 'url'}), 'urls': frozenset({'hidden', 'id', 'last_visit_time', 'title', 'typed_count', 'url', 'visit_count'}), 'visits': frozenset({'from_visit', 'id', 'transition', 'visit_time'})}
- SCHEMAS = [{'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE 
PRIMARY KEY,value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER 
PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT 
NULL,segment_id INTEGER,is_indexed BOOLEAN,visit_duration INTEGER DEFAULT 0 NOT NULL)'}]
plaso.parsers.sqlite_plugins.dropbox module
SQLite parser plugin for Dropbox sync_history database files.
- class plaso.parsers.sqlite_plugins.dropbox.DropboxSyncDatabasePlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Dropbox sync_history.db database files.
The Linux sync_history.db database is typically stored in: $HOME/.dropbox/instance1/sync_history.db
The Windows 10 sync_history.db database is typically stored in: $HOME/AppData/Local/Dropbox/instance1/sync_history.db
- DATA_FORMAT = 'Dropbox sync history database (sync_history.db) file'
- NAME = 'dropbox'
- ParseSyncHistoryRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a sync_history row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT timestamp, event_type, file_event_type, direction, file_id, local_path FROM sync_history;', 'ParseSyncHistoryRow')]
- REQUIRED_STRUCTURE = {'sync_history': frozenset({'direction', 'event_type', 'file_event_type', 'file_id', 'local_path', 'timestamp'})}
- SCHEMAS = [{'sync_history': 'CREATE TABLE sync_history (event_type TEXT NOT NULL, file_event_type TEXT, direction TEXT, file_id TEXT, local_path TEXT, timestamp INTEGER NOT NULL, other_user INTEGER'}]
- class plaso.parsers.sqlite_plugins.dropbox.DropboxSyncHistoryEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Dropbox Sync History Database event data.
- event_type
the event type.
- Type:
str
- file_event_type
the file event type.
- Type:
str
- direction
the source of the synchronisation event.
- Type:
str
- file_identifier
the Dropbox identifier of the file.
- Type:
str
- local_path
the local path of the file.
- Type:
str
- recorded_time
date and time the log entry was recorded.
- Type:
dfdatetime.DateTimeValues
- DATA_TYPE = 'dropbox:sync_history:entry'
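The following is an added example, not code from plaso: a manual triage check that opens a sync_history.db copy read-only, confirms it has the table and columns listed in REQUIRED_STRUCTURE above, and runs the documented query. The helper names and all sample rows are assumptions constructed for illustration; the sample table uses the column definitions from the SCHEMAS entry above.

```python
import os
import pathlib
import sqlite3
import tempfile

# Copied from the DropboxSyncDatabasePlugin attributes documented above.
REQUIRED_STRUCTURE = {
    'sync_history': frozenset({
        'direction', 'event_type', 'file_event_type', 'file_id',
        'local_path', 'timestamp'})}
QUERY = (
    'SELECT timestamp, event_type, file_event_type, direction, file_id, '
    'local_path FROM sync_history;')


def open_read_only(path):
    """Opens a SQLite file read-only so the evidence copy is not modified."""
    uri = pathlib.Path(path).resolve().as_uri() + '?mode=ro'
    connection = sqlite3.connect(uri, uri=True)
    connection.row_factory = sqlite3.Row
    return connection


def missing_structure(connection, required=REQUIRED_STRUCTURE):
    """Returns {table: set of missing columns}; an absent table lacks all."""
    missing = {}
    for table, columns in required.items():
        # Table names come from the constant above, never from user input.
        rows = connection.execute(f'PRAGMA table_info("{table}")').fetchall()
        present = {row[1] for row in rows}  # index 1 is the column name
        absent = set(columns) - present
        if absent:
            missing[table] = absent
    return missing


def read_sync_history(path):
    """Returns the query rows as dicts, or raises ValueError on a mismatch.

    The timestamp is returned as the stored integer; the page does not
    state its unit, so no conversion is attempted here.
    """
    connection = open_read_only(path)
    try:
        missing = missing_structure(connection)
        if missing:
            raise ValueError(f'unsupported database, missing: {missing}')
        return [dict(row) for row in connection.execute(QUERY)]
    finally:
        connection.close()


def build_sample_db(path, drop_column=None):
    """Writes a constructed sync_history.db; all values are invented."""
    columns = [
        'event_type TEXT NOT NULL', 'file_event_type TEXT', 'direction TEXT',
        'file_id TEXT', 'local_path TEXT', 'timestamp INTEGER NOT NULL',
        'other_user INTEGER']
    columns = [c for c in columns if c.split()[0] != drop_column]
    connection = sqlite3.connect(path)
    connection.execute(f'CREATE TABLE sync_history ({", ".join(columns)})')
    if drop_column is None:
        connection.executemany(
            'INSERT INTO sync_history VALUES (?, ?, ?, ?, ?, ?, ?)', [
                ('file', 'add', 'upload', 'id:CONSTRUCTED0001',
                 '/home/user/Dropbox/report.docx', 1700000000, None),
                ('file', 'delete', 'download', 'id:CONSTRUCTED0002',
                 '/home/user/Dropbox/old.txt', 1700000600, None)])
    connection.commit()
    connection.close()


if __name__ == '__main__':
    with tempfile.TemporaryDirectory() as directory:
        sample = os.path.join(directory, 'sync_history.db')
        build_sample_db(sample)
        for entry in read_sync_history(sample):
            print(entry)
```

A database that lacks one of the required columns is rejected before the query runs, which is the first thing to check when a sync_history.db yields no events.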
plaso.parsers.sqlite_plugins.edge_load_statistics module
Parser for Microsoft Edge load statistics database.
- class plaso.parsers.sqlite_plugins.edge_load_statistics.EdgeLoadStatisticsPlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Microsoft Edge load statistics database.
- DESCRIPTION = 'Parser for Microsoft Edge load_statistics.db'
- NAME = 'edge_load_statistics'
- ParseResourceRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a row from the database.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row resulting from query.
- QUERIES = [('SELECT top_level_hostname, resource_hostname, resource_type, last_update FROM load_statistics', 'ParseResourceRow')]
- REQUIRED_STRUCTURE = {'load_statistics': frozenset({'last_update', 'resource_hostname', 'resource_type', 'resource_url_hash', 'top_level_hostname'}), 'meta': frozenset({'key', 'value'}), 'redirect_statistics': frozenset({'destination_hostname', 'is_top_level_document', 'last_update', 'source_hostname'})}
- SCHEMAS = [{'load_statistics': 'CREATE TABLE load_statistics(top_level_hostname TEXT,resource_hostname TEXT, resource_url_hash TEXT, resource_typeINTEGER, last_update INTEGER NOT NULL,UNIQUE(top_level_hostname,resource_url_hash))', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,value LONGVARCHAR)', 'redirect_statistics': 'CREATE TABLE redirect_statistics(source_hostname TEXT,destination_hostname TEXT, is_top_level_document INTEGER NOTNULL, last_update INTEGER NOT NULL, UNIQUE(source_hostname,destination_hostname,is_top_level_document))'}]
- class plaso.parsers.sqlite_plugins.edge_load_statistics.EdgeLoadStatisticsResourceEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Microsoft Edge load statistics resource event data.
- last_update
Last update time of resource, cached or not.
- query
query that created the event data.
- Type:
str
- resource_hostname
External domain of the resource that was loaded
- resource_type
Integer descriptor of resource type
- top_level_hostname
Source domain that initiated resource load
- DATA_TYPE = 'edge:resources:load_statistics'
plaso.parsers.sqlite_plugins.firefox_downloads module
SQLite parser plugin for Mozilla Firefox downloads database files.
- class plaso.parsers.sqlite_plugins.firefox_downloads.Firefox118DownloadEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Firefox download event data.
- deleted
deleted state.
- Type:
int
- download_state
state of the download.
- Type:
int
- end_time
date and time the download was finished.
- Type:
dfdatetime.DateTimeValues
- expiration
expiration.
- Type:
int
- flags
flags associated with this download
- Type:
int
- full_path
full path of the target of the download.
- Type:
str
- mime_type
mime type of the download.
- Type:
str
- name
name of the download.
- Type:
str
- offset
identifier of the row, from which the event data was extracted.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- received_bytes
number of bytes received.
- Type:
int
- referrer
referrer URL of the download.
- Type:
str
- start_time
date and time the download was started.
- Type:
dfdatetime.DateTimeValues
- temporary_location
temporary location of the download.
- Type:
str
- total_bytes
total number of bytes of the download.
- Type:
int
- type
type field.
- Type:
int
- url
source URL of the download.
- Type:
str
- DATA_TYPE = 'firefox:downloads:download'
- class plaso.parsers.sqlite_plugins.firefox_downloads.Firefox118DownloadsPlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for version 118 Firefox downloads database files.
The version 118 Firefox downloads database file is typically stored in: places.sql
- DATA_FORMAT = 'Mozilla Firefox 118 downloads SQLite database (downloads.sqlite) file'
- NAME = 'firefox_118_downloads'
- ParseDownloadsRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a downloads row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT annos1.content, annos2.flags, annos2.expiration, annos2.type, annos2.dateAdded, annos2.lastModified, annos2.content as dest_fpath, places.url, places.title, places.last_visit_date from moz_annos annos1, moz_annos annos2, moz_places places WHERE annos1.anno_attribute_id == annos2.anno_attribute_id+1 AND annos1.place_id == annos2.place_id AND annos1.place_id == places.id', 'ParseDownloadsRow')]
- REQUIRED_STRUCTURE = {'moz_annos': frozenset({'anno_attribute_id', 'content', 'dateAdded', 'expiration', 'flags', 'id', 'lastModified', 'place_id', 'type'}), 'moz_places': frozenset({'id', 'last_visit_date', 'title', 'url'})}
- SCHEMAS = [{'moz_annos': 'CREATE TABLE moz_annos (id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)'}, {'moz_places': 'CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER, guid TEXT, foreign_count INTEGER DEFAULT 0 NOT NULL, url_hash INTEGER DEFAULT 0 NOT NULL , description TEXT, preview_image_url TEXT, site_name TEXT, origin_id INTEGER REFERENCES moz_origins(id), recalc_frecency INTEGER NOT NULL DEFAULT 0, alt_frecency INTEGER, recalc_alt_frecency INTEGER NOT NULL DEFAULT 0)'}]
- class plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Firefox download event data.
- end_time
date and time the download was finished.
- Type:
dfdatetime.DateTimeValues
- full_path
full path of the target of the download.
- Type:
str
- mime_type
mime type of the download.
- Type:
str
- name
name of the download.
- Type:
str
- offset
identifier of the row, from which the event data was extracted.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- received_bytes
number of bytes received.
- Type:
int
- referrer
referrer URL of the download.
- Type:
str
- start_time
date and time the download was started.
- Type:
dfdatetime.DateTimeValues
- temporary_location
temporary location of the download.
- Type:
str
- total_bytes
total number of bytes of the download.
- Type:
int
- url
source URL of the download.
- Type:
str
- DATA_TYPE = 'firefox:downloads:download'
- class plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadsPlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Mozilla Firefox downloads database files.
The Mozilla Firefox downloads database file is typically stored in: downloads.sqlite
- DATA_FORMAT = 'Mozilla Firefox downloads SQLite database (downloads.sqlite) file'
- NAME = 'firefox_downloads'
- ParseDownloadsRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a downloads row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT moz_downloads.id, moz_downloads.name, moz_downloads.source, moz_downloads.target, moz_downloads.tempPath, moz_downloads.startTime, moz_downloads.endTime, moz_downloads.state, moz_downloads.referrer, moz_downloads.currBytes, moz_downloads.maxBytes, moz_downloads.mimeType FROM moz_downloads', 'ParseDownloadsRow')]
- REQUIRED_STRUCTURE = {'moz_downloads': frozenset({'currBytes', 'endTime', 'id', 'maxBytes', 'mimeType', 'name', 'referrer', 'source', 'startTime', 'state', 'target', 'tempPath'})}
- SCHEMAS = [{'moz_downloads': 'CREATE TABLE moz_downloads (id INTEGER PRIMARY KEY, name TEXT, source TEXT, target TEXT, tempPath TEXT, startTime INTEGER, endTime INTEGER, state INTEGER, referrer TEXT, entityID TEXT, currBytes INTEGER NOT NULL DEFAULT 0, maxBytes INTEGER NOT NULL DEFAULT -1, mimeType TEXT, preferredApplication TEXT, preferredAction INTEGER NOT NULL DEFAULT 0, autoResume INTEGER NOT NULL DEFAULT 0)'}]
plaso.parsers.sqlite_plugins.firefox_history module
SQLite parser plugin for Mozilla Firefox history database files.
- class plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Mozilla Firefox history database files.
The Mozilla Firefox history database file is typically stored in: places.sqlite
- DATA_FORMAT = 'Mozilla Firefox history SQLite database (places.sqlite) file'
- NAME = 'firefox_history'
- ParseBookmarkAnnotationRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a bookmark annotation row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- ParseBookmarkFolderRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a bookmark folder row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- ParseBookmarkRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a bookmark row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- ParsePageVisitedRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]
Parses a page visited row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
cache (Optional[SQLiteCache]) – cache.
database (Optional[SQLiteDatabase]) – database.
- QUERIES = [('SELECT moz_historyvisits.id, moz_places.url, moz_places.title, moz_places.visit_count, moz_historyvisits.visit_date, moz_historyvisits.from_visit, moz_places.rev_host, moz_places.hidden, moz_places.typed, moz_historyvisits.visit_type FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id', 'ParsePageVisitedRow'), ('SELECT moz_bookmarks.type, moz_bookmarks.title AS bookmark_title, moz_bookmarks.dateAdded, moz_bookmarks.lastModified, moz_places.url, moz_places.title AS places_title, moz_places.rev_host, moz_places.visit_count, moz_bookmarks.id FROM moz_places, moz_bookmarks WHERE moz_bookmarks.fk = moz_places.id AND moz_bookmarks.type <> 3', 'ParseBookmarkRow'), ('SELECT moz_items_annos.content, moz_items_annos.dateAdded, moz_items_annos.lastModified, moz_bookmarks.title, moz_places.url, moz_places.rev_host, moz_items_annos.id FROM moz_items_annos, moz_bookmarks, moz_places WHERE moz_items_annos.item_id = moz_bookmarks.id AND moz_bookmarks.fk = moz_places.id', 'ParseBookmarkAnnotationRow'), ('SELECT moz_bookmarks.id, moz_bookmarks.title,moz_bookmarks.dateAdded, moz_bookmarks.lastModified FROM moz_bookmarks WHERE moz_bookmarks.type = 2', 'ParseBookmarkFolderRow')]
- REQUIRED_STRUCTURE = {'moz_bookmarks': frozenset({'dateAdded', 'fk', 'id', 'lastModified', 'title', 'type'}), 'moz_historyvisits': frozenset({'from_visit', 'id', 'place_id', 'visit_date', 'visit_type'}), 'moz_items_annos': frozenset({'content', 'dateAdded', 'id', 'item_id', 'lastModified'}), 'moz_places': frozenset({'hidden', 'id', 'rev_host', 'title', 'typed', 'url', 'visit_count'})}
- SCHEMAS = [{'moz_anno_attributes': 'CREATE TABLE moz_anno_attributes ( id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE NOT NULL)', 'moz_annos': 'CREATE TABLE moz_annos ( id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_bookmarks': 'CREATE TABLE moz_bookmarks ( id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER DEFAULT NULL, parent INTEGER, position INTEGER, title LONGVARCHAR, keyword_id INTEGER, folder_type TEXT, dateAdded INTEGER, lastModified INTEGER)', 'moz_bookmarks_roots': 'CREATE TABLE moz_bookmarks_roots ( root_name VARCHAR(16) UNIQUE, folder_id INTEGER)', 'moz_favicons': 'CREATE TABLE moz_favicons ( id INTEGER PRIMARY KEY, url LONGVARCHAR UNIQUE, data BLOB, mime_type VARCHAR(32), expiration LONG)', 'moz_historyvisits': 'CREATE TABLE moz_historyvisits ( id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER)', 'moz_inputhistory': 'CREATE TABLE moz_inputhistory ( place_id INTEGER NOT NULL, input LONGVARCHAR NOT NULL, use_count INTEGER, PRIMARY KEY (place_id, input))', 'moz_items_annos': 'CREATE TABLE moz_items_annos ( id INTEGER PRIMARY KEY, item_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_keywords': 'CREATE TABLE moz_keywords ( id INTEGER PRIMARY KEY AUTOINCREMENT, keyword TEXT UNIQUE)', 'moz_places': 'CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, 
last_visit_date INTEGER )'}, {'moz_anno_attributes': 'CREATE TABLE moz_anno_attributes ( id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE NOT NULL)', 'moz_annos': 'CREATE TABLE moz_annos ( id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_bookmarks': 'CREATE TABLE moz_bookmarks ( id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER DEFAULT NULL, parent INTEGER, position INTEGER, title LONGVARCHAR, keyword_id INTEGER, folder_type TEXT, dateAdded INTEGER, lastModified INTEGER, guid TEXT)', 'moz_bookmarks_roots': 'CREATE TABLE moz_bookmarks_roots ( root_name VARCHAR(16) UNIQUE, folder_id INTEGER)', 'moz_favicons': 'CREATE TABLE moz_favicons ( id INTEGER PRIMARY KEY, url LONGVARCHAR UNIQUE, data BLOB, mime_type VARCHAR(32), expiration LONG, guid TEXT)', 'moz_historyvisits': 'CREATE TABLE moz_historyvisits ( id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER)', 'moz_hosts': 'CREATE TABLE moz_hosts ( id INTEGER PRIMARY KEY, host TEXT NOT NULL UNIQUE, frecency INTEGER, typed INTEGER NOT NULL DEFAULT 0, prefix TEXT)', 'moz_inputhistory': 'CREATE TABLE moz_inputhistory ( place_id INTEGER NOT NULL, input LONGVARCHAR NOT NULL, use_count INTEGER, PRIMARY KEY (place_id, input))', 'moz_items_annos': 'CREATE TABLE moz_items_annos ( id INTEGER PRIMARY KEY, item_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_keywords': 'CREATE TABLE moz_keywords ( id INTEGER PRIMARY KEY AUTOINCREMENT, keyword TEXT UNIQUE)', 'moz_places': 'CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, 
title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER , guid TEXT)', 'sqlite_stat1': 'CREATE TABLE sqlite_stat1(tbl, idx, stat)'}]
- URL_CACHE_QUERY = 'SELECT h.id AS id, p.url, p.rev_host FROM moz_places p, moz_historyvisits h WHERE p.id = h.place_id'
- class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkAnnotationEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Firefox bookmark annotation event data.
- added_time
date and time the bookmark annotation was added.
- Type:
dfdatetime.DateTimeValues
- content
annotation content.
- Type:
str
- modification_time
date and time the bookmark annotation was last modified.
- Type:
dfdatetime.DateTimeValues
- offset
identifier of the row, from which the event data was extracted.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- title
title of the bookmark folder.
- Type:
str
- url
bookmarked URL.
- Type:
str
- DATA_TYPE = 'firefox:places:bookmark_annotation'
- class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Firefox bookmark event data.
- added_time
date and time the bookmark was added.
- Type:
dfdatetime.DateTimeValues
- host
visited hostname.
- Type:
str
- modification_time
date and time the bookmark was last modified.
- Type:
dfdatetime.DateTimeValues
- offset
identifier of the row, from which the event data was extracted.
- Type:
str
- places_title
places title.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- title
title of the bookmark folder.
- Type:
str
- type
bookmark type.
- Type:
int
- url
bookmarked URL.
- Type:
str
- visit_count
visit count.
- Type:
int
- DATA_TYPE = 'firefox:places:bookmark'
- class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkFolderEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Firefox bookmark folder event data.
- added_time
date and time the bookmark folder was added.
- Type:
dfdatetime.DateTimeValues
- modification_time
date and time the bookmark folder was last modified.
- Type:
dfdatetime.DateTimeValues
- offset
identifier of the row, from which the event data was extracted.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- title
title of the bookmark folder.
- Type:
str
- DATA_TYPE = 'firefox:places:bookmark_folder'
- class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Firefox page visited event data.
- from_visit
URL that referred to the visited page.
- Type:
str
- hidden
value to indicate if the URL was hidden.
- Type:
str
- host
visited hostname.
- Type:
str
- last_visited_time
date and time the URL was last visited.
- Type:
dfdatetime.DateTimeValues
- offset
identifier of the row, from which the event data was extracted.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- title
title of the visited page.
- Type:
str
- typed
value to indicate if the URL was typed.
- Type:
str
- url
URL of the visited page.
- Type:
str
- visit_count
visit count.
- Type:
int
- visit_type
transition type for the event.
- Type:
str
- DATA_TYPE = 'firefox:places:page_visited'
plaso.parsers.sqlite_plugins.gdrive module
SQLite parser plugin for Google Drive snapshot database files.
- class plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Google Drive snapshot database files.
The Google Drive snapshot database file is typically stored in: snapshot.db
- CLOUD_PATH_CACHE_QUERY = 'SELECT cloud_entry.filename, cloud_entry.resource_id, cloud_relations.parent_resource_id AS parent FROM cloud_entry, cloud_relations WHERE cloud_entry.doc_type = 0 AND cloud_entry.resource_id = cloud_relations.child_resource_id'
- DATA_FORMAT = 'Google Drive snapshot SQLite database (snapshot.db) file'
- GetCloudPath(resource_id, cache, database)[source]
Return cloud path given a resource id.
- Parameters:
resource_id (str) – resource identifier for the file.
cache (SQLiteCache) – cache.
database (SQLiteDatabase) – database.
- Returns:
full path to the resource value.
- Return type:
str
- GetLocalPath(inode, cache, database)[source]
Return local path for a given inode.
- Parameters:
inode (int) – inode number for the file.
cache (SQLiteCache) – cache.
database (SQLiteDatabase) – database.
- Returns:
full path, including the filename of the given inode value.
- Return type:
str
- LOCAL_PATH_CACHE_QUERY = 'SELECT local_relations.child_inode_number, local_relations.parent_inode_number, local_entry.filename FROM local_relations, local_entry WHERE local_relations.child_inode_number = local_entry.inode_number'
- NAME = 'google_drive'
- ParseCloudEntryRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]
Parses a cloud entry row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
cache (SQLiteCache) – cache.
database (SQLiteDatabase) – database.
- ParseLocalEntryRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]
Parses a local entry row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
cache (Optional[SQLiteCache]) – cache.
database (Optional[SQLiteDatabase]) – database.
- QUERIES = [('SELECT cloud_entry.resource_id, cloud_entry.filename, cloud_entry.modified, cloud_entry.created, cloud_entry.size, cloud_entry.doc_type, cloud_entry.shared, cloud_entry.checksum, cloud_entry.url, cloud_relations.parent_resource_id FROM cloud_entry, cloud_relations WHERE cloud_relations.child_resource_id = cloud_entry.resource_id AND cloud_entry.modified IS NOT NULL;', 'ParseCloudEntryRow'), ('SELECT inode_number, filename, modified, checksum, size FROM local_entry WHERE modified IS NOT NULL;', 'ParseLocalEntryRow')]
- REQUIRED_STRUCTURE = {'cloud_entry': frozenset({'checksum', 'created', 'doc_type', 'filename', 'modified', 'resource_id', 'shared', 'size', 'url'}), 'cloud_relations': frozenset({'child_resource_id', 'parent_resource_id'}), 'local_entry': frozenset({'checksum', 'filename', 'inode_number', 'modified', 'size'}), 'local_relations': frozenset({'child_inode_number', 'parent_inode_number'})}
- SCHEMAS = [{'cloud_entry': 'CREATE TABLE cloud_entry (resource_id TEXT, filename TEXT, modified INTEGER, created INTEGER, acl_role INTEGER, doc_type INTEGER, removed INTEGER, url TEXT, size INTEGER, checksum TEXT, shared INTEGER, PRIMARY KEY (resource_id))', 'cloud_relations': 'CREATE TABLE cloud_relations (child_resource_id TEXT, parent_resource_id TEXT, UNIQUE (child_resource_id, parent_resource_id), FOREIGN KEY (child_resource_id) REFERENCES cloud_entry(resource_id), FOREIGN KEY (parent_resource_id) REFERENCES cloud_entry(resource_id))', 'local_entry': 'CREATE TABLE local_entry (inode_number INTEGER, filename TEXT, modified INTEGER, checksum TEXT, size INTEGER, PRIMARY KEY (inode_number))', 'local_relations': 'CREATE TABLE local_relations (child_inode_number INTEGER, parent_inode_number INTEGER, UNIQUE (child_inode_number), FOREIGN KEY (parent_inode_number) REFERENCES local_entry(inode_number), FOREIGN KEY (child_inode_number) REFERENCES local_entry(inode_number))', 'mapping': 'CREATE TABLE mapping (inode_number INTEGER, resource_id TEXT, UNIQUE (inode_number), FOREIGN KEY (inode_number) REFERENCES local_entry(inode_number), FOREIGN KEY (resource_id) REFERENCES cloud_entry(resource_id))', 'overlay_status': 'CREATE TABLE overlay_status (path TEXT, overlay_status INTEGER, PRIMARY KEY (path))'}]
- class plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Google Drive snapshot cloud entry event data.
- creation_time
date and time the snapshot cloud entry was created.
- Type:
dfdatetime.DateTimeValues
- doc_type
document type.
- Type:
int
- modification_time
date and time the snapshot cloud entry was last modified.
- Type:
dfdatetime.DateTimeValues
- path
path of the file.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- shared
True if the file is shared, False if the file is private.
- Type:
bool
- size
size of the file.
- Type:
int
- url
URL of the file.
- Type:
str
- DATA_TYPE = 'gdrive:snapshot:cloud_entry'
- class plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotLocalEntryEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Google Drive snapshot local entry event data.
- modification_time
date and time the snapshot local entry was last modified.
- Type:
dfdatetime.DateTimeValues
- path
path of the file.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- size
size of the file.
- Type:
int
- DATA_TYPE = 'gdrive:snapshot:local_entry'
plaso.parsers.sqlite_plugins.imessage module
SQLite parser plugin for MacOS and iOS iMessage database files.
- class plaso.parsers.sqlite_plugins.imessage.IMessageEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
iMessage and SMS event data.
- attachment_location
location of the attachment.
- Type:
str
- client_version
client version.
- Type:
int
- creation_time
date and time the message was created.
- Type:
dfdatetime.DateTimeValues
- imessage_id
mobile number or email address the message was sent to or received from.
- Type:
str
- message_type
value to indicate the message was sent (1) or received (0).
- Type:
int
- offset
identifier of the row, from which the event data was extracted.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- read_receipt
True if the message read receipt was received.
- Type:
bool
- service
service, which is either SMS or iMessage.
- Type:
str
- text
content of the message.
- Type:
str
- DATA_TYPE = 'imessage:event:chat'
- class plaso.parsers.sqlite_plugins.imessage.IMessagePlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for MacOS and iOS iMessage database files.
The iMessage database file is typically stored in chat.db or sms.db.
- DATA_FORMAT = 'MacOS and iOS iMessage database (chat.db, sms.db) file'
- NAME = 'imessage'
- ParseMessageRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]
Parses a message row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
cache (SQLiteCache) – cache which contains cached results from querying the visits and urls tables.
database (Optional[SQLiteDatabase]) – database.
- QUERIES = [('SELECT message.date, message.ROWID, handle.id AS imessage_id, message.is_read AS read_receipt, message.is_from_me AS message_type, message.service, attachment.filename AS attachment_location, message.text FROM message JOIN handle ON handle.ROWID = message.handle_id LEFT OUTER JOIN message_attachment_join AS maj ON message.ROWID = maj.message_id LEFT OUTER JOIN attachment ON maj.attachment_id = attachment.ROWID', 'ParseMessageRow')]
- REQUIRED_STRUCTURE = {'_SqliteDatabaseProperties': frozenset({'key', 'value'}), 'attachment': frozenset({'ROWID', 'filename'}), 'handle': frozenset({'ROWID', 'id'}), 'message': frozenset({'ROWID', 'date', 'handle_id', 'is_from_me', 'is_read', 'service', 'text'}), 'message_attachment_join': frozenset({'attachment_id', 'message_id'})}
plaso.parsers.sqlite_plugins.interface module
Interface for SQLite database file parser plugins.
- class plaso.parsers.sqlite_plugins.interface.SQLitePlugin[source]
Bases:
BasePlugin
SQLite parser plugin.
- CheckRequiredTablesAndColumns(database)[source]
Check if the database has the minimal structure required by the plugin.
- Parameters:
database (SQLiteDatabase) – the database whose structure is being checked.
- Returns:
True if the database has the required tables and columns defined by the plugin, or False if it does not or if the plugin does not define required tables and columns. The database can have more tables and/or columns than specified by the plugin and still return True.
- Return type:
bool
- CheckSchema(database)[source]
Checks the schema of a database against that defined in the plugin.
- Parameters:
database (SQLiteDatabase) – SQLite database to check.
- Returns:
True if the schema of the database matches that defined by the plugin, or False if the schemas do not match or no schema is defined by the plugin.
- Return type:
bool
- DATA_FORMAT = 'SQLite database file'
- NAME = 'sqlite_plugin'
- Process(parser_mediator, cache=None, database=None, **unused_kwargs)[source]
Extracts events from a SQLite database.
- Parameters:
parser_mediator (ParserMediator) – parser mediator.
cache (Optional[SQLiteCache]) – cache.
database (Optional[SQLiteDatabase]) – database.
- Raises:
ValueError – If the database or cache value are missing.
- QUERIES = []
- REQUIRED_STRUCTURE = {}
- REQUIRES_SCHEMA_MATCH = False
- SCHEMAS = []
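The required-structure contract documented for CheckRequiredTablesAndColumns, sketched with the standard sqlite3 module as an added example (not plaso's own implementation). It uses the Dropbox REQUIRED_STRUCTURE listed on this page; the function names, the constructed sample tables and the exact-case name comparison are assumptions of this example.

```python
import sqlite3

# REQUIRED_STRUCTURE of the Dropbox sync history plugin, as listed on this page.
DROPBOX_REQUIRED_STRUCTURE = {
    'sync_history': frozenset({
        'direction', 'event_type', 'file_event_type', 'file_id',
        'local_path', 'timestamp'})}

# Constructed sample tables: one with every required column plus an extra
# one, and a look-alike that shares the table name but lacks four columns.
FULL_TABLE = (
    'CREATE TABLE sync_history (event_type TEXT NOT NULL, '
    'file_event_type TEXT, direction TEXT, file_id TEXT, local_path TEXT, '
    'timestamp INTEGER NOT NULL, other_user INTEGER)')
LOOKALIKE_TABLE = (
    'CREATE TABLE sync_history (event_type TEXT NOT NULL, '
    'timestamp INTEGER NOT NULL)')


def build_sample(create_statement):
    """Creates an in-memory database holding one constructed table."""
    # For an on-disk evidence file, open it read-only instead, for example
    # sqlite3.connect('file:/path/to/copy.db?mode=ro', uri=True).
    connection = sqlite3.connect(':memory:')
    connection.execute(create_statement)
    return connection


def read_structure(connection):
    """Maps each table name in the database to the set of its column names."""
    cursor = connection.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")
    structure = {}
    for (table_name,) in cursor.fetchall():
        # Table names come from the file under examination and a PRAGMA
        # argument cannot be bound as a parameter, so quote the identifier.
        quoted = '"{0:s}"'.format(table_name.replace('"', '""'))
        columns = connection.execute(
            'PRAGMA table_info({0:s})'.format(quoted))
        # Column 1 of each table_info row is the column name.
        structure[table_name] = {row[1] for row in columns}
    return structure


def missing_structure(connection, required_structure):
    """Returns {table: missing columns}; a missing table maps to None."""
    present = read_structure(connection)
    missing = {}
    for table_name, required_columns in required_structure.items():
        if table_name not in present:
            missing[table_name] = None
            continue
        absent = set(required_columns) - present[table_name]
        if absent:
            missing[table_name] = absent
    return missing


def has_required_structure(connection, required_structure):
    """True only if a structure is defined and nothing from it is missing.

    Extra tables and columns in the database do not affect the result.
    """
    if not required_structure:
        return False
    return not missing_structure(connection, required_structure)


if __name__ == '__main__':
    for label, statement in (
            ('full', FULL_TABLE), ('look-alike', LOOKALIKE_TABLE)):
        database = build_sample(statement)
        print(label,
              has_required_structure(database, DROPBOX_REQUIRED_STRUCTURE),
              missing_structure(database, DROPBOX_REQUIRED_STRUCTURE))
```

The missing-column report is the useful part during triage: it shows why a database that carries the expected table name was still not matched against a plugin's required structure.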
plaso.parsers.sqlite_plugins.ios_datausage module
SQLite parser plugin for iOS datausage.sqlite database files.
- class plaso.parsers.sqlite_plugins.ios_datausage.IOSDatausageEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
iOS datausage event data.
- bundle_identifier
bundle identifier.
- Type:
str
- process_name
name of the process.
- Type:
str
- start_time
date and time the start of the network connection was established.
- Type:
dfdatetime.DateTimeValues
- wifi_in
number of bytes received over Wi-Fi.
- Type:
int
- wifi_out
number of bytes sent over Wi-Fi.
- Type:
int
- wireless_wan_in
number of bytes received over cellular.
- Type:
int
- wireless_wan_out
number of bytes sent over cellular.
- Type:
int
- DATA_TYPE = 'ios:datausage:event'
- class plaso.parsers.sqlite_plugins.ios_datausage.IOSDatausagePlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for iOS DataUsage database.
- DATA_FORMAT = 'iOS data usage SQLite databse (DataUsage.sqlite) file.'
- NAME = 'ios_datausage'
- ParseDatausageEventRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a row from the Datausage sqlite file.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT ZLIVEUSAGE.ZTIMESTAMP, ZLIVEUSAGE.ZWIFIIN, ZLIVEUSAGE.ZWIFIOUT, ZLIVEUSAGE.ZWWANIN, ZLIVEUSAGE.ZWWANOUT, ZPROCESS.ZBUNDLENAME, ZPROCESS.ZPROCNAME FROM ZLIVEUSAGE LEFT JOIN ZPROCESS ON ZPROCESS.Z_PK = ZLIVEUSAGE.ZHASPROCESS', 'ParseDatausageEventRow')]
- REQUIRED_STRUCTURE = {'ZLIVEUSAGE': frozenset({'ZHASPROCESS', 'ZKIND', 'ZMETADATA', 'ZTAG', 'ZTIMESTAMP', 'ZWIFIIN', 'ZWIFIOUT', 'ZWWANIN', 'ZWWANOUT', 'Z_ENT', 'Z_OPT', 'Z_PK'}), 'ZPROCESS': frozenset({'ZBUNDLENAME', 'ZFIRSTTIMESTAMP', 'ZPROCNAME', 'ZTIMESTAMP', 'Z_ENT', 'Z_OPT', 'Z_PK'})}
- REQUIRES_SCHEMA_MATCH = False
- SCHEMAS = {'ZLIVEUSAGE': 'CREATE TABLE ZLIVEUSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZKIND INTEGER, ZMETADATA INTEGER, ZTAG INTEGER, ZHASPROCESS INTEGER, ZBILLCYCLEEND TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZWIFIIN FLOAT, ZWIFIOUT FLOAT, ZWWANIN FLOAT, ZWWANOUT FLOAT )', 'ZPROCESS': 'CREATE TABLE ZPROCESS ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFIRSTTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZBUNDLENAME VARCHAR, ZPROCNAME VARCHAR )'}
plaso.parsers.sqlite_plugins.ios_kik module
SQLite parser plugin for iOS Kik messenger database files.
- class plaso.parsers.sqlite_plugins.ios_kik.IOSKikMessageEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Kik message event data.
- body
content of the message.
- Type:
str
- message_status
message status, such as: read, unread, not sent, delivered, etc.
- Type:
str
- message_type
message type, either Sent or Received.
- Type:
str
- offset
identifier of the row, from which the event data was extracted.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- received_time
date and time the message was received.
- Type:
dfdatetime.DateTimeValues
- username
unique username of the sender or receiver.
- Type:
str
- DATA_TYPE = 'ios:kik:messaging'
- class plaso.parsers.sqlite_plugins.ios_kik.IOSKikPlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for iOS Kik messenger database files.
The iOS Kik messenger database file is typically stored in: kik.sqlite
- DATA_FORMAT = 'iOS Kik messenger SQLite database (kik.sqlite) file'
- NAME = 'kik_ios'
- ParseMessageRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a message row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT a.Z_PK AS id, b.ZUSERNAME, b.ZDISPLAYNAME,a.ZRECEIVEDTIMESTAMP, a.ZSTATE, a.ZTYPE, a.ZBODY FROM ZKIKMESSAGE a JOIN ZKIKUSER b ON b.ZEXTRA = a.ZUSER', 'ParseMessageRow')]
- REQUIRED_STRUCTURE = {'ZKIKMESSAGE': frozenset({'ZBODY', 'ZRECEIVEDTIMESTAMP', 'ZSTATE', 'ZTYPE', 'ZUSER', 'Z_PK'}), 'ZKIKUSER': frozenset({'ZDISPLAYNAME', 'ZEXTRA', 'ZUSERNAME'})}
- SCHEMAS = [{'ZKIKATTACHMENT': 'CREATE TABLE ZKIKATTACHMENT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZRETRYCOUNT INTEGER, ZSTATE INTEGER, ZTYPE INTEGER, ZEXTRA INTEGER, ZMESSAGE INTEGER, ZLASTACCESSTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZCONTENT VARCHAR )', 'ZKIKATTACHMENTEXTRA': 'CREATE TABLE ZKIKATTACHMENTEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZATTACHMENT INTEGER, ZENCRYPTIONKEY BLOB )', 'ZKIKCHAT': 'CREATE TABLE ZKIKCHAT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZDRAFTMESSAGE INTEGER, ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZUSER INTEGER, ZDATEUPDATED TIMESTAMP )', 'ZKIKCHATEXTRA': 'CREATE TABLE ZKIKCHATEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCHAT INTEGER, ZLASTSEENMESSAGE INTEGER, ZMUTEDTIMESTAMP TIMESTAMP )', 'ZKIKMESSAGE': 'CREATE TABLE ZKIKMESSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZSTATE INTEGER, ZSYSTEMSTATE INTEGER, ZTYPE INTEGER, ZCHATEXTRA INTEGER, ZDRAFTMESSAGECHAT INTEGER, ZLASTMESSAGECHAT INTEGER, ZLASTMESSAGEUSER INTEGER, ZUSER INTEGER, ZRECEIVEDTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZBODY VARCHAR, ZSTANZAID VARCHAR, ZRENDERINSTRUCTIONSET BLOB )', 'ZKIKUSER': 'CREATE TABLE ZKIKUSER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZADDRESSBOOKID INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZPRESENCE INTEGER, ZTYPE INTEGER, ZCHATUSER INTEGER, ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZDISPLAYNAME VARCHAR, ZDISPLAYNAMEASCII VARCHAR, ZEMAIL VARCHAR, ZFIRSTNAME VARCHAR, ZGROUPTAG VARCHAR, ZJID VARCHAR, ZLASTNAME VARCHAR, ZPPTIMESTAMP VARCHAR, ZPPURL VARCHAR, ZSTATUS VARCHAR, ZUSERNAME VARCHAR, ZCONTENTLINKSPROTODATA BLOB )', 'ZKIKUSEREXTRA': 'CREATE TABLE ZKIKUSEREXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZLOCALFLAGS INTEGER, ZUSER INTEGER, ZPUBLICMESSAGINGKEY BLOB )', 'Z_3MESSAGES': 'CREATE TABLE Z_3MESSAGES ( Z_3CHAT INTEGER, 
Z_5MESSAGES INTEGER, PRIMARY KEY (Z_3CHAT, Z_5MESSAGES) )', 'Z_6ADMINSINVERSE': 'CREATE TABLE Z_6ADMINSINVERSE ( Z_6ADMINS INTEGER, Z_6ADMINSINVERSE INTEGER, PRIMARY KEY (Z_6ADMINS, Z_6ADMINSINVERSE) )', 'Z_6BANSINVERSE': 'CREATE TABLE Z_6BANSINVERSE ( Z_6BANS INTEGER, Z_6BANSINVERSE INTEGER, PRIMARY KEY (Z_6BANS, Z_6BANSINVERSE) )', 'Z_6MEMBERS': 'CREATE TABLE Z_6MEMBERS ( Z_6MEMBERSINVERSE INTEGER, Z_6MEMBERS INTEGER, PRIMARY KEY (Z_6MEMBERSINVERSE, Z_6MEMBERS) )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'}]
plaso.parsers.sqlite_plugins.ios_netusage module
SQLite parser plugin for iOS netusage.sqlite database files.
- class plaso.parsers.sqlite_plugins.ios_netusage.IOSNetusagePlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for iOS netusage database.
- DATA_FORMAT = 'iOS network usage SQLite database (netusage.sqlite) file'
- NAME = 'ios_netusage'
- ParseNetusageProcessRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a Netusage process row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- ParseNetusageRouteRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a Netusage route row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('\n SELECT \n ZLIVEROUTEPERF.ZTIMESTAMP, \n ZLIVEROUTEPERF.ZKIND, \n ZLIVEROUTEPERF.ZBYTESIN, \n ZLIVEROUTEPERF.ZBYTESOUT, \n ZNETWORKATTACHMENT.ZIDENTIFIER, \n HEX(ZNETWORKATTACHMENT.ZNETSIGNATURE) as ZNETSIGNATURE\n FROM ZLIVEROUTEPERF\n LEFT JOIN ZNETWORKATTACHMENT \n ON ZLIVEROUTEPERF.ZHASNETWORKATTACHMENT = ZNETWORKATTACHMENT.Z_PK', 'ParseNetusageRouteRow'), ('\n SELECT\n ZLIVEUSAGE.ZTIMESTAMP,\n ZPROCESS.ZPROCNAME,\n ZLIVEUSAGE.ZWIFIIN,\n ZLIVEUSAGE.ZWIFIOUT,\n ZLIVEUSAGE.ZWWANIN,\n ZLIVEUSAGE.ZWWANOUT,\n ZLIVEUSAGE.ZWIREDIN,\n ZLIVEUSAGE.ZWIREDOUT\n FROM ZLIVEUSAGE \n LEFT JOIN ZPROCESS \n ON ZPROCESS.Z_PK = ZLIVEUSAGE.ZHASPROCESS', 'ParseNetusageProcessRow')]
- REQUIRED_STRUCTURE = {'ZLIVEROUTEPERF': frozenset({'ZBYTESIN', 'ZBYTESOUT', 'ZHASNETWORKATTACHMENT', 'ZKIND', 'ZTIMESTAMP'}), 'ZLIVEUSAGE': frozenset({'ZHASPROCESS', 'ZTIMESTAMP', 'ZWIFIIN', 'ZWIFIOUT', 'ZWIREDIN', 'ZWIREDOUT', 'ZWWANIN', 'ZWWANOUT'}), 'ZNETWORKATTACHMENT': frozenset({'ZIDENTIFIER', 'ZNETSIGNATURE', 'Z_PK'}), 'ZPROCESS': frozenset({'ZPROCNAME', 'Z_PK'})}
- REQUIRES_SCHEMA_MATCH = False
- SCHEMAS = {'ZLIVEROUTEPERF': 'CREATE TABLE ZLIVEROUTEPERF (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZKIND INTEGER, ZHASNETWORKATTACHMENT INTEGER, ZADMINDISABLES FLOAT, ZBYTESIN FLOAT, ZBYTESOUT FLOAT, ZCAPTIVITYREDIRECTS FLOAT, ZCERTERRORS FLOAT, ZCONNATTEMPTS FLOAT, ZCONNSUCCESSES FLOAT, ZDATASTALLS FLOAT, ZEPOCHS FLOAT, ZFAULTYSTAY FLOAT, ZLOWLQMSTAY FLOAT, ZLOWQSTAY FLOAT, ZLQMTRANSITIONCOUNT FLOAT, ZOVERALLSTAY FLOAT, ZOVERALLSTAYM2 FLOAT, ZPACKETSIN FLOAT, ZPACKETSOUT FLOAT, ZRETXBYTES FLOAT, ZRTTAVG FLOAT, ZRTTMIN FLOAT, ZRTTVAR FLOAT, ZRXDUPEBYTES FLOAT, ZRXOOOBYTES FLOAT, ZTIMESTAMP TIMESTAMP, ZTOPDOWNLOADRATE FLOAT )', 'ZLIVEUSAGE': 'CREATE TABLE ZLIVEUSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZKIND INTEGER, ZMETADATA INTEGER, ZTAG INTEGER, ZHASPROCESS INTEGER, Z15_HASPROCESS INTEGER, ZALLFLOWS FLOAT, ZBILLCYCLEEND TIMESTAMP, ZJUMBOFLOWS FLOAT, ZTIMESTAMP TIMESTAMP, ZWIFIIN FLOAT, ZWIFIOUT FLOAT, ZWIREDIN FLOAT, ZWIREDOUT FLOAT, ZWWANIN FLOAT, ZWWANOUT FLOAT, ZXIN FLOAT, ZXOUT FLOAT )', 'ZNETWORKATTACHMENT': 'CREATE TABLE ZNETWORKATTACHMENT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZATTRS INTEGER, ZISHOTSPOT INTEGER, ZISKNOWNGOOD INTEGER, ZISLOWINTERNETDL INTEGER, ZISLOWINTERNETUL INTEGER, ZKIND INTEGER, ZWASLASTFAILED INTEGER, ZFIRSTTIMESTAMP TIMESTAMP, ZOVERALLSTAYMEAN FLOAT, ZOVERALLSTAYVAR FLOAT, ZTIMESTAMP TIMESTAMP, ZVELO FLOAT, ZIDENTIFIER VARCHAR, ZSERVICE VARCHAR, ZNETSIGNATURE BLOB )', 'ZPROCESS': 'CREATE TABLE ZPROCESS ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFIRSTTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZBUNDLENAME VARCHAR, ZPROCNAME VARCHAR )'}
- class plaso.parsers.sqlite_plugins.ios_netusage.IOSNetusageProcessEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
iOS netusage process event data.
- process_name
name of the process.
- Type:
str
- start_time
date and time the network connection was established.
- Type:
dfdatetime.DateTimeValues
- wifi_in
bytes received via wifi.
- Type:
int
- wifi_out
bytes sent via wifi.
- Type:
int
- wired_in
bytes received via wired connection.
- Type:
int
- wired_out
bytes sent via wired connection.
- Type:
int
- wireless_wan_in
bytes received via cellular connection.
- Type:
int
- wireless_wan_out
bytes sent via cellular connection.
- Type:
int
- DATA_TYPE = 'ios:netusage:process'
- class plaso.parsers.sqlite_plugins.ios_netusage.IOSNetusageRouteEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
iOS netusage connection event data.
- bytes_in
number of bytes received.
- Type:
int
- bytes_out
number of bytes sent.
- Type:
int
- network_identifier
name of network.
- Type:
str
- network_signature
signature of network.
- Type:
str
- network_type
integer indicating network type.
- Type:
int
- start_time
date and time the network connection was established.
- Type:
dfdatetime.DateTimeValues
- DATA_TYPE = 'ios:netusage:route'
plaso.parsers.sqlite_plugins.ios_powerlog module
SQLite parser plugin for iOS powerlog database files.
- class plaso.parsers.sqlite_plugins.ios_powerlog.IOSPowerlogApplicationUsageEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
iOS powerlog file application usage event data.
- background_time
Number of seconds that the application ran in the background.
- Type:
str
- bundle_identifier
Name of the application.
- Type:
str
- screen_on_time
Number of seconds that the application ran in the foreground.
- Type:
str
- start_time
date and time of the start of the application.
- Type:
dfdatetime.DateTimeValues
- DATA_TYPE = 'ios:powerlog:application_usage'
- class plaso.parsers.sqlite_plugins.ios_powerlog.IOSPowerlogApplicationUsagePlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for iOS powerlog database files.
- DATA_FORMAT = 'iOS powerlog SQLite database (CurrentPowerlog.PLSQL) file'
- NAME = 'ios_powerlog'
- ParseApplicationRunTime(parser_mediator, query, row, **unused_kwargs)[source]
Parses an Application Run Time row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT timestamp, BackgroundTime, ScreenOnTime, BundleID FROM PLAppTimeService_Aggregate_AppRunTime', 'ParseApplicationRunTime')]
- REQUIRED_STRUCTURE = {'PLAppTimeService_Aggregate_AppRunTime': frozenset({'BackgroundTime', 'BundleID', 'ScreenOnTime', 'timestamp'})}
- REQUIRES_SCHEMA_MATCH = False
- SCHEMAS = {'PLAppTimeService_Aggregate_AppRunTime': 'CREATE TABLE PLAppTimeService_Aggregate_AppRunTime (id INTEGER PRIMARY KEY AUTOINCREMENT, timestamp REAL, timeInterval REAL, BackgroundAudioNowPlayingPluggedInTime REAL, BackgroundAudioNowPlayingTime REAL, BackgroundAudioPlayingTime REAL, BackgroundAudioPlayingTimePluggedIn REAL, BackgroundLocationAudioPluggedInTime REAL, BackgroundLocationAudioTime REAL, BackgroundLocationPluggedInTime REAL, BackgroundLocationTime REAL, BackgroundPluggedInTime REAL, BackgroundTime REAL, BundleID TEXT, ScreenOnPluggedInTime REAL, ScreenOnTime REAL)'}
plaso.parsers.sqlite_plugins.ios_screentime module
SQLite parser plugin for iOS Screen Time database files.
- class plaso.parsers.sqlite_plugins.ios_screentime.IOSScreenTimeEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
iOS Screen Time file usage event data.
- bundle_identifier
Bundle Identifier of the application.
- Type:
str
- device_identifier
GUID for the device.
- Type:
str
- device_name
Name of the device in use (when available).
- Type:
str
- domain
Domain of the website visited.
- Type:
str
- start_time
date and time of the start of the application.
- Type:
dfdatetime.DateTimeValues
- total_time
Number of seconds where the application was in the foreground.
- Type:
int
- user_family_name
Family name of the user.
- Type:
str
- user_given_name
Given name of the user.
- Type:
str
- DATA_TYPE = 'ios:screentime:event'
- class plaso.parsers.sqlite_plugins.ios_screentime.IOSScreenTimePlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for iOS Screen Time database files.
The Screen Time database is typically stored in: RMAdminStore-Local.sqlite
- DATA_FORMAT = 'iOS Screen Time SQLite database (RMAdminStore-Local.sqlite)'
- NAME = 'ios_screentime'
- ParseScreenTimeRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a Screen Time row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('\n SELECT ZUSAGETIMEDITEM.ZTOTALTIMEINSECONDS,\n ZUSAGETIMEDITEM.ZBUNDLEIDENTIFIER,\n ZUSAGETIMEDITEM.ZDOMAIN,\n ZUSAGEBLOCK.ZSTARTDATE,\n ZCOREDEVICE.ZIDENTIFIER,\n ZCOREDEVICE.ZNAME,\n ZCOREUSER.ZFAMILYNAME,\n ZCOREUSER.ZGIVENNAME\n FROM ZUSAGETIMEDITEM\n LEFT JOIN ZUSAGECATEGORY\n ON ZUSAGETIMEDITEM.ZCATEGORY = ZUSAGECATEGORY.Z_PK\n LEFT JOIN ZUSAGEBLOCK ON ZUSAGECATEGORY.ZBLOCK = ZUSAGEBLOCK.Z_PK\n LEFT JOIN ZUSAGE ON ZUSAGEBLOCK.ZUSAGE = ZUSAGE.Z_PK\n LEFT JOIN ZCOREDEVICE ON ZUSAGE.ZDEVICE = ZCOREDEVICE.Z_PK\n LEFT JOIN ZCOREUSER ON ZUSAGE.ZUSER = ZCOREUSER.Z_PK\n ', 'ParseScreenTimeRow')]
- REQUIRED_STRUCTURE = {'ZCOREDEVICE': frozenset({'ZIDENTIFIER', 'ZNAME', 'Z_PK'}), 'ZCOREUSER': frozenset({'ZFAMILYNAME', 'ZGIVENNAME', 'Z_PK'}), 'ZUSAGE': frozenset({'ZDEVICE', 'ZUSER', 'Z_PK'}), 'ZUSAGEBLOCK': frozenset({'ZSTARTDATE', 'ZUSAGE', 'Z_PK'}), 'ZUSAGECATEGORY': frozenset({'ZBLOCK', 'Z_PK'}), 'ZUSAGETIMEDITEM': frozenset({'ZBUNDLEIDENTIFIER', 'ZCATEGORY', 'ZDOMAIN', 'ZTOTALTIMEINSECONDS'})}
- REQUIRES_SCHEMA_MATCH = False
- SCHEMAS = {'ZCOREDEVICE': 'CREATE TABLE ZCOREDEVICE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZPLATFORM INTEGER, ZLOCALUSERDEVICESTATE INTEGER, ZIDENTIFIER VARCHAR, ZNAME VARCHAR )', 'ZCOREUSER': 'CREATE TABLE ZCOREUSER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDSID INTEGER, ZISFAMILYORGANIZER INTEGER, ZISPARENT INTEGER, ZPASSCODEENTRYATTEMPTCOUNT INTEGER, ZPASSCODERECOVERYATTEMPTCOUNT INTEGER, ZSUPPORTSENCRYPTION INTEGER, ZCLOUDSETTINGS INTEGER, ZFAMILYSETTINGS INTEGER, ZLOCALSETTINGS INTEGER, ZLOCALUSERDEVICESTATE INTEGER, ZPASSCODEENTRYTIMEOUTENDDATE TIMESTAMP, ZALTDSID VARCHAR, ZAPPLEID VARCHAR, ZFAMILYMEMBERTYPE VARCHAR, ZFAMILYNAME VARCHAR, ZGIVENNAME VARCHAR, ZPHONETICFAMILYNAME VARCHAR, ZPHONETICGIVENNAME VARCHAR )', 'ZUSAGE': 'CREATE TABLE ZUSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDEVICE INTEGER, ZUSER INTEGER, ZLASTEVENTDATE TIMESTAMP, ZLASTUPDATEDDATE TIMESTAMP )', 'ZUSAGEBLOCK': 'CREATE TABLE ZUSAGEBLOCK ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDURATIONINMINUTES INTEGER, ZNUMBEROFPICKUPSWITHOUTAPPLICATIONUSAGE INTEGER, ZSCREENTIMEINSECONDS INTEGER, ZUSAGE INTEGER, ZFIRSTPICKUPDATE TIMESTAMP, ZLASTEVENTDATE TIMESTAMP, ZLONGESTSESSIONENDDATE TIMESTAMP, ZLONGESTSESSIONSTARTDATE TIMESTAMP, ZSTARTDATE TIMESTAMP )', 'ZUSAGECATEGORY': 'CREATE TABLE ZUSAGECATEGORY ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZTOTALTIMEINSECONDS INTEGER, ZBLOCK INTEGER, ZIDENTIFIER VARCHAR )', 'ZUSAGETIMEDITEM': 'CREATE TABLE ZUSAGETIMEDITEM ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZTOTALTIMEINSECONDS INTEGER, ZUSAGETRUSTED INTEGER, ZCATEGORY INTEGER, ZBUNDLEIDENTIFIER VARCHAR, ZDOMAIN VARCHAR )'}
plaso.parsers.sqlite_plugins.ios_twitter module
SQLite parser plugin for Twitter on iOS 8+ database files.
- class plaso.parsers.sqlite_plugins.ios_twitter.IOSTwitterContactEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Twitter on iOS 8+ contact event data.
- creation_time
date and time the contact was created.
- Type:
dfdatetime.DateTimeValues
- description
description of the profile.
- Type:
str
- followers_count
number of accounts following the contact.
- Type:
int
- following_count
number of accounts the contact is following.
- Type:
int
- following
1 if the contact is following the user’s account, 0 if not.
- Type:
int
- location
location of the profile.
- Type:
str
- modification_time
date and time the contact was last modified.
- Type:
dfdatetime.DateTimeValues
- name
name of the profile.
- Type:
str
- profile_url
URL of the profile picture.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- screen_name
screen name.
- Type:
str
- url
URL of the profile.
- Type:
str
- DATA_TYPE = 'ios:twitter:contact'
- class plaso.parsers.sqlite_plugins.ios_twitter.IOSTwitterPlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Twitter on iOS 8+ database files.
The Twitter on iOS 8+ database file is typically stored in: /private/var/mobile/Containers/Data/Application/Library/Caches/databases/twitter.db
- DATA_FORMAT = 'Twitter on iOS 8 and later SQLite database (twitter.db) file'
- NAME = 'twitter_ios'
- ParseContactRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a contact row from the database.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row resulting from query.
- ParseStatusRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a status row from the database.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row resulting from query.
- QUERIES = [('SELECT createdDate, updatedAt, screenName, name, profileImageUrl,location, description, url, following, followersCount, followingCount FROM Users ORDER BY createdDate', 'ParseContactRow'), ('SELECT Statuses.date AS date, Statuses.text AS text, Statuses.userId AS user_id, Users.name AS name, Statuses.retweetCount AS retweetCount, Statuses.favoriteCount AS favoriteCount, Statuses.favorited AS favorited, Statuses.updatedAt AS updatedAt FROM Statuses LEFT join Users ON Statuses.userId = Users.id ORDER BY date', 'ParseStatusRow')]
- REQUIRED_STRUCTURE = {'Statuses': frozenset({'date', 'favoriteCount', 'favorited', 'retweetCount', 'text', 'updatedAt', 'userId'}), 'Users': frozenset({'createdDate', 'description', 'followersCount', 'following', 'followingCount', 'id', 'location', 'name', 'profileImageUrl', 'screenName', 'updatedAt', 'url'})}
- SCHEMAS = [{'Lists': "CREATE TABLE Lists ( 'id' INTEGER PRIMARY KEY, 'name' TEXT, 'slug' TEXT, 'desc' TEXT, 'private' INTEGER, 'subscriberCount' INTEGER, 'memberCount' INTEGER, 'userId' INTEGER, 'updatedAt' REAL )", 'ListsShadow': "CREATE TABLE ListsShadow ( 'id' INTEGER PRIMARY KEY, 'name' TEXT, 'slug' TEXT, 'desc' TEXT, 'private' INTEGER, 'subscriberCount' INTEGER, 'memberCount' INTEGER, 'userId' INTEGER, 'updatedAt' REAL )", 'MyRetweets': "CREATE TABLE MyRetweets ( 'statusId' INTEGER PRIMARY KEY, 'myRetweetId' INTEGER )", 'Statuses': "CREATE TABLE Statuses ( 'id' INTEGER PRIMARY KEY, 'text' TEXT, 'date' REAL, 'userId' INTEGER, 'inReplyToStatusId' INTEGER, 'retweetedStatusId' INTEGER, 'geotag' BLOB, 'entities' BLOB, 'card' BLOB, 'cardUsers' BLOB, 'primaryCardType' INTEGER, 'cardVersion' INTEGER, 'retweetCount' INTEGER, 'favoriteCount' INTEGER, 'favorited' INTEGER, 'updatedAt' REAL, 'extraScribeItem' BLOB, 'withheldScope' TEXT, 'withheldInCountries' TEXT, 'inReplyToUsername' TEXT, 'possiblySensitive' INTEGER, 'isPossiblySensitiveAppealable' INTEGER, 'isLifelineAlert' INTEGER, 'isTruncated' INTEGER, 'previewLength' INTEGER, 'fullTextLength' INTEGER, 'lang' TEXT, 'supplmentalLanguage' TEXT, 'includeInProfileTimeline' INTEGER, 'quotedStatusId' INTEGER, 'source' TEXT )", 'StatusesShadow': "CREATE TABLE StatusesShadow ( 'id' INTEGER PRIMARY KEY, 'text' TEXT, 'date' REAL, 'userId' INTEGER, 'inReplyToStatusId' INTEGER, 'retweetedStatusId' INTEGER, 'geotag' BLOB, 'entities' BLOB, 'card' BLOB, 'cardUsers' BLOB, 'primaryCardType' INTEGER, 'cardVersion' INTEGER, 'retweetCount' INTEGER, 'favoriteCount' INTEGER, 'favorited' INTEGER, 'updatedAt' REAL, 'extraScribeItem' BLOB, 'withheldScope' TEXT, 'withheldInCountries' TEXT, 'inReplyToUsername' TEXT, 'possiblySensitive' INTEGER, 'isPossiblySensitiveAppealable' INTEGER, 'isLifelineAlert' INTEGER, 'isTruncated' INTEGER, 'previewLength' INTEGER, 'fullTextLength' INTEGER, 'lang' TEXT, 'supplementalLanguage' TEXT, 
'includeInProfileTimeline' INTEGER, 'quotedStatusId' INTEGER, 'source' TEXT )", 'Users': "CREATE TABLE Users ( 'id' INTEGER PRIMARY KEY, 'screenName' TEXT COLLATE NOCASE, 'profileImageUrl' TEXT, 'profileBannerUrl' TEXT, 'profileLinkColorHexTriplet' INTEGER, 'name' TEXT, 'location' TEXT, 'structuredLocation' BLOB, 'description' TEXT, 'url' TEXT, 'urlEntities' BLOB, 'bioEntities' BLOB, 'protected' INTEGER, 'verified' INTEGER, 'following' INTEGER, 'deviceFollowing' INTEGER, 'advertiserAccountType' INTEGER, 'statusesCount' INTEGER, 'mediaCount' INTEGER, 'favoritesCount' INTEGER, 'followingCount' INTEGER, 'followersCount' INTEGER, 'followersCountFast' INTEGER, 'followersCountNormal' INTEGER, 'couldBeStale' INTEGER, 'isLifelineInstitution' INTEGER, 'hasCollections' INTEGER, 'updatedAt' REAL, 'createdDate' REAL, 'isTranslator' INTEGER, 'hasExtendedProfileFields' INTEGER, 'extendedProfileFields' BLOB, 'pinnedTweetId' INTEGER, 'businessProfileState' INTEGER, 'analyticsType' INTEGER )", 'UsersShadow': "CREATE TABLE UsersShadow ( 'id' INTEGER PRIMARY KEY, 'screenName' TEXT COLLATE NOCASE, 'profileImageUrl' TEXT, 'profileBannerUrl' TEXT, 'profileLinkColorHexTriplet' INTEGER, 'name' TEXT, 'location' TEXT, 'structuredLocation' BLOB, 'description' TEXT, 'url' TEXT, 'urlEntities' BLOB, 'bioEntities' BLOB, 'protected' INTEGER, 'verified' INTEGER, 'following' INTEGER, 'deviceFollowing' INTEGER, 'advertiserAccountType' INTEGER, 'statusesCount' INTEGER, 'mediaCount' INTEGER, 'favoritesCount' INTEGER, 'followingCount' INTEGER, 'followersCount' INTEGER, 'followersCountFast' INTEGER, 'followersCountNormal' INTEGER, 'couldBeStale' INTEGER, 'isLifelineInstitution' INTEGER, 'hasCollections' INTEGER, 'updatedAt' REAL, 'createdDate' REAL, 'isTranslator' INTEGER, 'hasExtendedProfileFields' INTEGER, 'extendedProfileFields' BLOB, 'pinnedTweetId' INTEGER, 'businessProfileState' INTEGER, 'analyticsType' INTEGER )"}]
- class plaso.parsers.sqlite_plugins.ios_twitter.IOSTwitterStatusEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Parent class for Twitter on iOS 8+ status events.
- creation_time
date and time the status was created.
- Type:
dfdatetime.DateTimeValues
- favorite_count
number of times the status message has been favorited.
- Type:
int
- favorited
value to mark status as favorite by the account.
- Type:
int
- modification_time
date and time the status was last modified.
- Type:
dfdatetime.DateTimeValues
- name
user’s profile name.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- retweet_count
number of times the status message has been retweeted.
- Type:
str
- text
content of the status message.
- Type:
str
- user_identifier
user identifier.
- Type:
int
- DATA_TYPE = 'ios:twitter:status'
plaso.parsers.sqlite_plugins.kodi module
SQLite parser plugin for Kodi videos database files.
- class plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for Kodi videos database files.
The Kodi videos database file is typically stored in: MyVideos.db
- DATA_FORMAT = 'Kodi videos SQLite database (MyVideos.db) file'
- NAME = 'kodi'
- ParseVideoRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a Video row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT idFile, strFilename, playCount, lastPlayed FROM files', 'ParseVideoRow')]
- REQUIRED_STRUCTURE = {'files': frozenset({'idFile', 'lastPlayed', 'playCount', 'strFilename'})}
- SCHEMAS = [{'actor': 'CREATE TABLE actor ( actor_id INTEGER PRIMARY KEY, name TEXT, art_urls TEXT )', 'actor_link': 'CREATE TABLE actor_link(actor_id INTEGER, media_id INTEGER, media_type TEXT, role TEXT, cast_order INTEGER)', 'art': 'CREATE TABLE art(art_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, type TEXT, url TEXT)', 'bookmark': 'CREATE TABLE bookmark ( idBookmark integer primary key, idFile integer, timeInSeconds double, totalTimeInSeconds double, thumbNailImage text, player text, playerState text, type integer)', 'country': 'CREATE TABLE country ( country_id integer primary key, name TEXT)', 'country_link': 'CREATE TABLE country_link (country_id integer, media_id integer, media_type TEXT)', 'director_link': 'CREATE TABLE director_link(actor_id INTEGER, media_id INTEGER, media_type TEXT)', 'episode': 'CREATE TABLE episode ( idEpisode integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 varchar(24),c13 varchar(24),c14 text,c15 text,c16 text,c17 varchar(24),c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, idShow integer, userrating integer, idSeason integer)', 'files': 'CREATE TABLE files ( idFile integer primary key, idPath integer, strFilename text, playCount integer, lastPlayed text, dateAdded text)', 'genre': 'CREATE TABLE genre ( genre_id integer primary key, name TEXT)', 'genre_link': 'CREATE TABLE genre_link (genre_id integer, media_id integer, media_type TEXT)', 'movie': 'CREATE TABLE movie ( idMovie integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, idSet integer, userrating integer, premiered text)', 'movielinktvshow': 'CREATE TABLE movielinktvshow ( idMovie integer, IdShow integer)', 'musicvideo': 'CREATE TABLE musicvideo ( idMVideo 
integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, userrating integer, premiered text)', 'path': 'CREATE TABLE path ( idPath integer primary key, strPath text, strContent text, strScraper text, strHash text, scanRecursive integer, useFolderNames bool, strSettings text, noUpdate bool, exclude bool, dateAdded text, idParentPath integer)', 'rating': 'CREATE TABLE rating (rating_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, rating_type TEXT, rating FLOAT, votes INTEGER)', 'seasons': 'CREATE TABLE seasons ( idSeason integer primary key, idShow integer, season integer, name text, userrating integer)', 'sets': 'CREATE TABLE sets ( idSet integer primary key, strSet text, strOverview text)', 'settings': 'CREATE TABLE settings ( idFile integer, Deinterlace bool,ViewMode integer,ZoomAmount float, PixelRatio float, VerticalShift float, AudioStream integer, SubtitleStream integer,SubtitleDelay float, SubtitlesOn bool, Brightness float, Contrast float, Gamma float,VolumeAmplification float, AudioDelay float, OutputToAllSpeakers bool, ResumeTime integer,Sharpness float, NoiseReduction float, NonLinStretch bool, PostProcess bool,ScalingMethod integer, DeinterlaceMode integer, StereoMode integer, StereoInvert bool, VideoStream integer)', 'stacktimes': 'CREATE TABLE stacktimes (idFile integer, times text)', 'streamdetails': 'CREATE TABLE streamdetails (idFile integer, iStreamType integer, strVideoCodec text, fVideoAspect float, iVideoWidth integer, iVideoHeight integer, strAudioCodec text, iAudioChannels integer, strAudioLanguage text, strSubtitleLanguage text, iVideoDuration integer, strStereoMode text, strVideoLanguage text)', 'studio': 'CREATE TABLE studio ( studio_id integer primary key, name TEXT)', 'studio_link': 'CREATE TABLE studio_link (studio_id integer, 
media_id integer, media_type TEXT)', 'tag': 'CREATE TABLE tag (tag_id integer primary key, name TEXT)', 'tag_link': 'CREATE TABLE tag_link (tag_id integer, media_id integer, media_type TEXT)', 'tvshow': 'CREATE TABLE tvshow ( idShow integer primary key,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, userrating integer, duration INTEGER)', 'tvshowlinkpath': 'CREATE TABLE tvshowlinkpath (idShow integer, idPath integer)', 'uniqueid': 'CREATE TABLE uniqueid (uniqueid_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, value TEXT, type TEXT)', 'version': 'CREATE TABLE version (idVersion integer, iCompressCount integer)', 'writer_link': 'CREATE TABLE writer_link(actor_id INTEGER, media_id INTEGER, media_type TEXT)'}]
- class plaso.parsers.sqlite_plugins.kodi.KodiVideoEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Kodi video event data.
- filename
video filename.
- Type:
str
- last_played_time
date and time of the last occurrence the video was played.
- Type:
dfdatetime.DateTimeValues
- play_count
number of times the video has been played.
- Type:
int
- query
SQL query that was used to obtain the event data.
- Type:
str
- DATA_TYPE = 'kodi:videos:viewing'
plaso.parsers.sqlite_plugins.ls_quarantine module
SQLite parser plugin for MacOS LS quarantine events database files.
- class plaso.parsers.sqlite_plugins.ls_quarantine.MacOSLSQuarantineEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
MacOS launch services quarantine event data.
- agent
user agent that was used to download the file.
- Type:
str
- data
data.
- Type:
bytes
- downloaded_time
date and time the file was downloaded.
- Type:
dfdatetime.DateTimeValues
- query
SQL query that was used to obtain the event data.
- Type:
str
- url
original URL of the file.
- Type:
str
- DATA_TYPE = 'macos:lsquarantine:entry'
- class plaso.parsers.sqlite_plugins.ls_quarantine.MacOSLSQuarantinePlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for MacOS LS quarantine events database files.
The MacOS launch services (LS) quarantine database file is typically stored in: /Users/<username>/Library/Preferences/QuarantineEvents.com.apple.LaunchServices
- DATA_FORMAT = 'MacOS launch services quarantine events database SQLite database file'
- NAME = 'ls_quarantine'
- ParseLSQuarantineRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a launch services quarantine event row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT LSQuarantineTimeStamp AS Time, LSQuarantineAgentName AS Agent, LSQuarantineOriginURLString AS URL, LSQuarantineDataURLString AS Data FROM LSQuarantineEvent ORDER BY Time', 'ParseLSQuarantineRow')]
- REQUIRED_STRUCTURE = {'LSQuarantineEvent': frozenset({'LSQuarantineAgentName', 'LSQuarantineDataURLString', 'LSQuarantineOriginURLString', 'LSQuarantineTimeStamp'})}
- SCHEMAS = [{'LSQuarantineEvent': 'CREATE TABLE LSQuarantineEvent ( LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL, LSQuarantineTimeStamp REAL, LSQuarantineAgentBundleIdentifier TEXT, LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT, LSQuarantineSenderName TEXT, LSQuarantineSenderAddress TEXT, LSQuarantineTypeNumber INTEGER, LSQuarantineOriginTitle TEXT, LSQuarantineOriginURLString TEXT, LSQuarantineOriginAlias BLOB )'}]
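The following added example (not plaso's own code) shows how the REQUIRED_STRUCTURE, QUERIES and SCHEMAS values listed above for ls_quarantine fit together: it checks a SQLite database for the required tables and columns, runs the listed query, and maps each row to the event data attribute names. The function names, the constructed sample rows and the reading of LSQuarantineTimeStamp as seconds since 2001-01-01 UTC are assumptions of the example; the structure check works for any REQUIRED_STRUCTURE mapping on this page.

```python
import datetime
import sqlite3

# Copied from the MacOSLSQuarantinePlugin entry on this page.
REQUIRED_STRUCTURE = {
    'LSQuarantineEvent': frozenset({
        'LSQuarantineAgentName', 'LSQuarantineDataURLString',
        'LSQuarantineOriginURLString', 'LSQuarantineTimeStamp'})}
QUERY = (
    'SELECT LSQuarantineTimeStamp AS Time, LSQuarantineAgentName AS Agent, '
    'LSQuarantineOriginURLString AS URL, LSQuarantineDataURLString AS Data '
    'FROM LSQuarantineEvent ORDER BY Time')
SCHEMA = (
    'CREATE TABLE LSQuarantineEvent ( LSQuarantineEventIdentifier TEXT '
    'PRIMARY KEY NOT NULL, LSQuarantineTimeStamp REAL, '
    'LSQuarantineAgentBundleIdentifier TEXT, LSQuarantineAgentName TEXT, '
    'LSQuarantineDataURLString TEXT, LSQuarantineSenderName TEXT, '
    'LSQuarantineSenderAddress TEXT, LSQuarantineTypeNumber INTEGER, '
    'LSQuarantineOriginTitle TEXT, LSQuarantineOriginURLString TEXT, '
    'LSQuarantineOriginAlias BLOB )')

# Assumption (not stated on this page): the REAL timestamp counts seconds
# since 2001-01-01 00:00:00 UTC (Cocoa time).
COCOA_EPOCH = datetime.datetime(2001, 1, 1, tzinfo=datetime.timezone.utc)

# Constructed sample rows:
# (identifier, timestamp, agent name, data URL, origin URL).
SAMPLE_ROWS = [
    ('A-0001', 694227600.0, 'Google Chrome',
     'https://cdn.example.com/tool.dmg', 'https://example.com/downloads'),
    ('A-0002', 694224000.0, 'Safari',
     'https://files.example.org/report.pdf', 'https://example.org/'),
    ('A-0003', None, 'Mail', None, None),  # record without a timestamp
]


def build_sample_database():
    """Creates an in-memory database with the page's schema and sample rows."""
    connection = sqlite3.connect(':memory:')
    connection.execute(SCHEMA)
    connection.executemany(
        'INSERT INTO LSQuarantineEvent (LSQuarantineEventIdentifier, '
        'LSQuarantineTimeStamp, LSQuarantineAgentName, '
        'LSQuarantineDataURLString, LSQuarantineOriginURLString) '
        'VALUES (?, ?, ?, ?, ?)', SAMPLE_ROWS)
    return connection


def missing_structure(connection, required_structure):
    """Returns {table: [missing columns]} for tables that fail the check."""
    missing = {}
    for table, columns in required_structure.items():
        # PRAGMA table_info returns no rows when the table does not exist.
        # The table name comes from the trusted constant, not from evidence.
        rows = connection.execute(f'PRAGMA table_info("{table}")').fetchall()
        if not rows:
            missing[table] = sorted(columns)
            continue
        absent = set(columns) - {row[1] for row in rows}
        if absent:
            missing[table] = sorted(absent)
    return missing


def cocoa_to_datetime(value):
    """Converts a Cocoa timestamp to an aware datetime, or None if unset."""
    if value is None:
        return None
    return COCOA_EPOCH + datetime.timedelta(seconds=value)


def parse_quarantine_events(connection):
    """Runs the page's query and returns one dict per row."""
    missing = missing_structure(connection, REQUIRED_STRUCTURE)
    if missing:
        raise ValueError(f'not an LS quarantine database, missing: {missing}')
    connection.row_factory = sqlite3.Row
    events = []
    for row in connection.execute(QUERY):
        # Keys mirror the MacOSLSQuarantineEventData attribute names.
        events.append({
            'agent': row['Agent'],
            'data': row['Data'],
            'downloaded_time': cocoa_to_datetime(row['Time']),
            'url': row['URL']})
    return events


if __name__ == '__main__':
    for event in parse_quarantine_events(build_sample_database()):
        print(event)
```

Rows with a NULL timestamp sort first under `ORDER BY Time` in SQLite, so a timeline built from this query should handle a missing `downloaded_time` rather than drop the record.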
plaso.parsers.sqlite_plugins.mackeeper_cache module
SQLite parser plugin for MacOS MacKeeper cache database files.
- class plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
MacKeeper Cache event data.
- added_time
date and time the cache entry was added.
- Type:
dfdatetime.DateTimeValues
- description
description.
- Type:
str
- event_type
event type.
- Type:
str
- offset
identifier of the row, from which the event data was extracted.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- record_id
record identifier.
- Type:
int
- room
room.
- Type:
str
- text
text.
- Type:
str
- url
URL.
- Type:
str
- user_name
user name.
- Type:
str
- user_sid
user security identifier (SID).
- Type:
str
- DATA_TYPE = 'mackeeper:cache'
- class plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for MacOS MacKeeper cache database files.
- DATA_FORMAT = 'MacOS MacKeeper cache SQLite database file'
- NAME = 'mackeeper_cache'
- ParseReceiverData(parser_mediator, query, row, **unused_kwargs)[source]
Parses a single row from the receiver and cache response table.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT d.entry_ID AS id, d.receiver_data AS data, r.request_key, r.time_stamp AS time_string FROM cfurl_cache_receiver_data d, cfurl_cache_response r WHERE r.entry_ID = d.entry_ID', 'ParseReceiverData')]
- REQUIRED_STRUCTURE = {'cfurl_cache_blob_data': frozenset({}), 'cfurl_cache_receiver_data': frozenset({'entry_ID', 'receiver_data'}), 'cfurl_cache_response': frozenset({'entry_ID', 'request_key', 'time_stamp'})}
- SCHEMAS = [{'cfurl_cache_blob_data': 'CREATE TABLE cfurl_cache_blob_data(entry_ID INTEGER PRIMARY KEY, response_object BLOB, request_object BLOB, proto_props BLOB, user_info BLOB)', 'cfurl_cache_receiver_data': 'CREATE TABLE cfurl_cache_receiver_data(entry_ID INTEGER PRIMARY KEY, receiver_data BLOB)', 'cfurl_cache_response': 'CREATE TABLE cfurl_cache_response(entry_ID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, version INTEGER, hash_value INTEGER, storage_policy INTEGER, request_key TEXT UNIQUE, time_stamp NOT NULL DEFAULT CURRENT_TIMESTAMP, partition TEXT)', 'cfurl_cache_schema_version': 'CREATE TABLE cfurl_cache_schema_version(schema_version INTEGER)'}]
plaso.parsers.sqlite_plugins.macos_appusage module
SQLite parser plugin for MacOS application usage database files.
- class plaso.parsers.sqlite_plugins.macos_appusage.MacOSApplicationUsageEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
MacOS application usage event data.
- application
name of the application.
- Type:
str
- application_version
version of the application.
- Type:
str
- bundle_identifier
bundle identifier of the application.
- Type:
str
- count
number of occurrences of the event.
- Type:
int
- event
event.
- Type:
str
- last_used_time
date and time the application was last used.
- Type:
dfdatetime.DateTimeValues
- query
SQL query that was used to obtain the event data.
- Type:
str
- DATA_TYPE = 'macos:application_usage:entry'
- class plaso.parsers.sqlite_plugins.macos_appusage.MacOSApplicationUsagePlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for MacOS application usage database files.
The MacOS application usage database is typically stored in: /var/db/application_usage.sqlite
The application usage database is a SQLite database in which crankd logs entries triggered by the NSWorkspace notifications NSWorkspaceWillLaunchApplicationNotification and NSWorkspaceDidTerminateApplicationNotification.
More information can be found here: https://github.com/google/macops/blob/master/crankd/ApplicationUsage.py
- DATA_FORMAT = 'MacOS application usage SQLite database (application_usage.sqlite) file'
- NAME = 'appusage'
- ParseApplicationUsageRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses an application usage row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- QUERIES = [('SELECT last_time, event, bundle_id, app_version, app_path, number_times FROM application_usage ORDER BY last_time', 'ParseApplicationUsageRow')]
- REQUIRED_STRUCTURE = {'application_usage': frozenset({'app_path', 'app_version', 'bundle_id', 'event', 'last_time', 'number_times'})}
- SCHEMAS = [{'application_usage': 'CREATE TABLE application_usage (event TEXT, bundle_id TEXT, app_version TEXT, app_path TEXT, last_time INTEGER DEFAULT 0, number_times INTEGER DEFAULT 0, PRIMARY KEY (event, bundle_id))'}]
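The check-then-query flow implied by REQUIRED_STRUCTURE and QUERIES above, as an added example that is not plaso's own code: it verifies a database against the required tables and columns with PRAGMA table_info before running the documented query. The sample rows are constructed, and both the reading of last_time as POSIX seconds in UTC and the mapping of columns onto the event data attribute names are assumptions.

```python
import sqlite3
from datetime import datetime, timezone

# Values copied from the MacOSApplicationUsagePlugin documentation above.
QUERY = (
    'SELECT last_time, event, bundle_id, app_version, app_path, number_times '
    'FROM application_usage ORDER BY last_time')
REQUIRED_STRUCTURE = {
    'application_usage': frozenset({
        'app_path', 'app_version', 'bundle_id', 'event', 'last_time',
        'number_times'})}
SCHEMA = (
    'CREATE TABLE application_usage (event TEXT, bundle_id TEXT, '
    'app_version TEXT, app_path TEXT, last_time INTEGER DEFAULT 0, '
    'number_times INTEGER DEFAULT 0, PRIMARY KEY (event, bundle_id))')


def missing_structure(connection, required):
    """Returns {table: missing columns} for every unmet requirement."""
    missing = {}
    for table, columns in required.items():
        # PRAGMA table_info returns no rows for a table that does not exist.
        # The table name comes from the constant above, never from the file.
        rows = connection.execute(f'PRAGMA table_info("{table}")').fetchall()
        present = {row[1] for row in rows}  # index 1 is the column name
        absent = set(columns) - present
        if not rows or absent:
            missing[table] = sorted(absent)
    return missing


def read_application_usage(connection):
    """Runs the documented query and returns one dict per row."""
    problems = missing_structure(connection, REQUIRED_STRUCTURE)
    if problems:
        raise ValueError(f'not an application usage database: {problems}')
    connection.row_factory = sqlite3.Row
    events = []
    for row in connection.execute(QUERY):
        # Assumption: last_time is seconds since the POSIX epoch, in UTC.
        last_used = datetime.fromtimestamp(row['last_time'], tz=timezone.utc)
        # Assumption: column-to-attribute mapping, inferred from the names.
        events.append({
            'last_used_time': last_used.isoformat(),
            'event': row['event'],
            'bundle_identifier': row['bundle_id'],
            'application_version': row['app_version'],
            'application': row['app_path'],
            'count': row['number_times']})
    return events


def build_sample_database():
    """Builds a constructed in-memory database using the documented schema."""
    connection = sqlite3.connect(':memory:')
    connection.execute(SCHEMA)
    connection.executemany(
        'INSERT INTO application_usage VALUES (?, ?, ?, ?, ?, ?)', [
            ('launch', 'com.example.editor', '2.1',
             '/Applications/Editor.app', 1700003600, 4),
            ('quit', 'com.example.editor', '2.1',
             '/Applications/Editor.app', 1700000000, 3)])
    return connection


if __name__ == '__main__':
    for event in read_application_usage(build_sample_database()):
        print(event)
```

On evidence, open a working copy of application_usage.sqlite read-only instead of the in-memory sample, so the check and the query cannot alter the file.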
plaso.parsers.sqlite_plugins.macos_document_versions module
SQLite parser plugin for MacOS document revision database files.
- class plaso.parsers.sqlite_plugins.macos_document_versions.MacOSDocumentVersionsEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
MacOS document revision event data.
- creation_time
date and time the version information was created.
- Type:
dfdatetime.DateTimeValues
- last_seen_time
date and time the original file was last seen (replicated).
- Type:
dfdatetime.DateTimeValues
- name
name of the original file.
- Type:
str
- path
path of the original file.
- Type:
str
- query
SQL query that was used to obtain the event data.
- Type:
str
- user_sid
identifier of the user that opened the file.
- Type:
str
- version_path
path to the version copy of the original file.
- Type:
str
- DATA_TYPE = 'macos:document_versions:file'
- class plaso.parsers.sqlite_plugins.macos_document_versions.MacOSDocumentVersionsPlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for MacOS document revision database files.
- DATA_FORMAT = 'MacOS document revisions SQLite database file'
- DocumentVersionsRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses a document versions row.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- NAME = 'mac_document_versions'
- QUERIES = [('SELECT f.file_name AS name, f.file_path AS path, f.file_last_seen AS last_time, g.generation_path AS version_path, g.generation_add_time AS version_time FROM files f, generations g WHERE f.file_storage_id = g.generation_storage_id;', 'DocumentVersionsRow')]
- REQUIRED_STRUCTURE = {'files': frozenset({'file_last_seen', 'file_name', 'file_path', 'file_storage_id'}), 'generations': frozenset({'generation_add_time', 'generation_path', 'generation_storage_id'})}
- ROOT_VERSION_PATH = '/.DocumentRevisions-V100/'
- SCHEMAS = [{'files': 'CREATE TABLE files (file_row_id INTEGER PRIMARY KEY ASC, file_name TEXT, file_parent_id INTEGER, file_path TEXT, file_inode INTEGER, file_last_seen INTEGER NOT NULL DEFAULT 0, file_status INTEGER NOT NULL DEFAULT 1, file_storage_id INTEGER NOT NULL)', 'generations': 'CREATE TABLE generations (generation_id INTEGER PRIMARY KEY ASC, generation_storage_id INTEGER NOT NULL, generation_name TEXT NOT NULL, generation_client_id TEXT NOT NULL, generation_path TEXT UNIQUE, generation_options INTEGER NOT NULL DEFAULT 1, generation_status INTEGER NOT NULL DEFAULT 1, generation_add_time INTEGER NOT NULL DEFAULT 0, generation_size INTEGER NOT NULL DEFAULT 0, generation_prunable INTEGER NOT NULL DEFAULT 0)', 'storage': 'CREATE TABLE storage (storage_id INTEGER PRIMARY KEY ASC AUTOINCREMENT, storage_options INTEGER NOT NULL DEFAULT 1, storage_status INTEGER NOT NULL DEFAULT 1)'}]
plaso.parsers.sqlite_plugins.macos_knowledgec module
SQLite parser plugin for MacOS Duet/KnowledgeC database files.
- class plaso.parsers.sqlite_plugins.macos_knowledgec.MacOSKnowledgeCApplicationEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
KnowledgeC application execution event data.
- bundle_identifier
bundle identifier of the application.
- Type:
str
- creation_time
creation date and time of the KnowledgeC record.
- Type:
dfdatetime.DateTimeValues
- duration
duration of the activity.
- Type:
int
- end_time
date and time the activity ended.
- Type:
dfdatetime.DateTimeValues
- start_time
date and time the activity started.
- Type:
dfdatetime.DateTimeValues
- DATA_TYPE = 'macos:knowledgec:application'
- class plaso.parsers.sqlite_plugins.macos_knowledgec.MacOSKnowledgeCPlugin[source]
Bases:
SQLitePlugin
SQLite parser plugin for MacOS Duet/KnowledgeC database files.
- DATA_FORMAT = 'MacOS Duet/KnowledgeC SQLites database file'
- KnowledgeCRow(parser_mediator, query, row, **unused_kwargs)[source]
Parses KnowledgeC application activity.
- Parameters:
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
query (str) – query that created the row.
row (sqlite3.Row) – row.
- NAME = 'mac_knowledgec'
- QUERIES = [('\n SELECT\n ZOBJECT.ZCREATIONDATE AS "entry_creation", \n ZOBJECT.ZSTARTDATE AS "start", \n ZOBJECT.ZENDDATE AS "end",\n ZOBJECT.ZSTREAMNAME AS "action",\n ZOBJECT.ZVALUESTRING AS "zvaluestring",\n ZSTRUCTUREDMETADATA.Z_DKSAFARIHISTORYMETADATAKEY__TITLE AS "title"\n FROM ZOBJECT\n LEFT JOIN ZSTRUCTUREDMETADATA \n ON ZOBJECT.ZSTRUCTUREDMETADATA = ZSTRUCTUREDMETADATA.Z_PK\n ', 'KnowledgeCRow')]
- REQUIRED_STRUCTURE = {'ZOBJECT': frozenset({'ZCREATIONDATE', 'ZENDDATE', 'ZSTARTDATE', 'ZSTREAMNAME', 'ZVALUESTRING'}), 'ZSTRUCTUREDMETADATA': frozenset({'Z_DKSAFARIHISTORYMETADATAKEY__TITLE'})}
- SCHEMAS = [{'ACHANGE': 'CREATE TABLE ACHANGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCHANGETYPE INTEGER, ZENTITY INTEGER, ZENTITYPK INTEGER, ZTRANSACTIONID INTEGER, ZCOLUMNS BLOB, ZTOMBSTONE0 BLOB, ZTOMBSTONE1 BLOB, ZTOMBSTONE2 BLOB )', 'ATRANSACTION': 'CREATE TABLE ATRANSACTION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZTIMESTAMP FLOAT, ZAUTHOR VARCHAR, ZBUNDLEID VARCHAR, ZCONTEXTNAME VARCHAR, ZPROCESSID VARCHAR, ZQUERYGEN BLOB )', 'ZADDITIONCHANGESET': 'CREATE TABLE ZADDITIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZCONTEXTUALCHANGEREGISTRATION': 'CREATE TABLE ZCONTEXTUALCHANGEREGISTRATION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCREATIONDATE TIMESTAMP, ZIDENTIFIER VARCHAR, ZPROPERTIES BLOB )', 'ZCONTEXTUALKEYPATH': 'CREATE TABLE ZCONTEXTUALKEYPATH ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDEVICEID INTEGER, ZISEPHEMERAL INTEGER, ZISUSERCENTRIC INTEGER, ZCREATIONDATE TIMESTAMP, ZLASTMODIFIEDDATE TIMESTAMP, ZKEY VARCHAR, ZVALUE BLOB )', 'ZCUSTOMMETADATA': 'CREATE TABLE ZCUSTOMMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, ZOBJECT INTEGER, Z8_OBJECT INTEGER, ZDATEVALUE TIMESTAMP, ZDOUBLEVALUE FLOAT, ZNAME VARCHAR, ZSTRINGVALUE VARCHAR, ZVALUEHASH VARCHAR, ZBINARYVALUE BLOB )', 'ZDELETIONCHANGESET': 'CREATE TABLE ZDELETIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZHISTOGRAM': 'CREATE TABLE ZHISTOGRAM ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSTREAMTYPECODE INTEGER, ZENDDATE 
TIMESTAMP, ZSTARTDATE TIMESTAMP, ZDEVICEIDENTIFIER VARCHAR, ZIDENTIFIER VARCHAR, ZSTREAMNAME VARCHAR )', 'ZHISTOGRAMVALUE': 'CREATE TABLE ZHISTOGRAMVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCOUNT INTEGER, ZINTEGERVALUE INTEGER, ZHISTOGRAM INTEGER, ZSTRINGVALUE VARCHAR )', 'ZOBJECT': 'CREATE TABLE ZOBJECT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUUIDHASH INTEGER, ZEVENT INTEGER, ZSOURCE INTEGER, ZCATEGORYTYPE INTEGER, ZINTEGERVALUE INTEGER, ZENDDAYOFWEEK INTEGER, ZENDSECONDOFDAY INTEGER, ZHASCUSTOMMETADATA INTEGER, ZHASSTRUCTUREDMETADATA INTEGER, ZSECONDSFROMGMT INTEGER, ZSHOULDSYNC INTEGER, ZSTARTDAYOFWEEK INTEGER, ZSTARTSECONDOFDAY INTEGER, ZVALUECLASS INTEGER, ZVALUEINTEGER INTEGER, ZVALUETYPECODE INTEGER, ZSTRUCTUREDMETADATA INTEGER, ZVALUE INTEGER, Z8_VALUE INTEGER, ZIDENTIFIERTYPE INTEGER, ZQUANTITYTYPE INTEGER, ZOBJECT INTEGER, Z8_OBJECT INTEGER, ZSUBJECT INTEGER, Z8_SUBJECT INTEGER, ZCREATIONDATE TIMESTAMP, ZCONFIDENCE FLOAT, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZVALUEDOUBLE FLOAT, ZDOUBLEVALUE FLOAT, ZUUID VARCHAR, ZSTREAMNAME VARCHAR, ZVALUESTRING VARCHAR, ZSTRING VARCHAR, ZVERBPHRASE VARCHAR, ZMETADATA BLOB )', 'ZSOURCE': 'CREATE TABLE ZSOURCE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUSERID INTEGER, ZBUNDLEID VARCHAR, ZDEVICEID VARCHAR, ZGROUPID VARCHAR, ZITEMID VARCHAR, ZSOURCEID VARCHAR )', 'ZSTRUCTUREDMETADATA': 'CREATE TABLE ZSTRUCTUREDMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, Z_CDPORTRAITMETADATAKEY__ALGORITHM INTEGER, Z_CDPORTRAITMETADATAKEY__ASSETVERSION INTEGER, Z_DKAPPINSTALLMETADATAKEY__ISINSTALL INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISPUBLICLYINDEXABLE INTEGER, Z_DKAPPLICATIONMETADATAKEY__PROCESSIDENTIFIER INTEGER, Z_DKAUDIOMETADATAKEY__ROUTECHANGEREASON INTEGER, Z_DKBLUETOOTHMETADATAKEY__DEVICETYPE INTEGER, Z_DKBULLETINBOARDMETADATAKEY__HASDATE INTEGER, Z_DKGLANCELAUNCHMETADATA__DEVICEIDENTIFIER INTEGER, Z_DKINTENTMETADATAKEY__DONATEDBYSIRI INTEGER, 
Z_DKINTENTMETADATAKEY__INTENTHANDLINGSTATUS INTEGER, Z_DKNOWPLAYINGMETADATAKEY__IDENTIFIER INTEGER, Z_DKNOWPLAYINGMETADATAKEY__PLAYING INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__INTERACTIONTYPE INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__SUGGESTIONTYPE INTEGER, Z_DKSUNRISESUNSETMETADATAKEY__ISDAYLIGHT INTEGER, Z_QPMETRICSMETADATAKEY__QUERYENGAGED INTEGER, Z_QPMETRICSMETADATAKEY__RESULTENGAGED INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_DATE INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_ENDDATE INTEGER, Z_CDPORTRAITMETADATAKEY__DECAYRATE FLOAT, Z_CDPORTRAITMETADATAKEY__SCORE FLOAT, Z_DKAPPLICATIONACTIVITYMETADATAKEY__EXPIRATIONDATE TIMESTAMP, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LONGITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LONGITUDE FLOAT, Z_DKNOWPLAYINGMETADATAKEY__DURATION FLOAT, Z_DKNOWPLAYINGMETADATAKEY__ELAPSED FLOAT, Z_DKPERIODMETADATAKEY__PERIODEND TIMESTAMP, Z_DKPERIODMETADATAKEY__PERIODSTART TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__CURRENTSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__CURRENTSUNSET TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__NEXTSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__NEXTSUNSET TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__PREVIOUSSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__PREVIOUSSUNSET TIMESTAMP, Z_QPMETRICSMETADATAKEY__TIMESTAMP FLOAT, Z_CDENTITYMETADATAKEY__BESTLANGUAGE VARCHAR, Z_CDENTITYMETADATAKEY__NAME VARCHAR, Z_CDPORTRAITMETADATAKEY__OSBUILD VARCHAR, Z_DKAPPINSTALLMETADATAKEY__PRIMARYCATEGORY VARCHAR, Z_DKAPPINSTALLMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ACTIVITYTYPE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDUNIQUEIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYREQUIREDSTRING VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYUUID VARCHAR, 
Z_DKAPPLICATIONMETADATAKEY__BACKBOARDSTATE VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONCONTAININGBUNDLEIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONHOSTIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__LAUNCHREASON VARCHAR, Z_DKAUDIOMETADATAKEY__CHANNELS VARCHAR, Z_DKAUDIOMETADATAKEY__DATASOURCES VARCHAR, Z_DKAUDIOMETADATAKEY__IDENTIFIER VARCHAR, Z_DKAUDIOMETADATAKEY__PORTNAME VARCHAR, Z_DKAUDIOMETADATAKEY__PORTTYPE VARCHAR, Z_DKAUDIOMETADATAKEY__PREFERREDDATASOURCE VARCHAR, Z_DKAUDIOMETADATAKEY__SELECTEDDATASOURCE VARCHAR, Z_DKBATTERYSAVERMETADATAKEY__SOURCE VARCHAR, Z_DKBLUETOOTHMETADATAKEY__ADDRESS VARCHAR, Z_DKBLUETOOTHMETADATAKEY__NAME VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__FEED VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__MESSAGE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__SUBTITLE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__TITLE VARCHAR, Z_DKCALENDARMETADATAKEY__INTERACTION VARCHAR, Z_DKCALLMETADATAKEY__INTERACTION VARCHAR, Z_DKDEVICEIDMETADATAKEY__DEVICEIDENTIFIER VARCHAR, Z_DKINTENTMETADATAKEY__INTENTCLASS VARCHAR, Z_DKINTENTMETADATAKEY__INTENTVERB VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__URL VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__CITY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__COUNTRY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__DISPLAYNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__FULLYFORMATTEDADDRESS VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LOCATIONNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__POSTALCODE_V2 VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__STATEORPROVINCE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__SUBTHOROUGHFARE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__THOROUGHFARE VARCHAR, Z_DKLOCATIONMETADATAKEY__IDENTIFIER VARCHAR, Z_DKMETADATAHOMEAPPVIEW__HOMEUUID VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWINFORMATION VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWNAME VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWUUID VARCHAR, 
Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CHARACTERISTICTYPE VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICENAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICETYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETTYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__SCENENAME VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__LOCATIONDISTRIBUTION VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__MICROLOCATIONDISTRIBUTION VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ALBUM VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ARTIST VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__GENRE VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__TITLE VARCHAR, Z_DKSAFARIHISTORYMETADATAKEY__TITLE VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CLIENT VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CONTACTID VARCHAR, Z_QPMETRICSMETADATAKEY__QUERY VARCHAR, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_EXTERNALID VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTIDENTIFIERKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTLAUNCHKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONPERSISTENTPREDICATESTRINGKEY VARCHAR, ZMETADATAHASH VARCHAR UNIQUE, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDCONTENTURL VARCHAR, Z_DKAPPINSTALLMETADATAKEY__SUBCATEGORIES BLOB, Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION BLOB, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__PHONENUMBERS BLOB, Z_QPMETRICSMETADATAKEY__CANDIDATELIST BLOB, Z_QPMETRICSMETADATAKEY__QUERYLIST BLOB )', 'Z_4EVENT': 'CREATE TABLE Z_4EVENT ( Z_4CUSTOMMETADATA INTEGER, Z_10EVENT INTEGER, PRIMARY KEY (Z_4CUSTOMMETADATA, Z_10EVENT) )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)', 'Z_MODELCACHE': 'CREATE 
TABLE Z_MODELCACHE (Z_CONTENT BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'}, {'ZADDITIONCHANGESET': 'CREATE TABLE ZADDITIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZCONTEXTUALCHANGEREGISTRATION': 'CREATE TABLE ZCONTEXTUALCHANGEREGISTRATION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCREATIONDATE TIMESTAMP, ZIDENTIFIER VARCHAR, ZPROPERTIES BLOB )', 'ZCONTEXTUALKEYPATH': 'CREATE TABLE ZCONTEXTUALKEYPATH ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDEVICEID INTEGER, ZISEPHEMERAL INTEGER, ZISUSERCENTRIC INTEGER, ZCREATIONDATE TIMESTAMP, ZLASTMODIFIEDDATE TIMESTAMP, ZKEY VARCHAR, ZVALUE BLOB )', 'ZCUSTOMMETADATA': 'CREATE TABLE ZCUSTOMMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, ZOBJECT INTEGER, Z9_OBJECT INTEGER, ZDATEVALUE TIMESTAMP, ZDOUBLEVALUE FLOAT, ZNAME VARCHAR, ZSTRINGVALUE VARCHAR, ZVALUEHASH VARCHAR, ZBINARYVALUE BLOB )', 'ZDELETIONCHANGESET': 'CREATE TABLE ZDELETIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZHISTOGRAM': 'CREATE TABLE ZHISTOGRAM ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSTREAMTYPECODE INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCUSTOMIDENTIFIER VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZIDENTIFIER VARCHAR, ZSTREAMNAME VARCHAR )', 'ZHISTOGRAMVALUE': 'CREATE TABLE ZHISTOGRAMVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, ZHISTOGRAM INTEGER, ZCOUNT FLOAT, ZSTRINGVALUE VARCHAR )', 
'ZKEYVALUE': 'CREATE TABLE ZKEYVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDOMAIN VARCHAR, ZKEY VARCHAR, ZVALUE BLOB )', 'ZOBJECT': 'CREATE TABLE ZOBJECT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUUIDHASH INTEGER, ZEVENT INTEGER, ZSOURCE INTEGER, ZCATEGORYTYPE INTEGER, ZINTEGERVALUE INTEGER, ZENDDAYOFWEEK INTEGER, ZENDSECONDOFDAY INTEGER, ZHASCUSTOMMETADATA INTEGER, ZHASSTRUCTUREDMETADATA INTEGER, ZSECONDSFROMGMT INTEGER, ZSHOULDSYNC INTEGER, ZSTARTDAYOFWEEK INTEGER, ZSTARTSECONDOFDAY INTEGER, ZVALUECLASS INTEGER, ZVALUEINTEGER INTEGER, ZVALUETYPECODE INTEGER, ZSTRUCTUREDMETADATA INTEGER, ZVALUE INTEGER, Z9_VALUE INTEGER, ZIDENTIFIERTYPE INTEGER, ZQUANTITYTYPE INTEGER, ZOBJECT INTEGER, Z9_OBJECT INTEGER, ZSUBJECT INTEGER, Z9_SUBJECT INTEGER, ZCREATIONDATE TIMESTAMP, ZLOCALCREATIONDATE TIMESTAMP, ZCONFIDENCE FLOAT, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZVALUEDOUBLE FLOAT, ZDOUBLEVALUE FLOAT, ZUUID VARCHAR, ZSTREAMNAME VARCHAR, ZVALUESTRING VARCHAR, ZSTRING VARCHAR, ZVERBPHRASE VARCHAR, ZMETADATA BLOB )', 'ZSOURCE': 'CREATE TABLE ZSOURCE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUSERID INTEGER, ZBUNDLEID VARCHAR, ZDEVICEID VARCHAR, ZGROUPID VARCHAR, ZITEMID VARCHAR, ZSOURCEID VARCHAR )', 'ZSTRUCTUREDMETADATA': 'CREATE TABLE ZSTRUCTUREDMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, Z_CDPORTRAITMETADATAKEY__ALGORITHM INTEGER, Z_CDPORTRAITMETADATAKEY__ASSETVERSION INTEGER, Z_DKAPPINSTALLMETADATAKEY__ISINSTALL INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISELIGIBLEFORPREDICTION INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISPUBLICLYINDEXABLE INTEGER, Z_DKAPPLICATIONMETADATAKEY__PROCESSIDENTIFIER INTEGER, Z_DKAUDIOMETADATAKEY__ROUTECHANGEREASON INTEGER, Z_DKBLUETOOTHMETADATAKEY__DEVICETYPE INTEGER, Z_DKBULLETINBOARDMETADATAKEY__HASDATE INTEGER, Z_DKDIGITALHEALTHMETADATAKEY__USAGETYPE INTEGER, Z_DKGLANCELAUNCHMETADATA__DEVICEIDENTIFIER INTEGER, Z_DKINTENTMETADATAKEY__DONATEDBYSIRI INTEGER, 
Z_DKINTENTMETADATAKEY__INTENTHANDLINGSTATUS INTEGER, Z_DKINTENTMETADATAKEY__INTENTTYPE INTEGER, Z_DKNOWPLAYINGMETADATAKEY__IDENTIFIER INTEGER, Z_DKNOWPLAYINGMETADATAKEY__PLAYING INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__INTERACTIONTYPE INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__SUGGESTIONTYPE INTEGER, Z_QPMETRICSMETADATAKEY__QUERYENGAGED INTEGER, Z_QPMETRICSMETADATAKEY__RESULTENGAGED INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_DATE INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_ENDDATE INTEGER, Z_CDPORTRAITMETADATAKEY__DECAYRATE FLOAT, Z_CDPORTRAITMETADATAKEY__SCORE FLOAT, Z_DKAPPLICATIONACTIVITYMETADATAKEY__EXPIRATIONDATE TIMESTAMP, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LONGITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LONGITUDE FLOAT, Z_DKNOWPLAYINGMETADATAKEY__DURATION FLOAT, Z_DKNOWPLAYINGMETADATAKEY__ELAPSED FLOAT, Z_DKPERIODMETADATAKEY__PERIODEND TIMESTAMP, Z_DKPERIODMETADATAKEY__PERIODSTART TIMESTAMP, Z_QPMETRICSMETADATAKEY__TIMESTAMP FLOAT, Z_CDENTITYMETADATAKEY__BESTLANGUAGE VARCHAR, Z_CDENTITYMETADATAKEY__NAME VARCHAR, Z_CDPORTRAITMETADATAKEY__OSBUILD VARCHAR, Z_DKAPPINSTALLMETADATAKEY__PRIMARYCATEGORY VARCHAR, Z_DKAPPINSTALLMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ACTIVITYTYPE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__CONTENTDESCRIPTION VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDUNIQUEIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__SUGGESTEDINVOCATIONPHRASE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYREQUIREDSTRING VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYUUID VARCHAR, Z_DKAPPLICATIONMETADATAKEY__BACKBOARDSTATE VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONCONTAININGBUNDLEIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONHOSTIDENTIFIER VARCHAR, 
Z_DKAPPLICATIONMETADATAKEY__LAUNCHREASON VARCHAR, Z_DKAUDIOMETADATAKEY__CHANNELS VARCHAR, Z_DKAUDIOMETADATAKEY__DATASOURCES VARCHAR, Z_DKAUDIOMETA