def GetEntries(self, match, **unused_kwargs):
    """Yields one event per timestamp recorded for each Apple account.

    Every account yields a "Configured" event built from its CreationDate.
    A "Connected" and a "Last validation" event follow when the matching
    timestamp key is present in the account record.

    Args:
      match: A dictionary containing keys extracted from PLIST_KEYS.

    Yields:
      EventObject objects extracted from the plist.
    """
    root = '/Accounts'
    # Optional timestamp keys, in emission order, with their message template.
    optional_events = (
        ('LastSuccessfulConnect', u'Connected Apple account {}'),
        ('ValidationDate', u'Last validation Apple account {}'))

    for account_name, account in match['Accounts'].iteritems():
        first_name = account.get('FirstName', '<FirstName>')
        last_name = account.get('LastName', '<LastName>')
        owner = u'{} ({} {})'.format(account_name, first_name, last_name)

        # CreationDate is indexed directly: an account record without it
        # raises KeyError and ends the generator for the whole plist.
        configured = u'Configured Apple account {}'.format(owner)
        yield plist_event.PlistEvent(
            root, account_name, account['CreationDate'], configured)

        for date_key, template in optional_events:
            if date_key in account:
                message = template.format(owner)
                yield plist_event.PlistEvent(
                    root, account_name, account[date_key], message)
def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces events for the last full and the last partial update.

    All keys are read with a fallback, so an incomplete plist yields fewer
    events instead of raising. The partial-update event is only produced
    when updates are pending, a LastSuccessfulDate exists and at least one
    recommended update is listed.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      match: Optional dictionary containing keys extracted from PLIST_KEYS.
    """
    root = u'/'
    key = u''
    os_version = match.get(u'LastAttemptSystemVersion', u'N/A')
    updates_available = match.get(u'LastUpdatesAvailable', None)

    full_message = u'Last Mac OS X {0:s} full update.'.format(os_version)
    full_update_date = match.get(u'LastFullSuccessfulDate')
    if full_update_date:
        event_object = plist_event.PlistEvent(
            root, key, full_update_date, full_message)
        parser_mediator.ProduceEvent(event_object)

    # Nothing more to report without pending updates and a date to anchor
    # the partial-update event.
    if not updates_available or u'LastSuccessfulDate' not in match:
        return

    pending_software = [
        u'{0:s}({1:s})'.format(
            update.get(u'Identifier', u'<IDENTIFIER>'),
            update.get(u'Product Key', u'<PRODUCT_KEY>'))
        for update in match.get(u'RecommendedUpdates', [])]
    if not pending_software:
        return

    partial_message = (
        u'Last Mac OS {0!s} partially update, pending {1!s}: {2:s}.'
    ).format(os_version, updates_available, u','.join(pending_software))
    event_object = plist_event.PlistEvent(
        root, key, match[u'LastSuccessfulDate'], partial_message)
    parser_mediator.ProduceEvent(event_object)
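def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Extracts relevant Mac OS X update entries.

    The plist is evidence from the examined system and may be incomplete or
    malformed, so every key is read with a fallback. An event is produced
    only when the timestamp it needs is present; a missing key no longer
    raises KeyError and aborts processing of the file.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      match: Optional dictionary containing keys extracted from PLIST_KEYS.
          The default is None, in which case nothing is produced.
    """
    if not match:
        return

    root = '/'
    key = ''
    version = match.get('LastAttemptSystemVersion', u'N/A')
    pending = match.get('LastUpdatesAvailable')

    full_date = match.get('LastFullSuccessfulDate')
    if full_date is not None:
        description = u'Last Mac OS X {0:s} full update.'.format(version)
        event_object = plist_event.PlistEvent(
            root, key, full_date, description)
        parser_mediator.ProduceEvent(event_object)

    # The partial-update event needs both pending updates and its own date.
    partial_date = match.get('LastSuccessfulDate')
    if not pending or partial_date is None:
        return

    # Placeholders keep a record with missing fields visible in the timeline
    # instead of dropping the whole event.
    software = [
        u'{0:s}({1:s})'.format(
            update.get('Identifier', u'<IDENTIFIER>'),
            update.get('Product Key', u'<PRODUCT_KEY>'))
        for update in match.get('RecommendedUpdates') or []]
    description = (
        u'Last Mac OS {0!s} partially update, pending {1!s}: {2:s}.'
    ).format(version, pending, u','.join(software))
    event_object = plist_event.PlistEvent(
        root, key, partial_date, description)
    parser_mediator.ProduceEvent(event_object)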
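def GetEntries(self, match, **unused_kwargs):
    """Extracts relevant Mac OS X update entries.

    The plist is evidence from the examined system and may be incomplete or
    malformed, so every key is read with a fallback. An event is yielded
    only when the timestamp it needs is present; a missing key no longer
    raises KeyError and ends the generator early.

    Args:
      match: A dictionary containing keys extracted from PLIST_KEYS.

    Yields:
      EventObject objects extracted from the plist.
    """
    if not match:
        return

    root = '/'
    key = ''
    version = match.get('LastAttemptSystemVersion', u'N/A')
    pending = match.get('LastUpdatesAvailable')

    full_date = match.get('LastFullSuccessfulDate')
    if full_date is not None:
        description = u'Last Mac OS X {} full update.'.format(version)
        yield plist_event.PlistEvent(root, key, full_date, description)

    # The partial-update event needs both pending updates and its own date.
    partial_date = match.get('LastSuccessfulDate')
    if not pending or partial_date is None:
        return

    # Placeholders keep a record with missing fields visible in the timeline
    # instead of dropping the whole event.
    software = [
        u'{}({})'.format(
            update.get('Identifier', u'<IDENTIFIER>'),
            update.get('Product Key', u'<PRODUCT_KEY>'))
        for update in match.get('RecommendedUpdates') or []]
    # NOTE(review): "udpate" is misspelled in the emitted text. It is left
    # unchanged because stored timelines and keyword searches may match on
    # the existing wording.
    description = u'Last Mac OS {} partially udpate, pending {}: {}.'.format(
        version, pending, u','.join(software))
    yield plist_event.PlistEvent(root, key, partial_date, description)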
def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces one event per timestamp recorded for each Apple account.

    Every account produces a "Configured" event built from its CreationDate.
    A "Connected" and a "Last validation" event follow when the matching
    timestamp key is present in the account record.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      match: Optional dictionary containing keys extracted from PLIST_KEYS.
          The default is None.
    """
    root = '/Accounts'
    # Optional timestamp keys, in emission order, with their message template.
    optional_events = (
        ('LastSuccessfulConnect', u'Connected Apple account {0:s}'),
        ('ValidationDate', u'Last validation Apple account {0:s}'))

    for account_name, account in match['Accounts'].iteritems():
        first_name = account.get('FirstName', '<FirstName>')
        last_name = account.get('LastName', '<LastName>')
        owner = u'{0:s} ({1:s} {2:s})'.format(
            account_name, first_name, last_name)

        # CreationDate is indexed directly: an account record without it
        # raises KeyError and stops processing of the remaining accounts.
        configured = u'Configured Apple account {0:s}'.format(owner)
        event_object = plist_event.PlistEvent(
            root, account_name, account['CreationDate'], configured)
        parser_mediator.ProduceEvent(event_object)

        for date_key, template in optional_events:
            if date_key not in account:
                continue
            message = template.format(owner)
            event_object = plist_event.PlistEvent(
                root, account_name, account[date_key], message)
            parser_mediator.ProduceEvent(event_object)
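def GetEntries(self, parser_context, match=None, **unused_kwargs):
    """Extracts relevant BT entries.

    For every cached device a "Paired" event is produced when the device is
    listed in PairedDevices and has a LastInquiryUpdate, followed by one
    event for each non-empty LastInquiryUpdate, LastNameUpdate and
    LastServicesUpdate timestamp.

    The plist is evidence from the examined system, so a missing DeviceCache
    or PairedDevices key is treated as empty instead of raising KeyError.

    Args:
      parser_context: A parser context object (instance of ParserContext).
      match: Optional dictionary containing extracted keys from PLIST_KEYS.
          The default is None, in which case nothing is produced.
    """
    if not match:
        return

    root = '/DeviceCache'
    paired_devices = match.get('PairedDevices') or []
    # (timestamp key, description label), in the order events are produced.
    update_kinds = (
        ('LastInquiryUpdate', 'Bluetooth Discovery'),
        ('LastNameUpdate', 'Device Name Set'),
        ('LastServicesUpdate', 'Services Updated'))

    for device, value in (match.get('DeviceCache') or {}).items():
        name = value.get('Name', '')
        if name:
            name = u''.join(('Name:', name))

        if device in paired_devices and 'LastInquiryUpdate' in value:
            # Unicode template: the device name is set by the remote device,
            # and under Python 2 a byte-string template would implicitly
            # ASCII-encode it and fail on a non-ASCII name.
            desc = u'Paired:True {0:s}'.format(name)
            event_object = plist_event.PlistEvent(
                root, device, value['LastInquiryUpdate'], desc)
            parser_context.ProduceEvent(event_object, plugin_name=self.NAME)

        for date_key, label in update_kinds:
            timestamp = value.get(date_key)
            if not timestamp:
                continue
            # The name part is omitted from the description when it is empty.
            desc = u' '.join(part for part in (label, name) if part)
            key = u''.join((device, '/', date_key))
            event_object = plist_event.PlistEvent(root, key, timestamp, desc)
            parser_context.ProduceEvent(event_object, plugin_name=self.NAME)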
def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces Bluetooth pairing and update events per cached device.

    For every device in DeviceCache a "Paired" event is produced when the
    device is listed in PairedDevices and has a LastInquiryUpdate key,
    followed by one event for each non-empty LastInquiryUpdate,
    LastNameUpdate and LastServicesUpdate timestamp.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      match: Optional dictionary containing extracted keys from PLIST_KEYS.
          The default is None.
    """
    root = u'/DeviceCache'
    if u'DeviceCache' not in match:
        return

    # (timestamp key, description label), in the order events are produced.
    update_kinds = (
        (u'LastInquiryUpdate', u'Bluetooth Discovery'),
        (u'LastNameUpdate', u'Device Name Set'),
        (u'LastServicesUpdate', u'Services Updated'))

    for device_id, record in match[u'DeviceCache'].iteritems():
        name_part = record.get(u'Name', u'')
        if name_part:
            name_part = u''.join((u'Name:', name_part))

        if device_id in match.get(u'PairedDevices', []):
            paired_desc = u'Paired:True {0:s}'.format(name_part)
            if u'LastInquiryUpdate' in record:
                event_object = plist_event.PlistEvent(
                    root, device_id, record[u'LastInquiryUpdate'],
                    paired_desc)
                parser_mediator.ProduceEvent(event_object)

        for date_key, label in update_kinds:
            if not record.get(date_key, None):
                continue
            # filter(None, ...) drops the name part when it is empty.
            desc = u' '.join(filter(None, (label, name_part)))
            key = u''.join((device_id, u'/', date_key))
            event_object = plist_event.PlistEvent(
                root, key, record[date_key], desc)
            parser_mediator.ProduceEvent(event_object)
def GetEntries(self, match, **unused_kwargs):
    """Yields one event per Time Machine snapshot of every destination.

    Args:
      match: A dictionary containing keys extracted from PLIST_KEYS.

    Yields:
      EventObject objects extracted from the plist.
    """
    root = '/Destinations'
    key = 'item/SnapshotDates'

    # One pass per backup destination.
    for destination in match['Destinations']:
        device_id = destination['DestinationID'] or u'Unknown device'

        raw_alias = destination['BackupAlias']
        try:
            alias_name = self.TM_BACKUP_ALIAS.parse(raw_alias).value
        except construct.FieldError:
            # Only FieldError is treated as "unparseable"; any other error
            # raised while parsing the alias blob propagates to the caller.
            alias_name = u'Unknown alias'

        # One event per snapshot date of this destination.
        for snapshot_date in destination['SnapshotDates']:
            description = u'TimeMachine Backup in {} ({})'.format(
                alias_name, device_id)
            yield plist_event.PlistEvent(
                root, key, snapshot_date, description)
def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces one event per Time Machine snapshot of every destination.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      match: Optional dictionary containing keys extracted from PLIST_KEYS.
          The default is None.
    """
    root = '/Destinations'
    key = 'item/SnapshotDates'

    # One pass per backup destination.
    for destination in match['Destinations']:
        device_id = destination['DestinationID'] or u'Unknown device'

        raw_alias = destination['BackupAlias']
        try:
            alias_name = self.TM_BACKUP_ALIAS.parse(raw_alias).value
        except construct.FieldError:
            # Only FieldError is treated as "unparseable"; any other error
            # raised while parsing the alias blob propagates to the caller.
            alias_name = u'Unknown alias'

        # One event per snapshot date of this destination.
        for snapshot_date in destination['SnapshotDates']:
            description = u'TimeMachine Backup in {0:s} ({1:s})'.format(
                alias_name, device_id)
            event_object = plist_event.PlistEvent(
                root, key, snapshot_date, description)
            parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, top_level=None, **unused_kwargs):
    """Produces one event per install history record.

    A record is skipped when it lists no package identifiers or has no
    'date' key. Missing display name, version and process name are replaced
    by placeholders.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      top_level: Optional plist in dictionary form. The default is None.
    """
    for record in top_level:
        package_ids = list(record.get(u'packageIdentifiers', []))
        if package_ids and u'date' in record:
            display_name = record.get(u'displayName', u'<UNKNOWN>')
            display_version = record.get(
                u'displayVersion', u'<DISPLAY_VERSION>')
            process_name = record.get(u'processName', u'<PROCESS_NAME>')
            description = (
                u'Installation of [{0:s} {1:s}] using [{2:s}]. '
                u'Packages: {3:s}.').format(
                    display_name, display_version, process_name,
                    u', '.join(package_ids))
            event_object = plist_event.PlistEvent(
                u'/item', u'', record.get(u'date'), description)
            parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, top_level=None, **unused_kwargs):
    """Produces an event for every datetime value found in the plist.

    The plist is walked with interface.RecurseKey; values that are not
    datetime.datetime instances are ignored.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      top_level: Plist in dictionary form.
    """
    for root, key, value in interface.RecurseKey(top_level):
        if not isinstance(value, datetime.datetime):
            continue
        event_object = plist_event.PlistEvent(root, key, value)
        parser_mediator.ProduceEvent(event_object)
def GetEntries(self, top_level, **unused_kwargs):
    """Yields an event for every datetime value found in the plist.

    The plist is walked with interface.RecurseKey; values that are not
    datetime.datetime instances are ignored.

    Args:
      top_level: Plist in dictionary form.

    Yields:
      An EventObject from Plists values that are date objects.
    """
    for root, key, value in interface.RecurseKey(top_level):
        if not isinstance(value, datetime.datetime):
            continue
        yield plist_event.PlistEvent(root, key, value)
def GetEntries(self, parser_context, top_level=None, **unused_kwargs):
    """Produces an event for every datetime value found in the plist.

    The plist is walked with interface.RecurseKey; values that are not
    datetime.datetime instances are ignored.

    Args:
      parser_context: A parser context object (instance of ParserContext).
      top_level: Plist in dictionary form.
    """
    for root, key, value in interface.RecurseKey(top_level):
        if not isinstance(value, datetime.datetime):
            continue
        event_object = plist_event.PlistEvent(root, key, value)
        parser_context.ProduceEvent(event_object, plugin_name=self.NAME)
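def GetEntries(self, match, **unused_kwargs):
    """Extracts relevant BT entries.

    For every cached device a "Paired" event is yielded when the device is
    listed in PairedDevices and has a LastInquiryUpdate, followed by one
    event for each non-empty LastInquiryUpdate, LastNameUpdate and
    LastServicesUpdate timestamp.

    The plist is evidence from the examined system, so a missing DeviceCache
    or PairedDevices key is treated as empty instead of raising KeyError.

    Args:
      match: A dictionary containing keys extracted from PLIST_KEYS.

    Yields:
      EventObject objects extracted from the plist.
    """
    if not match:
        return

    root = '/DeviceCache'
    paired_devices = match.get('PairedDevices') or []
    # (timestamp key, description label), in the order events are yielded.
    update_kinds = (
        ('LastInquiryUpdate', 'Bluetooth Discovery'),
        ('LastNameUpdate', 'Device Name Set'),
        ('LastServicesUpdate', 'Services Updated'))

    for device, value in (match.get('DeviceCache') or {}).items():
        name = value.get('Name', '')
        if name:
            name = u''.join(('Name:', name))

        if device in paired_devices and 'LastInquiryUpdate' in value:
            # Unicode template: the device name is set by the remote device,
            # and under Python 2 a byte-string template would implicitly
            # ASCII-encode it and fail on a non-ASCII name.
            desc = u'Paired:True {}'.format(name)
            yield plist_event.PlistEvent(
                root, device, value['LastInquiryUpdate'], desc)

        for date_key, label in update_kinds:
            timestamp = value.get(date_key)
            if not timestamp:
                continue
            # The name part is omitted from the description when it is empty.
            desc = u' '.join(part for part in (label, name) if part)
            key = u''.join((device, '/', date_key))
            yield plist_event.PlistEvent(root, key, timestamp, desc)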
def GetEntries(self, match, **unused_kwargs):
    """Yields one "activated" event per Spotlight volume store.

    Args:
      match: A dictionary containing keys extracted from PLIST_KEYS.

    Yields:
      EventObject objects extracted from the plist.
    """
    stores = match['Stores']
    for store_name, store in stores.iteritems():
        # PartialPath and CreationDate are indexed directly; a store record
        # missing either raises KeyError.
        partial_path = store['PartialPath']
        message = u'Spotlight Volume {} ({}) activated.'.format(
            store_name, partial_path)
        yield plist_event.PlistEvent(
            u'/Stores', '', store['CreationDate'], message)
def GetEntries(self, match, **unused_kwargs):
    """Yields one event per Spotlight user shortcut (searched term).

    Args:
      match: A dictionary containing keys extracted from PLIST_KEYS.

    Yields:
      EventObject objects extracted from the plist.
    """
    shortcuts = match['UserShortcuts']
    for term, shortcut in shortcuts.iteritems():
        # The search term, display name and path are copied verbatim from
        # the plist into the description; output modules rendering it should
        # treat the text as untrusted.
        display_name = shortcut['DISPLAY_NAME']
        target_path = shortcut['PATH']
        message = u'Spotlight term searched "{}" associate to {} ({})'.format(
            term, display_name, target_path)
        yield plist_event.PlistEvent(
            u'/UserShortcuts', term, shortcut['LAST_USED'], message)
def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces one "activated" event per Spotlight volume store.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      match: Optional dictionary containing keys extracted from PLIST_KEYS.
    """
    stores = match[u'Stores']
    for store_name, store in stores.iteritems():
        # PartialPath and CreationDate are indexed directly; a store record
        # missing either raises KeyError.
        partial_path = store[u'PartialPath']
        message = u'Spotlight Volume {0:s} ({1:s}) activated.'.format(
            store_name, partial_path)
        event_object = plist_event.PlistEvent(
            u'/Stores', u'', store[u'CreationDate'], message)
        parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces one event per Spotlight user shortcut (searched term).

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      match: Optional dictionary containing keys extracted from PLIST_KEYS.
          The default is None.
    """
    shortcuts = match['UserShortcuts']
    for term, shortcut in shortcuts.iteritems():
        # The search term, display name and path are copied verbatim from
        # the plist into the description; output modules rendering it should
        # treat the text as untrusted.
        display_name = shortcut['DISPLAY_NAME']
        target_path = shortcut['PATH']
        message = (
            u'Spotlight term searched "{0:s}" associate to {1:s} '
            u'({2:s})').format(term, display_name, target_path)
        event_object = plist_event.PlistEvent(
            u'/UserShortcuts', term, shortcut['LAST_USED'], message)
        parser_mediator.ProduceEvent(event_object)
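def GetEntries(self, match, **unused_kwargs):
    """Extracts relevant Airport entries.

    The plist is evidence from the examined system and may be incomplete,
    so a missing RememberedNetworks list yields nothing and missing
    per-network fields fall back to placeholders instead of raising
    KeyError.

    Args:
      match: A dictionary containing keys extracted from PLIST_KEYS.

    Yields:
      EventObject objects extracted from the plist.
    """
    for wifi in (match or {}).get('RememberedNetworks') or []:
        # The SSID is chosen by whoever operates the access point, so the
        # description carries untrusted text that output modules must not
        # interpret.
        description = (u'[WiFi] Connected to network: <{}> '
                       u'using security {}').format(
                           wifi.get('SSIDString', u'UNKNOWN_SSID'),
                           wifi.get('SecurityType', u'UNKNOWN_SECURITY_TYPE'))
        # A network without LastConnected is still reported, with timestamp
        # 0 as a sentinel; it does not denote a real connection time.
        yield plist_event.PlistEvent(
            u'/RememberedNetworks', u'item', wifi.get('LastConnected', 0),
            description)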
def GetEntries(self, parser_context, match=None, **unused_kwargs):
    """Produces one "activated" event per Spotlight volume store.

    Args:
      parser_context: A parser context object (instance of ParserContext).
      match: Optional dictionary containing keys extracted from PLIST_KEYS.
          The default is None.
    """
    stores = match['Stores']
    for store_name, store in stores.iteritems():
        # PartialPath and CreationDate are indexed directly; a store record
        # missing either raises KeyError.
        partial_path = store['PartialPath']
        message = u'Spotlight Volume {0:s} ({1:s}) activated.'.format(
            store_name, partial_path)
        event_object = plist_event.PlistEvent(
            u'/Stores', '', store['CreationDate'], message)
        parser_context.ProduceEvent(event_object, plugin_name=self.NAME)
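def GetEntries(self, top_level, **unused_kwargs):
    """Extracts relevant install history entries.

    The plist is evidence from the examined system and may be incomplete.
    A record without 'packageIdentifiers' is treated as listing no packages
    (iterating the missing value used to raise TypeError), and a record
    without a 'date' is skipped because there is no timestamp to anchor the
    event to.

    Args:
      top_level: The parsed plist, iterated as a sequence of install records
          that are read with dict-style get().

    Yields:
      EventObject objects extracted from the plist.
    """
    for entry in top_level or []:
        install_date = entry.get('date')
        if install_date is None:
            continue

        packages = list(entry.get('packageIdentifiers') or [])
        description = (u'Installation of [{} {}] '
                       u'using [{}]. Packages: {}.').format(
                           entry.get('displayName'),
                           entry.get('displayVersion'),
                           entry.get('processName'),
                           u', '.join(packages))
        yield plist_event.PlistEvent(
            u'/item', u'', install_date, description)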
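def GetEntries(self, parser_context, match=None, **unused_kwargs):
    """Extracts relevant Airport entries.

    The plist is evidence from the examined system and may be incomplete,
    so a missing RememberedNetworks list produces nothing and missing
    per-network fields fall back to placeholders instead of raising
    KeyError.

    Args:
      parser_context: A parser context object (instance of ParserContext).
      match: Optional dictionary containing keys extracted from PLIST_KEYS.
          The default is None, in which case nothing is produced.
    """
    for wifi in (match or {}).get('RememberedNetworks') or []:
        # The SSID is chosen by whoever operates the access point, so the
        # description carries untrusted text that output modules must not
        # interpret.
        description = (
            u'[WiFi] Connected to network: <{0:s}> using security {1:s}'
        ).format(
            wifi.get('SSIDString', u'UNKNOWN_SSID'),
            wifi.get('SecurityType', u'UNKNOWN_SECURITY_TYPE'))
        # A network without LastConnected is still reported, with timestamp
        # 0 as a sentinel; it does not denote a real connection time.
        event_object = plist_event.PlistEvent(
            u'/RememberedNetworks', u'item', wifi.get('LastConnected', 0),
            description)
        parser_context.ProduceEvent(event_object, plugin_name=self.NAME)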
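def GetEntries(self, parser_context, top_level=None, **unused_kwargs):
    """Extracts relevant install history entries.

    The plist is evidence from the examined system and may be incomplete.
    A record without 'packageIdentifiers' is treated as listing no packages
    (iterating the missing value used to raise TypeError), a record without
    a 'date' is skipped because there is no timestamp to anchor the event
    to, and missing name fields are replaced by placeholders so the '{:s}'
    format fields always receive a string.

    Args:
      parser_context: A parser context object (instance of ParserContext).
      top_level: Optional plist in dictionary form. The default is None, in
          which case nothing is produced.
    """
    for entry in top_level or []:
        install_date = entry.get('date')
        if install_date is None:
            continue

        packages = list(entry.get('packageIdentifiers') or [])
        description = (u'Installation of [{0:s} {1:s}] using [{2:s}]. '
                       u'Packages: {3:s}.').format(
                           entry.get('displayName', u'<UNKNOWN>'),
                           entry.get('displayVersion', u'<DISPLAY_VERSION>'),
                           entry.get('processName', u'<PROCESS_NAME>'),
                           u', '.join(packages))
        event_object = plist_event.PlistEvent(
            u'/item', u'', install_date, description)
        parser_context.ProduceEvent(event_object, plugin_name=self.NAME)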
def GetEntries(self, parser_mediator, match=None, **unused_kwargs):
    """Produces one event per remembered Wi-Fi network.

    Missing SSID and security type are replaced by placeholders, and a
    missing RememberedNetworks key produces nothing.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      match: Optional dictionary containing keys extracted from PLIST_KEYS.
          The default is None.
    """
    for network in match.get(u'RememberedNetworks', []):
        # The SSID is chosen by whoever operates the access point, so the
        # description carries untrusted text.
        ssid = network.get(u'SSIDString', u'UNKNOWN_SSID')
        security = network.get(u'SecurityType', u'UNKNOWN_SECURITY_TYPE')
        message = (
            u'[WiFi] Connected to network: <{0:s}> using security {1:s}'
        ).format(ssid, security)

        # NOTE(review): a network without LastConnected is reported with
        # timestamp 0; that is a sentinel, not a real connection time.
        last_connected = network.get(u'LastConnected', 0)
        event_object = plist_event.PlistEvent(
            u'/RememberedNetworks', u'item', last_connected, message)
        parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_context, **unused_kwargs):
    """Produces a single event built from hard-coded values.

    Args:
      parser_context: Object whose ProduceEvent() receives the event.
    """
    root = u'/DeviceCache/44-00-00-00-00-00'
    key = u'LastInquiryUpdate'
    timestamp = 1351827808261762
    event_object = plist_event.PlistEvent(root, key, timestamp)
    parser_context.ProduceEvent(event_object, plugin_name=self.NAME)
def GetEntries(self, **unused_kwargs):
    """Yields a single event built from hard-coded values.

    Yields:
      One plist_event.PlistEvent for the fixed root, key and timestamp.
    """
    root = u'/DeviceCache/44-00-00-00-00-00'
    key = u'LastInquiryUpdate'
    timestamp = 1351827808261762
    yield plist_event.PlistEvent(root, key, timestamp)
def GetEntries(self, parser_mediator, **unused_kwargs):
    """Produces a single event built from hard-coded values.

    Args:
      parser_mediator: Object whose ProduceEvent() receives the event.
    """
    root = u'/DeviceCache/44-00-00-00-00-00'
    key = u'LastInquiryUpdate'
    timestamp = 1351827808261762
    event_object = plist_event.PlistEvent(root, key, timestamp)
    parser_mediator.ProduceEvent(event_object)