Beispiel #1
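    def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
        """Extracts relevant Mac OS X update entries.

        Produces one event for the last full update and, when updates are
        pending, one event for the last partial update. All values are read
        from the parsed plist, so a missing key is treated as absent data.

        Args:
          parser_mediator: A parser mediator object (instance of ParserMediator).
          match: Optional dictionary containing keys extracted from PLIST_KEYS.
        """
        # match defaults to None; without this guard the .get() calls below
        # raise AttributeError. An empty dictionary produces no events either.
        if not match:
            return

        root = u'/'
        key = u''
        version = match.get(u'LastAttemptSystemVersion', u'N/A')
        pending = match.get(u'LastUpdatesAvailable', None)

        full_update_date = match.get(u'LastFullSuccessfulDate', None)
        if full_update_date:
            description = u'Last Mac OS X {0:s} full update.'.format(version)
            event_object = plist_event.PlistEvent(
                root, key, full_update_date, description)
            parser_mediator.ProduceEvent(event_object)

        if pending and u'LastSuccessfulDate' in match:
            software = [
                u'{0:s}({1:s})'.format(
                    update.get(u'Identifier', u'<IDENTIFIER>'),
                    update.get(u'Product Key', u'<PRODUCT_KEY>'))
                for update in match.get(u'RecommendedUpdates', [])]
            # A partial-update event is only meaningful when the pending
            # updates can be named.
            if not software:
                return

            description = (
                u'Last Mac OS {0!s} partially update, pending {1!s}: {2:s}.'
            ).format(version, pending, u','.join(software))
            event_object = plist_event.PlistEvent(
                root, key, match[u'LastSuccessfulDate'], description)
            parser_mediator.ProduceEvent(event_object)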
Beispiel #2
  def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces one event per TimeMachine snapshot date.

    match is used without a None check, so despite the default value the
    caller has to pass a dictionary.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      match: Optional dictionary containing keys extracted from PLIST_KEYS.
    """
    if u'Destinations' not in match:
      return

    root = u'/Destinations'
    key = u'item/SnapshotDates'

    # One iteration per TimeMachine destination device.
    for destination in match[u'Destinations']:
      device_id = destination.get(u'DestinationID', None) or u'Unknown device'

      backup_alias = destination.get(u'BackupAlias', u'<ALIAS>')
      try:
        backup_alias = self.TM_BACKUP_ALIAS.parse(backup_alias).value
      except construct.FieldError:
        # The alias value did not parse; fall back to a fixed label.
        # NOTE(review): only FieldError is handled here; confirm no other
        # construct error can be raised for a malformed alias.
        backup_alias = u'Unknown alias'

      # One event per recorded snapshot of this destination.
      for snapshot_date in destination.get(u'SnapshotDates', []):
        description = u'TimeMachine Backup in {0:s} ({1:s})'.format(
            backup_alias, device_id)
        parser_mediator.ProduceEvent(
            plist_event.PlistEvent(root, key, snapshot_date, description))
Beispiel #3
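    def GetEntries(self, parser_mediator, top_level=None, **unused_kwargs):
        """Extracts relevant install history entries.

        top_level is iterated as a sequence of dictionaries; an entry yields
        an event only when it lists at least one package and has a date.

        Args:
          parser_mediator (ParserMediator): mediates interactions between parsers
              and other components, such as storage and dfvfs.
          top_level: Optional plist in dictionary form.
        """
        # top_level defaults to None; iterating it directly raises TypeError,
        # so a missing plist is treated as having no entries.
        for entry in top_level or []:
            # "or []" also covers a key that is present but holds None.
            packages = list(entry.get(u'packageIdentifiers', None) or [])

            if not packages or u'date' not in entry:
                continue

            description = (
                u'Installation of [{0:s} {1:s}] using [{2:s}]. '
                u'Packages: {3:s}.').format(
                    entry.get(u'displayName', u'<UNKNOWN>'),
                    entry.get(u'displayVersion', u'<DISPLAY_VERSION>'),
                    entry.get(u'processName', u'<PROCESS_NAME>'),
                    u', '.join(packages))
            event_object = plist_event.PlistEvent(
                u'/item', u'', entry.get(u'date'), description)
            parser_mediator.ProduceEvent(event_object)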
Beispiel #4
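    def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
        """Extracts relevant BT entries.

        For every device in DeviceCache this produces an event for a paired
        device that has LastInquiryUpdate, plus one event for each non-empty
        LastInquiryUpdate, LastNameUpdate and LastServicesUpdate value.

        Args:
          parser_mediator: A parser mediator object (instance of ParserMediator).
          match: Optional dictionary containing extracted keys from PLIST_KEYS.
        """
        # match defaults to None; the membership test needs a container.
        if not match or u'DeviceCache' not in match:
            return

        root = u'/DeviceCache'
        paired_devices = match.get(u'PairedDevices', [])

        # items() rather than iteritems(): the latter exists only on Python 2
        # dictionaries and raises AttributeError on Python 3.
        for device, value in match[u'DeviceCache'].items():
            name = value.get(u'Name', u'')
            if name:
                name = u''.join((u'Name:', name))

            if device in paired_devices:
                desc = u'Paired:True {0:s}'.format(name)
                key = device
                if u'LastInquiryUpdate' in value:
                    event_object = plist_event.PlistEvent(
                        root, key, value[u'LastInquiryUpdate'], desc)
                    parser_mediator.ProduceEvent(event_object)

            # filter(None, ...) drops the name when it is empty, so the
            # description carries no trailing space.
            if value.get(u'LastInquiryUpdate', None):
                desc = u' '.join(filter(None, (u'Bluetooth Discovery', name)))
                key = u''.join((device, u'/LastInquiryUpdate'))
                event_object = plist_event.PlistEvent(
                    root, key, value[u'LastInquiryUpdate'], desc)
                parser_mediator.ProduceEvent(event_object)

            if value.get(u'LastNameUpdate', None):
                desc = u' '.join(filter(None, (u'Device Name Set', name)))
                key = u''.join((device, u'/LastNameUpdate'))
                event_object = plist_event.PlistEvent(
                    root, key, value[u'LastNameUpdate'], desc)
                parser_mediator.ProduceEvent(event_object)

            if value.get(u'LastServicesUpdate', None):
                desc = u' '.join(filter(None, (u'Services Updated', name)))
                key = u''.join((device, u'/LastServicesUpdate'))
                event_object = plist_event.PlistEvent(
                    root, key, value[u'LastServicesUpdate'], desc)
                parser_mediator.ProduceEvent(event_object)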
Beispiel #5
  def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces Bluetooth device events from the DeviceCache plist key.

    match is used without a None check, so despite the default value the
    caller has to pass a dictionary.

    Args:
      parser_mediator (ParserMediator): mediates interactions between parsers
          and other components, such as storage and dfvfs.
      match (Optional[dict[str: object]]): keys extracted from PLIST_KEYS.
    """
    if u'DeviceCache' not in match:
      return

    root = u'/DeviceCache'

    # (plist key, description prefix) pairs, in the order events are produced.
    timestamp_labels = (
        (u'LastInquiryUpdate', u'Bluetooth Discovery'),
        (u'LastNameUpdate', u'Device Name Set'),
        (u'LastServicesUpdate', u'Services Updated'))

    for device, value in match[u'DeviceCache'].items():
      name = value.get(u'Name', u'')
      if name:
        name = u'Name:' + name

      if device in match.get(u'PairedDevices', []):
        paired_desc = u'Paired:True {0:s}'.format(name)
        # A paired device is reported only when it has an inquiry timestamp.
        if u'LastInquiryUpdate' in value:
          parser_mediator.ProduceEvent(plist_event.PlistEvent(
              root, device, value[u'LastInquiryUpdate'], paired_desc))

      for plist_key, label in timestamp_labels:
        if not value.get(plist_key, None):
          continue
        # An empty name is filtered out so no trailing space is added.
        desc = u' '.join(filter(None, (label, name)))
        key = u''.join((device, u'/', plist_key))
        parser_mediator.ProduceEvent(
            plist_event.PlistEvent(root, key, value[plist_key], desc))
Beispiel #6
    def GetEntries(self, parser_mediator, top_level=None, **unused_kwargs):
        """Produces an event for every datetime value found in a plist.

        Args:
          parser_mediator: A parser mediator object (instance of ParserMediator).
          top_level: Plist in dictionary form.
        """
        for root, key, value in interface.RecurseKey(top_level):
            # Only datetime values become events; everything else is skipped.
            if not isinstance(value, datetime.datetime):
                continue
            parser_mediator.ProduceEvent(
                plist_event.PlistEvent(root, key, value))
Beispiel #7
    def GetEntries(self, parser_mediator, top_level=None, **unused_kwargs):
        """Extracts the date values from a plist and produces events for them.

        Args:
          parser_mediator (ParserMediator): mediates interactions between parsers
              and other components, such as storage and dfvfs.
          top_level: Plist in dictionary form.
        """
        # Lazily select the (root, key, value) triples whose value is a
        # datetime; the generator keeps traversal and event production
        # interleaved.
        dated_entries = (
            (root, key, value)
            for root, key, value in interface.RecurseKey(top_level)
            if isinstance(value, datetime.datetime))

        for root, key, value in dated_entries:
            event_object = plist_event.PlistEvent(root, key, value)
            parser_mediator.ProduceEvent(event_object)
Beispiel #8
    def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
        """Produces events for the dated fields of each Apple account.

        match is used without a None check, so despite the default value the
        caller has to pass a dictionary.

        Args:
          parser_mediator (ParserMediator): mediates interactions between parsers
              and other components, such as storage and dfvfs.
          match (Optional[dict[str: object]]): keys extracted from PLIST_KEYS.
        """
        if u'Accounts' not in match:
            return

        root = u'/Accounts'

        # (plist key, description template) pairs, in the order events are
        # produced for one account.
        dated_fields = (
            (u'CreationDate', u'Configured Apple account {0:s}'),
            (u'LastSuccessfulConnect', u'Connected Apple account {0:s}'),
            (u'ValidationDate', u'Last validation Apple account {0:s}'))

        for name_account, account in match[u'Accounts'].items():
            general_description = u'{0:s} ({1:s} {2:s})'.format(
                name_account,
                account.get(u'FirstName', u'<FirstName>'),
                account.get(u'LastName', u'<LastName>'))

            for date_key, template in dated_fields:
                if date_key not in account:
                    continue
                # The account name serves as the event key.
                parser_mediator.ProduceEvent(plist_event.PlistEvent(
                    root, name_account, account[date_key],
                    template.format(general_description)))
Beispiel #9
    def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
        """Extracts creation, connection and validation events per account.

        match is used without a None check, so despite the default value the
        caller has to pass a dictionary.

        Args:
          parser_mediator: A parser mediator object (instance of ParserMediator).
          match: Optional dictionary containing keys extracted from PLIST_KEYS.
        """
        if u'Accounts' not in match:
            return

        root = u'/Accounts'
        accounts = match[u'Accounts']

        for name_account in accounts:
            account = accounts[name_account]
            first_name = account.get(u'FirstName', u'<FirstName>')
            last_name = account.get(u'LastName', u'<LastName>')
            general_description = u'{0:s} ({1:s} {2:s})'.format(
                name_account, first_name, last_name)

            # Each dated field that is present yields its own event, keyed
            # by the account name.
            if u'CreationDate' in account:
                parser_mediator.ProduceEvent(plist_event.PlistEvent(
                    root, name_account, account[u'CreationDate'],
                    u'Configured Apple account {0:s}'.format(
                        general_description)))

            if u'LastSuccessfulConnect' in account:
                parser_mediator.ProduceEvent(plist_event.PlistEvent(
                    root, name_account, account[u'LastSuccessfulConnect'],
                    u'Connected Apple account {0:s}'.format(
                        general_description)))

            if u'ValidationDate' in account:
                parser_mediator.ProduceEvent(plist_event.PlistEvent(
                    root, name_account, account[u'ValidationDate'],
                    u'Last validation Apple account {0:s}'.format(
                        general_description)))
Beispiel #10
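  def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Extracts relevant VolumeConfiguration Spotlight entries.

    Produces one event per volume under the Stores key. The values are read
    from the parsed plist, so a volume lacking CreationDate is skipped rather
    than raising KeyError and ending extraction for the remaining volumes.

    Args:
      parser_mediator (ParserMediator): mediates interactions between parsers
          and other components, such as storage and dfvfs.
      match (Optional[dict[str: object]]): keys extracted from PLIST_KEYS.
    """
    # match defaults to None and Stores may be absent; both mean no volumes.
    stores = (match or {}).get(u'Stores', None) or {}

    for volume_name, volume in stores.items():
      if u'CreationDate' not in volume:
        # No timestamp to anchor an event on.
        continue

      # The placeholder follows the <NAME> convention other plist plugins
      # use for missing values.
      description = u'Spotlight Volume {0:s} ({1:s}) activated.'.format(
          volume_name, volume.get(u'PartialPath', u'<PARTIAL_PATH>'))
      event_object = plist_event.PlistEvent(
          u'/Stores', u'', volume[u'CreationDate'], description)
      parser_mediator.ProduceEvent(event_object)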
Beispiel #11
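    def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
        """Extracts relevant VolumeConfiguration Spotlight entries.

        Produces one event per volume under the Stores key. A volume without
        CreationDate is skipped instead of raising KeyError, so one incomplete
        record does not stop extraction for the other volumes.

        Args:
          parser_mediator: A parser mediator object (instance of ParserMediator).
          match: Optional dictionary containing keys extracted from PLIST_KEYS.
        """
        # match defaults to None and Stores may be missing from the plist.
        if not match:
            return
        stores = match.get(u'Stores', None) or {}

        # items() rather than iteritems(): the latter exists only on Python 2
        # dictionaries and raises AttributeError on Python 3.
        for volume_name, volume in stores.items():
            if u'CreationDate' not in volume:
                continue

            # The placeholder follows the <NAME> convention other plist
            # plugins use for missing values.
            partial_path = volume.get(u'PartialPath', u'<PARTIAL_PATH>')
            description = u'Spotlight Volume {0:s} ({1:s}) activated.'.format(
                volume_name, partial_path)
            event_object = plist_event.PlistEvent(
                u'/Stores', u'', volume[u'CreationDate'], description)
            parser_mediator.ProduceEvent(event_object)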
Beispiel #12
    def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
        """Produces one event per remembered Airport (WiFi) network.

        match is used without a None check, so despite the default value the
        caller has to pass a dictionary.

        Args:
          parser_mediator: A parser mediator object (instance of ParserMediator).
          match: Optional dictionary containing keys extracted from PLIST_KEYS.
        """
        if u'RememberedNetworks' not in match:
            return

        for wifi in match[u'RememberedNetworks']:
            ssid = wifi.get(u'SSIDString', u'UNKNOWN_SSID')
            security_type = wifi.get(u'SecurityType', u'UNKNOWN_SECURITY_TYPE')
            description = (
                u'[WiFi] Connected to network: <{0:s}> using security {1:s}'
            ).format(ssid, security_type)

            # NOTE(review): a network without LastConnected is reported with
            # timestamp 0; confirm consumers read that as "not set" rather
            # than as a real connection time.
            last_connected = wifi.get(u'LastConnected', 0)
            parser_mediator.ProduceEvent(plist_event.PlistEvent(
                u'/RememberedNetworks', u'item', last_connected, description))
Beispiel #13
    def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
        """Extracts an event for each network listed in RememberedNetworks.

        match is used without a None check, so despite the default value the
        caller has to pass a dictionary.

        Args:
          parser_mediator (ParserMediator): mediates interactions between parsers
              and other components, such as storage and dfvfs.
          match (Optional[dict[str: object]]): keys extracted from PLIST_KEYS.
        """
        if u'RememberedNetworks' not in match:
            return

        description_format = (
            u'[WiFi] Connected to network: <{0:s}> using security {1:s}')

        for wifi in match[u'RememberedNetworks']:
            description = description_format.format(
                wifi.get(u'SSIDString', u'UNKNOWN_SSID'),
                wifi.get(u'SecurityType', u'UNKNOWN_SECURITY_TYPE'))
            # NOTE(review): the default of 0 gives networks without
            # LastConnected a zero timestamp; confirm how that is rendered
            # downstream.
            timestamp = wifi.get(u'LastConnected', 0)
            event_object = plist_event.PlistEvent(
                u'/RememberedNetworks', u'item', timestamp, description)
            parser_mediator.ProduceEvent(event_object)
Beispiel #14
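    def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
        """Extracts relevant Spotlight entries.

        Produces one event per UserShortcuts entry that has a LAST_USED
        value; entries without it are skipped.

        Args:
          parser_mediator: A parser mediator object (instance of ParserMediator).
          match: Optional dictionary containing keys extracted from PLIST_KEYS.
        """
        # match defaults to None; treat that like a plist without shortcuts.
        shortcuts = (match or {}).get(u'UserShortcuts', {})

        # items() rather than iteritems(): the latter exists only on Python 2
        # dictionaries and raises AttributeError on Python 3.
        for search_text, data in shortcuts.items():
            if u'LAST_USED' not in data:
                continue
            description = (
                u'Spotlight term searched "{0:s}" associate to {1:s} '
                u'({2:s})').format(
                    search_text, data.get(u'DISPLAY_NAME', u'<DISPLAY_NAME>'),
                    data.get(u'PATH', u'<PATH>'))
            event_object = plist_event.PlistEvent(
                u'/UserShortcuts', search_text, data[u'LAST_USED'],
                description)
            parser_mediator.ProduceEvent(event_object)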
Beispiel #15
    def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
        """Produces an event for each Spotlight shortcut that records LAST_USED.

        match is used without a None check, so despite the default value the
        caller has to pass a dictionary.

        Args:
          parser_mediator (ParserMediator): mediates interactions between parsers
              and other components, such as storage and dfvfs.
          match (Optional[dict[str: object]]): keys extracted from PLIST_KEYS.
        """
        for search_text, data in match.get(u'UserShortcuts', {}).items():
            # Shortcuts without a LAST_USED value produce no event.
            if u'LAST_USED' in data:
                display_name = data.get(u'DISPLAY_NAME', u'<DISPLAY_NAME>')
                path = data.get(u'PATH', u'<PATH>')
                description = (
                    u'Spotlight term searched "{0:s}" associate to {1:s} '
                    u'({2:s})').format(search_text, display_name, path)
                parser_mediator.ProduceEvent(plist_event.PlistEvent(
                    u'/UserShortcuts', search_text, data[u'LAST_USED'],
                    description))
Beispiel #16
 def GetEntries(self, parser_mediator, **unused_kwargs):
   """Produces a single plist event built from fixed values.

   Args:
     parser_mediator: object whose ProduceEvent method receives the event.
   """
   root = u'/DeviceCache/44-00-00-00-00-00'
   key = u'LastInquiryUpdate'
   timestamp = 1351827808261762
   parser_mediator.ProduceEvent(plist_event.PlistEvent(root, key, timestamp))