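    def export_event(self, event):
        """Export a chat message event as a UCO 'Message' trace.

        Args:
            event: plaso event with ``from_account``, ``to_account``,
                ``title`` and ``timestamp`` attributes; ``text`` is optional.
        """
        trace = self.document.create_trace()
        pb = trace.create_property_bundle(
            'Message',
            # TODO: Confirm the difference between a sentTime and createdTime for message.
            sentTime=lib.convert_timestamp(event.timestamp),
            messageText=getattr(event, 'text', None))

        # Add author.
        # The parser joins the display name and the author username into one
        # string; the username appears to be the last space-separated token,
        # presumably wrapped in angle brackets.
        display_name, _, username = event.from_account.rpartition(' ')
        # Only strip the surrounding < > when they are actually present;
        # unconditionally slicing [1:-1] would corrupt a bare username.
        if username.startswith('<') and username.endswith('>'):
            username = username[1:-1]
        author = self.export_account(username, display_name)
        pb.add('from', author)

        # Add recipients.
        for username in event.to_account.split(', '):
            if username:
                recipient = self.export_account(username)
                pb.add('to', recipient)

        # Add message thread.
        # TODO: I don't think the title is good enough for thread id.
        # The parser needs to be updated to use the "name" column from the "Chats" table.
        _, message_thread_pb = self.export_message_thread(event.title)
        message_thread_pb.add('message', trace)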
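 def export_timestamp(self, event, property_bundle):
     """Add the event's timestamp to ``property_bundle`` under its mapped name.

     Args:
         event: plaso event whose ``call_type`` names the timestamp kind.
         property_bundle: Bundle that receives the converted timestamp.

     Events whose ``call_type`` has no entry in ``TIMESTAMP_MAP`` are skipped.
     """
     # NOTE: The skype parser unconventionally sets the timestamp description as
     # the attribute "call_type".
     try:
         property_name = self.TIMESTAMP_MAP[event.call_type]
     except KeyError:
         # Unmapped timestamp kind: nothing to export.
         return
     # Kept outside the try so a KeyError raised while converting or adding
     # is not silently swallowed as "unmapped".
     property_bundle.add(property_name,
                         lib.convert_timestamp(event.timestamp))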
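 def export_event(self, event):
     """Export an SMS event as a UCO 'Message' trace tied to its contact.

     Args:
         event: plaso event with ``number`` and ``timestamp`` attributes.
     """
     # TODO: The parser could have potentially joined the "SMSes" table with the "Messages" table in order to grab
     # more information such as the username and direction... unfortunately it did not..
     # Keyword is ``phoneNumber``, the spelling the other exporters use when
     # calling export_contact.
     contact = self.export_contact(phoneNumber=event.number)
     trace = self.document.create_trace()
     # Direction is unknown here, so the contact is recorded as a plain participant.
     trace.create_property_bundle('Message',
                                  participant=contact,
                                  sentTime=lib.convert_timestamp(
                                      event.timestamp))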
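    def export_event(self, event):
        """Export a file-system event onto the trace for its path spec.

        Args:
            event: plaso event carrying ``pathspec``, ``file_system_type``,
                ``is_allocated``, ``timestamp_desc`` and ``timestamp``;
                ``file_size`` and hash attributes are optional.
        """
        trace, file_pb = self.export_path_spec(event.pathspec)
        # NOTE: Re-adding the same property is fine. Duplicate triples will be removed.
        file_pb.add('fileSystemType',
                    mappings.FileSystemType.get(event.file_system_type, None))
        file_pb.add('isAllocated', event.is_allocated)
        file_pb.add('fileSize', getattr(event, 'file_size', None))
        # TODO: What is file_entry_type?

        # Add timestamps. Mapped descriptions go onto the file bundle; the
        # file-system specific ones get their own bundle on the trace.
        # TODO: Is there anyway to get more information?
        timestamp_desc = event.timestamp_desc
        if timestamp_desc in self.TIMESTAMP_MAP:
            file_pb.add(self.TIMESTAMP_MAP[timestamp_desc],
                        lib.convert_timestamp(event.timestamp))
        elif timestamp_desc == 'bkup_time':
            trace.create_property_bundle(
                'HFSFileSystem',
                hfsBackupTime=lib.convert_timestamp(event.timestamp))
        elif timestamp_desc == 'dtime':
            trace.create_property_bundle(
                'ExtInode',
                extDeletionTime=lib.convert_timestamp(event.timestamp))

        # Add hash data into content_data property bundle.
        # NOTE: This is where we could technically add the dataPayload of the
        # file as well... although that would make the file HUGE!
        # TODO: Don't add ContentData if hash is missing.
        if event.pathspec not in self._content_data_pbs:
            self._content_data_pbs[event.pathspec] = (
                trace.create_property_bundle('ContentData'))
        content_data = self._content_data_pbs[event.pathspec]
        for name, value in event.GetAttributes():
            if name not in mappings.HashMethod:
                continue
            # Keep track of processed hashes, so we don't add the same hash twice.
            # TODO: Refactor this out when github.com/log2timeline/plaso/issues/910 is solved.
            seen_key = (content_data, name, value)
            if seen_key in self._processed_hashes:
                continue
            self._processed_hashes.add(seen_key)
            # Named hash_node so the builtin ``hash`` is not shadowed.
            hash_node = self.document.create_hash(
                hashMethod=mappings.HashMethod[name], hashValue=value)
            content_data.add('hash', hash_node)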
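    def export_timestamp(self, event, property_bundle):
        """Exports the timestamp information from the element.

        Args:
            event: The plaso EventObject to export timestamp info from.
            property_bundle: The cached property bundle to place timestamp on.

        Events whose ``timestamp_desc`` is not in ``TIMESTAMP_MAP`` are skipped.
        """
        try:
            property_name = self.TIMESTAMP_MAP[event.timestamp_desc]
        except KeyError:
            # Unmapped timestamp description: nothing to export.
            return
        # Outside the try so a KeyError raised by the conversion or the add is
        # not silently swallowed as "unmapped".
        property_bundle.add(property_name,
                            lib.convert_timestamp(event.timestamp))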
    def export_session(self, session):
        """Exports the given plaso storage Session into the graph.

        Creates a 'Tool' object for the parser, attaches a 'ToolConfiguration'
        bundle holding one 'ConfigurationSetting' per session attribute listed
        in ``_CONFIGURATION_ATTRIBUTES``, and records a 'ForensicAction' that
        references the tool.

        Args:
            session: plaso storage session; ``product_name``,
                ``product_version``, ``start_time`` and ``completion_time``
                are read directly.
        """
        instrument = self.document.create_uco_object(
            'Tool',
            name=session.product_name,
            version=session.product_version,
            toolType='parser?',
            creator='Joachim Metz')
        config = instrument.create_property_bundle('ToolConfiguration')
        absent = object()
        for attribute in self._CONFIGURATION_ATTRIBUTES:
            value = getattr(session, attribute, absent)
            if value is absent:
                continue
            # None is technically a configuration, but we don't want to print "None".
            rendered = '' if value is None else str(value)
            setting = self.document.create_node(
                'ConfigurationSetting', bnode=True, itemName=attribute, itemValue=rendered)
            config.add('configurationSetting', setting)

        # TODO: How do we know who performed the Plaso action? That information
        # is not in the plaso storage file...
        # NOTE: the name below is a fixed placeholder, not data read from the
        # storage file; it carries no real attribution of who ran the tool.
        performer = self.document.create_uco_object('Identity')
        performer.create_property_bundle(
            'SimpleName',
            givenName='John',
            familyName='Doe')

        action = self.document.create_uco_object(
            'ForensicAction',
            startTime=lib.convert_timestamp(session.start_time),
            endTime=lib.convert_timestamp(session.completion_time))
        action.create_property_bundle(
            'ActionReferences',
            performer=performer,
            instrument=instrument,
            result=None,   # TODO: We can't fill this in because we don't know what session created what event objects...
            location=None)  # TODO: How am I supposed to be able to get this information?
    def export_event(self, event):
        """Export an SMS event as a UCO 'Message' trace linked to its contact.

        The direction in ``sms_type`` decides the contact's role: sender for
        'RECEIVED', receiver for 'SENT', and an unspecified participant for
        any other value.

        Args:
            event: plaso event with ``address``, ``timestamp``, ``body``,
                ``sms_read`` and ``sms_type`` attributes.
        """
        contact = self.export_contact(phoneNumber=event.address)

        trace = self.document.create_trace()
        pb = trace.create_property_bundle(
            'Message',
            # TODO: Confirm that this timestamp will always be 'sent' and not possibly 'received' or 'downloaded'.
            sentTime=lib.convert_timestamp(event.timestamp),
            messageText=event.body)

        # Only a definite read state is recorded; 'UNKNOWN' leaves isRead unset.
        read_state = event.sms_read
        if read_state != 'UNKNOWN':
            pb.add('isRead', read_state == 'READ')

        # Translate the message direction into the role the contact plays.
        role_by_direction = {'RECEIVED': 'from', 'SENT': 'to'}
        role = role_by_direction.get(event.sms_type, 'participant')
        pb.add(role, contact)