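def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Extracts relevant Mac OS X update entries.

    The plist is read from the evidence under examination, so its values
    are untrusted. They are rendered with ``!s`` so that a non-string
    value is recorded in the description instead of raising from
    ``format`` and ending extraction for this plist.

    Args:
        parser_mediator: A parser mediator object (instance of
            ParserMediator).
        match: Optional dictionary containing keys extracted from
            PLIST_KEYS.
    """
    if not match:
        # The declared default is None; nothing to extract.
        return

    root = u'/'
    key = u''
    version = match.get(u'LastAttemptSystemVersion', u'N/A')
    pending = match.get(u'LastUpdatesAvailable', None)

    # Only a present and non-empty date yields the "full update" event.
    full_update_date = match.get(u'LastFullSuccessfulDate', None)
    if full_update_date:
        description = u'Last Mac OS X {0!s} full update.'.format(version)
        event_object = plist_event.PlistEvent(
            root, key, full_update_date, description)
        parser_mediator.ProduceEvent(event_object)

    if not pending or u'LastSuccessfulDate' not in match:
        return

    software = [
        u'{0!s}({1!s})'.format(
            update.get(u'Identifier', u'<IDENTIFIER>'),
            update.get(u'Product Key', u'<PRODUCT_KEY>'))
        for update in match.get(u'RecommendedUpdates', None) or []]
    if not software:
        # Without a list of pending packages no partial-update event is
        # produced.
        return

    description = (
        u'Last Mac OS {0!s} partially update, pending {1!s}: {2:s}.'
    ).format(version, pending, u','.join(software))
    event_object = plist_event.PlistEvent(
        root, key, match[u'LastSuccessfulDate'], description)
    parser_mediator.ProduceEvent(event_object)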
def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces one event per TimeMachine snapshot date in the plist.

    Args:
        parser_mediator: A parser mediator object (instance of
            ParserMediator).
        match: Optional dictionary containing keys extracted from
            PLIST_KEYS.
    """
    if u'Destinations' not in match:
        return

    root = u'/Destinations'
    key = u'item/SnapshotDates'

    # One destination per TimeMachine device.
    for destination in match[u'Destinations']:
        device_id = (
            destination.get(u'DestinationID', None) or u'Unknown device')

        raw_alias = destination.get(u'BackupAlias', u'<ALIAS>')
        try:
            alias = self.TM_BACKUP_ALIAS.parse(raw_alias).value
        except construct.FieldError:
            # NOTE(review): only FieldError is handled here; any other
            # error raised while parsing the alias blob propagates to
            # the caller.
            alias = u'Unknown alias'

        # One event per backup snapshot.
        for snapshot_date in destination.get(u'SnapshotDates', []):
            description = u'TimeMachine Backup in {0:s} ({1:s})'.format(
                alias, device_id)
            parser_mediator.ProduceEvent(
                plist_event.PlistEvent(
                    root, key, snapshot_date, description))
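def GetEntries(self, parser_mediator, top_level=None, **unused_kwargs):
    """Extracts relevant install history entries.

    Entries come from the plist being examined and are untrusted. Values
    are rendered with ``!s`` so a non-string field ends up in the event
    description instead of raising and dropping the remaining entries.

    Args:
        parser_mediator (ParserMediator): mediates interactions between
            parsers and other components, such as storage and dfvfs.
        top_level: Optional plist in dictionary form.
    """
    # The declared default is None; treat it as "no entries".
    for entry in top_level or []:
        packages = [
            u'{0!s}'.format(package)
            for package in entry.get(u'packageIdentifiers', None) or []]

        # An entry needs at least one package and a date to be placed on
        # the timeline.
        if not packages or u'date' not in entry:
            continue

        description = (
            u'Installation of [{0!s} {1!s}] using [{2!s}]. '
            u'Packages: {3:s}.').format(
                entry.get(u'displayName', u'<UNKNOWN>'),
                entry.get(u'displayVersion', u'<DISPLAY_VERSION>'),
                entry.get(u'processName', u'<PROCESS_NAME>'),
                u', '.join(packages))
        event_object = plist_event.PlistEvent(
            u'/item', u'', entry.get(u'date'), description)
        parser_mediator.ProduceEvent(event_object)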
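def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Extracts relevant BT entries.

    For every device in the DeviceCache dictionary this produces up to
    four events: one when the device is listed in PairedDevices and has
    a LastInquiryUpdate key, and one each for a non-empty
    LastInquiryUpdate, LastNameUpdate and LastServicesUpdate value.

    Args:
        parser_mediator: A parser mediator object (instance of
            ParserMediator).
        match: Optional dictionary containing extracted keys from
            PLIST_KEYS.
    """
    root = u'/DeviceCache'

    if not match or u'DeviceCache' not in match:
        return

    paired_devices = match.get(u'PairedDevices', None) or []

    # items() works on both Python 2 and Python 3 dictionaries;
    # iteritems() exists only on Python 2.
    for device, value in match[u'DeviceCache'].items():
        name = value.get(u'Name', u'')
        if name:
            name = u''.join((u'Name:', name))

        if device in paired_devices:
            desc = u'Paired:True {0:s}'.format(name)
            key = device
            if u'LastInquiryUpdate' in value:
                event_object = plist_event.PlistEvent(
                    root, key, value[u'LastInquiryUpdate'], desc)
                parser_mediator.ProduceEvent(event_object)

        if value.get(u'LastInquiryUpdate', None):
            desc = u' '.join(filter(None, (u'Bluetooth Discovery', name)))
            key = u''.join((device, u'/LastInquiryUpdate'))
            event_object = plist_event.PlistEvent(
                root, key, value[u'LastInquiryUpdate'], desc)
            parser_mediator.ProduceEvent(event_object)

        if value.get(u'LastNameUpdate', None):
            desc = u' '.join(filter(None, (u'Device Name Set', name)))
            key = u''.join((device, u'/LastNameUpdate'))
            event_object = plist_event.PlistEvent(
                root, key, value[u'LastNameUpdate'], desc)
            parser_mediator.ProduceEvent(event_object)

        if value.get(u'LastServicesUpdate', None):
            desc = u' '.join(filter(None, (u'Services Updated', name)))
            key = u''.join((device, u'/LastServicesUpdate'))
            event_object = plist_event.PlistEvent(
                root, key, value[u'LastServicesUpdate'], desc)
            parser_mediator.ProduceEvent(event_object)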
def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces Bluetooth device events from the DeviceCache dictionary.

    Args:
        parser_mediator (ParserMediator): mediates interactions between
            parsers and other components, such as storage and dfvfs.
        match (Optional[dict[str: object]]): keys extracted from
            PLIST_KEYS.
    """
    if u'DeviceCache' not in match:
        return

    root = u'/DeviceCache'

    # (plist key, description label), in the order events are produced.
    update_kinds = (
        (u'LastInquiryUpdate', u'Bluetooth Discovery'),
        (u'LastNameUpdate', u'Device Name Set'),
        (u'LastServicesUpdate', u'Services Updated'))

    for device, value in match[u'DeviceCache'].items():
        name = value.get(u'Name', u'')
        if name:
            name = u''.join([u'Name:', name])

        # A paired device gets its own event, keyed by the bare device
        # identifier and stamped with the last inquiry time.
        if device in match.get(u'PairedDevices', []):
            paired_desc = u'Paired:True {0:s}'.format(name)
            if u'LastInquiryUpdate' in value:
                parser_mediator.ProduceEvent(
                    plist_event.PlistEvent(
                        root, device, value[u'LastInquiryUpdate'],
                        paired_desc))

        for field, label in update_kinds:
            if not value.get(field, None):
                continue
            # The name is appended only when the device has one.
            desc = u' '.join(part for part in (label, name) if part)
            key = u''.join((device, u'/', field))
            parser_mediator.ProduceEvent(
                plist_event.PlistEvent(root, key, value[field], desc))
def GetEntries(self, parser_mediator, top_level=None, **unused_kwargs):
    """Produces an event for every datetime value found in a plist.

    Args:
        parser_mediator: A parser mediator object (instance of
            ParserMediator).
        top_level: Plist in dictionary form.
    """
    for root, key, value in interface.RecurseKey(top_level):
        # Only datetime values produce an event; everything else is
        # skipped.
        if not isinstance(value, datetime.datetime):
            continue
        parser_mediator.ProduceEvent(
            plist_event.PlistEvent(root, key, value))
def GetEntries(self, parser_mediator, top_level=None, **unused_kwargs):
    """Extracts every date value from a plist as an event.

    Args:
        parser_mediator (ParserMediator): mediates interactions between
            parsers and other components, such as storage and dfvfs.
        top_level: Plist in dictionary form.
    """
    # Lazily keep only the entries whose value is a datetime.
    dated_entries = (
        (root, key, value)
        for root, key, value in interface.RecurseKey(top_level)
        if isinstance(value, datetime.datetime))

    for root, key, timestamp in dated_entries:
        event_object = plist_event.PlistEvent(root, key, timestamp)
        parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces Apple account events from the Accounts dictionary.

    Args:
        parser_mediator (ParserMediator): mediates interactions between
            parsers and other components, such as storage and dfvfs.
        match (Optional[dict[str: object]]): keys extracted from
            PLIST_KEYS.
    """
    if u'Accounts' not in match:
        return

    root = u'/Accounts'

    # (plist key, description template), in the order events are produced.
    event_kinds = (
        (u'CreationDate', u'Configured Apple account {0:s}'),
        (u'LastSuccessfulConnect', u'Connected Apple account {0:s}'),
        (u'ValidationDate', u'Last validation Apple account {0:s}'))

    for name_account, account in match[u'Accounts'].items():
        general_description = u'{0:s} ({1:s} {2:s})'.format(
            name_account,
            account.get(u'FirstName', u'<FirstName>'),
            account.get(u'LastName', u'<LastName>'))

        for date_key, template in event_kinds:
            # Presence of the key is what triggers the event; the value
            # itself is not inspected here.
            if date_key not in account:
                continue
            event_object = plist_event.PlistEvent(
                root, name_account, account[date_key],
                template.format(general_description))
            parser_mediator.ProduceEvent(event_object)
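def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Extracts relevant Apple Account entries.

    Account data comes from the plist being examined and is untrusted.
    Names are rendered with ``!s`` so that a non-string FirstName or
    LastName is recorded in the description instead of raising from
    ``format`` and losing the events of every remaining account.

    Args:
        parser_mediator: A parser mediator object (instance of
            ParserMediator).
        match: Optional dictionary containing keys extracted from
            PLIST_KEYS.
    """
    root = u'/Accounts'

    # The declared default is None; a missing or empty Accounts value
    # means there is nothing to extract.
    if not match:
        return
    accounts = match.get(u'Accounts', None) or {}

    for name_account, account in accounts.items():
        general_description = u'{0!s} ({1!s} {2!s})'.format(
            name_account,
            account.get(u'FirstName', u'<FirstName>'),
            account.get(u'LastName', u'<LastName>'))
        key = name_account

        if u'CreationDate' in account:
            description = u'Configured Apple account {0:s}'.format(
                general_description)
            event_object = plist_event.PlistEvent(
                root, key, account[u'CreationDate'], description)
            parser_mediator.ProduceEvent(event_object)

        if u'LastSuccessfulConnect' in account:
            description = u'Connected Apple account {0:s}'.format(
                general_description)
            event_object = plist_event.PlistEvent(
                root, key, account[u'LastSuccessfulConnect'], description)
            parser_mediator.ProduceEvent(event_object)

        if u'ValidationDate' in account:
            description = u'Last validation Apple account {0:s}'.format(
                general_description)
            event_object = plist_event.PlistEvent(
                root, key, account[u'ValidationDate'], description)
            parser_mediator.ProduceEvent(event_object)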
def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces one activation event per Spotlight volume store.

    Args:
        parser_mediator (ParserMediator): mediates interactions between
            parsers and other components, such as storage and dfvfs.
        match (Optional[dict[str: object]]): keys extracted from
            PLIST_KEYS.
    """
    stores = match[u'Stores']
    for volume_name in stores:
        volume = stores[volume_name]
        # PartialPath and CreationDate are read by direct lookup, so a
        # store lacking either raises KeyError.
        partial_path = volume[u'PartialPath']
        description = u'Spotlight Volume {0:s} ({1:s}) activated.'.format(
            volume_name, partial_path)
        parser_mediator.ProduceEvent(
            plist_event.PlistEvent(
                u'/Stores', u'', volume[u'CreationDate'], description))
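def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Extracts relevant VolumeConfiguration Spotlight entries.

    Store entries come from the plist being examined and are untrusted.
    A store without a CreationDate is skipped and a missing PartialPath
    is replaced by a placeholder, so one malformed store does not raise
    and discard the events of the stores that follow it.

    Args:
        parser_mediator: A parser mediator object (instance of
            ParserMediator).
        match: Optional dictionary containing keys extracted from
            PLIST_KEYS.
    """
    if not match:
        # The declared default is None; nothing to extract.
        return

    stores = match.get(u'Stores', None) or {}

    # items() works on both Python 2 and Python 3 dictionaries;
    # iteritems() exists only on Python 2.
    for volume_name, volume in stores.items():
        if u'CreationDate' not in volume:
            # Without a timestamp the store cannot be placed on the
            # timeline.
            continue

        description = u'Spotlight Volume {0!s} ({1!s}) activated.'.format(
            volume_name, volume.get(u'PartialPath', u'<PARTIAL_PATH>'))
        event_object = plist_event.PlistEvent(
            u'/Stores', u'', volume[u'CreationDate'], description)
        parser_mediator.ProduceEvent(event_object)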
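def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Extracts relevant Airport entries.

    Network records come from the plist being examined and are
    untrusted. The SSID and security type are rendered with ``!s`` so a
    non-string value is recorded in the description instead of raising
    from ``format`` and dropping the remaining networks.

    Args:
        parser_mediator: A parser mediator object (instance of
            ParserMediator).
        match: Optional dictionary containing keys extracted from
            PLIST_KEYS.
    """
    if not match:
        # The declared default is None; nothing to extract.
        return

    for wifi in match.get(u'RememberedNetworks', None) or []:
        description = (
            u'[WiFi] Connected to network: <{0!s}> using security {1!s}'
        ).format(
            wifi.get(u'SSIDString', u'UNKNOWN_SSID'),
            wifi.get(u'SecurityType', u'UNKNOWN_SECURITY_TYPE'))

        # NOTE(review): a remembered network without LastConnected is
        # still emitted, with timestamp 0. How PlistEvent renders 0 is
        # not visible here; on a timeline such an event should be read
        # as "time not recorded", not as a real connection time.
        event_object = plist_event.PlistEvent(
            u'/RememberedNetworks', u'item',
            wifi.get(u'LastConnected', 0), description)
        parser_mediator.ProduceEvent(event_object)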
def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces one event per remembered Airport (WiFi) network.

    Args:
        parser_mediator (ParserMediator): mediates interactions between
            parsers and other components, such as storage and dfvfs.
        match (Optional[dict[str: object]]): keys extracted from
            PLIST_KEYS.
    """
    if u'RememberedNetworks' not in match:
        return

    for network in match[u'RememberedNetworks']:
        ssid = network.get(u'SSIDString', u'UNKNOWN_SSID')
        security = network.get(u'SecurityType', u'UNKNOWN_SECURITY_TYPE')
        description = (
            u'[WiFi] Connected to network: <{0:s}> using security {1:s}'
        ).format(ssid, security)

        # A network without LastConnected is emitted with timestamp 0.
        last_connected = network.get(u'LastConnected', 0)
        parser_mediator.ProduceEvent(
            plist_event.PlistEvent(
                u'/RememberedNetworks', u'item', last_connected,
                description))
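def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Extracts relevant Spotlight entries.

    Shortcut records come from the plist being examined and are
    untrusted. Values are rendered with ``!s`` so a non-string display
    name or path is recorded in the description instead of raising from
    ``format`` and dropping the remaining search terms.

    Args:
        parser_mediator: A parser mediator object (instance of
            ParserMediator).
        match: Optional dictionary containing keys extracted from
            PLIST_KEYS.
    """
    if not match:
        # The declared default is None; nothing to extract.
        return

    shortcuts = match.get(u'UserShortcuts', None) or {}

    # items() works on both Python 2 and Python 3 dictionaries;
    # iteritems() exists only on Python 2.
    for search_text, data in shortcuts.items():
        if u'LAST_USED' not in data:
            continue

        description = (
            u'Spotlight term searched "{0!s}" associate to {1!s} '
            u'({2!s})').format(
                search_text,
                data.get(u'DISPLAY_NAME', u'<DISPLAY_NAME>'),
                data.get(u'PATH', u'<PATH>'))
        event_object = plist_event.PlistEvent(
            u'/UserShortcuts', search_text, data[u'LAST_USED'],
            description)
        parser_mediator.ProduceEvent(event_object)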
def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces one event per Spotlight search term that has a last-used date.

    Args:
        parser_mediator (ParserMediator): mediates interactions between
            parsers and other components, such as storage and dfvfs.
        match (Optional[dict[str: object]]): keys extracted from
            PLIST_KEYS.
    """
    user_shortcuts = match.get(u'UserShortcuts', {})

    for search_text, data in user_shortcuts.items():
        # Terms without a LAST_USED entry produce no event.
        if u'LAST_USED' in data:
            display_name = data.get(u'DISPLAY_NAME', u'<DISPLAY_NAME>')
            path = data.get(u'PATH', u'<PATH>')
            description = (
                u'Spotlight term searched "{0:s}" associate to {1:s} '
                u'({2:s})').format(search_text, display_name, path)
            parser_mediator.ProduceEvent(
                plist_event.PlistEvent(
                    u'/UserShortcuts', search_text, data[u'LAST_USED'],
                    description))
def GetEntries(self, parser_mediator, **unused_kwargs):
    """Produces a single hard-coded plist event.

    Args:
        parser_mediator: object whose ProduceEvent method receives the
            event.
    """
    root = u'/DeviceCache/44-00-00-00-00-00'
    key = u'LastInquiryUpdate'
    # NOTE(review): presumably microseconds since the POSIX epoch;
    # confirm against PlistEvent.
    timestamp = 1351827808261762

    parser_mediator.ProduceEvent(
        plist_event.PlistEvent(root, key, timestamp))