109 lines
3.8 KiB
Python
109 lines
3.8 KiB
Python
#!/usr/bin/python
|
|
# -*- coding: utf-8 -*-
|
|
#
|
|
# Copyright 2012 The Plaso Project Authors.
|
|
# Please see the AUTHORS file for details on individual authors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
"""This file contains a parser for the Mac OS X application usage.
|
|
|
|
The application usage is stored in SQLite database files named
|
|
/var/db/application_usage.sqlite
|
|
"""
|
|
|
|
from plaso.events import time_events
|
|
from plaso.parsers import sqlite
|
|
from plaso.parsers.sqlite_plugins import interface
|
|
|
|
|
|
class MacOSXApplicationUsageEvent(time_events.PosixTimeEvent):
|
|
"""Convenience class for a Mac OS X application usage event."""
|
|
|
|
DATA_TYPE = 'macosx:application_usage'
|
|
|
|
def __init__(
|
|
self, posix_time, usage, application_name, application_version,
|
|
bundle_id, number_of_times):
|
|
"""Initializes the event object.
|
|
|
|
Args:
|
|
posix_time: The POSIX time value.
|
|
usage: The description of the usage of the time value.
|
|
application_name: The name of the application.
|
|
application_version: The version of the application.
|
|
bundle_id: The bundle identifier of the application.
|
|
number_of_times: TODO: number of times what?
|
|
"""
|
|
super(MacOSXApplicationUsageEvent, self).__init__(posix_time, usage)
|
|
|
|
self.application = application_name
|
|
self.app_version = application_version
|
|
self.bundle_id = bundle_id
|
|
self.count = number_of_times
|
|
|
|
|
|
class ApplicationUsagePlugin(interface.SQLitePlugin):
|
|
"""Parse Application Usage history files.
|
|
|
|
Application usage is a SQLite database that logs down entries
|
|
triggered by NSWorkspaceWillLaunchApplicationNotification and
|
|
NSWorkspaceDidTerminateApplicationNotification NSWorkspace notifications by
|
|
crankd.
|
|
|
|
See the code here:
|
|
http://code.google.com/p/google-macops/source/browse/trunk/crankd/\
|
|
ApplicationUsage.py
|
|
|
|
Default installation: /var/db/application_usage.sqlite
|
|
"""
|
|
|
|
NAME = 'appusage'
|
|
DESCRIPTION = u'Parser for Mac OS X application usage SQLite database files.'
|
|
|
|
# Define the needed queries.
|
|
QUERIES = [(
|
|
('SELECT last_time, event, bundle_id, app_version, app_path, '
|
|
'number_times FROM application_usage ORDER BY last_time'),
|
|
'ParseApplicationUsageRow')]
|
|
|
|
# The required tables.
|
|
REQUIRED_TABLES = frozenset(['application_usage'])
|
|
|
|
def ParseApplicationUsageRow(
|
|
self, parser_context, row, file_entry=None, parser_chain=None, query=None,
|
|
**unused_kwargs):
|
|
"""Parses an application usage row.
|
|
|
|
Args:
|
|
parser_context: A parser context object (instance of ParserContext).
|
|
row: The row resulting from the query.
|
|
file_entry: Optional file entry object (instance of dfvfs.FileEntry).
|
|
The default is None.
|
|
parser_chain: Optional string containing the parsing chain up to this
|
|
point. The default is None.
|
|
query: Optional query string. The default is None.
|
|
"""
|
|
# TODO: replace usage by definition(s) in eventdata. Not sure which values
|
|
# it will hold here.
|
|
usage = u'Application {0:s}'.format(row['event'])
|
|
|
|
event_object = MacOSXApplicationUsageEvent(
|
|
row['last_time'], usage, row['app_path'], row['app_version'],
|
|
row['bundle_id'], row['number_times'])
|
|
parser_context.ProduceEvent(
|
|
event_object, query=query, parser_chain=parser_chain,
|
|
file_entry=file_entry)
|
|
|
|
|
|
sqlite.SQLiteParser.RegisterPlugin(ApplicationUsagePlugin)
|