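def export_event(self, event):
    """Exports a chat message event as a Message property bundle on a new trace.

    Args:
        event: The plaso EventObject for the message. ``from_account`` is expected
            to look like ``"Display Name <username>"``; ``to_account`` is a
            ", "-separated list of usernames.
    """
    trace = self.document.create_trace()
    pb = trace.create_property_bundle(
        'Message',
        # TODO: Confirm the difference between a sentTime and createdTime for message.
        sentTime=lib.convert_timestamp(event.timestamp),
        messageText=getattr(event, 'text', None))

    # Add author.
    # The developer of this parser joined the display name and the author
    # username into a single string ("Display Name <username>").
    display_name, _, username = event.from_account.rpartition(' ')
    # Only strip the surrounding < > when they are actually present. Blindly
    # slicing off the first and last character would silently corrupt the
    # attributed author whenever the parser emits a bare username.
    if username.startswith('<') and username.endswith('>'):
        username = username[1:-1]
    author = self.export_account(username, display_name)
    pb.add('from', author)

    # Add recipients.
    for recipient_name in event.to_account.split(', '):
        if recipient_name:
            pb.add('to', self.export_account(recipient_name))

    # Add message thread.
    # TODO: I don't think the title is good enough for thread id.
    # The parser needs to be updated to use the "name" column from the "Chats" table.
    _, message_thread_pb = self.export_message_thread(event.title)
    message_thread_pb.add('message', trace)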
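def export_timestamp(self, event, property_bundle):
    """Exports the timestamp of a skype call event onto the property bundle.

    Args:
        event: The plaso EventObject to export timestamp info from.
        property_bundle: The cached property bundle to place the timestamp on.
    """
    # NOTE: The skype parser unconventionally sets the timestamp description as
    # the attribute "call_type".
    try:
        property_name = self.TIMESTAMP_MAP[event.call_type]
    except KeyError:
        # Unknown call types are deliberately skipped. Only the lookup sits inside
        # the try so that a KeyError raised by the conversion or by add() is no
        # longer silently swallowed.
        return
    property_bundle.add(property_name, lib.convert_timestamp(event.timestamp))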
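def export_event(self, event):
    """Exports an SMS event as a Message property bundle on a new trace.

    Args:
        event: The plaso EventObject; ``number`` is the counterpart's phone number.
    """
    # TODO: The parser could have potentially joined the "SMSes" table with the "Messages" table in order to grab
    # more information such as the username and direction... unfortunately it did not..
    # NOTE(review): this keyword was previously spelled "phonenNumber". The sibling
    # SMS exporter passes "phoneNumber", so the misspelling would either have
    # raised a TypeError or ended up as a bogus property name in the exported
    # graph -- confirm against export_contact's signature.
    contact = self.export_contact(phoneNumber=event.number)
    trace = self.document.create_trace()
    # Direction is not available, so the contact is recorded as a generic participant.
    trace.create_property_bundle(
        'Message',
        participant=contact,
        sentTime=lib.convert_timestamp(event.timestamp))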
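def export_event(self, event):
    """Exports a file system event onto the File trace of its path spec.

    Args:
        event: The plaso EventObject for the file entry. ``timestamp_desc``
            selects which timestamp property (or file-system specific bundle)
            receives ``timestamp``; hash attributes are attached as ContentData.
    """
    trace, file_pb = self.export_path_spec(event.pathspec)

    # NOTE: Re-adding the same property is fine. Duplicate triples will be removed.
    file_pb.add('fileSystemType', mappings.FileSystemType.get(event.file_system_type, None))
    file_pb.add('isAllocated', event.is_allocated)
    file_pb.add('fileSize', getattr(event, 'file_size', None))
    # TODO: What is file_entry_type?

    # Add timestamps.
    timestamp_desc = event.timestamp_desc
    if timestamp_desc in self.TIMESTAMP_MAP:
        file_pb.add(self.TIMESTAMP_MAP[timestamp_desc], lib.convert_timestamp(event.timestamp))
    # Add file system specific property bundles.
    # TODO: Is there anyway to get more information?
    elif timestamp_desc == 'bkup_time':
        trace.create_property_bundle(
            'HFSFileSystem', hfsBackupTime=lib.convert_timestamp(event.timestamp))
    elif timestamp_desc == 'dtime':
        trace.create_property_bundle(
            'ExtInode', extDeletionTime=lib.convert_timestamp(event.timestamp))

    # Add hash data into a ContentData property bundle.
    # NOTE: This is where we could technically add the dataPayload of the
    # file as well... although that would make the file HUGE!
    # The bundle is only created once a hash is actually present: an empty
    # ContentData would claim content with no integrity evidence behind it.
    hash_attributes = [
        (name, value) for name, value in event.GetAttributes()
        if name in mappings.HashMethod]
    if not hash_attributes:
        return
    content_data = self._content_data_pbs.get(event.pathspec)
    if content_data is None:
        content_data = trace.create_property_bundle('ContentData')
        self._content_data_pbs[event.pathspec] = content_data
    for name, value in hash_attributes:
        # Keep track of processed hashes, so we don't add the same hash twice.
        # TODO: Refactor this out when github.com/log2timeline/plaso/issues/910 is solved.
        key = (content_data, name, value)
        if key in self._processed_hashes:
            continue
        self._processed_hashes.add(key)
        # Named hash_node rather than "hash" so the builtin is not shadowed.
        hash_node = self.document.create_hash(
            hashMethod=mappings.HashMethod[name], hashValue=value)
        content_data.add('hash', hash_node)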
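def export_timestamp(self, event, property_bundle):
    """Exports the timestamp information from the element.

    Args:
        event: The plaso EventObject to export timestamp info from.
        property_bundle: The cached property bundle to place timestamp on.
    """
    try:
        property_name = self.TIMESTAMP_MAP[event.timestamp_desc]
    except KeyError:
        # Unmapped timestamp descriptions are deliberately skipped. Keeping only
        # the lookup inside the try means a KeyError raised by the conversion or
        # by add() is no longer silently swallowed.
        return
    property_bundle.add(property_name, lib.convert_timestamp(event.timestamp))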
def export_session(self, session):
    """Exports the given plaso storage Session into the graph.

    Creates a Tool object (with its ToolConfiguration), an Identity for the
    performer and a ForensicAction tying them together.

    Args:
        session: The plaso storage Session; ``product_name``, ``product_version``,
            ``start_time``, ``completion_time`` and the attributes listed in
            ``self._CONFIGURATION_ATTRIBUTES`` are read.
    """
    # NOTE(review): toolType 'parser?' and creator 'Joachim Metz' are hard-coded
    # placeholders, not values read from the storage file.
    instrument = self.document.create_uco_object(
        'Tool',
        name=session.product_name,
        version=session.product_version,
        toolType='parser?',
        creator='Joachim Metz')

    config = instrument.create_property_bundle('ToolConfiguration')
    for attribute in self._CONFIGURATION_ATTRIBUTES:
        if not hasattr(session, attribute):
            continue
        raw_value = getattr(session, attribute)
        # None is technically a configuration, but we don't want to print "None".
        item_value = '' if raw_value is None else str(raw_value)
        setting = self.document.create_node(
            'ConfigurationSetting',
            bnode=True,
            itemName=attribute,
            itemValue=item_value)
        config.add('configurationSetting', setting)

    # TODO: How do we know who performed the Plaso action? That information
    # is not in the plaso storage file...
    # NOTE(review): "John Doe" is a fabricated placeholder identity. Anyone
    # consuming this graph as provenance / chain-of-custody evidence must not
    # treat it as the real examiner.
    performer = self.document.create_uco_object('Identity')
    performer.create_property_bundle(
        'SimpleName', givenName='John', familyName='Doe')

    action = self.document.create_uco_object(
        'ForensicAction',
        startTime=lib.convert_timestamp(session.start_time),
        endTime=lib.convert_timestamp(session.completion_time))
    action.create_property_bundle(
        'ActionReferences',
        performer=performer,
        instrument=instrument,
        # TODO: We can't fill this in because we don't know what session created what event objects...
        result=None,
        # TODO: How am I supposed to be able to get this information?
        location=None)
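def export_event(self, event):
    """Exports an SMS event as a Message property bundle on a new trace.

    Args:
        event: The plaso EventObject; ``address`` is the counterpart's phone
            number, ``sms_type`` is 'SENT' or 'RECEIVED', and ``sms_read`` is
            'READ', 'UNREAD' or 'UNKNOWN' (other values are assumed not to
            occur -- confirm against the parser).
    """
    contact = self.export_contact(phoneNumber=event.address)
    trace = self.document.create_trace()
    pb = trace.create_property_bundle(
        'Message',
        # TODO: Confirm that this timestamp will always be 'sent' and not possibly 'received' or 'downloaded'.
        sentTime=lib.convert_timestamp(event.timestamp),
        messageText=event.body)

    # Only record a read state when the parser gave a definite answer. The
    # explicit mapping (rather than "!= 'UNKNOWN'" followed by "== 'READ'")
    # keeps an unexpected value from being silently recorded as "not read".
    is_read = {'READ': True, 'UNREAD': False}.get(event.sms_read)
    if is_read is not None:
        pb.add('isRead', is_read)

    # The direction decides which side of the message the contact is on.
    if event.sms_type == 'RECEIVED':
        pb.add('from', contact)
    elif event.sms_type == 'SENT':
        pb.add('to', contact)
    else:
        pb.add('participant', contact)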