plaso-rubanetra/plaso/parsers/plist_plugins/safari.py

98 lines
3.5 KiB
Python
Raw Normal View History

2020-04-06 16:48:34 +00:00
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a default plist plugin in Plaso."""
import logging
from plaso.events import time_events
from plaso.lib import eventdata
from plaso.lib import timelib
from plaso.parsers import plist
from plaso.parsers.plist_plugins import interface
class SafariHistoryEvent(time_events.TimestampEvent):
"""An EventObject for Safari history entries."""
def __init__(self, timestamp, history_entry):
"""Initialize the event.
Args:
timestamp: The timestamp of the Event, in microseconds since Unix Epoch.
history_entry: A dict object read from the Safari history plist.
"""
super(SafariHistoryEvent, self).__init__(
timestamp, eventdata.EventTimestamp.LAST_VISITED_TIME)
self.data_type = 'safari:history:visit'
self.url = history_entry.get('', None)
self.title = history_entry.get('title', None)
display_title = history_entry.get('displayTitle', None)
if display_title != self.title:
self.display_title = display_title
self.visit_count = history_entry.get('visitCount', None)
self.was_http_non_get = history_entry.get('lastVisitWasHTTPNonGet', None)
class SafariHistoryPlugin(interface.PlistPlugin):
"""Plugin to extract Safari history timestamps."""
NAME = 'safari_history'
DESCRIPTION = u'Parser for Safari history plist files.'
PLIST_PATH = 'History.plist'
PLIST_KEYS = frozenset(['WebHistoryDates', 'WebHistoryFileVersion'])
def GetEntries(
self, parser_context, file_entry=None, parser_chain=None, match=None,
**unused_kwargs):
"""Extracts Safari history items.
Args:
parser_context: A parser context object (instance of ParserContext).
file_entry: Optional file entry object (instance of dfvfs.FileEntry).
The default is None.
parser_chain: Optional string containing the parsing chain up to this
point. The default is None.
match: Optional dictionary containing keys extracted from PLIST_KEYS.
The default is None.
"""
if match.get('WebHistoryFileVersion', 0) != 1:
logging.warning(u'Unable to parse Safari version: {0:s}'.format(
match.get('WebHistoryFileVersion', 0)))
return
for history_entry in match.get('WebHistoryDates', {}):
try:
time = timelib.Timestamp.FromCocoaTime(float(
history_entry.get('lastVisitedDate', 0)))
except ValueError:
logging.warning(u'Unable to translate timestamp: {0:s}'.format(
history_entry.get('lastVisitedDate', 0)))
continue
if not time:
logging.debug('No timestamp set, skipping record.')
continue
event_object = SafariHistoryEvent(time, history_entry)
parser_context.ProduceEvent(
event_object, parser_chain=parser_chain, file_entry=file_entry)
plist.PlistParser.RegisterPlugin(SafariHistoryPlugin)