Beispiel #1
    def GetEntries(self, match, **unused_kwargs):
        """Yields plist events for every Apple account stored in the plist.

        Each account produces a "Configured" event from its CreationDate.
        "Connected" and "Last validation" events follow when the account
        carries LastSuccessfulConnect and ValidationDate respectively.

        Args:
          match: A dictionary containing keys extracted from PLIST_KEYS.

        Yields:
          EventObject objects extracted from the plist.
        """
        root = '/Accounts'
        # Optional timestamps in emission order, with their description text.
        optional_events = (
            ('LastSuccessfulConnect', u'Connected Apple account {}'),
            ('ValidationDate', u'Last validation Apple account {}'))

        for name_account, account in match['Accounts'].iteritems():
            first_name = account.get('FirstName', '<FirstName>')
            last_name = account.get('LastName', '<LastName>')
            general_description = u'{} ({} {})'.format(
                name_account, first_name, last_name)

            configured = u'Configured Apple account {}'.format(
                general_description)
            # CreationDate is indexed directly, so an account record without
            # it raises KeyError instead of being skipped.
            yield plist_event.PlistEvent(
                root, name_account, account['CreationDate'], configured)

            for date_key, template in optional_events:
                if date_key not in account:
                    continue
                yield plist_event.PlistEvent(
                    root, name_account, account[date_key],
                    template.format(general_description))
Beispiel #2
    def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
        """Produces events for the last full and partial Mac OS X updates.

        A full-update event needs a non-empty LastFullSuccessfulDate. A
        partial-update event needs pending updates, a LastSuccessfulDate key
        and at least one entry in RecommendedUpdates.

        Args:
          parser_mediator: A parser mediator object (instance of
              ParserMediator).
          match: Optional dictionary containing keys extracted from
              PLIST_KEYS.
        """
        root = u'/'
        key = u''
        version = match.get(u'LastAttemptSystemVersion', u'N/A')
        pending = match.get(u'LastUpdatesAvailable', None)

        # Formatted unconditionally, exactly as before the date check.
        description = u'Last Mac OS X {0:s} full update.'.format(version)
        full_update_date = match.get(u'LastFullSuccessfulDate')
        if full_update_date:
            parser_mediator.ProduceEvent(plist_event.PlistEvent(
                root, key, full_update_date, description))

        if not pending or u'LastSuccessfulDate' not in match:
            return

        # Missing identifiers are replaced by placeholders rather than
        # aborting the whole plist.
        software = [
            u'{0:s}({1:s})'.format(
                update.get(u'Identifier', u'<IDENTIFIER>'),
                update.get(u'Product Key', u'<PRODUCT_KEY>'))
            for update in match.get(u'RecommendedUpdates', [])]
        if not software:
            return

        description = (
            u'Last Mac OS {0!s} partially update, pending {1!s}: {2:s}.'
        ).format(version, pending, u','.join(software))
        parser_mediator.ProduceEvent(plist_event.PlistEvent(
            root, key, match[u'LastSuccessfulDate'], description))
Beispiel #3
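    def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
        """Extracts relevant Mac OS X update entries.

        The plist is read from the system under examination, so no key is
        assumed to exist. An event is produced only when the timestamp it
        needs is present, and a truncated or edited plist no longer aborts
        the plugin with KeyError.

        Args:
          parser_mediator: A parser mediator object (instance of
              ParserMediator).
          match: Optional dictionary containing keys extracted from
              PLIST_KEYS. The default is None, which produces no events.
        """
        if not match:
            return

        root = '/'
        key = ''
        version = match.get('LastAttemptSystemVersion', u'N/A')
        pending = match.get('LastUpdatesAvailable')

        if 'LastFullSuccessfulDate' in match:
            description = u'Last Mac OS X {0:s} full update.'.format(version)
            event_object = plist_event.PlistEvent(
                root, key, match['LastFullSuccessfulDate'], description)
            parser_mediator.ProduceEvent(event_object)

        # A partial-update event needs both pending updates and its date.
        if not pending or 'LastSuccessfulDate' not in match:
            return

        # Placeholders keep one malformed update record from discarding the
        # whole event.
        software = [
            u'{0:s}({1:s})'.format(
                update.get('Identifier', u'<IDENTIFIER>'),
                update.get('Product Key', u'<PRODUCT_KEY>'))
            for update in match.get('RecommendedUpdates', [])]
        description = (
            u'Last Mac OS {0!s} partially update, pending {1!s}: {2:s}.'
        ).format(version, pending, u','.join(software))
        event_object = plist_event.PlistEvent(
            root, key, match['LastSuccessfulDate'], description)
        parser_mediator.ProduceEvent(event_object)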
Beispiel #4
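    def GetEntries(self, match, **unused_kwargs):
        """Extracts relevant Mac OS X update entries.

        The plist is read from the system under examination, so no key is
        assumed to exist. An event is yielded only when the timestamp it
        needs is present, instead of raising KeyError on a partial plist.
        The partial-update description previously read "udpate"; it is now
        spelled "update", which matters when searching timeline output.

        Args:
          match: A dictionary containing keys extracted from PLIST_KEYS.

        Yields:
          EventObject objects extracted from the plist.
        """
        root = '/'
        key = ''
        version = match.get('LastAttemptSystemVersion', u'N/A')
        pending = match.get('LastUpdatesAvailable')

        if 'LastFullSuccessfulDate' in match:
            description = u'Last Mac OS X {} full update.'.format(version)
            yield plist_event.PlistEvent(
                root, key, match['LastFullSuccessfulDate'], description)

        # A partial-update event needs both pending updates and its date.
        if pending and 'LastSuccessfulDate' in match:
            # Placeholders keep one malformed update record from discarding
            # the whole event.
            software = [
                u'{}({})'.format(
                    update.get('Identifier', u'<IDENTIFIER>'),
                    update.get('Product Key', u'<PRODUCT_KEY>'))
                for update in match.get('RecommendedUpdates', [])]
            description = (
                u'Last Mac OS {} partially update, pending {}: {}.').format(
                    version, pending, u','.join(software))
            yield plist_event.PlistEvent(
                root, key, match['LastSuccessfulDate'], description)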
Beispiel #5
  def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces plist events for every Apple account stored in the plist.

    Each account produces a "Configured" event from its CreationDate.
    "Connected" and "Last validation" events follow when the account carries
    LastSuccessfulConnect and ValidationDate respectively.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      match: Optional dictionary containing keys extracted from PLIST_KEYS.
             The default is None.
    """
    root = '/Accounts'
    # Optional timestamps in emission order, with their description text.
    optional_events = (
        ('LastSuccessfulConnect', u'Connected Apple account {0:s}'),
        ('ValidationDate', u'Last validation Apple account {0:s}'))

    for name_account, account in match['Accounts'].iteritems():
      first_name = account.get('FirstName', '<FirstName>')
      last_name = account.get('LastName', '<LastName>')
      general_description = u'{0:s} ({1:s} {2:s})'.format(
          name_account, first_name, last_name)

      configured = u'Configured Apple account {0:s}'.format(
          general_description)
      # CreationDate is indexed directly, so an account record without it
      # raises KeyError instead of being skipped.
      parser_mediator.ProduceEvent(plist_event.PlistEvent(
          root, name_account, account['CreationDate'], configured))

      for date_key, template in optional_events:
        if date_key not in account:
          continue
        description = template.format(general_description)
        parser_mediator.ProduceEvent(plist_event.PlistEvent(
            root, name_account, account[date_key], description))
Beispiel #6
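    def GetEntries(self, parser_context, match=None, **unused_kwargs):
        """Extracts relevant BT entries.

        For every device in DeviceCache this produces a "Paired" event (when
        the device is listed in PairedDevices and has a LastInquiryUpdate)
        and one event per non-empty LastInquiryUpdate, LastNameUpdate and
        LastServicesUpdate timestamp.

        A plist without DeviceCache produces no events and a missing
        PairedDevices list is treated as empty, so a partial plist no longer
        raises KeyError.

        Args:
          parser_context: A parser context object (instance of ParserContext).
          match: Optional dictionary containing extracted keys from
              PLIST_KEYS. The default is None, which produces no events.
        """
        root = '/DeviceCache'
        if not match or 'DeviceCache' not in match:
            return

        paired_devices = match.get('PairedDevices', [])
        # (timestamp key, description label), in emission order.
        update_events = (
            ('LastInquiryUpdate', 'Bluetooth Discovery'),
            ('LastNameUpdate', 'Device Name Set'),
            ('LastServicesUpdate', 'Services Updated'))

        for device, value in match['DeviceCache'].items():
            name = value.get('Name', '')
            if name:
                name = u''.join(('Name:', name))

            if device in paired_devices and 'LastInquiryUpdate' in value:
                # Unicode template: under Python 2 a byte-string template
                # raises UnicodeEncodeError for a non-ASCII device name, and
                # the name is chosen by the remote device, not the examiner.
                desc = u'Paired:True {0:s}'.format(name)
                event_object = plist_event.PlistEvent(
                    root, device, value['LastInquiryUpdate'], desc)
                parser_context.ProduceEvent(event_object,
                                            plugin_name=self.NAME)

            for date_key, label in update_events:
                if not value.get(date_key):
                    continue
                desc = u' '.join(filter(None, (label, name)))
                key = u''.join((device, '/', date_key))
                event_object = plist_event.PlistEvent(
                    root, key, value[date_key], desc)
                parser_context.ProduceEvent(event_object,
                                            plugin_name=self.NAME)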
Beispiel #7
    def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
        """Produces events for the Bluetooth devices cached in the plist.

        For every device in DeviceCache this produces a "Paired" event (when
        the device is listed in PairedDevices and has a LastInquiryUpdate)
        and one event per non-empty LastInquiryUpdate, LastNameUpdate and
        LastServicesUpdate timestamp. A plist without DeviceCache produces
        nothing.

        Args:
          parser_mediator: A parser mediator object (instance of
              ParserMediator).
          match: Optional dictionary containing extracted keys from
              PLIST_KEYS. The default is None.
        """
        root = u'/DeviceCache'

        if u'DeviceCache' not in match:
            return

        paired_devices = match.get(u'PairedDevices', [])
        # (timestamp key, description label), in emission order.
        update_events = (
            (u'LastInquiryUpdate', u'Bluetooth Discovery'),
            (u'LastNameUpdate', u'Device Name Set'),
            (u'LastServicesUpdate', u'Services Updated'))

        for device, value in match[u'DeviceCache'].iteritems():
            name = value.get(u'Name', u'')
            if name:
                name = u''.join((u'Name:', name))

            if device in paired_devices:
                desc = u'Paired:True {0:s}'.format(name)
                if u'LastInquiryUpdate' in value:
                    parser_mediator.ProduceEvent(plist_event.PlistEvent(
                        root, device, value[u'LastInquiryUpdate'], desc))

            for date_key, label in update_events:
                # Empty or missing timestamps produce no event.
                if not value.get(date_key, None):
                    continue
                desc = u' '.join(filter(None, (label, name)))
                key = u''.join((device, u'/' + date_key))
                parser_mediator.ProduceEvent(plist_event.PlistEvent(
                    root, key, value[date_key], desc))
Beispiel #8
    def GetEntries(self, match, **unused_kwargs):
        """Yields one event per TimeMachine snapshot date.

        Args:
          match: A dictionary containing keys extracted from PLIST_KEYS.

        Yields:
          EventObject objects extracted from the plist.
        """
        root = '/Destinations'
        key = 'item/SnapshotDates'

        # One destination per TimeMachine backup device.
        for destination in match['Destinations']:
            hd_uuid = destination['DestinationID'] or u'Unknown device'

            raw_alias = destination['BackupAlias']
            try:
                alias = self.TM_BACKUP_ALIAS.parse(raw_alias).value
            except construct.FieldError:
                # Only construct.FieldError is handled here; any other
                # error raised while parsing the alias blob propagates.
                alias = u'Unknown alias'

            # One event per backup snapshot.
            for timestamp in destination['SnapshotDates']:
                description = u'TimeMachine Backup in {} ({})'.format(
                    alias, hd_uuid)
                yield plist_event.PlistEvent(
                    root, key, timestamp, description)
Beispiel #9
  def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces one event per TimeMachine snapshot date.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      match: Optional dictionary containing keys extracted from PLIST_KEYS.
             The default is None.
    """
    root = '/Destinations'
    key = 'item/SnapshotDates'

    # One destination per TimeMachine backup device.
    for destination in match['Destinations']:
      hd_uuid = destination['DestinationID'] or u'Unknown device'

      raw_alias = destination['BackupAlias']
      try:
        alias = self.TM_BACKUP_ALIAS.parse(raw_alias).value
      except construct.FieldError:
        # Only construct.FieldError is handled here; any other error raised
        # while parsing the alias blob propagates.
        alias = u'Unknown alias'

      # One event per backup snapshot.
      for timestamp in destination['SnapshotDates']:
        description = u'TimeMachine Backup in {0:s} ({1:s})'.format(
            alias, hd_uuid)
        parser_mediator.ProduceEvent(
            plist_event.PlistEvent(root, key, timestamp, description))
Beispiel #10
  def GetEntries(self, parser_mediator, top_level=None, **unused_kwargs):
    """Produces one event per install history record.

    Records without package identifiers or without a date are skipped.
    Missing display fields are replaced by placeholder text.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      top_level: Optional plist in dictionary form. The default is None.
    """
    for entry in top_level:
      packages = list(entry.get(u'packageIdentifiers', []))

      # Such a record cannot be placed on the timeline or tied to a package.
      if not packages or u'date' not in entry:
        continue

      display_name = entry.get(u'displayName', u'<UNKNOWN>')
      display_version = entry.get(u'displayVersion', u'<DISPLAY_VERSION>')
      process_name = entry.get(u'processName', u'<PROCESS_NAME>')
      description = (
          u'Installation of [{0:s} {1:s}] using [{2:s}]. '
          u'Packages: {3:s}.').format(
              display_name, display_version, process_name,
              u', '.join(packages))
      parser_mediator.ProduceEvent(plist_event.PlistEvent(
          u'/item', u'', entry.get(u'date'), description))
Beispiel #11
    def GetEntries(self, parser_mediator, top_level=None, **unused_kwargs):
        """Produces an event for every date value found in a plist.

        Args:
          parser_mediator: A parser mediator object (instance of
              ParserMediator).
          top_level: Plist in dictionary form.
        """
        for root, key, value in interface.RecurseKey(top_level):
            # Only datetime values become events; everything else is ignored.
            if not isinstance(value, datetime.datetime):
                continue
            parser_mediator.ProduceEvent(
                plist_event.PlistEvent(root, key, value))
Beispiel #12
    def GetEntries(self, top_level, **unused_kwargs):
        """Yields an event for every date value found in a plist.

        Args:
          top_level: Plist in dictionary form.

        Yields:
          An EventObject from Plists values that are date objects.
        """
        for root, key, value in interface.RecurseKey(top_level):
            # Only datetime values become events; everything else is ignored.
            if not isinstance(value, datetime.datetime):
                continue
            yield plist_event.PlistEvent(root, key, value)
Beispiel #13
    def GetEntries(self, parser_context, top_level=None, **unused_kwargs):
        """Produces an event for every date value found in a plist.

        Args:
          parser_context: A parser context object (instance of ParserContext).
          top_level: Plist in dictionary form.
        """
        for root, key, value in interface.RecurseKey(top_level):
            # Only datetime values become events; everything else is ignored.
            if not isinstance(value, datetime.datetime):
                continue
            parser_context.ProduceEvent(
                plist_event.PlistEvent(root, key, value),
                plugin_name=self.NAME)
Beispiel #14
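    def GetEntries(self, match, **unused_kwargs):
        """Extracts relevant BT entries.

        For every device in DeviceCache this yields a "Paired" event (when
        the device is listed in PairedDevices and has a LastInquiryUpdate)
        and one event per non-empty LastInquiryUpdate, LastNameUpdate and
        LastServicesUpdate timestamp.

        A plist without DeviceCache yields nothing and a missing
        PairedDevices list is treated as empty, so a partial plist no longer
        raises KeyError.

        Args:
          match: A dictionary containing keys extracted from the plist.

        Yields:
          EventObject objects extracted from the plist.
        """
        root = '/DeviceCache'
        if not match or 'DeviceCache' not in match:
            return

        paired_devices = match.get('PairedDevices', [])
        # (timestamp key, description label), in emission order.
        update_events = (
            ('LastInquiryUpdate', 'Bluetooth Discovery'),
            ('LastNameUpdate', 'Device Name Set'),
            ('LastServicesUpdate', 'Services Updated'))

        for device, value in match['DeviceCache'].items():
            name = value.get('Name', '')
            if name:
                name = u''.join(('Name:', name))

            if device in paired_devices and 'LastInquiryUpdate' in value:
                # Unicode template: under Python 2 a byte-string template
                # raises UnicodeEncodeError for a non-ASCII device name, and
                # the name is chosen by the remote device, not the examiner.
                desc = u'Paired:True {}'.format(name)
                yield plist_event.PlistEvent(
                    root, device, value['LastInquiryUpdate'], desc)

            for date_key, label in update_events:
                if not value.get(date_key):
                    continue
                desc = u' '.join(filter(None, (label, name)))
                key = u''.join((device, '/', date_key))
                yield plist_event.PlistEvent(
                    root, key, value[date_key], desc)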
Beispiel #15
    def GetEntries(self, match, **unused_kwargs):
        """Yields an activation event for every Spotlight volume store.

        Args:
          match: A dictionary containing keys extracted from PLIST_KEYS.

        Yields:
          EventObject objects extracted from the plist.
        """
        root = u'/Stores'
        for volume_name, volume in match['Stores'].iteritems():
            # PartialPath and CreationDate are indexed directly; a store
            # record lacking either raises KeyError.
            partial_path = volume['PartialPath']
            description = u'Spotlight Volume {} ({}) activated.'.format(
                volume_name, partial_path)
            yield plist_event.PlistEvent(
                root, '', volume['CreationDate'], description)
Beispiel #16
    def GetEntries(self, match, **unused_kwargs):
        """Yields an event for every Spotlight user shortcut.

        Args:
          match: A dictionary containing keys extracted from PLIST_KEYS.

        Yields:
          EventObject objects extracted from the plist.
        """
        root = u'/UserShortcuts'
        for search_text, data in match['UserShortcuts'].iteritems():
            # The search term is copied verbatim into both the event key and
            # its description.
            display_name = data['DISPLAY_NAME']
            path = data['PATH']
            desc = u'Spotlight term searched "{}" associate to {} ({})'.format(
                search_text, display_name, path)
            yield plist_event.PlistEvent(
                root, search_text, data['LAST_USED'], desc)
Beispiel #17
    def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
        """Produces an activation event for every Spotlight volume store.

        Args:
          parser_mediator: A parser mediator object (instance of
              ParserMediator).
          match: Optional dictionary containing keys extracted from
              PLIST_KEYS.
        """
        root = u'/Stores'
        for volume_name, volume in match[u'Stores'].iteritems():
            # PartialPath and CreationDate are indexed directly; a store
            # record lacking either raises KeyError.
            partial_path = volume[u'PartialPath']
            description = u'Spotlight Volume {0:s} ({1:s}) activated.'.format(
                volume_name, partial_path)
            parser_mediator.ProduceEvent(plist_event.PlistEvent(
                root, u'', volume[u'CreationDate'], description))
Beispiel #18
  def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces an event for every Spotlight user shortcut.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      match: Optional dictionary containing keys extracted from PLIST_KEYS.
             The default is None.
    """
    root = u'/UserShortcuts'
    for search_text, data in match['UserShortcuts'].iteritems():
      # The search term is copied verbatim into both the event key and its
      # description.
      display_name = data['DISPLAY_NAME']
      path = data['PATH']
      description = (
          u'Spotlight term searched "{0:s}" associate to {1:s} '
          u'({2:s})').format(search_text, display_name, path)
      parser_mediator.ProduceEvent(plist_event.PlistEvent(
          root, search_text, data['LAST_USED'], description))
Beispiel #19
    def GetEntries(self, match, **unused_kwargs):
        """Yields a connection event for every remembered Airport network.

        Args:
          match: A dictionary containing keys extracted from PLIST_KEYS.

        Yields:
          EventObject objects extracted from the plist.
        """
        root = u'/RememberedNetworks'
        for wifi in match['RememberedNetworks']:
            # All three fields are indexed directly; a network record
            # lacking one of them raises KeyError.
            ssid = wifi['SSIDString']
            security_type = wifi['SecurityType']
            description = (
                u'[WiFi] Connected to network: <{}> '
                u'using security {}').format(ssid, security_type)
            yield plist_event.PlistEvent(
                root, u'item', wifi['LastConnected'], description)
Beispiel #20
    def GetEntries(self, parser_context, match=None, **unused_kwargs):
        """Produces an activation event for every Spotlight volume store.

        Args:
          parser_context: A parser context object (instance of ParserContext).
          match: Optional dictionary containing keys extracted from
              PLIST_KEYS. The default is None.
        """
        root = u'/Stores'
        for volume_name, volume in match['Stores'].iteritems():
            # PartialPath and CreationDate are indexed directly; a store
            # record lacking either raises KeyError.
            partial_path = volume['PartialPath']
            description = u'Spotlight Volume {0:s} ({1:s}) activated.'.format(
                volume_name, partial_path)
            parser_context.ProduceEvent(
                plist_event.PlistEvent(
                    root, '', volume['CreationDate'], description),
                plugin_name=self.NAME)
Beispiel #21
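    def GetEntries(self, top_level, **unused_kwargs):
        """Extracts relevant install history entries.

        The plist is read from the system under examination, so records may
        be incomplete. A record without a date is skipped because it cannot
        be placed on the timeline. A missing packageIdentifiers list is
        treated as empty instead of raising TypeError, and missing display
        fields are shown as placeholders rather than the text "None".

        Args:
          top_level: Plist in dictionary form (iterated as a sequence of
              install records).

        Yields:
          EventObject objects extracted from the plist.
        """
        for entry in top_level or []:
            if 'date' not in entry:
                continue

            packages = list(entry.get('packageIdentifiers') or [])
            description = (u'Installation of [{} {}] '
                           u'using [{}]. Packages: {}.').format(
                               entry.get('displayName', u'<UNKNOWN>'),
                               entry.get('displayVersion',
                                         u'<DISPLAY_VERSION>'),
                               entry.get('processName', u'<PROCESS_NAME>'),
                               u', '.join(packages))
            yield plist_event.PlistEvent(u'/item', u'', entry['date'],
                                         description)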
Beispiel #22
    def GetEntries(self, parser_context, match=None, **unused_kwargs):
        """Produces a connection event for every remembered Airport network.

        Args:
          parser_context: A parser context object (instance of ParserContext).
          match: Optional dictionary containing keys extracted from
              PLIST_KEYS. The default is None.
        """
        root = u'/RememberedNetworks'
        for wifi in match['RememberedNetworks']:
            # All three fields are indexed directly; a network record
            # lacking one of them raises KeyError.
            ssid = wifi['SSIDString']
            security_type = wifi['SecurityType']
            description = (
                u'[WiFi] Connected to network: <{0:s}> using security {1:s}'
            ).format(ssid, security_type)
            parser_context.ProduceEvent(
                plist_event.PlistEvent(
                    root, u'item', wifi['LastConnected'], description),
                plugin_name=self.NAME)
Beispiel #23
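    def GetEntries(self, parser_context, top_level=None, **unused_kwargs):
        """Extracts relevant install history entries.

        The plist is read from the system under examination, so records may
        be incomplete. A record without a date is skipped because it cannot
        be placed on the timeline. A missing packageIdentifiers list is
        treated as empty instead of raising TypeError, and missing display
        fields are shown as placeholders so the string-only format fields
        never receive None.

        Args:
          parser_context: A parser context object (instance of ParserContext).
          top_level: Optional plist in dictionary form. The default is None,
              which produces no events.
        """
        for entry in top_level or []:
            if 'date' not in entry:
                continue

            packages = list(entry.get('packageIdentifiers') or [])
            description = (u'Installation of [{0:s} {1:s}] using [{2:s}]. '
                           u'Packages: {3:s}.').format(
                               entry.get('displayName', u'<UNKNOWN>'),
                               entry.get('displayVersion',
                                         u'<DISPLAY_VERSION>'),
                               entry.get('processName', u'<PROCESS_NAME>'),
                               u', '.join(packages))
            event_object = plist_event.PlistEvent(u'/item', u'',
                                                  entry['date'],
                                                  description)
            parser_context.ProduceEvent(event_object, plugin_name=self.NAME)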
Beispiel #24
    def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
        """Produces a connection event for every remembered Airport network.

        A plist without RememberedNetworks produces nothing. Missing SSID or
        security type fields are replaced by placeholder text, and a missing
        LastConnected value falls back to 0.

        Args:
          parser_mediator: A parser mediator object (instance of
              ParserMediator).
          match: Optional dictionary containing keys extracted from
              PLIST_KEYS. The default is None.
        """
        if u'RememberedNetworks' not in match:
            return

        root = u'/RememberedNetworks'
        for wifi in match[u'RememberedNetworks']:
            ssid = wifi.get(u'SSIDString', u'UNKNOWN_SSID')
            security_type = wifi.get(
                u'SecurityType', u'UNKNOWN_SECURITY_TYPE')
            description = (
                u'[WiFi] Connected to network: <{0:s}> using security {1:s}'
            ).format(ssid, security_type)
            # NOTE(review): a 0 timestamp stands in for "never recorded";
            # confirm how PlistEvent presents it on the timeline.
            last_connected = wifi.get(u'LastConnected', 0)
            parser_mediator.ProduceEvent(plist_event.PlistEvent(
                root, u'item', last_connected, description))
Beispiel #25
 def GetEntries(self, parser_context, **unused_kwargs):
     """Produces a single PlistEvent built from fixed values.

     The root, key and timestamp are hard-coded and nothing is read from a
     plist (presumably a test double; confirm against the enclosing class).

     Args:
       parser_context: Object whose ProduceEvent method receives the event.
     """
     root = u'/DeviceCache/44-00-00-00-00-00'
     key = u'LastInquiryUpdate'
     timestamp = 1351827808261762
     parser_context.ProduceEvent(
         plist_event.PlistEvent(root, key, timestamp),
         plugin_name=self.NAME)
Beispiel #26
 def GetEntries(self, **unused_kwargs):
     """Yields a single PlistEvent built from fixed values.

     The root, key and timestamp are hard-coded and nothing is read from a
     plist (presumably a test double; confirm against the enclosing class).

     Yields:
       One PlistEvent for the hard-coded DeviceCache entry.
     """
     root = u'/DeviceCache/44-00-00-00-00-00'
     key = u'LastInquiryUpdate'
     timestamp = 1351827808261762
     yield plist_event.PlistEvent(root, key, timestamp)
Beispiel #27
 def GetEntries(self, parser_mediator, **unused_kwargs):
     """Produces a single PlistEvent built from fixed values.

     The root, key and timestamp are hard-coded and nothing is read from a
     plist (presumably a test double; confirm against the enclosing class).

     Args:
       parser_mediator: Object whose ProduceEvent method receives the event.
     """
     root = u'/DeviceCache/44-00-00-00-00-00'
     key = u'LastInquiryUpdate'
     timestamp = 1351827808261762
     parser_mediator.ProduceEvent(
         plist_event.PlistEvent(root, key, timestamp))