plaso.parsers.sqlite_plugins package

Submodules

plaso.parsers.sqlite_plugins.android_calls module

This file contains a parser for the Android contacts2 Call History.

Android Call History is stored in SQLite database files named contacts2.db.

class plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData

Bases: plaso.containers.events.EventData

Android Call event data.

call_type

str – type of call, such as: Incoming, Outgoing, or Missed.

duration

int – number of seconds the call lasted.

name

str – name associated to the remote party.

number

str – phone number associated to the remote party.

DATA_TYPE = 'android:event:call'

class plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parse Android contacts2 database.

CALL_TYPE = {1: 'INCOMING', 2: 'OUTGOING', 3: 'MISSED'}

DESCRIPTION = 'Parser for Android calls SQLite database files.'

NAME = 'android_calls'

ParseCallsRow(parser_mediator, query, row, **unused_kwargs)

Parses a Call record row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT _id AS id, date, number, name, duration, type FROM calls', 'ParseCallsRow')]

REQUIRED_TABLES = frozenset({'calls'})

SCHEMAS = [{'groups': 'CREATE TABLE groups (_id INTEGER PRIMARY KEY AUTOINCREMENT, package_id INTEGER REFERENCES package(_id), account_name STRING DEFAULT NULL, account_type STRING DEFAULT NULL, data_set STRING DEFAULT NULL, sourceid TEXT, version INTEGER NOT NULL DEFAULT 1, dirty INTEGER NOT NULL DEFAULT 0, title TEXT, title_res INTEGER, notes TEXT, system_id TEXT, deleted INTEGER NOT NULL DEFAULT 0, group_visible INTEGER NOT NULL DEFAULT 0, should_sync INTEGER NOT NULL DEFAULT 1, auto_add INTEGER NOT NULL DEFAULT 0, favorites INTEGER NOT NULL DEFAULT 0, group_is_read_only INTEGER NOT NULL DEFAULT 0, sync1 TEXT, sync2 TEXT, sync3 TEXT, sync4 TEXT , account_id INTEGER REFERENCES accounts(_id))', 'directories': 'CREATE TABLE directories(_id INTEGER PRIMARY KEY AUTOINCREMENT, packageName TEXT NOT NULL, authority TEXT NOT NULL, typeResourceId INTEGER, typeResourceName TEXT, accountType TEXT, accountName TEXT, displayName TEXT, exportSupport INTEGER NOT NULL DEFAULT 0, shortcutSupport INTEGER NOT NULL DEFAULT 0, photoSupport INTEGER NOT NULL DEFAULT 0)', 'agg_exceptions': 'CREATE TABLE agg_exceptions (_id INTEGER PRIMARY KEY AUTOINCREMENT, type INTEGER NOT NULL, raw_contact_id1 INTEGER REFERENCES raw_contacts(_id), raw_contact_id2 INTEGER REFERENCES raw_contacts(_id))', '_sync_state_metadata': 'CREATE TABLE _sync_state_metadata (version INTEGER)', 'phone_lookup': 'CREATE TABLE phone_lookup (data_id INTEGER REFERENCES data(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, normalized_number TEXT NOT NULL, min_match TEXT NOT NULL)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'name_lookup': 'CREATE TABLE name_lookup (data_id INTEGER REFERENCES data(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, normalized_name TEXT NOT NULL, name_type INTEGER NOT NULL, PRIMARY KEY (data_id, normalized_name, name_type))', 'data_usage_stat': 'CREATE TABLE data_usage_stat(stat_id INTEGER PRIMARY KEY AUTOINCREMENT, data_id INTEGER NOT NULL, usage_type INTEGER NOT NULL DEFAULT 0, times_used INTEGER NOT NULL DEFAULT 0, last_time_used INTEGER NOT NULL DEFAULT 0, FOREIGN KEY(data_id) REFERENCES data(_id))', 'packages': 'CREATE TABLE packages (_id INTEGER PRIMARY KEY AUTOINCREMENT, package TEXT NOT NULL)', 'contacts': 'CREATE TABLE contacts (_id INTEGER PRIMARY KEY AUTOINCREMENT, name_raw_contact_id INTEGER REFERENCES raw_contacts(_id), photo_id INTEGER REFERENCES data(_id), photo_file_id INTEGER REFERENCES photo_files(_id), custom_ringtone TEXT, send_to_voicemail INTEGER NOT NULL DEFAULT 0, times_contacted INTEGER NOT NULL DEFAULT 0, last_time_contacted INTEGER, starred INTEGER NOT NULL DEFAULT 0, has_phone_number INTEGER NOT NULL DEFAULT 0, lookup TEXT, status_update_id INTEGER REFERENCES data(_id), contact_last_updated_timestamp INTEGER)', '_sync_state': 'CREATE TABLE _sync_state (_id INTEGER PRIMARY KEY, account_name TEXT NOT NULL, account_type TEXT NOT NULL, data TEXT, UNIQUE(account_name, account_type))', 'calls': 'CREATE TABLE calls (_id INTEGER PRIMARY KEY AUTOINCREMENT, number TEXT, date INTEGER, duration INTEGER, type INTEGER, new INTEGER, name TEXT, numbertype INTEGER, numberlabel TEXT, countryiso TEXT, voicemail_uri TEXT, is_read INTEGER, geocoded_location TEXT, lookup_uri TEXT, matched_number TEXT, normalized_number TEXT, photo_id INTEGER NOT NULL DEFAULT 0, formatted_number TEXT, _data TEXT, has_content INTEGER, mime_type TEXT, source_data TEXT, source_package TEXT, state INTEGER)', 'deleted_contacts': 'CREATE TABLE deleted_contacts (contact_id INTEGER PRIMARY KEY, contact_deleted_timestamp INTEGER NOT NULL default 0)', 'accounts': 'CREATE TABLE accounts (_id INTEGER PRIMARY KEY AUTOINCREMENT, account_name TEXT, account_type TEXT, data_set TEXT)', 'nickname_lookup': 'CREATE TABLE nickname_lookup (name TEXT, cluster TEXT)', 'properties': 'CREATE TABLE properties (property_key TEXT PRIMARY KEY, property_value TEXT )', 'mimetypes': 'CREATE TABLE mimetypes (_id INTEGER PRIMARY KEY AUTOINCREMENT, mimetype TEXT NOT NULL)', 'photo_files': 'CREATE TABLE photo_files (_id INTEGER PRIMARY KEY AUTOINCREMENT, height INTEGER NOT NULL, width INTEGER NOT NULL, filesize INTEGER NOT NULL)', 'data': 'CREATE TABLE data (_id INTEGER PRIMARY KEY AUTOINCREMENT, package_id INTEGER REFERENCES package(_id), mimetype_id INTEGER REFERENCES mimetype(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, is_read_only INTEGER NOT NULL DEFAULT 0, is_primary INTEGER NOT NULL DEFAULT 0, is_super_primary INTEGER NOT NULL DEFAULT 0, data_version INTEGER NOT NULL DEFAULT 0, data1 TEXT, data2 TEXT, data3 TEXT, data4 TEXT, data5 TEXT, data6 TEXT, data7 TEXT, data8 TEXT, data9 TEXT, data10 TEXT, data11 TEXT, data12 TEXT, data13 TEXT, data14 TEXT, data15 TEXT, data_sync1 TEXT, data_sync2 TEXT, data_sync3 TEXT, data_sync4 TEXT )', 'default_directory': 'CREATE TABLE default_directory (_id INTEGER PRIMARY KEY)'}]

plaso.parsers.sqlite_plugins.android_sms module

This file contains a parser for the Android SMS database.

Android SMS messages are stored in SQLite database files named mmssms.dbs.

class plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData

Bases: plaso.containers.events.EventData

Android SMS event data.

address

str – phone number associated to the sender or receiver.

body

str – content of the SMS text message.

sms_read

str – message read status, either Read or Unread.

sms_type

str – message type, either Sent or Received.

DATA_TYPE = 'android:messaging:sms'

class plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for Android SMS databases.

DESCRIPTION = 'Parser for Android text messages SQLite database files.'

NAME = 'android_sms'

ParseSmsRow(parser_mediator, query, row, **unused_kwargs)

Parses an SMS row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT _id AS id, address, date, read, type, body FROM sms', 'ParseSmsRow')]

REQUIRED_TABLES = frozenset({'sms'})

SCHEMAS = [{'rate': 'CREATE TABLE rate (sent_time INTEGER)', 'words_segments': "CREATE TABLE 'words_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'canonical_addresses': 'CREATE TABLE canonical_addresses (_id INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT)', 'words_content': "CREATE TABLE 'words_content'(docid INTEGER PRIMARY KEY, 'c0_id', 'c1index_text', 'c2source_id', 'c3table_to_use')", 'attachments': 'CREATE TABLE attachments (sms_id INTEGER, content_url TEXT, offset INTEGER)', 'drm': 'CREATE TABLE drm (_id INTEGER PRIMARY KEY, _data TEXT)', 'threads': 'CREATE TABLE threads (_id INTEGER PRIMARY KEY AUTOINCREMENT, date INTEGER DEFAULT 0, message_count INTEGER DEFAULT 0, recipient_ids TEXT, snippet TEXT, snippet_cs INTEGER DEFAULT 0, read INTEGER DEFAULT 1, type INTEGER DEFAULT 0, error INTEGER DEFAULT 0, has_attachment INTEGER DEFAULT 0)', 'words': 'CREATE VIRTUAL TABLE words USING FTS3 (_id INTEGER PRIMARY KEY, index_text TEXT, source_id INTEGER, table_to_use INTEGER)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'raw': 'CREATE TABLE raw (_id INTEGER PRIMARY KEY, date INTEGER, reference_number INTEGER, count INTEGER, sequence INTEGER, destination_port INTEGER, address TEXT, pdu TEXT)', 'sms': 'CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT, person INTEGER, date INTEGER, date_sent INTEGER DEFAULT 0, protocol INTEGER, read INTEGER DEFAULT 0, status INTEGER DEFAULT -1, type INTEGER, reply_path_present INTEGER, subject TEXT, body TEXT, service_center TEXT, locked INTEGER DEFAULT 0, error_code INTEGER DEFAULT 0, seen INTEGER DEFAULT 0)', 'pd': 'CREATE TABLE pdu (_id INTEGER PRIMARY KEY AUTOINCREMENT, thread_id INTEGER, date INTEGER, date_sent INTEGER DEFAULT 0, msg_box INTEGER, read INTEGER DEFAULT 0, m_id TEXT, sub TEXT, sub_cs INTEGER, ct_t TEXT, ct_l TEXT, exp INTEGER, m_cls TEXT, m_type INTEGER, v INTEGER, m_size INTEGER, pri INTEGER, rr INTEGER, rpt_a INTEGER, resp_st INTEGER, st INTEGER, tr_id TEXT, retr_st INTEGER, retr_txt TEXT, retr_txt_cs INTEGER, read_status INTEGER, ct_cls INTEGER, resp_txt TEXT, d_tm INTEGER, d_rpt INTEGER, locked INTEGER DEFAULT 0, seen INTEGER DEFAULT 0, text_only INTEGER DEFAULT 0)', 'pending_msgs': 'CREATE TABLE pending_msgs (_id INTEGER PRIMARY KEY, proto_type INTEGER, msg_id INTEGER, msg_type INTEGER, err_type INTEGER, err_code INTEGER, retry_index INTEGER NOT NULL DEFAULT 0, due_time INTEGER, last_try INTEGER)', 'part': 'CREATE TABLE part (_id INTEGER PRIMARY KEY AUTOINCREMENT, mid INTEGER, seq INTEGER DEFAULT 0, ct TEXT, name TEXT, chset INTEGER, cd TEXT, fn TEXT, cid TEXT, cl TEXT, ctt_s INTEGER, ctt_t TEXT, _data TEXT, text TEXT)', 'words_segdir': "CREATE TABLE 'words_segdir'(level INTEGER, idx INTEGER, start_block INTEGER, leaves_end_block INTEGER, end_block INTEGER, root BLOB, PRIMARY KEY(level, idx))", 'sr_pending': 'CREATE TABLE sr_pending (reference_number INTEGER, action TEXT, data TEXT)', 'addr': 'CREATE TABLE addr (_id INTEGER PRIMARY KEY, msg_id INTEGER, contact_id INTEGER, address TEXT, type INTEGER, charset INTEGER)'}]

SMS_READ = {0: 'UNREAD', 1: 'READ'}

SMS_TYPE = {1: 'RECEIVED', 2: 'SENT'}

plaso.parsers.sqlite_plugins.android_webview module

Parser for Android WebView databases.

class plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData

Bases: plaso.containers.events.EventData

Android WebView cookie event data.

cookie_name

str – name of the cookie.

data

str – data stored in the cookie.

domain

str – host that set the cookie.

path

str – path for which the cookie was set.

secure

bool – True if the cookie should only be transmitted over a secure channel.

url

str – URL of the cookie.

DATA_TYPE = 'webview:cookie'

class plaso.parsers.sqlite_plugins.android_webview.WebViewPlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for WebView databases.

DESCRIPTION = 'Parser for Android WebView databases'

NAME = 'android_webview'

ParseCookieRow(parser_mediator, query, row, **unused_kwargs)

Parses a row from the database.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = frozenset({('SELECT _id, name, value, domain, expires, path, secure FROM cookies', 'ParseCookieRow')})

REQUIRED_TABLES = frozenset({'cookies', 'android_metadata'})

SCHEMAS = [{'cookies': 'CREATE TABLE cookies (_id INTEGER PRIMARY KEY, name TEXT, value TEXT, domain TEXT, path TEXT, expires INTEGER, secure INTEGER)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'formdata': 'CREATE TABLE formdata (_id INTEGER PRIMARY KEY, urlid INTEGER, name TEXT, value TEXT, UNIQUE (urlid, name, value) ON CONFLICT IGNORE)', 'formurl': 'CREATE TABLE formurl (_id INTEGER PRIMARY KEY, url TEXT)', 'httpauth': 'CREATE TABLE httpauth (_id INTEGER PRIMARY KEY, host TEXT, realm TEXT, username TEXT, password TEXT, UNIQUE (host, realm) ON CONFLICT REPLACE)', 'password': 'CREATE TABLE password (_id INTEGER PRIMARY KEY, host TEXT, username TEXT, password TEXT, UNIQUE (host, username) ON CONFLICT REPLACE)'}]

plaso.parsers.sqlite_plugins.android_webviewcache module

Parser for Android WebviewCache databases.

class plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCacheEventData

Bases: plaso.containers.events.EventData

Android WebViewCache event data.

content_length

int – size of the cached content.

url

str – URL the content was retrieved from.

DATA_TYPE = 'android:webviewcache'

class plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for Android WebViewCache databases.

DESCRIPTION = 'Parser for Android WebViewCache databases'

NAME = 'android_webviewcache'

ParseRow(parser_mediator, query, row, **unused_kwargs)

Parses a row from the database.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = frozenset({('SELECT url, contentlength, expires, lastmodify FROM cache', 'ParseRow')})

REQUIRED_TABLES = frozenset({'android_metadata', 'cache'})

SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'cache': 'CREATE TABLE cache (_id INTEGER PRIMARY KEY, url TEXT, filepath TEXT, lastmodify TEXT, etag TEXT, expires INTEGER, expiresstring TEXT, mimetype TEXT, encoding TEXT, httpstatus INTEGER, location TEXT, contentlength INTEGER, contentdisposition TEXT, UNIQUE (url) ON CONFLICT REPLACE)'}]

plaso.parsers.sqlite_plugins.appusage module

This file contains a parser for the MacOS application usage.

The application usage is stored in SQLite database files named /var/db/application_usage.sqlite

class plaso.parsers.sqlite_plugins.appusage.ApplicationUsagePlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parse Application Usage history files.

Application usage is a SQLite database that logs down entries triggered by NSWorkspaceWillLaunchApplicationNotification and NSWorkspaceDidTerminateApplicationNotification NSWorkspace notifications by crankd.

See the code here: http://code.google.com/p/google-macops/source/browse/trunk/crankd/ ApplicationUsage.py

Default installation: /var/db/application_usage.sqlite

DESCRIPTION = 'Parser for MacOS application usage SQLite database files.'

NAME = 'appusage'

ParseApplicationUsageRow(parser_mediator, query, row, **unused_kwargs)

Parses an application usage row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT last_time, event, bundle_id, app_version, app_path, number_times FROM application_usage ORDER BY last_time', 'ParseApplicationUsageRow')]

REQUIRED_TABLES = frozenset({'application_usage'})

SCHEMAS = [{'application_usage': 'CREATE TABLE application_usage (event TEXT, bundle_id TEXT, app_version TEXT, app_path TEXT, last_time INTEGER DEFAULT 0, number_times INTEGER DEFAULT 0, PRIMARY KEY (event, bundle_id))'}]

class plaso.parsers.sqlite_plugins.appusage.MacOSApplicationUsageEventData

Bases: plaso.containers.events.EventData

MacOS application usage event data.

application

str – name of the application.

app_version

str – version of the application.

bundle_id

str – bundle identifier of the application.

count

int – TODO: number of times what?

DATA_TYPE = 'macosx:application_usage'

plaso.parsers.sqlite_plugins.chrome module

Parser for the Google Chrome History files.

The Chrome History is stored in SQLite database files named History and Archived History. Where the Archived History does not contain the downloads table.

class plaso.parsers.sqlite_plugins.chrome.BaseGoogleChromeHistoryPlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Google Chrome history SQLite database plugin.

ParseLastVisitedRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)

Parses a last visited row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
• cache (SQLiteCache) – cache which contains cached results from querying the visits and urls tables.
• database (Optional[SQLiteDatabase]) – database.

class plaso.parsers.sqlite_plugins.chrome.ChromeHistoryFileDownloadedEventData

Bases: plaso.containers.events.EventData

Chrome History file downloaded event data.

full_path

str – full path where the file was downloaded to.

received_bytes

int – number of bytes received while downloading.

total_bytes

int – total number of bytes to download.

url

str – URL of the downloaded file.

DATA_TYPE = 'chrome:history:file_downloaded'

class plaso.parsers.sqlite_plugins.chrome.ChromeHistoryPageVisitedEventData

Bases: plaso.containers.events.EventData

Chrome History page visited event data.

from_visit

str – URL where the visit originated from.

page_transition_type

int – type of transitions between pages.

title

str – title of the visited page.

typed_count

int – number of characters of the URL that were typed.

url

str – URL of the visited page.

url_hidden

bool – True if the URL is hidden.

visit_source

int – source of the page visit.

DATA_TYPE = 'chrome:history:page_visited'

class plaso.parsers.sqlite_plugins.chrome.GoogleChrome27HistoryPlugin

Bases: plaso.parsers.sqlite_plugins.chrome.BaseGoogleChromeHistoryPlugin

Google Chrome 27 - 65 history SQLite database plugin.

DESCRIPTION = 'Parser for Google Chrome 27 and up history SQLite database files.'

NAME = 'chrome_27_history'

ParseFileDownloadedRow(parser_mediator, query, row, **unused_kwargs)

Parses a file downloaded row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT urls.id, urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition, visits.id AS visit_id FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time', 'ParseLastVisitedRow'), ('SELECT downloads.id AS id, downloads.start_time,downloads.target_path, downloads_url_chains.url, downloads.received_bytes, downloads.total_bytes FROM downloads, downloads_url_chains WHERE downloads.id = downloads_url_chains.id', 'ParseFileDownloadedRow')]

REQUIRED_TABLES = frozenset({'keyword_search_terms', 'downloads', 'visits', 'urls', 'meta', 'downloads_url_chains', 'visit_source'})

SCHEMAS = [{'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)'}, {'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)'}, {'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)'}, {'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)'}, {'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)'}, {'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,last_access_time INTEGER NOT NULL,transient INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)'}, {'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)'}, {'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads': "CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, guid VARCHAR NOT NULL DEFAULT '', hash BLOB NOT NULL DEFAULT X'', http_method VARCHAR NOT NULL DEFAULT '', tab_url VARCHAR NOT NULL DEFAULT '', tab_referrer_url VARCHAR NOT NULL DEFAULT '', site_url VARCHAR NOT NULL DEFAULT '', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)", 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)'}, {'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL, mime_type VARCHAR(255) NOT NULL DEFAULT "", original_mime_type VARCHAR(255) NOT NULL DEFAULT "", guid VARCHAR NOT NULL DEFAULT \'\', hash BLOB NOT NULL DEFAULT X\'\', http_method VARCHAR NOT NULL DEFAULT \'\', tab_url VARCHAR NOT NULL DEFAULT \'\', tab_referrer_url VARCHAR NOT NULL DEFAULT \'\', site_url VARCHAR NOT NULL DEFAULT \'\', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)'}, {'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads': "CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, guid VARCHAR NOT NULL DEFAULT '', hash BLOB NOT NULL DEFAULT X'', http_method VARCHAR NOT NULL DEFAULT '', tab_url VARCHAR NOT NULL DEFAULT '', tab_referrer_url VARCHAR NOT NULL DEFAULT '', site_url VARCHAR NOT NULL DEFAULT '', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)", 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)'}, {'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,last_access_time INTEGER NOT NULL,transient INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)'}]

class plaso.parsers.sqlite_plugins.chrome.GoogleChrome8HistoryPlugin

Bases: plaso.parsers.sqlite_plugins.chrome.BaseGoogleChromeHistoryPlugin

Google Chrome 8 - 25 history SQLite database plugin.

DESCRIPTION = 'Parser for Google Chrome 8 - 25 history SQLite database files.'

NAME = 'chrome_8_history'

ParseFileDownloadedRow(parser_mediator, query, row, **unused_kwargs)

Parses a file downloaded row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT urls.id, urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition, visits.id AS visit_id FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time', 'ParseLastVisitedRow'), ('SELECT id, full_path, url, start_time, received_bytes, total_bytes,state FROM downloads', 'ParseFileDownloadedRow')]

REQUIRED_TABLES = frozenset({'keyword_search_terms', 'downloads', 'visits', 'presentation', 'urls', 'meta', 'visit_source'})

SCHEMAS = [{'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,value LONGVARCHAR)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)'}, {'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,value LONGVARCHAR)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)'}, {'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)'}, {'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)'}]

plaso.parsers.sqlite_plugins.chrome_autofill module

Parser for Google Chrome autofill entries.

The Chrome autofill information is stored in SQLite database files named Web Data.

class plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillEventData

Bases: plaso.containers.events.EventData

Chrome Autofill event data.

field_name

str – name of form field.

value

str – value populated in form field.

usage_count

int – count of times value has been used in field_name.

DATA_TYPE = 'chrome:autofill:entry'

class plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Plugin to parse Chrome Autofill entries from Web Data database files.

DESCRIPTION = 'Parser for Chrome autofill SQLite database files.'

NAME = 'chrome_autofill'

ParseAutofillRow(parser_mediator, query, row, **unused_kwargs)

Parses an autofill entry row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT autofill.date_created, autofill.date_last_used, autofill.name, autofill.value, autofill.count FROM autofill ORDER BY date_created', 'ParseAutofillRow')]

REQUIRED_TABLES = frozenset({'autofill'})

SCHEMAS = [{'autofill': 'CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower VARCHAR, date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0, count INTEGER DEFAULT 1, PRIMARY KEY (name, value));)'}]

plaso.parsers.sqlite_plugins.chrome_cookies module

Parser for the Google Chrome Cookie database.

class plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData

Bases: plaso.containers.events.EventData

Chrome Cookie event data.

cookie_name

str – name of the cookie.

host

str – hostname of host that set the cookie value.

httponly

bool – True if the cookie cannot be accessed through client side script.

path

str – path where the cookie got set.

persistent

bool – True if the cookie is persistent.

secure

bool – True if the cookie should only be transmitted over a secure channel.

url

str – URL or path where the cookie got set.

data

str – value of the cookie.

DATA_TYPE = 'chrome:cookie:entry'

class plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookiePlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parse Chrome Cookies file.

DESCRIPTION = 'Parser for Chrome cookies SQLite database files.'

GA_UTMZ_TRANSLATION = {'utmccn': 'Ad campaign information.', 'utmcct': 'Path to the page of referring link.', 'utmcmd': 'Last type of visit.', 'utmcsr': 'Last source used to access.', 'utmctr': 'Keywords used to find site.'}

NAME = 'chrome_cookies'

ParseCookieRow(parser_mediator, query, row, **unused_kwargs)

Parses a cookie row.

Parameters:

• parser_mediator (ParserMediator) – parser mediator.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from the query.

QUERIES = [('SELECT creation_utc, host_key, name, value, path, expires_utc, secure, httponly, last_access_utc, has_expires, persistent FROM cookies', 'ParseCookieRow'), ('SELECT creation_utc, host_key, name, value, path, expires_utc, is_secure AS secure, is_httponly AS httponly, last_access_utc, has_expires, is_persistent AS persistent FROM cookies', 'ParseCookieRow')]

REQUIRED_TABLES = frozenset({'cookies', 'meta'})

SCHEMAS = [{'cookies': 'CREATE TABLE cookies (creation_utc INTEGER NOT NULL UNIQUE PRIMARY KEY, host_key TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL, path TEXT NOT NULL, expires_utc INTEGER NOT NULL, secure INTEGER NOT NULL, httponly INTEGER NOT NULL, last_access_utc INTEGER NOT NULL, has_expires INTEGER DEFAULT 1, persistent INTEGER DEFAULT 1)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)'}]

URLS = ['http://src.chromium.org/svn/trunk/src/net/cookies/', 'http://www.dfinews.com/articles/2012/02/google-analytics-cookies-and-forensic-implications']

plaso.parsers.sqlite_plugins.chrome_extension_activity module

Parser for the Google Chrome extension activity database files.

The Chrome extension activity is stored in SQLite database files named Extension Activity.

class plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData

Bases: plaso.containers.events.EventData

Chrome Extension Activity event data.

action_type

str – action type.

activity_id

str – activity identifier.

api_name

str – name of API.

arg_url

str – URL argument.

args

str – arguments.

extension_id

str – extension identifier.

other

str – other.

page_title

str – title of webpage.

page_url

str – URL of webpage.

DATA_TYPE = 'chrome:extension_activity:activity_log'

class plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Plugin to parse Chrome extension activity database files.

DESCRIPTION = 'Parser for Chrome extension activity SQLite database files.'

NAME = 'chrome_extension_activity'

ParseActivityLogUncompressedRow(parser_mediator, query, row, **unused_kwargs)

Parses an activity log row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT time, extension_id, action_type, api_name, args, page_url, page_title, arg_url, other, activity_id FROM activitylog_uncompressed ORDER BY time', 'ParseActivityLogUncompressedRow')]

REQUIRED_TABLES = frozenset({'activitylog_compressed', 'string_ids', 'url_ids'})

SCHEMAS = [{'activitylog_compressed': 'CREATE TABLE activitylog_compressed (count INTEGER NOT NULL DEFAULT 1, extension_id_x INTEGER NOT NULL, time INTEGER, action_type INTEGER, api_name_x INTEGER, args_x INTEGER, page_url_x INTEGER, page_title_x INTEGER, arg_url_x INTEGER, other_x INTEGER)', 'string_ids': 'CREATE TABLE string_ids (id INTEGER PRIMARY KEY, value TEXT NOT NULL)', 'url_ids': 'CREATE TABLE url_ids (id INTEGER PRIMARY KEY, value TEXT NOT NULL)'}]

plaso.parsers.sqlite_plugins.firefox module

This file contains a parser for the Mozilla Firefox history.

class plaso.parsers.sqlite_plugins.firefox.FirefoxDownloadEventData

Bases: plaso.containers.events.EventData

Firefox download event data.

full_path

str – full path of the target of the download.

mime_type

str – mime type of the download.

name

str – name of the download.

received_bytes

int – number of bytes received.

referrer

str – referrer URL of the download.

temporary_location

str – temporary location of the download.

total_bytes

int – total number of bytes of the download.

url

str – source URL of the download.

DATA_TYPE = 'firefox:downloads:download'

class plaso.parsers.sqlite_plugins.firefox.FirefoxDownloadsPlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parses a Firefox downloads file.

The Firefox downloads history is stored in a SQLite database file named downloads.sqlite.

DESCRIPTION = 'Parser for Firefox downloads SQLite database files.'

NAME = 'firefox_downloads'

ParseDownloadsRow(parser_mediator, query, row, **unused_kwargs)

Parses a downloads row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT moz_downloads.id, moz_downloads.name, moz_downloads.source, moz_downloads.target, moz_downloads.tempPath, moz_downloads.startTime, moz_downloads.endTime, moz_downloads.state, moz_downloads.referrer, moz_downloads.currBytes, moz_downloads.maxBytes, moz_downloads.mimeType FROM moz_downloads', 'ParseDownloadsRow')]

REQUIRED_TABLES = frozenset({'moz_downloads'})

SCHEMAS = [{'moz_downloads': 'CREATE TABLE moz_downloads (id INTEGER PRIMARY KEY, name TEXT, source TEXT, target TEXT, tempPath TEXT, startTime INTEGER, endTime INTEGER, state INTEGER, referrer TEXT, entityID TEXT, currBytes INTEGER NOT NULL DEFAULT 0, maxBytes INTEGER NOT NULL DEFAULT -1, mimeType TEXT, preferredApplication TEXT, preferredAction INTEGER NOT NULL DEFAULT 0, autoResume INTEGER NOT NULL DEFAULT 0)'}]

class plaso.parsers.sqlite_plugins.firefox.FirefoxHistoryPlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parses a Firefox history file.

The Firefox history is stored in a SQLite database file named places.sqlite.

DESCRIPTION = 'Parser for Firefox history SQLite database files.'

NAME = 'firefox_history'

ParseBookmarkAnnotationRow(parser_mediator, query, row, **unused_kwargs)

Parses a bookmark annotation row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

ParseBookmarkFolderRow(parser_mediator, query, row, **unused_kwargs)

Parses a bookmark folder row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

ParseBookmarkRow(parser_mediator, query, row, **unused_kwargs)

Parses a bookmark row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

ParsePageVisitedRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)

Parses a page visited row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
• cache (Optional[SQLiteCache]) – cache.
• database (Optional[SQLiteDatabase]) – database.

QUERIES = [('SELECT moz_historyvisits.id, moz_places.url, moz_places.title, moz_places.visit_count, moz_historyvisits.visit_date, moz_historyvisits.from_visit, moz_places.rev_host, moz_places.hidden, moz_places.typed, moz_historyvisits.visit_type FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id', 'ParsePageVisitedRow'), ('SELECT moz_bookmarks.type, moz_bookmarks.title AS bookmark_title, moz_bookmarks.dateAdded, moz_bookmarks.lastModified, moz_places.url, moz_places.title AS places_title, moz_places.rev_host, moz_places.visit_count, moz_bookmarks.id FROM moz_places, moz_bookmarks WHERE moz_bookmarks.fk = moz_places.id AND moz_bookmarks.type <> 3', 'ParseBookmarkRow'), ('SELECT moz_items_annos.content, moz_items_annos.dateAdded, moz_items_annos.lastModified, moz_bookmarks.title, moz_places.url, moz_places.rev_host, moz_items_annos.id FROM moz_items_annos, moz_bookmarks, moz_places WHERE moz_items_annos.item_id = moz_bookmarks.id AND moz_bookmarks.fk = moz_places.id', 'ParseBookmarkAnnotationRow'), ('SELECT moz_bookmarks.id, moz_bookmarks.title,moz_bookmarks.dateAdded, moz_bookmarks.lastModified FROM moz_bookmarks WHERE moz_bookmarks.type = 2', 'ParseBookmarkFolderRow')]

REQUIRED_TABLES = frozenset({'moz_items_annos', 'moz_places', 'moz_bookmarks', 'moz_historyvisits'})

SCHEMAS = [{'moz_items_annos': 'CREATE TABLE moz_items_annos ( id INTEGER PRIMARY KEY, item_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_places': 'CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER )', 'moz_anno_attributes': 'CREATE TABLE moz_anno_attributes ( id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE NOT NULL)', 'moz_bookmarks_roots': 'CREATE TABLE moz_bookmarks_roots ( root_name VARCHAR(16) UNIQUE, folder_id INTEGER)', 'moz_bookmarks': 'CREATE TABLE moz_bookmarks ( id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER DEFAULT NULL, parent INTEGER, position INTEGER, title LONGVARCHAR, keyword_id INTEGER, folder_type TEXT, dateAdded INTEGER, lastModified INTEGER)', 'moz_historyvisits': 'CREATE TABLE moz_historyvisits ( id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER)', 'moz_favicons': 'CREATE TABLE moz_favicons ( id INTEGER PRIMARY KEY, url LONGVARCHAR UNIQUE, data BLOB, mime_type VARCHAR(32), expiration LONG)', 'moz_inputhistory': 'CREATE TABLE moz_inputhistory ( place_id INTEGER NOT NULL, input LONGVARCHAR NOT NULL, use_count INTEGER, PRIMARY KEY (place_id, input))', 'moz_annos': 'CREATE TABLE moz_annos ( id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_keywords': 'CREATE TABLE moz_keywords ( id INTEGER PRIMARY KEY AUTOINCREMENT, keyword TEXT UNIQUE)'}, {'moz_places': 'CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER , guid TEXT)', 'moz_keywords': 'CREATE TABLE moz_keywords ( id INTEGER PRIMARY KEY AUTOINCREMENT, keyword TEXT UNIQUE)', 'moz_bookmarks_roots': 'CREATE TABLE moz_bookmarks_roots ( root_name VARCHAR(16) UNIQUE, folder_id INTEGER)', 'sqlite_stat1': 'CREATE TABLE sqlite_stat1(tbl, idx, stat)', 'moz_favicons': 'CREATE TABLE moz_favicons ( id INTEGER PRIMARY KEY, url LONGVARCHAR UNIQUE, data BLOB, mime_type VARCHAR(32), expiration LONG, guid TEXT)', 'moz_anno_attributes': 'CREATE TABLE moz_anno_attributes ( id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE NOT NULL)', 'moz_bookmarks': 'CREATE TABLE moz_bookmarks ( id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER DEFAULT NULL, parent INTEGER, position INTEGER, title LONGVARCHAR, keyword_id INTEGER, folder_type TEXT, dateAdded INTEGER, lastModified INTEGER, guid TEXT)', 'moz_historyvisits': 'CREATE TABLE moz_historyvisits ( id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER)', 'moz_items_annos': 'CREATE TABLE moz_items_annos ( id INTEGER PRIMARY KEY, item_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_inputhistory': 'CREATE TABLE moz_inputhistory ( place_id INTEGER NOT NULL, input LONGVARCHAR NOT NULL, use_count INTEGER, PRIMARY KEY (place_id, input))', 'moz_annos': 'CREATE TABLE moz_annos ( id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_hosts': 'CREATE TABLE moz_hosts ( id INTEGER PRIMARY KEY, host TEXT NOT NULL UNIQUE, frecency INTEGER, typed INTEGER NOT NULL DEFAULT 0, prefix TEXT)'}]

URL_CACHE_QUERY = 'SELECT h.id AS id, p.url, p.rev_host FROM moz_places p, moz_historyvisits h WHERE p.id = h.place_id'

class plaso.parsers.sqlite_plugins.firefox.FirefoxPlacesBookmarkAnnotationEventData

Bases: plaso.containers.events.EventData

Firefox bookmark annotation event data.

content

str – annotation content.

title

str – title of the bookmark folder.

url

str – bookmarked URL.

DATA_TYPE = 'firefox:places:bookmark_annotation'

class plaso.parsers.sqlite_plugins.firefox.FirefoxPlacesBookmarkEventData

Bases: plaso.containers.events.EventData

Firefox bookmark event data.

bookmark_type

int – bookmark type.

hostname

str – hostname.

places_title

str – places title.

title

str – title of the bookmark folder.

url

str – bookmarked URL.

visit_count

int – visit count.

DATA_TYPE = 'firefox:places:bookmark'

class plaso.parsers.sqlite_plugins.firefox.FirefoxPlacesBookmarkFolderEventData

Bases: plaso.containers.events.EventData

Firefox bookmark folder event data.

title

str – title of the bookmark folder.

DATA_TYPE = 'firefox:places:bookmark_folder'

class plaso.parsers.sqlite_plugins.firefox.FirefoxPlacesPageVisitedEventData

Bases: plaso.containers.events.EventData

Firefox page visited event data.

extra

list[object] – extra event data.

hostname

str – visited hostname.

title

str – title of the visited page.

url

str – URL of the visited page.

visit_count

int – visit count.

visit_type

str – transition type for the event.

DATA_TYPE = 'firefox:places:page_visited'

plaso.parsers.sqlite_plugins.firefox_cookies module

Parser for the Firefox Cookie database.

class plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData

Bases: plaso.containers.events.EventData

Firefox Cookie event data.

cookie_name

str – name field of the cookie.

data

str – cookie data.

httponly

bool – True if the cookie cannot be accessed through client side script.

host

str – hostname of host that set the cookie value.

path

str – URI of the page that set the cookie.

secure

bool – True if the cookie should only be transmitted over a secure channel.

DATA_TYPE = 'firefox:cookie:entry'

class plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for the Firefox Cookie database.

DESCRIPTION = 'Parser for Firefox cookies SQLite database files.'

NAME = 'firefox_cookies'

ParseCookieRow(parser_mediator, query, row, **unused_kwargs)

Parses a cookie row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT id, baseDomain, name, value, host, path, expiry, lastAccessed, creationTime, isSecure, isHttpOnly FROM moz_cookies', 'ParseCookieRow')]

REQUIRED_TABLES = frozenset({'moz_cookies'})

SCHEMAS = [{'moz_cookies': 'CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement))'}]

URLS = ['https://hg.mozilla.org/mozilla-central/file/349a2f003529/netwerk/cookie/nsCookie.h']

plaso.parsers.sqlite_plugins.gdrive module

This file contains a parser for the Google Drive snapshots.

The Google Drive snapshots are stored in SQLite database files named snapshot.db.

class plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite plugin for Google Drive snapshot.db files.

CLOUD_PATH_CACHE_QUERY = 'SELECT cloud_entry.filename, cloud_entry.resource_id, cloud_relations.parent_resource_id AS parent FROM cloud_entry, cloud_relations WHERE cloud_entry.doc_type = 0 AND cloud_entry.resource_id = cloud_relations.child_resource_id'

DESCRIPTION = 'Parser for Google Drive SQLite database files.'

GetCloudPath(resource_id, cache, database)

Return cloud path given a resource id.

Parameters:

• resource_id (str) – resource identifier for the file.
• cache (SQLiteCache) – cache.
• database (SQLiteDatabase) – database.

Returns:

full path to the resource value.

Return type:

str

GetLocalPath(inode, cache, database)

Return local path for a given inode.

Parameters:

• inode (int) – inode number for the file.
• cache (SQLiteCache) – cache.
• database (SQLiteDatabase) – database.

Returns:

full path, including the filename of the given inode value.

Return type:

str

LOCAL_PATH_CACHE_QUERY = 'SELECT local_relations.child_inode_number, local_relations.parent_inode_number, local_entry.filename FROM local_relations, local_entry WHERE local_relations.child_inode_number = local_entry.inode_number'

NAME = 'google_drive'

ParseCloudEntryRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)

Parses a cloud entry row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
• cache (SQLiteCache) – cache.
• database (SQLiteDatabase) – database.

ParseLocalEntryRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)

Parses a local entry row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
• cache (Optional[SQLiteCache]) – cache.
• database (Optional[SQLiteDatabase]) – database.

QUERIES = [('SELECT cloud_entry.resource_id, cloud_entry.filename, cloud_entry.modified, cloud_entry.created, cloud_entry.size, cloud_entry.doc_type, cloud_entry.shared, cloud_entry.checksum, cloud_entry.url, cloud_relations.parent_resource_id FROM cloud_entry, cloud_relations WHERE cloud_relations.child_resource_id = cloud_entry.resource_id AND cloud_entry.modified IS NOT NULL;', 'ParseCloudEntryRow'), ('SELECT inode_number, filename, modified, checksum, size FROM local_entry WHERE modified IS NOT NULL;', 'ParseLocalEntryRow')]

REQUIRED_TABLES = frozenset({'cloud_entry', 'local_relations', 'local_entry', 'mapping', 'overlay_status', 'cloud_relations'})

SCHEMAS = [{'overlay_status': 'CREATE TABLE overlay_status (path TEXT, overlay_status INTEGER, PRIMARY KEY (path))', 'local_relations': 'CREATE TABLE local_relations (child_inode_number INTEGER, parent_inode_number INTEGER, UNIQUE (child_inode_number), FOREIGN KEY (parent_inode_number) REFERENCES local_entry(inode_number), FOREIGN KEY (child_inode_number) REFERENCES local_entry(inode_number))', 'local_entry': 'CREATE TABLE local_entry (inode_number INTEGER, filename TEXT, modified INTEGER, checksum TEXT, size INTEGER, PRIMARY KEY (inode_number))', 'mapping': 'CREATE TABLE mapping (inode_number INTEGER, resource_id TEXT, UNIQUE (inode_number), FOREIGN KEY (inode_number) REFERENCES local_entry(inode_number), FOREIGN KEY (resource_id) REFERENCES cloud_entry(resource_id))', 'cloud_entry': 'CREATE TABLE cloud_entry (resource_id TEXT, filename TEXT, modified INTEGER, created INTEGER, acl_role INTEGER, doc_type INTEGER, removed INTEGER, url TEXT, size INTEGER, checksum TEXT, shared INTEGER, PRIMARY KEY (resource_id))', 'cloud_relations': 'CREATE TABLE cloud_relations (child_resource_id TEXT, parent_resource_id TEXT, UNIQUE (child_resource_id, parent_resource_id), FOREIGN KEY (child_resource_id) REFERENCES cloud_entry(resource_id), FOREIGN KEY (parent_resource_id) REFERENCES cloud_entry(resource_id))'}]

class plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData

Bases: plaso.containers.events.EventData

Google Drive snapshot cloud entry event data.

doc_type

int – document type.

path

str – path of the file.

shared

bool – True if the file is shared, False if the file is private.

size

int – size of the file.

url

str – URL of the file.

DATA_TYPE = 'gdrive:snapshot:cloud_entry'

class plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotLocalEntryEventData

Bases: plaso.containers.events.EventData

Google Drive snapshot local entry event data.

path

str – path of the file.

size

int – size of the file.

DATA_TYPE = 'gdrive:snapshot:local_entry'

plaso.parsers.sqlite_plugins.hangouts_messages module

This file contains a parser for the Google Hangouts Active Conversations DB.

/data/com.google.android.talk/databases/babel.db This SQLite database is the conversation database for conversations,

participant names, messages, and information about the Google Hangout event. There can be multiple babel.db databases, and each database name will be followed by an integer starting with 0 (e.g., babel0.db,babel1.db,babel3.db)..

class plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessageData

Bases: plaso.containers.events.EventData

GoogleHangouts Message event data.

sender

str – Name with the sender.

body

str – content of the SMS text message.

message_status

int – message status.

message_type

int – message type.

DATA_TYPE = 'android:messaging:hangouts'

class plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessagePlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for Google Hangouts databases.

DESCRIPTION = 'Parser for Google Hangouts Messages SQLite database files.'

NAME = 'hangouts_messages'

ParseMessagesRow(parser_mediator, query, row, **unused_kwargs)

Parses an Messages row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT messages._id, participants.full_name, text, messages.timestamp,status, type FROM messages INNER JOIN participants ON messages.author_chat_id=participants.chat_id;', 'ParseMessagesRow')]

REQUIRED_TABLES = frozenset({'blocked_people', 'participants', 'messages'})

SCHEMAS = [{'suggested_contacts': 'CREATE TABLE suggested_contacts (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, first_name TEXT, packed_circle_ids TEXT, profile_photo_url TEXT, sequence INT, suggestion_type INT, logging_id TEXT, affinity_score REAL DEFAULT (0.0), is_in_same_domain INT DEFAULT (0))', 'recent_calls': 'CREATE TABLE recent_calls (_id INTEGER PRIMARY KEY, normalized_number TEXT NOT NULL, phone_number TEXT, contact_id TEXT, call_timestamp INT, call_type INT, contact_type INT, call_rate TEXT, is_free_call BOOLEAN)', 'sticker_photos': 'CREATE TABLE sticker_photos (photo_id TEXT NOT NULL, album_id TEXT NOT NULL, url TEXT NOT NULL, file_name TEXT, last_used INT DEFAULT(0), PRIMARY KEY (photo_id), FOREIGN KEY (album_id) REFERENCES sticker_albums(album_id) ON DELETE CASCADE)', 'participant_email_fts': 'CREATE VIRTUAL TABLE participant_email_fts USING fts4(content="merged_contact_details", gaia_id,lookup_data)', 'search': 'CREATE TABLE search (search_key TEXT NOT NULL,continuation_token TEXT,PRIMARY KEY (search_key))', 'sticker_albums': 'CREATE TABLE sticker_albums (album_id TEXT NOT NULL, title TEXT, cover_photo_id TEXT, last_used INT DEFAULT(0), PRIMARY KEY (album_id))', 'participants_fts': 'CREATE VIRTUAL TABLE participants_fts USING fts4(content="participants",gaia_id,full_name)', 'merged_contacts': 'CREATE TABLE merged_contacts (_id INTEGER PRIMARY KEY, contact_lookup_key TEXT, contact_id INT, raw_contact_id INT, display_name TEXT, avatar_url TEXT, is_frequent INT DEFAULT (0), is_favorite INT DEFAULT (0), contact_source INT DEFAULT(0), frequent_order INT, person_logging_id TEXT, person_affinity_score REAL DEFAULT (0.0), is_in_same_domain INT DEFAULT (0))', 'event_suggestions': 'CREATE TABLE event_suggestions (_id INTEGER PRIMARY KEY, conversation_id TEXT, event_id TEXT, suggestion_id TEXT, timestamp INT, expiration_time_usec INT, type INT, gem_asset_url STRING, gem_horizontal_alignment INT, matched_message_substring TEXT, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, UNIQUE (conversation_id,suggestion_id) ON CONFLICT REPLACE)', 'mms_notification_inds': 'CREATE TABLE mms_notification_inds (_id INTEGER PRIMARY KEY, content_location TEXT, transaction_id TEXT, from_address TEXT, message_size INT DEFAULT(0), expiry INT)', 'conversation_participants': 'CREATE TABLE conversation_participants (_id INTEGER PRIMARY KEY, participant_row_id INT, participant_type INT, conversation_id TEXT, sequence INT, active INT, invitation_status INT DEFAULT(0), UNIQUE (conversation_id,participant_row_id) ON CONFLICT REPLACE, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, FOREIGN KEY (participant_row_id) REFERENCES participants(_id))', 'participants_fts_stat': "CREATE TABLE 'participants_fts_stat'(id INTEGER PRIMARY KEY, value BLOB)", 'dismissed_contacts': 'CREATE TABLE dismissed_contacts (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, profile_photo_url TEXT, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'blocked_people': 'CREATE TABLE blocked_people (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, profile_photo_url TEXT, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'conversations': 'CREATE TABLE conversations (_id INTEGER PRIMARY KEY, conversation_id TEXT, conversation_type INT, latest_message_timestamp INT DEFAULT(0), latest_message_expiration_timestamp INT, metadata_present INT,notification_level INT, name TEXT, generated_name TEXT, snippet_type INT, snippet_text TEXT, snippet_image_url TEXT, snippet_author_gaia_id TEXT, snippet_author_chat_id TEXT, snippet_message_row_id INT, snippet_selector INT, snippet_status INT, snippet_new_conversation_name TEXT, snippet_participant_keys TEXT, snippet_sms_type TEXT, previous_latest_timestamp INT, status INT, view INT, inviter_gaia_id TEXT, inviter_chat_id TEXT, inviter_affinity INT, is_pending_leave INT, account_id INT, is_otr INT, packed_avatar_urls TEXT, self_avatar_url TEXT, self_watermark INT DEFAULT(0), chat_watermark INT DEFAULT(0), hangout_watermark INT DEFAULT(0), is_draft INT, sequence_number INT, call_media_type INT DEFAULT(0), has_joined_hangout INT, has_chat_notifications DEFAULT(0),has_video_notifications DEFAULT(0),last_hangout_event_time INT, draft TEXT, otr_status INT, otr_toggle INT, last_otr_modification_time INT, continuation_token BLOB, continuation_event_timestamp INT, has_oldest_message INT DEFAULT(0), sort_timestamp INT, first_peak_scroll_time INT, first_peak_scroll_to_message_timestamp INT, second_peak_scroll_time INT, second_peak_scroll_to_message_timestamp INT, conversation_hash BLOB, disposition INT DEFAULT(0), has_persistent_events INT DEFAULT(-1), transport_type INT DEFAULT(1), default_transport_phone TEXT, sms_service_center TEXT, is_temporary INT DEFAULT (0), sms_thread_id INT DEFAULT (-1), chat_ringtone_uri TEXT, hangout_ringtone_uri TEXT, snippet_voicemail_duration INT DEFAULT (0), share_count INT DEFAULT(0), has_unobserved TEXT, last_share_timestamp INT DEFAULT(0), gls_status INT DEFAULT(0), gls_link TEXT, is_guest INT DEFAULT(0), UNIQUE (conversation_id ))', 'participant_email_fts_segdir': "CREATE TABLE 'participant_email_fts_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx))", 'multipart_attachments': 'CREATE TABLE multipart_attachments (_id INTEGER PRIMARY KEY, message_id TEXT, conversation_id TEXT, url TEXT, content_type TEXT, width INT, height INT, FOREIGN KEY (message_id, conversation_id) REFERENCES messages(message_id, conversation_id) ON DELETE CASCADE ON UPDATE CASCADE)', 'participants': "CREATE TABLE participants (_id INTEGER PRIMARY KEY, participant_type INT DEFAULT 1, gaia_id TEXT, chat_id TEXT, phone_id TEXT, circle_id TEXT, first_name TEXT, full_name TEXT, fallback_name TEXT, profile_photo_url TEXT, batch_gebi_tag STRING DEFAULT('-1'), blocked INT DEFAULT(0), in_users_domain BOOLEAN, UNIQUE (circle_id) ON CONFLICT REPLACE, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)", 'presence': 'CREATE TABLE presence (_id INTEGER PRIMARY KEY, gaia_id TEXT NOT NULL, reachable INT DEFAULT(0), reachable_time INT DEFAULT(0), available INT DEFAULT(0), available_time INT DEFAULT(0), status_message TEXT, status_message_time INT DEFAULT(0), call_type INT DEFAULT(0), call_type_time INT DEFAULT(0), device_status INT DEFAULT(0), device_status_time INT DEFAULT(0), last_seen INT DEFAULT(0), last_seen_time INT DEFAULT(0), location BLOB, location_time INT DEFAULT(0), UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'participant_email_fts_stat': "CREATE TABLE 'participant_email_fts_stat'(id INTEGER PRIMARY KEY, value BLOB)", 'participant_email_fts_segments': "CREATE TABLE 'participant_email_fts_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'participants_fts_docsize': "CREATE TABLE 'participants_fts_docsize'(docid INTEGER PRIMARY KEY, size BLOB)", 'participants_fts_segments': "CREATE TABLE 'participants_fts_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'participant_email_fts_docsize': "CREATE TABLE 'participant_email_fts_docsize'(docid INTEGER PRIMARY KEY, size BLOB)", 'merged_contact_details': 'CREATE TABLE merged_contact_details (_id INTEGER PRIMARY KEY, merged_contact_id INT, lookup_data_type INT, lookup_data TEXT, lookup_data_standardized TEXT, lookup_data_search TEXT, lookup_data_label TEXT, needs_gaia_ids_resolved INT DEFAULT (1), is_hangouts_user INT DEFAULT (0), gaia_id TEXT, avatar_url TEXT, display_name TEXT, last_checked_ts INT DEFAULT (0), lookup_data_display TEXT, detail_affinity_score REAL DEFAULT (0.0), detail_logging_id TEXT, is_in_viewer_dasher_domain INT DEFAULT (0), FOREIGN KEY (merged_contact_id) REFERENCES merged_contacts(_id) ON DELETE CASCADE ON UPDATE CASCADE)', 'participants_fts_segdir': "CREATE TABLE 'participants_fts_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx))", 'merge_keys': 'CREATE TABLE merge_keys (_id INTEGER PRIMARY KEY, conversation_id TEXT, merge_key TEXT, UNIQUE (conversation_id) ON CONFLICT REPLACE, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE )', 'messages': 'CREATE TABLE messages (_id INTEGER PRIMARY KEY, message_id TEXT, message_type INT, conversation_id TEXT, author_chat_id TEXT, author_gaia_id TEXT, text TEXT, timestamp INT, delete_after_read_timetamp INT, status INT, type INT, local_url TEXT, remote_url TEXT, attachment_content_type TEXT, width_pixels INT, height_pixels INT, stream_id TEXT, image_id TEXT, album_id TEXT, latitude DOUBLE, longitude DOUBLE, address ADDRESS, notification_level INT, expiration_timestamp INT, notified_for_failure INT DEFAULT(0), off_the_record INT DEFAULT(0), transport_type INT NOT NULL DEFAULT(1), transport_phone TEXT, external_ids TEXT, sms_timestamp_sent INT DEFAULT(0), sms_priority INT DEFAULT(0), sms_message_size INT DEFAULT(0), mms_subject TEXT, sms_raw_sender TEXT, sms_raw_recipients TEXT, persisted INT DEFAULT(1), sms_message_status INT DEFAULT(-1), sms_type INT DEFAULT(-1), stream_url TEXT, attachment_target_url TEXT, attachment_name TEXT, image_rotation INT DEFAULT (0), new_conversation_name TEXT, participant_keys TEXT, forwarded_mms_url TEXT, forwarded_mms_count INT DEFAULT(0), attachment_description TEXT, attachment_target_url_description TEXT, attachment_target_url_name TEXT, attachment_blob_data BLOB,attachment_uploading_progress INT DEFAULT(0), sending_error INT DEFAULT(0), stream_expiration INT, voicemail_length INT DEFAULT (0), call_media_type INT DEFAULT(0), last_seen_timestamp INT DEFAULT(0), observed_status INT DEFAULT(2), receive_type INT DEFAULT(0), init_timestamp INT DEFAULT(0), in_app_msg_latency INT DEFAULT(0), notified INT DEFAULT(0), alert_in_conversation_list INT DEFAULT(0), attachments BLOB, is_user_mentioned INT DEFAULT(0), local_id TEXT, request_task_row_id INT DEFAULT(-1), FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, UNIQUE (conversation_id,message_id) ON CONFLICT REPLACE)'}]

plaso.parsers.sqlite_plugins.imessage module

This file contains a parser for the iMessage database on OSX and iOS.

iMessage and SMS data in OSX and iOS are stored in SQLite databases named chat.db and sms.db respectively.

class plaso.parsers.sqlite_plugins.imessage.IMessageEventData

Bases: plaso.containers.events.EventData

iMessage and SMS event data.

attachment_location

str – location of the attachment.

imessage_id

str – mobile number or email address the message was sent to or received from.

message_type

int – value to indicate the message was sent (1) or received (0).

read_receipt

bool – True if the message read receipt was received.

service

str – service, which is either SMS or iMessage.

text

str – content of the message.

DATA_TYPE = 'imessage:event:chat'

class plaso.parsers.sqlite_plugins.imessage.IMessagePlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite plugin for the iMessage and SMS database.

DESCRIPTION = 'Parser for the iMessage and SMS SQLite databases on OSX and iOS.'

NAME = 'imessage'

ParseMessageRow(parser_mediator, query, row, **unused_kwargs)

Parses a message row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT m.date, m.ROWID, h.id AS imessage_id, m.is_read AS read_receipt, m.is_from_me AS message_type, m.service, a.filename AS"attachment_location", m.text FROM message AS m JOIN handle AS h ON h.ROWID = m.handle_id LEFT OUTER JOIN message_attachment_join AS maj ON m.ROWID = maj.message_id LEFT OUTER JOIN attachment AS a ON maj.attachment_id = a.ROWID', 'ParseMessageRow')]

REQUIRED_TABLES = frozenset({'attachment', 'message', 'message_attachment_join', 'handle'})

SCHEMAS = [{'chat_handle_join': 'CREATE TABLE chat_handle_join (chat_id INTEGER REFERENCES chat (ROWID) ON DELETE CASCADE, handle_id INTEGER REFERENCES handle (ROWID) ON DELETE CASCADE, UNIQUE(chat_id, handle_id))', 'deleted_messages': 'CREATE TABLE deleted_messages (ROWID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, guid TEXT NOT NULL)', 'chat': 'CREATE TABLE chat (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, guid TEXT UNIQUE NOT NULL, style INTEGER, state INTEGER, account_id TEXT, properties BLOB, chat_identifier TEXT, service_name TEXT, room_name TEXT, account_login TEXT, is_archived INTEGER DEFAULT 0, last_addressed_handle TEXT, display_name TEXT, group_id TEXT, is_filtered INTEGER, successful_query INTEGER)', 'message': 'CREATE TABLE message (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, guid TEXT UNIQUE NOT NULL, text TEXT, replace INTEGER DEFAULT 0, service_center TEXT, handle_id INTEGER DEFAULT 0, subject TEXT, country TEXT, attributedBody BLOB, version INTEGER DEFAULT 0, type INTEGER DEFAULT 0, service TEXT, account TEXT, account_guid TEXT, error INTEGER DEFAULT 0, date INTEGER, date_read INTEGER, date_delivered INTEGER, is_delivered INTEGER DEFAULT 0, is_finished INTEGER DEFAULT 0, is_emote INTEGER DEFAULT 0, is_from_me INTEGER DEFAULT 0, is_empty INTEGER DEFAULT 0, is_delayed INTEGER DEFAULT 0, is_auto_reply INTEGER DEFAULT 0, is_prepared INTEGER DEFAULT 0, is_read INTEGER DEFAULT 0, is_system_message INTEGER DEFAULT 0, is_sent INTEGER DEFAULT 0, has_dd_results INTEGER DEFAULT 0, is_service_message INTEGER DEFAULT 0, is_forward INTEGER DEFAULT 0, was_downgraded INTEGER DEFAULT 0, is_archive INTEGER DEFAULT 0, cache_has_attachments INTEGER DEFAULT 0, cache_roomnames TEXT, was_data_detected INTEGER DEFAULT 0, was_deduplicated INTEGER DEFAULT 0, is_audio_message INTEGER DEFAULT 0, is_played INTEGER DEFAULT 0, date_played INTEGER, item_type INTEGER DEFAULT 0, other_handle INTEGER DEFAULT 0, group_title TEXT, group_action_type INTEGER DEFAULT 0, share_status INTEGER DEFAULT 0, share_direction INTEGER DEFAULT 0, is_expirable INTEGER DEFAULT 0, expire_state INTEGER DEFAULT 0, message_action_type INTEGER DEFAULT 0, message_source INTEGER DEFAULT 0)', 'attachment': 'CREATE TABLE attachment (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, guid TEXT UNIQUE NOT NULL, created_date INTEGER DEFAULT 0, start_date INTEGER DEFAULT 0, filename TEXT, uti TEXT, mime_type TEXT, transfer_state INTEGER DEFAULT 0, is_outgoing INTEGER DEFAULT 0, user_info BLOB, transfer_name TEXT, total_bytes INTEGER DEFAULT 0)', 'chat_message_join': 'CREATE TABLE chat_message_join (chat_id INTEGER REFERENCES chat (ROWID) ON DELETE CASCADE, message_id INTEGER REFERENCES message (ROWID) ON DELETE CASCADE, PRIMARY KEY (chat_id, message_id))', '_SqliteDatabaseProperties': 'CREATE TABLE _SqliteDatabaseProperties (key TEXT, value TEXT, UNIQUE(key))', 'message_attachment_join': 'CREATE TABLE message_attachment_join (message_id INTEGER REFERENCES message (ROWID) ON DELETE CASCADE, attachment_id INTEGER REFERENCES attachment (ROWID) ON DELETE CASCADE, UNIQUE(message_id, attachment_id))', 'handle': 'CREATE TABLE handle (ROWID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, id TEXT NOT NULL, country TEXT, service TEXT NOT NULL, uncanonicalized_id TEXT, UNIQUE (id, service) )'}]

plaso.parsers.sqlite_plugins.interface module

The SQLite parser plugin interface.

class plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Bases: plaso.parsers.plugins.BasePlugin

SQLite parser plugin.

CheckSchema(database)

Checks the schema of a database with that defined in the plugin.

Parameters:database (SQLiteDatabase) – database. Returns:

True if the schema of the database matches that defined by

the plugin, or False if the schemas do not match or no schema is defined by the plugin.

Return type:bool

DESCRIPTION = 'Parser for SQLite database files.'

NAME = 'sqlite'

Process(parser_mediator, cache=None, database=None, **unused_kwargs)

Determine if this is the right plugin for this database.

This function takes a SQLiteDatabase object and compares the list of required tables against the available tables in the database. If all the tables defined in REQUIRED_TABLES are present in the database then this plugin is considered to be the correct plugin and the function will return back a generator that yields event objects.

Parameters:

• parser_mediator (ParserMediator) – parser mediator.
• cache (Optional[SQLiteCache]) – cache.
• database (Optional[SQLiteDatabase]) – database.

Raises:

ValueError – If the database or cache value are missing.

QUERIES = []

REQUIRED_TABLES = frozenset()

REQUIRES_SCHEMA_MATCH = False

SCHEMAS = []

plaso.parsers.sqlite_plugins.kik_ios module

This file contains a parser for the Kik database on iOS.

Kik messages on iOS devices are stored in an SQLite database file named kik.sqlite.

class plaso.parsers.sqlite_plugins.kik_ios.KikIOSMessageEventData

Bases: plaso.containers.events.EventData

Kik message event data.

body

str – content of the message.

message_status

str – message status, such as: read, unread, not sent, delivered, etc.

message_type

str – message type, either Sent or Received.

username

str – unique username of the sender or receiver.

DATA_TYPE = 'ios:kik:messaging'

class plaso.parsers.sqlite_plugins.kik_ios.KikIOSPlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite plugin for Kik iOS database.

DESCRIPTION = 'Parser for iOS Kik messenger SQLite database files.'

NAME = 'kik_messenger'

ParseMessageRow(parser_mediator, query, row, **unused_kwargs)

Parses a message row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT a.Z_PK AS id, b.ZUSERNAME, b.ZDISPLAYNAME,a.ZRECEIVEDTIMESTAMP, a.ZSTATE, a.ZTYPE, a.ZBODY FROM ZKIKMESSAGE a JOIN ZKIKUSER b ON b.ZEXTRA = a.ZUSER', 'ParseMessageRow')]

REQUIRED_TABLES = frozenset({'ZKIKMESSAGE', 'ZKIKUSER'})

SCHEMAS = [{'ZKIKATTACHMENT': 'CREATE TABLE ZKIKATTACHMENT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZRETRYCOUNT INTEGER, ZSTATE INTEGER, ZTYPE INTEGER, ZEXTRA INTEGER, ZMESSAGE INTEGER, ZLASTACCESSTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZCONTENT VARCHAR )', 'ZKIKATTACHMENTEXTRA': 'CREATE TABLE ZKIKATTACHMENTEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZATTACHMENT INTEGER, ZENCRYPTIONKEY BLOB )', 'ZKIKMESSAGE': 'CREATE TABLE ZKIKMESSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZSTATE INTEGER, ZSYSTEMSTATE INTEGER, ZTYPE INTEGER, ZCHATEXTRA INTEGER, ZDRAFTMESSAGECHAT INTEGER, ZLASTMESSAGECHAT INTEGER, ZLASTMESSAGEUSER INTEGER, ZUSER INTEGER, ZRECEIVEDTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZBODY VARCHAR, ZSTANZAID VARCHAR, ZRENDERINSTRUCTIONSET BLOB )', 'Z_6MEMBERS': 'CREATE TABLE Z_6MEMBERS ( Z_6MEMBERSINVERSE INTEGER, Z_6MEMBERS INTEGER, PRIMARY KEY (Z_6MEMBERSINVERSE, Z_6MEMBERS) )', 'ZKIKUSEREXTRA': 'CREATE TABLE ZKIKUSEREXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZLOCALFLAGS INTEGER, ZUSER INTEGER, ZPUBLICMESSAGINGKEY BLOB )', 'Z_6ADMINSINVERSE': 'CREATE TABLE Z_6ADMINSINVERSE ( Z_6ADMINS INTEGER, Z_6ADMINSINVERSE INTEGER, PRIMARY KEY (Z_6ADMINS, Z_6ADMINSINVERSE) )', 'Z_6BANSINVERSE': 'CREATE TABLE Z_6BANSINVERSE ( Z_6BANS INTEGER, Z_6BANSINVERSE INTEGER, PRIMARY KEY (Z_6BANS, Z_6BANSINVERSE) )', 'ZKIKCHAT': 'CREATE TABLE ZKIKCHAT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZDRAFTMESSAGE INTEGER, ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZUSER INTEGER, ZDATEUPDATED TIMESTAMP )', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)', 'ZKIKUSER': 'CREATE TABLE ZKIKUSER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZADDRESSBOOKID INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZPRESENCE INTEGER, ZTYPE INTEGER, ZCHATUSER INTEGER, ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZDISPLAYNAME VARCHAR, ZDISPLAYNAMEASCII VARCHAR, ZEMAIL VARCHAR, ZFIRSTNAME VARCHAR, ZGROUPTAG VARCHAR, ZJID VARCHAR, ZLASTNAME VARCHAR, ZPPTIMESTAMP VARCHAR, ZPPURL VARCHAR, ZSTATUS VARCHAR, ZUSERNAME VARCHAR, ZCONTENTLINKSPROTODATA BLOB )', 'Z_3MESSAGES': 'CREATE TABLE Z_3MESSAGES ( Z_3CHAT INTEGER, Z_5MESSAGES INTEGER, PRIMARY KEY (Z_3CHAT, Z_5MESSAGES) )', 'ZKIKCHATEXTRA': 'CREATE TABLE ZKIKCHATEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCHAT INTEGER, ZLASTSEENMESSAGE INTEGER, ZMUTEDTIMESTAMP TIMESTAMP )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)'}]

plaso.parsers.sqlite_plugins.kodi module

This file contains a parser for the Kodi MyVideos.db

Kodi videos events are stored in a database called MyVideos.db

class plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for Kodi Video databases.

DESCRIPTION = 'Parser for Kodi MyVideos.db files.'

NAME = 'kodi'

ParseVideoRow(parser_mediator, query, row, **unused_kwargs)

Parses a Video row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT idFile,strFilename,playCount,lastPlayed FROM files;', 'ParseVideoRow')]

REQUIRED_TABLES = frozenset({'files'})

SCHEMAS = [{'episode': 'CREATE TABLE episode ( idEpisode integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 varchar(24),c13 varchar(24),c14 text,c15 text,c16 text,c17 varchar(24),c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, idShow integer, userrating integer, idSeason integer)', 'tvshowlinkpath': 'CREATE TABLE tvshowlinkpath (idShow integer, idPath integer)', 'movielinktvshow': 'CREATE TABLE movielinktvshow ( idMovie integer, IdShow integer)', 'writer_link': 'CREATE TABLE writer_link(actor_id INTEGER, media_id INTEGER, media_type TEXT)', 'art': 'CREATE TABLE art(art_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, type TEXT, url TEXT)', 'files': 'CREATE TABLE files ( idFile integer primary key, idPath integer, strFilename text, playCount integer, lastPlayed text, dateAdded text)', 'sets': 'CREATE TABLE sets ( idSet integer primary key, strSet text, strOverview text)', 'version': 'CREATE TABLE version (idVersion integer, iCompressCount integer)', 'actor': 'CREATE TABLE actor ( actor_id INTEGER PRIMARY KEY, name TEXT, art_urls TEXT )', 'rating': 'CREATE TABLE rating (rating_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, rating_type TEXT, rating FLOAT, votes INTEGER)', 'musicvideo': 'CREATE TABLE musicvideo ( idMVideo integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, userrating integer, premiered text)', 'actor_link': 'CREATE TABLE actor_link(actor_id INTEGER, media_id INTEGER, media_type TEXT, role TEXT, cast_order INTEGER)', 'country_link': 'CREATE TABLE country_link (country_id integer, media_id integer, media_type TEXT)', 'stacktimes': 'CREATE TABLE stacktimes (idFile integer, times text)', 'tag_link': 'CREATE TABLE tag_link (tag_id integer, media_id integer, media_type TEXT)', 'studio_link': 'CREATE TABLE studio_link (studio_id integer, media_id integer, media_type TEXT)', 'path': 'CREATE TABLE path ( idPath integer primary key, strPath text, strContent text, strScraper text, strHash text, scanRecursive integer, useFolderNames bool, strSettings text, noUpdate bool, exclude bool, dateAdded text, idParentPath integer)', 'settings': 'CREATE TABLE settings ( idFile integer, Deinterlace bool,ViewMode integer,ZoomAmount float, PixelRatio float, VerticalShift float, AudioStream integer, SubtitleStream integer,SubtitleDelay float, SubtitlesOn bool, Brightness float, Contrast float, Gamma float,VolumeAmplification float, AudioDelay float, OutputToAllSpeakers bool, ResumeTime integer,Sharpness float, NoiseReduction float, NonLinStretch bool, PostProcess bool,ScalingMethod integer, DeinterlaceMode integer, StereoMode integer, StereoInvert bool, VideoStream integer)', 'tag': 'CREATE TABLE tag (tag_id integer primary key, name TEXT)', 'director_link': 'CREATE TABLE director_link(actor_id INTEGER, media_id INTEGER, media_type TEXT)', 'movie': 'CREATE TABLE movie ( idMovie integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, idSet integer, userrating integer, premiered text)', 'bookmark': 'CREATE TABLE bookmark ( idBookmark integer primary key, idFile integer, timeInSeconds double, totalTimeInSeconds double, thumbNailImage text, player text, playerState text, type integer)', 'streamdetails': 'CREATE TABLE streamdetails (idFile integer, iStreamType integer, strVideoCodec text, fVideoAspect float, iVideoWidth integer, iVideoHeight integer, strAudioCodec text, iAudioChannels integer, strAudioLanguage text, strSubtitleLanguage text, iVideoDuration integer, strStereoMode text, strVideoLanguage text)', 'seasons': 'CREATE TABLE seasons ( idSeason integer primary key, idShow integer, season integer, name text, userrating integer)', 'genre': 'CREATE TABLE genre ( genre_id integer primary key, name TEXT)', 'country': 'CREATE TABLE country ( country_id integer primary key, name TEXT)', 'uniqueid': 'CREATE TABLE uniqueid (uniqueid_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, value TEXT, type TEXT)', 'tvshow': 'CREATE TABLE tvshow ( idShow integer primary key,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, userrating integer, duration INTEGER)', 'studio': 'CREATE TABLE studio ( studio_id integer primary key, name TEXT)', 'genre_link': 'CREATE TABLE genre_link (genre_id integer, media_id integer, media_type TEXT)'}]

class plaso.parsers.sqlite_plugins.kodi.KodiVideoEventData

Bases: plaso.containers.events.EventData

Kodi event data.

filename

str – video filename.

play_count

int – number of times the video has been played.

DATA_TYPE = 'kodi:videos:viewing'

plaso.parsers.sqlite_plugins.ls_quarantine module

Plugin for the MacOS launch services quarantine events.

class plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantineEventData

Bases: plaso.containers.events.EventData

MacOS launch services quarantine event data.

data

bytes – data.

url

str – original URL of the file.

user_agent

str – user agent that was used to download the file.

DATA_TYPE = 'macosx:lsquarantine'

class plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantinePlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parses the launch services quarantine events database.

The LS quarantine events are stored in SQLite database files named /Users/<username>/Library/Preferences/

QuarantineEvents.com.apple.LaunchServices

DESCRIPTION = 'Parser for LS quarantine events SQLite database files.'

NAME = 'ls_quarantine'

ParseLSQuarantineRow(parser_mediator, query, row, **unused_kwargs)

Parses a launch services quarantine event row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT LSQuarantineTimestamp AS Time, LSQuarantineAgentName AS Agent, LSQuarantineOriginURLString AS URL, LSQuarantineDataURLString AS Data FROM LSQuarantineEvent ORDER BY Time', 'ParseLSQuarantineRow')]

REQUIRED_TABLES = frozenset({'LSQuarantineEvent'})

SCHEMAS = [{'LSQuarantineEvent': 'CREATE TABLE LSQuarantineEvent ( LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL, LSQuarantineTimeStamp REAL, LSQuarantineAgentBundleIdentifier TEXT, LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT, LSQuarantineSenderName TEXT, LSQuarantineSenderAddress TEXT, LSQuarantineTypeNumber INTEGER, LSQuarantineOriginTitle TEXT, LSQuarantineOriginURLString TEXT, LSQuarantineOriginAlias BLOB )'}]

plaso.parsers.sqlite_plugins.mac_document_versions module

Parser for the MacOS Document Versions files.

class plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventData

Bases: plaso.containers.events.EventData

MacOS Document Versions database event data.

name

str – name of the original file.

path

str – path from the original file.

version_path

str – path to the version copy of the original file.

last_time

str – the system user ID of the user that opened the file.

user_sid

str – identification user ID that open the file.

DATA_TYPE = 'mac:document_versions:file'

class plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parse the MacOS Document Versions SQLite database..

DESCRIPTION = 'Parser for document revisions SQLite database files.'

DocumentVersionsRow(parser_mediator, query, row, **unused_kwargs)

Parses a document versions row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

NAME = 'mac_document_versions'

QUERIES = [('SELECT f.file_name AS name, f.file_path AS path, f.file_last_seen AS last_time, g.generation_path AS version_path, g.generation_add_time AS version_time FROM files f, generations g WHERE f.file_storage_id = g.generation_storage_id;', 'DocumentVersionsRow')]

REQUIRED_TABLES = frozenset({'generations', 'files'})

ROOT_VERSION_PATH = '/.DocumentRevisions-V100/'

SCHEMAS = [{'generations': 'CREATE TABLE generations (generation_id INTEGER PRIMARY KEY ASC, generation_storage_id INTEGER NOT NULL, generation_name TEXT NOT NULL, generation_client_id TEXT NOT NULL, generation_path TEXT UNIQUE, generation_options INTEGER NOT NULL DEFAULT 1, generation_status INTEGER NOT NULL DEFAULT 1, generation_add_time INTEGER NOT NULL DEFAULT 0, generation_size INTEGER NOT NULL DEFAULT 0, generation_prunable INTEGER NOT NULL DEFAULT 0)', 'files': 'CREATE TABLE files (file_row_id INTEGER PRIMARY KEY ASC, file_name TEXT, file_parent_id INTEGER, file_path TEXT, file_inode INTEGER, file_last_seen INTEGER NOT NULL DEFAULT 0, file_status INTEGER NOT NULL DEFAULT 1, file_storage_id INTEGER NOT NULL)', 'storage': 'CREATE TABLE storage (storage_id INTEGER PRIMARY KEY ASC AUTOINCREMENT, storage_options INTEGER NOT NULL DEFAULT 1, storage_status INTEGER NOT NULL DEFAULT 1)'}]

plaso.parsers.sqlite_plugins.mac_notificationcenter module

This file contains a parser for the Notification Center database on MacOS.

Notification Center events on MacOS are stored in a SQLite database file named “db”, path is usually something like /private/var/folders/<W><d>/../0/com.apple.notificationcenter/db2/

At the moment it takes into consideration only the main table, ‘record’. Documentation of the behavior of each table still work in progress, current tables and supposed related content is the following:

Record: contains historical records Requests: contain pending requests Delivered: delivered requests Displayed: displayed requests, by app_id Snoozed: snoozed by user requests

class plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterEventData

Bases: plaso.containers.events.EventData

MacOS NotificationCenter database event data

body

str – body of the notification message

bundle_name

str – name of the application’s bundle that generated the notification.

presented

int – either 1 or 0 if the notification has been shown to the user.

subtitle

str – optional. Subtitle of the notification message.

title

str – title of the message. Usually the name of the application that generated the notification. Occasionally the name of the sender of the notification for example, in case of chat messages.

DATA_TYPE = 'mac:notificationcenter:db'

class plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterPlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parse the MacOS Notification Center SQLite database

DESCRIPTION = 'Parser for the Notification Center SQLite database'

NAME = 'mac_notificationcenter'

ParseNotificationcenterRow(parser_mediator, query, row, **unused_kwargs)

Parses a message row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT a.identifier AS bundle_name, r.data AS dataBlob, r.delivered_date AS timestamp,r.presented AS presented FROM app a, record r WHERE a.app_id = r.app_id', 'ParseNotificationcenterRow')]

REQUIRED_TABLES = frozenset({'app', 'record'})

SCHEMAS = [{'app': 'CREATE TABLE app (app_id INTEGER PRIMARY KEY, identifier VARCHAR)', 'snoozed': 'CREATE TABLE snoozed (app_id INTEGER PRIMARY KEY, list BLOB)', 'delivered': 'CREATE TABLE delivered (app_id INTEGER PRIMARY KEY, list BLOB)', 'record': 'CREATE TABLE record (rec_id INTEGER PRIMARY KEY, app_id INTEGER, uuid BLOB, data BLOB, request_date REAL, request_last_date REAL, delivered_date REAL, presented Bool, style INTEGER, snooze_fire_date REAL)', 'displayed': 'CREATE TABLE displayed (app_id INTEGER PRIMARY KEY, list BLOB)', 'requests': 'CREATE TABLE requests (app_id INTEGER PRIMARY KEY, list BLOB)', 'dbinfo': 'CREATE TABLE dbinfo (key VARCHAR, value VARCHAR)'}]

plaso.parsers.sqlite_plugins.mackeeper_cache module

This file contains a parser for the MacOS MacKeeper cache database.

class plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData

Bases: plaso.containers.events.EventData

MacKeeper Cache event data.

description

str – description.

event_type

str – event type.

record_id

int – record identifier.

room

str – room.

text

str – text.

url

str – URL.

user_name

str – user name.

user_sid

str – user security identifier (SID).

DATA_TYPE = 'mackeeper:cache'

class plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Plugin for the MacKeeper Cache database file.

DESCRIPTION = 'Parser for MacKeeper Cache SQLite database files.'

NAME = 'mackeeper_cache'

ParseReceiverData(parser_mediator, query, row, **unused_kwargs)

Parses a single row from the receiver and cache response table.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT d.entry_ID AS id, d.receiver_data AS data, r.request_key, r.time_stamp AS time_string FROM cfurl_cache_receiver_data d, cfurl_cache_response r WHERE r.entry_ID = d.entry_ID', 'ParseReceiverData')]

REQUIRED_TABLES = frozenset({'cfurl_cache_receiver_data', 'cfurl_cache_response', 'cfurl_cache_blob_data'})

SCHEMAS = [{'cfurl_cache_schema_version': 'CREATE TABLE cfurl_cache_schema_version(schema_version INTEGER)', 'cfurl_cache_response': 'CREATE TABLE cfurl_cache_response(entry_ID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, version INTEGER, hash_value INTEGER, storage_policy INTEGER, request_key TEXT UNIQUE, time_stamp NOT NULL DEFAULT CURRENT_TIMESTAMP, partition TEXT)', 'cfurl_cache_receiver_data': 'CREATE TABLE cfurl_cache_receiver_data(entry_ID INTEGER PRIMARY KEY, receiver_data BLOB)', 'cfurl_cache_blob_data': 'CREATE TABLE cfurl_cache_blob_data(entry_ID INTEGER PRIMARY KEY, response_object BLOB, request_object BLOB, proto_props BLOB, user_info BLOB)'}]

plaso.parsers.sqlite_plugins.safari module

Parser for the Safari History files.

The Safari History is stored in SQLite database files named History.db

class plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData

Bases: plaso.containers.events.EventData

Safari history event data.

host

str – hostname of the server.

title

str – title of the webpage visited.

url

str – URL visited.

visit_count

int – number of times the website was visited.

was_http_non_get

bool – True if the webpage was visited using a non-GET HTTP request.

DATA_TYPE = 'safari:history:visit_sqlite'

class plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parse Safari History Files.

Safari history file is stored in a SQLite database file named History.db

DESCRIPTION = 'Parser for Safari history SQLite database files.'

NAME = 'safari_history'

ParsePageVisitRow(parser_mediator, query, row, **unused_kwargs)

Parses a visited row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT history_items.id, history_items.url, history_items.visit_count, history_visits.id AS visit_id, history_visits.history_item,history_visits.visit_time, history_visits.redirect_destination, history_visits.title, history_visits.http_non_get, history_visits.redirect_source FROM history_items, history_visits WHERE history_items.id = history_visits.history_item ORDER BY history_visits.visit_time', 'ParsePageVisitRow')]

REQUIRED_TABLES = frozenset({'history_visits', 'history_items'})

SCHEMAS = [{'history_event_listeners': 'CREATE TABLE history_event_listeners (listener_name TEXT PRIMARY KEY NOT NULL UNIQUE,last_seen REAL NOT NULL)', 'history_tombstones': 'CREATE TABLE history_tombstones (id INTEGER PRIMARY KEY AUTOINCREMENT,start_time REAL NOT NULL,end_time REAL NOT NULL,url TEXT,generation INTEGER NOT NULL DEFAULT 0)', 'history_visits': 'CREATE TABLE history_visits (id INTEGER PRIMARY KEY AUTOINCREMENT,history_item INTEGER NOT NULL REFERENCES history_items(id) ON DELETE CASCADE,visit_time REAL NOT NULL,title TEXT NULL,load_successful BOOLEAN NOT NULL DEFAULT 1,http_non_get BOOLEAN NOT NULL DEFAULT 0,synthesized BOOLEAN NOT NULL DEFAULT 0,redirect_source INTEGER NULL UNIQUE REFERENCES history_visits(id) ON DELETE CASCADE,redirect_destination INTEGER NULL UNIQUE REFERENCES history_visits(id) ON DELETE CASCADE,origin INTEGER NOT NULL DEFAULT 0,generation INTEGER NOT NULL DEFAULT 0,attributes INTEGER NOT NULL DEFAULT 0,score INTEGER NOT NULL DEFAULT 0)', 'history_items': 'CREATE TABLE history_items (id INTEGER PRIMARY KEY AUTOINCREMENT,url TEXT NOT NULL UNIQUE,domain_expansion TEXT NULL,visit_count INTEGER NOT NULL,daily_visit_counts BLOB NOT NULL,weekly_visit_counts BLOB NULL,autocomplete_triggers BLOB NULL,should_recompute_derived_visit_counts INTEGER NOT NULL,visit_count_score INTEGER NOT NULL)', 'metadata': 'CREATE TABLE metadata (key TEXT NOT NULL UNIQUE, value)', 'history_events': 'CREATE TABLE history_events (id INTEGER PRIMARY KEY AUTOINCREMENT,event_type TEXT NOT NULL,event_time REAL NOT NULL,pending_listeners TEXT NOT NULL,value BLOB)', 'history_client_versions': 'CREATE TABLE history_client_versions (client_version INTEGER PRIMARY KEY,last_seen REAL NOT NULL)'}]

plaso.parsers.sqlite_plugins.skype module

This file contains a basic Skype SQLite parser.

class plaso.parsers.sqlite_plugins.skype.SkypeAccountEventData

Bases: plaso.containers.events.EventData

Skype account event data.

country

str – home country of the account holder.

display_name

str – display name of the account holder.

email

str – registered email address of the account holder.

username

str – full name of the Skype account holder and display name.

DATA_TYPE = 'skype:event:account'

class plaso.parsers.sqlite_plugins.skype.SkypeCallEventData

Bases: plaso.containers.events.EventData

Skype call event data.

call_type

str – call type, such as: WAITING, STARTED, FINISHED.

dst_call

str – account which received the call.

src_call

str – account which started the call.

user_start_call

bool – True if the owner account started the call.

video_conference

bool – True if the call was a video conference.

DATA_TYPE = 'skype:event:call'

class plaso.parsers.sqlite_plugins.skype.SkypeChatEventData

Bases: plaso.containers.events.EventData

Skype chat event data.

from_account

str – from display name and the author.

text

str – body XML.

title

str – title.

to_account

str – accounts, excluding the author, of the conversation.

DATA_TYPE = 'skype:event:chat'

class plaso.parsers.sqlite_plugins.skype.SkypePlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite plugin for Skype main.db SQlite database file.

DESCRIPTION = 'Parser for Skype SQLite database files.'

NAME = 'skype'

ParseAccountInformation(parser_mediator, query, row, **unused_kwargs)

Parses account information.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row with account information.

ParseCall(parser_mediator, query, row, **unused_kwargs)

Parses a call.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (Optional[str]) – query that created the row.
• row (sqlite3.Row) – row resulting from query.
• query – query.

ParseChat(parser_mediator, query, row, **unused_kwargs)

Parses a chat message.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.

ParseFileTransfer(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)

Parses a file transfer.

There is no direct relationship between who sends the file and who accepts the file.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.
• cache (Optional[SQLiteCache]) – cache.
• database (Optional[SQLiteDatabase]) – database.

ParseSMS(parser_mediator, query, row, **unused_kwargs)

Parses an SMS.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT c.id, c.participants, c.friendlyname AS title, m.author AS author, m.from_dispname AS from_displayname, m.body_xml, m.timestamp, c.dialog_partner FROM Chats c, Messages m WHERE c.name = m.chatname', 'ParseChat'), ('SELECT id, fullname, given_displayname, emails, country, profile_timestamp, authreq_timestamp, lastonline_timestamp, mood_timestamp, sent_authrequest_time, lastused_timestamp FROM Accounts', 'ParseAccountInformation'), ('SELECT id, target_numbers AS dstnum_sms, timestamp AS time_sms, body AS msg_sms FROM SMSes', 'ParseSMS'), ('SELECT id, partner_handle, partner_dispname, offer_send_list, starttime, accepttime, finishtime, filepath, filename, filesize, status, parent_id, pk_id FROM Transfers', 'ParseFileTransfer'), ('SELECT c.id, cm.guid, c.is_incoming, cm.call_db_id, cm.videostatus, c.begin_timestamp AS try_call, cm.start_timestamp AS accept_call, cm.call_duration FROM Calls c, CallMembers cm WHERE c.id = cm.call_db_id;', 'ParseCall')]

QUERY_DEST_FROM_TRANSFER = 'SELECT parent_id, partner_handle AS skypeid, partner_dispname AS skypename FROM transfers'

QUERY_SOURCE_FROM_TRANSFER = 'SELECT pk_id, partner_handle AS skypeid, partner_dispname AS skypename FROM transfers'

REQUIRED_TABLES = frozenset({'Contacts', 'Accounts', 'Chats', 'Calls', 'CallMembers', 'Transfers', 'SMSes', 'Conversations'})

SCHEMAS = [{'ChatMembers': 'CREATE TABLE ChatMembers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, chatname TEXT, identity TEXT, role INTEGER, is_active INTEGER, cur_activities INTEGER, adder TEXT)', 'Participants': 'CREATE TABLE Participants (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, convo_id INTEGER, identity TEXT, rank INTEGER, requested_rank INTEGER, text_status INTEGER, voice_status INTEGER, video_status INTEGER, live_identity TEXT, live_price_for_me TEXT, live_fwd_identities TEXT, live_start_timestamp INTEGER, sound_level INTEGER, debuginfo TEXT, next_redial_time INTEGER, nrof_redials_left INTEGER, last_voice_error TEXT, quality_problems TEXT, live_type INTEGER, live_country TEXT, transferred_by TEXT, transferred_to TEXT, adder TEXT, last_leavereason INTEGER, is_premium_video_sponsor INTEGER, is_multiparty_video_capable INTEGER, live_identity_to_use TEXT, livesession_recovery_in_progress INTEGER, is_multiparty_video_updatable INTEGER, real_identity TEXT, extprop_default_identity INTEGER)', 'DbMeta': 'CREATE TABLE DbMeta (key TEXT NOT NULL PRIMARY KEY, value TEXT)', 'Voicemails': 'CREATE TABLE Voicemails (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, partner_handle TEXT, partner_dispname TEXT, status INTEGER, failurereason INTEGER, subject TEXT, timestamp INTEGER, duration INTEGER, allowed_duration INTEGER, playback_progress INTEGER, convo_id INTEGER, chatmsg_guid BLOB, notification_id INTEGER, flags INTEGER, size INTEGER, path TEXT, failures INTEGER, vflags INTEGER, xmsg TEXT, extprop_hide_from_history INTEGER)', 'LegacyMessages': 'CREATE TABLE LegacyMessages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER)', 'Contacts': 'CREATE TABLE Contacts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, skypename TEXT, pstnnumber TEXT, aliases TEXT, fullname TEXT, birthday INTEGER, gender INTEGER, languages TEXT, country TEXT, province TEXT, city TEXT, phone_home TEXT, phone_office TEXT, phone_mobile TEXT, emails TEXT, hashed_emails TEXT, homepage TEXT, about TEXT, avatar_image BLOB, mood_text TEXT, rich_mood_text TEXT, timezone INTEGER, capabilities BLOB, profile_timestamp INTEGER, nrof_authed_buddies INTEGER, ipcountry TEXT, avatar_timestamp INTEGER, mood_timestamp INTEGER, received_authrequest TEXT, authreq_timestamp INTEGER, lastonline_timestamp INTEGER, availability INTEGER, displayname TEXT, refreshing INTEGER, given_authlevel INTEGER, given_displayname TEXT, assigned_speeddial TEXT, assigned_comment TEXT, alertstring TEXT, lastused_timestamp INTEGER, authrequest_count INTEGER, assigned_phone1 TEXT, assigned_phone1_label TEXT, assigned_phone2 TEXT, assigned_phone2_label TEXT, assigned_phone3 TEXT, assigned_phone3_label TEXT, buddystatus INTEGER, isauthorized INTEGER, popularity_ord INTEGER, external_id TEXT, external_system_id TEXT, isblocked INTEGER, authorization_certificate BLOB, certificate_send_count INTEGER, account_modification_serial_nr INTEGER, saved_directory_blob BLOB, nr_of_buddies INTEGER, server_synced INTEGER, contactlist_track INTEGER, last_used_networktime INTEGER, authorized_time INTEGER, sent_authrequest TEXT, sent_authrequest_time INTEGER, sent_authrequest_serial INTEGER, buddyblob BLOB, cbl_future BLOB, node_capabilities INTEGER, revoked_auth INTEGER, added_in_shared_group INTEGER, in_shared_group INTEGER, authreq_history BLOB, profile_attachments BLOB, stack_version INTEGER, offline_authreq_id INTEGER, node_capabilities_and INTEGER, authreq_crc INTEGER, authreq_src INTEGER, pop_score INTEGER, authreq_nodeinfo BLOB, main_phone TEXT, unified_servants TEXT, phone_home_normalized TEXT, phone_office_normalized TEXT, phone_mobile_normalized TEXT, sent_authrequest_initmethod INTEGER, authreq_initmethod INTEGER, verified_email BLOB, verified_company BLOB, sent_authrequest_extrasbitmask INTEGER, liveid_cid TEXT, extprop_seen_birthday INTEGER, extprop_sms_target INTEGER, extprop_external_data TEXT, extprop_must_hide_avatar INTEGER)', 'AppSchemaVersion': 'CREATE TABLE AppSchemaVersion (ClientVersion TEXT NOT NULL, SQLiteSchemaVersion INTEGER NOT NULL, SchemaUpdateType INTEGER NOT NULL)', 'Messages': 'CREATE TABLE Messages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, convo_id INTEGER, chatname TEXT, author TEXT, from_dispname TEXT, author_was_live INTEGER, guid BLOB, dialog_partner TEXT, timestamp INTEGER, type INTEGER, sending_status INTEGER, consumption_status INTEGER, edited_by TEXT, edited_timestamp INTEGER, param_key INTEGER, param_value INTEGER, body_xml TEXT, identities TEXT, reason TEXT, leavereason INTEGER, participant_count INTEGER, error_code INTEGER, chatmsg_type INTEGER, chatmsg_status INTEGER, body_is_rawxml INTEGER, oldoptions INTEGER, newoptions INTEGER, newrole INTEGER, pk_id INTEGER, crc INTEGER, remote_id INTEGER, call_guid TEXT, extprop_contact_review_date TEXT, extprop_contact_received_stamp INTEGER, extprop_contact_reviewed INTEGER)', 'Chats': 'CREATE TABLE Chats (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, name TEXT, options INTEGER, friendlyname TEXT, description TEXT, timestamp INTEGER, activity_timestamp INTEGER, dialog_partner TEXT, adder TEXT, type INTEGER, mystatus INTEGER, myrole INTEGER, posters TEXT, participants TEXT, applicants TEXT, banned_users TEXT, name_text TEXT, topic TEXT, topic_xml TEXT, guidelines TEXT, picture BLOB, alertstring TEXT, is_bookmarked INTEGER, passwordhint TEXT, unconsumed_suppressed_msg INTEGER, unconsumed_normal_msg INTEGER, unconsumed_elevated_msg INTEGER, unconsumed_msg_voice INTEGER, activemembers TEXT, state_data BLOB, lifesigns INTEGER, last_change INTEGER, first_unread_message INTEGER, pk_type INTEGER, dbpath TEXT, split_friendlyname TEXT, conv_dbid INTEGER)', 'Transfers': 'CREATE TABLE Transfers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, partner_handle TEXT, partner_dispname TEXT, status INTEGER, failurereason INTEGER, starttime INTEGER, finishtime INTEGER, filepath TEXT, filename TEXT, filesize TEXT, bytestransferred TEXT, bytespersecond INTEGER, chatmsg_guid BLOB, chatmsg_index INTEGER, convo_id INTEGER, pk_id INTEGER, nodeid BLOB, last_activity INTEGER, flags INTEGER, old_status INTEGER, old_filepath INTEGER, accepttime INTEGER, parent_id INTEGER, offer_send_list TEXT, extprop_localfilename TEXT, extprop_hide_from_history INTEGER, extprop_window_visible INTEGER, extprop_handled_by_chat INTEGER)', 'VideoMessages': 'CREATE TABLE VideoMessages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, qik_id BLOB, attached_msg_ids TEXT, sharing_id TEXT, status INTEGER, vod_status INTEGER, vod_path TEXT, local_path TEXT, public_link TEXT, progress INTEGER, title TEXT, description TEXT, author TEXT, creation_timestamp INTEGER)', 'Calls': 'CREATE TABLE Calls (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, begin_timestamp INTEGER, topic TEXT, is_muted INTEGER, is_unseen_missed INTEGER, host_identity TEXT, mike_status INTEGER, duration INTEGER, soundlevel INTEGER, access_token TEXT, active_members INTEGER, is_active INTEGER, name TEXT, video_disabled INTEGER, joined_existing INTEGER, server_identity TEXT, vaa_input_status INTEGER, is_incoming INTEGER, is_conference INTEGER, is_on_hold INTEGER, start_timestamp INTEGER, quality_problems TEXT, current_video_audience TEXT, premium_video_status INTEGER, premium_video_is_grace_period INTEGER, is_premium_video_sponsor INTEGER, premium_video_sponsor_list TEXT, old_members BLOB, partner_handle TEXT, partner_dispname TEXT, type INTEGER, status INTEGER, failurereason INTEGER, failurecode INTEGER, pstn_number TEXT, old_duration INTEGER, conf_participants BLOB, pstn_status TEXT, members BLOB, conv_dbid INTEGER)', 'CallMembers': 'CREATE TABLE CallMembers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, identity TEXT, dispname TEXT, languages TEXT, call_duration INTEGER, price_per_minute INTEGER, price_precision INTEGER, price_currency TEXT, payment_category TEXT, type INTEGER, status INTEGER, failurereason INTEGER, sounderror_code INTEGER, soundlevel INTEGER, pstn_statustext TEXT, pstn_feedback TEXT, forward_targets TEXT, forwarded_by TEXT, debuginfo TEXT, videostatus INTEGER, target_identity TEXT, mike_status INTEGER, is_read_only INTEGER, quality_status INTEGER, call_name TEXT, transfer_status INTEGER, transfer_active INTEGER, transferred_by TEXT, transferred_to TEXT, guid TEXT, next_redial_time INTEGER, nrof_redials_done INTEGER, nrof_redials_left INTEGER, transfer_topic TEXT, real_identity TEXT, start_timestamp INTEGER, is_conference INTEGER, quality_problems TEXT, identity_type INTEGER, country TEXT, creation_timestamp INTEGER, stats_xml TEXT, is_premium_video_sponsor INTEGER, is_multiparty_video_capable INTEGER, recovery_in_progress INTEGER, nonse_word TEXT, nr_of_delivered_push_notifications INTEGER, call_session_guid TEXT, version_string TEXT, pk_status INTEGER, call_db_id INTEGER, prime_status INTEGER)', 'ContactGroups': 'CREATE TABLE ContactGroups (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, custom_group_id INTEGER, given_displayname TEXT, nrofcontacts INTEGER, nrofcontacts_online INTEGER, given_sortorder INTEGER, type_old INTEGER, proposer TEXT, description TEXT, associated_chat TEXT, members TEXT, cbl_id INTEGER, cbl_blob BLOB, fixed INTEGER, keep_sharedgroup_contacts INTEGER, chats TEXT, extprop_is_hidden INTEGER, extprop_sortorder_value INTEGER, extprop_is_expanded INTEGER)', 'Videos': 'CREATE TABLE Videos (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, status INTEGER, error TEXT, debuginfo TEXT, dimensions TEXT, media_type INTEGER, duration_1080 INTEGER, duration_720 INTEGER, duration_hqv INTEGER, duration_vgad2 INTEGER, duration_ltvgad2 INTEGER, timestamp INTEGER, hq_present INTEGER, duration_ss INTEGER, ss_timestamp INTEGER, convo_id INTEGER, device_path TEXT)', 'Conversations': 'CREATE TABLE Conversations (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, identity TEXT, type INTEGER, live_host TEXT, live_start_timestamp INTEGER, live_is_muted INTEGER, alert_string TEXT, is_bookmarked INTEGER, given_displayname TEXT, displayname TEXT, local_livestatus INTEGER, inbox_timestamp INTEGER, inbox_message_id INTEGER, unconsumed_suppressed_messages INTEGER, unconsumed_normal_messages INTEGER, unconsumed_elevated_messages INTEGER, unconsumed_messages_voice INTEGER, active_vm_id INTEGER, context_horizon INTEGER, consumption_horizon INTEGER, last_activity_timestamp INTEGER, active_invoice_message INTEGER, spawned_from_convo_id INTEGER, pinned_order INTEGER, creator TEXT, creation_timestamp INTEGER, my_status INTEGER, opt_joining_enabled INTEGER, opt_access_token TEXT, opt_entry_level_rank INTEGER, opt_disclose_history INTEGER, opt_history_limit_in_days INTEGER, opt_admin_only_activities INTEGER, passwordhint TEXT, meta_name TEXT, meta_topic TEXT, meta_guidelines TEXT, meta_picture BLOB, picture TEXT, is_p2p_migrated INTEGER, premium_video_status INTEGER, premium_video_is_grace_period INTEGER, guid TEXT, dialog_partner TEXT, meta_description TEXT, premium_video_sponsor_list TEXT, mcr_caller TEXT, chat_dbid INTEGER, history_horizon INTEGER, history_sync_state TEXT, thread_version TEXT, consumption_horizon_set_at INTEGER, alt_identity TEXT, extprop_profile_height INTEGER, extprop_chat_width INTEGER, extprop_chat_left_margin INTEGER, extprop_chat_right_margin INTEGER, extprop_entry_height INTEGER, extprop_windowpos_x INTEGER, extprop_windowpos_y INTEGER, extprop_windowpos_w INTEGER, extprop_windowpos_h INTEGER, extprop_window_maximized INTEGER, extprop_window_detached INTEGER, extprop_pinned_order INTEGER, extprop_new_in_inbox INTEGER, extprop_tab_order INTEGER, extprop_video_layout INTEGER, extprop_video_chat_height INTEGER, extprop_chat_avatar INTEGER, extprop_consumption_timestamp INTEGER, extprop_form_visible INTEGER, extprop_recovery_mode INTEGER)', 'Alerts': 'CREATE TABLE Alerts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, timestamp INTEGER, partner_name TEXT, is_unseen INTEGER, partner_id INTEGER, partner_event TEXT, partner_history TEXT, partner_header TEXT, partner_logo TEXT, meta_expiry INTEGER, message_header_caption TEXT, message_header_title TEXT, message_header_subject TEXT, message_header_cancel TEXT, message_header_later TEXT, message_content TEXT, message_footer TEXT, message_button_caption TEXT, message_button_uri TEXT, message_type INTEGER, window_size INTEGER, chatmsg_guid BLOB, notification_id INTEGER, event_flags INTEGER, extprop_hide_from_history INTEGER)', 'SMSes': 'CREATE TABLE SMSes (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, outgoing_reply_type INTEGER, status INTEGER, failurereason INTEGER, is_failed_unseen INTEGER, timestamp INTEGER, price INTEGER, price_precision INTEGER, price_currency TEXT, reply_to_number TEXT, target_numbers TEXT, target_statuses BLOB, body TEXT, chatmsg_id INTEGER, identity TEXT, notification_id INTEGER, event_flags INTEGER, reply_id_number TEXT, convo_name TEXT, extprop_hide_from_history INTEGER, extprop_extended INTEGER)', 'Accounts': 'CREATE TABLE Accounts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, status INTEGER, pwdchangestatus INTEGER, logoutreason INTEGER, commitstatus INTEGER, suggested_skypename TEXT, skypeout_balance_currency TEXT, skypeout_balance INTEGER, skypeout_precision INTEGER, skypein_numbers TEXT, subscriptions TEXT, cblsyncstatus INTEGER, offline_callforward TEXT, chat_policy INTEGER, skype_call_policy INTEGER, pstn_call_policy INTEGER, avatar_policy INTEGER, buddycount_policy INTEGER, timezone_policy INTEGER, webpresence_policy INTEGER, phonenumbers_policy INTEGER, voicemail_policy INTEGER, authrequest_policy INTEGER, ad_policy INTEGER, partner_optedout TEXT, service_provider_info TEXT, registration_timestamp INTEGER, nr_of_other_instances INTEGER, partner_channel_status TEXT, flamingo_xmpp_status INTEGER, federated_presence_policy INTEGER, liveid_membername TEXT, roaming_history_enabled INTEGER, cobrand_id INTEGER, owner_under_legal_age INTEGER, type INTEGER, skypename TEXT, pstnnumber TEXT, fullname TEXT, birthday INTEGER, gender INTEGER, languages TEXT, country TEXT, province TEXT, city TEXT, phone_home TEXT, phone_office TEXT, phone_mobile TEXT, emails TEXT, homepage TEXT, about TEXT, profile_timestamp INTEGER, received_authrequest TEXT, displayname TEXT, refreshing INTEGER, given_authlevel INTEGER, aliases TEXT, authreq_timestamp INTEGER, mood_text TEXT, timezone INTEGER, nrof_authed_buddies INTEGER, ipcountry TEXT, given_displayname TEXT, availability INTEGER, lastonline_timestamp INTEGER, capabilities BLOB, avatar_image BLOB, assigned_speeddial TEXT, lastused_timestamp INTEGER, authrequest_count INTEGER, assigned_comment TEXT, alertstring TEXT, avatar_timestamp INTEGER, mood_timestamp INTEGER, rich_mood_text TEXT, synced_email BLOB, set_availability INTEGER, options_change_future BLOB, cbl_profile_blob BLOB, authorized_time INTEGER, sent_authrequest TEXT, sent_authrequest_time INTEGER, sent_authrequest_serial INTEGER, buddyblob BLOB, cbl_future BLOB, node_capabilities INTEGER, node_capabilities_and INTEGER, revoked_auth INTEGER, added_in_shared_group INTEGER, in_shared_group INTEGER, authreq_history BLOB, profile_attachments BLOB, stack_version INTEGER, offline_authreq_id INTEGER, verified_email BLOB, verified_company BLOB, uses_jcs INTEGER)'}]

class plaso.parsers.sqlite_plugins.skype.SkypeSMSEventData

Bases: plaso.containers.events.EventData

Skype SMS event data.

number

str – phone number where the SMS was sent.

text

str – text (SMS body) that was sent.

DATA_TYPE = 'skype:event:sms'

class plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventData

Bases: plaso.containers.events.EventData

Skype file transfer event data.

action_type

str – action type e.g. GETSOLICITUDE, SENDSOLICITUDE, ACCEPTED, FINISHED.

destination

str – account that received the file.

source

str – account that sent the file.

transferred_filename

str – name of the file transferred.

transferred_filepath

str – path of the file transferred.

transferred_filesize

int – size of the file transferred.

DATA_TYPE = 'skype:event:transferfile'

plaso.parsers.sqlite_plugins.tango_android module

Parser for Tango on Android databases.

class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData

Bases: plaso.containers.events.EventData

Tango on Android contact event data.

first_name

str – contact profile first name.

last_name

str – contact profile last name.

birthday

str – contact profile birthday.

gender

str – contact profile gender.

status

str – contact status message.

distance

int – contact profile distance.

is_friend

bool – True if the contact is considered a friend.

friend_request_type

str – flag indicating the type of friend request sent for example outRequest for request sent or noRequest for no request.

friend_request_message

str – message sent on friend request.

DATA_TYPE = 'tango:android:contact'

class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidConversationEventData

Bases: plaso.containers.events.EventData

Tango on Android conversation event data.

conversation_identifier

int – conversation identifier.

DATA_TYPE = 'tango:android:conversation'

class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidMessageEventData

Bases: plaso.containers.events.EventData

Tango on Android message event data.

message_identifier

int – message identifier.

direction

int – flag indicating direction of the message.

DATA_TYPE = 'tango:android:message'

class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidProfilePlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for Tango on Android profile database.

DESCRIPTION = 'Parser for Tango on Android profile database.'

NAME = 'tango_android_profile'

ParseContactRow(parser_mediator, query, row, **unused_kwargs)

Parses a contact row from the database.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT itemLastActiveTime AS last_active_time, itemLastLocalAccessTime AS last_access_time, itemFriendRequestTime AS friend_request_time, itemFirstName AS first_name, itemLastName AS last_name, itemBirthday AS birthday, itemGender AS gender, itemStatus AS status, itemDistance AS distance, itemIsFriend AS friend, itemFriendRequestType AS friend_request_type, itemFriendRequestMessage AS friend_request_message FROM profiletable', 'ParseContactRow')]

REQUIRED_TABLES = frozenset({'profiletable', 'profiles'})

SCHEMAS = [{'profiletable': 'CREATE TABLE `profiletable` (`itemUserId` TEXT PRIMARY KEY, `itemFirstName` TEXT NOT NULL, `itemLastName` TEXT NOT NULL, `itemBirthday` TEXT NOT NULL, `itemGender` TEXT NOT NULL, `itemStatus` TEXT NOT NULL, `itemLastActiveTime` BIGINT NOT NULL, `itemDistance` DOUBLE NOT NULL, `itemCity` TEXT NOT NULL, `itemGeoCountryCode` TEXT NOT NULL, `itemAvatarUrl` TEXT NOT NULL, `itemThumbnailUrl` TEXT NOT NULL, `itemVideoUrl` TEXT NOT NULL, `itemVideoThumbnailUrl` TEXT NOT NULL, `itemBackgroundUrl` TEXT NOT NULL, `itemIsFriend` INTEGER NOT NULL, `itemIsBlocked` INTEGER NOT NULL, `itemFriendRequestType` TEXT NOT NULL, `itemReverseRelationships` TEXT NOT NULL, `itemFavoriterCount` INTEGER NOT NULL, `itemFavoritingCount` INTEGER NOT NULL, `itemFeedCount` INTEGER NOT NULL, `itemRefereneCount` INTEGER NOT NULL, `itemLevel1DataSyncTime` BIGINT NOT NULL, `itemLevel2DataSyncTime` BIGINT NOT NULL, `itemLevel3DataSyncTime` BIGINT NOT NULL, `itemLevel4DataSyncTime` BIGINT NOT NULL, `itemLevel5DataSyncTime` BIGINT NOT NULL, `itemLastLocalAccessTime` BIGINT NOT NULL, `itemFriendRequestId` TEXT NOT NULL, `itemFriendRequestMessage` TEXT NOT NULL, `itemFriendRequestTime` BIGINT NOT NULL, `itemIsNewFriendRequest` INTEGER NOT NULL, `itemFriendRequestTCMessageId` INTEGER NOT NULL, `itemFriendRequestContext` TEXT NOT NULL, `itemFriendRequestAttachedPostType` INTEGER NOT NULL, `itemFriendRequestAttachedPostContent` TEXT NOT NULL, `itemFriendRequestHasBeenForwardedToTc` INTEGER NOT NULL, `itemProfileType` TEXT NOT NULL, `itemDatingAge` INTEGER NOT NULL, `itemDatingLocationString` TEXT NOT NULL, `itemDatingSeekingString` TEXT NOT NULL, `itemDatingEssayText` TEXT NOT NULL, `itemDatingBodyType` TEXT NOT NULL, `itemDatingLastActive` TEXT NOT NULL, `itemDatingProfileUrl` TEXT NOT NULL, `itemLastTimeOfLikeProfile` BIGINT NOT NULL, `itemIsHidden` INTEGER NOT NULL, `itemPrivacy` INTEGER NOT NULL, `itemCanSeeMyPost` INTEGER NOT NULL, `itemCanShareMyPost` INTEGER NOT NULL, `itemCanContactMe` INTEGER NOT NULL)', 'profiles': 'CREATE TABLE `profiles` (`key` TEXT PRIMARY KEY, `value` TEXT)'}]

class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for Tango on Android tc database.

DESCRIPTION = 'Parser for Tango on Android tc database.'

NAME = 'tango_android_tc'

ParseConversationRow(parser_mediator, query, row, **unused_kwargs)

Parses a conversation row from the database.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.

ParseMessageRow(parser_mediator, query, row, **unused_kwargs)

Parses a message row from the database.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT conversations.conv_id AS conv_id, conversations.payload AS payload FROM conversations', 'ParseConversationRow'), ('SELECT messages.create_time AS create_time, messages.send_time AS send_time, messages.msg_id AS msg_id, messages.payload AS payload, messages.direction AS direction FROM messages LEFT JOIN likes ON messages.msg_id = likes.msg_id', 'ParseMessageRow')]

REQUIRED_TABLES = frozenset({'profiles', 'likes', 'sms', 'games', 'receipts', 'conversations', 'messages'})

SCHEMAS = [{'sms': 'CREATE TABLE `sms` (`msg_id` INTEGER PRIMARY KEY, `phonenumber` TEXT, `text` TEXT)', 'profiles': 'CREATE TABLE `profiles` (`key` TEXT PRIMARY KEY, `value` TEXT)', 'games': 'CREATE TABLE `games` (`game_session_id` TEXT PRIMARY KEY, `message_id` INTEGER, `conversation_id` TEXT, `game_id` TEXT, `game_state` INTEGER, `action_timestamp` BIGINT, `current_player_account_id` TEXT)', 'receipts': 'CREATE TABLE `receipts` (`conv_id` TEXT PRIMARY KEY, `msg_id` INTEGER, `sender_msg_id` INTEGER, `sender_aids` TEXT, `type` INTEGER, `create_time` BIGINT, `status` INTEGER, `payload` BLOB)', 'conversations': 'CREATE TABLE `conversations` (`conv_id` TEXT PRIMARY KEY, `conv_type` INTEGER DEFAULT 0, `payload` BLOB, `last_msg_id` INTEGER, `unread_count` INTEGER, `last_read_sent_msg_id` INTEGER, `conv_del_status` INTEGER DEFAULT 0, `deleting_ts` BIGINT DEFAULT 0, `conv_restore_status` INTEGER DEFAULT 0, `peers_read` TEXT, `total_received_msg_count` INTEGER DEFAULT -1, `communication_context` INTEGER DEFAULT 0)', 'likes': 'CREATE TABLE `likes` (`msg_id` INTEGER PRIMARY KEY, `global_msg_id` TEXT, `conv_id` TEXT, `liker_aid` TEXT, `act_type` INTEGER, `status` INTEGER, `act_ts` BIGINT, `payload` BLOB)', 'messages': 'CREATE TABLE `messages` (`msg_id` INTEGER PRIMARY KEY, `conv_id` TEXT, `type` INTEGER, `media_id` TEXT, `share_id` TEXT, `create_time` BIGINT, `send_time` BIGINT, `direction` INTEGER, `status` INTEGER, `payload` BLOB, `del_status` INTEGER)'}]

plaso.parsers.sqlite_plugins.twitter_android module

Parser for Twitter on Android.

class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData

Bases: plaso.containers.events.EventData

Twitter on Android contact event data.

identifier

int – contact row id.

user_identifier

int – twitter account id.

username

str – twitter account handler.

name

str – twitter account name.

description

str – twitter account profile description.

web_url

str – twitter account profile url content.

location

str – twitter account profile location content.

followers

int – number of followers.

friends

int – number of following.

statuses

int – twitter account number of tweets.

image_url

str – profile picture url.

DATA_TYPE = 'twitter:android:contact'

class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser plugin for Twitter on Android.

DESCRIPTION = 'Parser for Twitter on android database'

NAME = 'twitter_android'

ParseContactRow(parser_mediator, query, row, **unused_kwargs)

Parses a status row from the database.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.

ParseSearchRow(parser_mediator, query, row, **unused_kwargs)

Parses a search row from the database.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.

ParseStatusRow(parser_mediator, query, row, **unused_kwargs)

Parses a status row from the database.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT name, query, time FROM search_queries', 'ParseSearchRow'), ('SELECT statuses._id AS _id, statuses.author_id AS author_id, users.username AS username, statuses.content AS content, statuses.created AS time, statuses.favorited AS favorited, statuses.retweeted AS retweeted FROM statuses LEFT JOIN users ON statuses.author_id = users.user_id', 'ParseStatusRow'), ('SELECT _id, user_id, username, name, profile_created, description, web_url, location, followers, friends, statuses, image_url, updated, friendship_time FROM users', 'ParseContactRow')]

REQUIRED_TABLES = frozenset({'search_queries', 'statuses', 'users'})

SCHEMAS = [{'conversation_entries': 'CREATE TABLE conversation_entries (_id INTEGER PRIMARY KEY,entry_id INT UNIQUE NOT NULL,sort_entry_id INT UNIQUE NOT NULL,conversation_id TEXT,user_id INT,created INT,entry_type INT,data BLOB,request_id TEXT)', 'feedback_action': 'CREATE TABLE feedback_action(_id INTEGER PRIMARY KEY AUTOINCREMENT,feedback_type TEXT,prompt TEXT,confirmation TEXT,UNIQUE(feedback_type,prompt,confirmation))', 'news': 'CREATE TABLE news (_id INTEGER PRIMARY KEY AUTOINCREMENT,country TEXT,language TEXT,topic_id INT,news_id TEXT,title TEXT,image_url TEXT,author_name TEXT,article_description TEXT,article_url TEXT,tweet_count INT,start_time INT,news_id_hash INT)', 'clusters': 'CREATE TABLE clusters (_id INTEGER PRIMARY KEY,cl_cluster_id TEXT UNIQUE NOT NULL,cl_type INT,cl_title TEXT,cl_subtitle TEXT,cl_size INT,cl_timestamp INT,cl_content BLOB)', 'moments_sections': 'CREATE TABLE moments_sections (_id INTEGER PRIMARY KEY,section_title TEXT,section_type BLOB NOT NULL,section_group_id TEXT,section_group_type INT NOT NULL)', 'status_groups': 'CREATE TABLE status_groups (_id INTEGER PRIMARY KEY,tweet_type INT DEFAULT 0,type INT,sender_id INT,owner_id INT,ref_id INT,tag INT,g_status_id INT,is_read INT,page INT,is_last INT,updated_at INT,timeline INT,pc BLOB,g_flags INT,preview_draft_id INT,preview_media BLOB,tweet_pivots BLOB)', 'ads_account_permissions': 'CREATE TABLE ads_account_permissions (_id INTEGER PRIMARY KEY,promotable_users BLOB,last_synced INT NOT NULL)', 'moments_guide': 'CREATE TABLE moments_guide (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,section_id INT NOT NULL,tweet_id INT NOT NULL, crop_data BLOB,media_id INT,media_url TEXT,media_size BLOB,FOREIGN KEY(section_id) REFERENCES moments_sections(_id) ON DELETE CASCADE)', 'search_results': 'CREATE TABLE search_results (_id INTEGER PRIMARY KEY,search_id INT,s_type INT,data_type INT,type_id INT,polled INT,data_id INT,related_data BLOB,cluster_id INT)', 'activities': 'CREATE TABLE activities (_id INTEGER PRIMARY KEY,type INT,event INT,created_at INT,hash INT,max_position INT,min_position INT,sources_size INT,source_type INT,sources BLOB,targets_size INT,target_type INT,targets BLOB,target_objects_size INT,target_object_type INT,target_objects BLOB,is_last INT,tag INT,magic_rec_id INT,UNIQUE (type, max_position) ON CONFLICT REPLACE)', 'users': 'CREATE TABLE users (_id INTEGER PRIMARY KEY,user_id INT UNIQUE NOT NULL,username TEXT,name TEXT,description TEXT,web_url TEXT,bg_color INT,location TEXT,structured_location BLOB,user_flags INT,followers INT,fast_followers INT DEFAULT 0,friends INT,statuses INT,profile_created INT,image_url TEXT,hash INT,updated INT,friendship INT,friendship_time INT,favorites INT DEFAULT 0,header_url TEXT,description_entities BLOB,url_entities BLOB,media_count INT,extended_profile_fields BLOB,pinned_tweet_id INT,link_color INT,advertiser_type TEXT,business_profile_state TEXT)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'topics': 'CREATE TABLE topics (_id INTEGER PRIMARY KEY,ev_id TEXT UNIQUE NOT NULL,ev_type INT,ev_query TEXT NOT NULL,ev_seed_hashtag TEXT,ev_title STRING,ev_subtitle STRING,ev_view_url STRING,ev_status STRING,ev_image_url TEXT,ev_explanation TEXT,ev_tweet_count INT,ev_start_time INT,ev_owner_id INT,ev_pc BLOB,ev_content BLOB,ev_hash INT)', 'timeline': 'CREATE TABLE timeline (_id INTEGER PRIMARY KEY AUTOINCREMENT,owner_id INT,type INT,sort_index INT,entity_id INT,entity_type INT,data_type INT,data_type_group INT,data_type_tag INT,timeline_tag TEXT,timeline_group_id INT,timeline_scribe_group_id INT,data_id INT,data BLOB,flags INT,updated_at INT,data_origin_id TEXT,is_last INT,is_read INT,scribe_content BLOB,timeline_moment_info BLOB,dismissed INT NOT NULL DEFAULT 0,dismiss_actions INT NOT NULL DEFAULT 0)', 'stories': 'CREATE TABLE stories ( _id INTEGER PRIMARY KEY,story_id TEXT,story_order INT,story_type INT,story_proof_type INT,story_proof_addl_count INT,data_type INT,data_id INT,story_is_read INT,story_meta_title TEXT,story_meta_subtitle TEXT,story_meta_query TEXT,story_meta_header_img_url TEXT,story_source TEXT,story_impression_info TEXT,story_tag INT)', 'conversation_participants': 'CREATE TABLE conversation_participants (_id INTEGER PRIMARY KEY,conversation_id TEXT NOT NULL,user_id TEXT NOT NULL,join_time INT NOT NULL,participant_type INT NOT NULL)', 'promoted_retry': 'CREATE TABLE promoted_retry(impression_id TEXT,event INT NOT NULL,is_earned INT NOT NULL,trend_id INT,num_retries INT NOT NULL,url TEXT,video_playlist_url TEXT,video_content_uuid TEXT,video_content_type TEXT,video_cta_url TEXT,video_cta_app_id TEXT,video_cta_app_name TEXT,card_event TEXT,PRIMARY KEY(impression_id,event,is_earned,trend_id))', 'moments_guide_user_states': 'CREATE TABLE moments_guide_user_states (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,is_read INT,is_updated INT,FOREIGN KEY(moment_id) REFERENCES moments(_id) ON DELETE CASCADE)', 'moments_guide_categories': 'CREATE TABLE moments_guide_categories (_id INTEGER PRIMARY KEY,category_id TEXT NOT NULL,is_default_category INT NOT NULL,category_name TEXT NOT NULL,fetch_timestamp INT NOT NULL)', 'search_queries': 'CREATE TABLE search_queries (_id INTEGER PRIMARY KEY,type INT,name TEXT NOT NULL,query TEXT NOT NULL,query_id INT,time INT,latitude REAL,longitude REAL,radius REAL,location TEXT,pc BLOB,cluster_titles BLOB)', 'conversations': 'CREATE TABLE conversations (_id INTEGER PRIMARY KEY,conversation_id TEXT UNIQUE NOT NULL,title TEXT,avatar_url TEXT,type INT,sort_event_id BIGINT,last_readable_event_id BIGINT,last_read_event_id BIGINT,sort_timestamp BIGINT,is_muted INT,min_event_id BIGINT,is_hidden INT,has_more INT,read_only INT)', 'business_profiles': 'CREATE TABLE business_profiles (_id INTEGER PRIMARY KEY,user_id INT UNIQUE NOT NULL,business_profile BLOB,last_synced INT NOT NULL)', 'user_groups': 'CREATE TABLE user_groups (_id INTEGER PRIMARY KEY,type INT,tag INT,rank INT,owner_id INT,user_id INT,is_last INT,pc BLOB,g_flags INT)', 'moments_visit_badge': 'CREATE TABLE moments_visit_badge (_id INTEGER PRIMARY KEY,moment_id INT UNIQUE NOT NULL,is_new_since_visit INT,is_updated_since_visit INT)', 'cursors': 'CREATE TABLE cursors (_id INTEGER PRIMARY KEY,kind INT,type INT,owner_id INT,ref_id TEXT,next TEXT)', 'prompts': 'CREATE TABLE prompts (_id INTEGER PRIMARY KEY,p_id INT,p_format TEXT,p_template TEXT,p_header TEXT,p_text TEXT,p_action_text TEXT,p_action_url TEXT,p_icon TEXT,p_background_image_url TEXT,p_persistence TEXT,p_entities BLOB,p_header_entities BLOB,p_status_id LONG,p_insertion_index INT,p_trigger TEXT)', 'tokens': 'CREATE TABLE tokens (_id INTEGER PRIMARY KEY,text TEXT,weight INT,type INT,ref_id INT)', 'one_click': 'CREATE TABLE one_click (_id INTEGER PRIMARY KEY,topic TEXT,filter_name TEXT,filter_location TEXT,filter_follow INT)', 'card_state': 'CREATE TABLE card_state (_id INTEGER PRIMARY KEY AUTOINCREMENT,card_status_id INT,card_id INT, card_state BLOB)', 'rankings': 'CREATE TABLE rankings (_id INTEGER PRIMARY KEY AUTOINCREMENT,country TEXT,language TEXT,granularity TEXT,category TEXT,date INT)', 'moments_pages': 'CREATE TABLE moments_pages (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,page_id TEXT,type BLOB,tweet_id INT,display_mode BLOB,page_number INT,crop_data BLOB,theme_data BLOB,media_id INT,media_size BLOB,media_url TEXT,last_read_timestamp INT,FOREIGN KEY(moment_id) REFERENCES moments(_id))', 'order_history': 'CREATE TABLE order_history (_id INTEGER PRIMARY KEY,ordered_at INT ,order_id INT ,data BLOB)', 'list_mapping': 'CREATE TABLE list_mapping (_id INTEGER PRIMARY KEY,list_mapping_list_id TEXT,list_mapping_type INT,list_mapping_user_id INT,list_is_last INT)', 'search_suggestion_metadata': 'CREATE TABLE search_suggestion_metadata (_id INTEGER PRIMARY KEY,type INT,last_update LONG)', 'user_metadata': 'CREATE TABLE user_metadata (_id INTEGER PRIMARY KEY,owner_id INT NOT NULL,user_id INT NOT NULL,user_group_type INT NOT NULL,user_group_tag INT NOT NULL,soc_type INT,soc_name TEXT,soc_follow_count INT,user_title TEXT,token TEXT)', 'notifications': 'CREATE TABLE notifications (_id INTEGER PRIMARY KEY,type INT,notif_id INT,source_user_name TEXT,s_name TEXT,s_id INT,notif_txt TEXT,aggregation_data TEXT,notif_extra_data BLOB)', 'locations': 'CREATE TABLE locations (_id INTEGER PRIMARY KEY,name TEXT,woeid INT,country TEXT,country_code TEXT)', 'status_metadata': 'CREATE TABLE status_metadata (_id INTEGER PRIMARY KEY,owner_id INT NOT NULL,status_id INT NOT NULL,status_group INT NOT NULL,status_group_tag INT NOT NULL,soc_type INT,soc_name TEXT,soc_second_name TEXT,soc_others_count INT,soc_fav_count INT,soc_rt_count INT,reason_icon_type TEXT,reason_text TEXT,scribe_component TEXT,scribe_data BLOB,highlights TEXT)', 'category_timestamp': 'CREATE TABLE category_timestamp (_id INTEGER PRIMARY KEY,cat_status_id INT NOT NULL,cat_tag INT NOT NULL,cat_timestamp INT NOT NULL)', 'dismiss_info': 'CREATE TABLE dismiss_info(timeline_id INTEGER REFERENCES timeline(_id),feedback_action_id INTEGER REFERENCES feedback_action(_id),UNIQUE(timeline_id,feedback_action_id))', 'moments': 'CREATE TABLE moments (_id INTEGER PRIMARY KEY,title TEXT NOT NULL,can_subscribe INT,is_live INT,is_sensitive INT,subcategory_string TEXT,subcategory_favicon_url TEXT,time_string TEXT,duration_string TEXT,is_subscribed INT,description TEXT NOT NULL,moment_url TEXT,num_subscribers INT,author_info BLOB,promoted_content BLOB)', 'statuses': 'CREATE TABLE statuses (_id INTEGER PRIMARY KEY,status_id INT UNIQUE NOT NULL,author_id INT,content TEXT,source TEXT,created INT,in_r_user_id INT,in_r_status_id INT,favorited INT,latitude TEXT,longitude TEXT,place_data BLOB,entities TEXT,retweet_count INT,r_content TEXT,cards BLOB,flags INT,favorite_count INT,lang TEXT,supplemental_language TEXT,view_count INT,quoted_tweet_data BLOB,quoted_tweet_id INT,retweeted INT)'}]

class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidSearchEventData

Bases: plaso.containers.events.EventData

Twitter on Android search event data.

name

str – twitter name handler.

search_query

str – search query.

DATA_TYPE = 'twitter:android:search'

class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventData

Bases: plaso.containers.events.EventData

Twitter on Android status event data.

identifier

int – status row identifier.

author_identifier

int – twitter account identifier.

username

str – twitter account handler.

content

str – status content.

favorited

int – favorited flag as 0/1 value.

retweeted

int – retweeted flag as 0/1 value.

DATA_TYPE = 'twitter:android:status'

plaso.parsers.sqlite_plugins.twitter_ios module

Parser for Twitter on iOS 8+ database.

SQLite database path: /private/var/mobile/Containers/Data/Application/Library/Caches/databases/ SQLite database name: twitter.db

class plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData

Bases: plaso.containers.events.EventData

Twitter on iOS 8+ contact event data.

description

str – description of the profile.

followers_count

int – number of accounts following the contact.

following_count

int – number of accounts the contact is following.

following

int – 1 if the contact is following the user’s account, 0 if not.

location

str – location of the profile.

name

str – name of the profile.

profile_url

str – URL of the profile picture.

screen_name

str – screen name.

url

str – URL of the profile.

DATA_TYPE = 'twitter:ios:contact'

class plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for Twitter on iOS 8+ database.

DESCRIPTION = 'Parser for Twitter on iOS 8+ database'

NAME = 'twitter_ios'

ParseContactRow(parser_mediator, query, row, **unused_kwargs)

Parses a contact row from the database.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.

ParseStatusRow(parser_mediator, query, row, **unused_kwargs)

Parses a contact row from the database.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.

QUERIES = [('SELECT createdDate, updatedAt, screenName, name, profileImageUrl,location, description, url, following, followersCount, followingCount FROM Users ORDER BY createdDate', 'ParseContactRow'), ('SELECT Statuses.date AS date, Statuses.text AS text, Statuses.userId AS user_id, Users.name AS name, Statuses.retweetCount AS retweetCount, Statuses.favoriteCount AS favoriteCount, Statuses.favorited AS favorited, Statuses.updatedAt AS updatedAt FROM Statuses LEFT join Users ON Statuses.userId = Users.id ORDER BY date', 'ParseStatusRow')]

REQUIRED_TABLES = frozenset({'UsersShadow', 'Statuses', 'ListsShadow', 'Users', 'StatusesShadow', 'MyRetweets', 'Lists'})

SCHEMAS = [{'StatusesShadow': "CREATE TABLE StatusesShadow ( 'id' INTEGER PRIMARY KEY, 'text' TEXT, 'date' REAL, 'userId' INTEGER, 'inReplyToStatusId' INTEGER, 'retweetedStatusId' INTEGER, 'geotag' BLOB, 'entities' BLOB, 'card' BLOB, 'cardUsers' BLOB, 'primaryCardType' INTEGER, 'cardVersion' INTEGER, 'retweetCount' INTEGER, 'favoriteCount' INTEGER, 'favorited' INTEGER, 'updatedAt' REAL, 'extraScribeItem' BLOB, 'withheldScope' TEXT, 'withheldInCountries' TEXT, 'inReplyToUsername' TEXT, 'possiblySensitive' INTEGER, 'isPossiblySensitiveAppealable' INTEGER, 'isLifelineAlert' INTEGER, 'isTruncated' INTEGER, 'previewLength' INTEGER, 'fullTextLength' INTEGER, 'lang' TEXT, 'supplementalLanguage' TEXT, 'includeInProfileTimeline' INTEGER, 'quotedStatusId' INTEGER, 'source' TEXT )", 'Statuses': "CREATE TABLE Statuses ( 'id' INTEGER PRIMARY KEY, 'text' TEXT, 'date' REAL, 'userId' INTEGER, 'inReplyToStatusId' INTEGER, 'retweetedStatusId' INTEGER, 'geotag' BLOB, 'entities' BLOB, 'card' BLOB, 'cardUsers' BLOB, 'primaryCardType' INTEGER, 'cardVersion' INTEGER, 'retweetCount' INTEGER, 'favoriteCount' INTEGER, 'favorited' INTEGER, 'updatedAt' REAL, 'extraScribeItem' BLOB, 'withheldScope' TEXT, 'withheldInCountries' TEXT, 'inReplyToUsername' TEXT, 'possiblySensitive' INTEGER, 'isPossiblySensitiveAppealable' INTEGER, 'isLifelineAlert' INTEGER, 'isTruncated' INTEGER, 'previewLength' INTEGER, 'fullTextLength' INTEGER, 'lang' TEXT, 'supplmentalLanguage' TEXT, 'includeInProfileTimeline' INTEGER, 'quotedStatusId' INTEGER, 'source' TEXT )", 'MyRetweets': "CREATE TABLE MyRetweets ( 'statusId' INTEGER PRIMARY KEY, 'myRetweetId' INTEGER )", 'ListsShadow': "CREATE TABLE ListsShadow ( 'id' INTEGER PRIMARY KEY, 'name' TEXT, 'slug' TEXT, 'desc' TEXT, 'private' INTEGER, 'subscriberCount' INTEGER, 'memberCount' INTEGER, 'userId' INTEGER, 'updatedAt' REAL )", 'Lists': "CREATE TABLE Lists ( 'id' INTEGER PRIMARY KEY, 'name' TEXT, 'slug' TEXT, 'desc' TEXT, 'private' INTEGER, 'subscriberCount' INTEGER, 'memberCount' INTEGER, 'userId' INTEGER, 'updatedAt' REAL )", 'Users': "CREATE TABLE Users ( 'id' INTEGER PRIMARY KEY, 'screenName' TEXT COLLATE NOCASE, 'profileImageUrl' TEXT, 'profileBannerUrl' TEXT, 'profileLinkColorHexTriplet' INTEGER, 'name' TEXT, 'location' TEXT, 'structuredLocation' BLOB, 'description' TEXT, 'url' TEXT, 'urlEntities' BLOB, 'bioEntities' BLOB, 'protected' INTEGER, 'verified' INTEGER, 'following' INTEGER, 'deviceFollowing' INTEGER, 'advertiserAccountType' INTEGER, 'statusesCount' INTEGER, 'mediaCount' INTEGER, 'favoritesCount' INTEGER, 'followingCount' INTEGER, 'followersCount' INTEGER, 'followersCountFast' INTEGER, 'followersCountNormal' INTEGER, 'couldBeStale' INTEGER, 'isLifelineInstitution' INTEGER, 'hasCollections' INTEGER, 'updatedAt' REAL, 'createdDate' REAL, 'isTranslator' INTEGER, 'hasExtendedProfileFields' INTEGER, 'extendedProfileFields' BLOB, 'pinnedTweetId' INTEGER, 'businessProfileState' INTEGER, 'analyticsType' INTEGER )", 'UsersShadow': "CREATE TABLE UsersShadow ( 'id' INTEGER PRIMARY KEY, 'screenName' TEXT COLLATE NOCASE, 'profileImageUrl' TEXT, 'profileBannerUrl' TEXT, 'profileLinkColorHexTriplet' INTEGER, 'name' TEXT, 'location' TEXT, 'structuredLocation' BLOB, 'description' TEXT, 'url' TEXT, 'urlEntities' BLOB, 'bioEntities' BLOB, 'protected' INTEGER, 'verified' INTEGER, 'following' INTEGER, 'deviceFollowing' INTEGER, 'advertiserAccountType' INTEGER, 'statusesCount' INTEGER, 'mediaCount' INTEGER, 'favoritesCount' INTEGER, 'followingCount' INTEGER, 'followersCount' INTEGER, 'followersCountFast' INTEGER, 'followersCountNormal' INTEGER, 'couldBeStale' INTEGER, 'isLifelineInstitution' INTEGER, 'hasCollections' INTEGER, 'updatedAt' REAL, 'createdDate' REAL, 'isTranslator' INTEGER, 'hasExtendedProfileFields' INTEGER, 'extendedProfileFields' BLOB, 'pinnedTweetId' INTEGER, 'businessProfileState' INTEGER, 'analyticsType' INTEGER )"}]

class plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData

Bases: plaso.containers.events.EventData

Parent class for Twitter on iOS 8+ status events.

favorite_count

int – number of times the status message has been favorited.

favorited

int – value to mark status as favorite by the account.

name

str – user’s profile name.

retweet_count

str – number of times the status message has been retweeted.

text

str – content of the status messsage.

user_id

int – user unique identifier.

DATA_TYPE = 'twitter:ios:status'

plaso.parsers.sqlite_plugins.windows_timeline module

Plugin for the Windows 10 Timeline SQLite database.

Timeline events on Windows are stored in a SQLite database file usually found in ActivitiesCache.db, path is usually something like: %APPDATA%LocalConnectedDevicesPlatformL.<username>

class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineGenericEventData

Bases: plaso.containers.events.EventData

Windows Timeline database generic event data.

package_identifier

str – the package ID or path to the executable run. Depending on the program, this either looks like a path (for example, c:python34python.exe) or like a package name (for example Docker.DockerForWindows.Settings).

description

str – this is an optional field, used to describe the action in the timeline view, and is usually populated with the path of the file currently open in the program described by package_identifier. Otherwise None.

application_display_name

str – a more human-friendly version of the package_identifier, such as ‘Docker for Windows’ or ‘Microsoft Store’.

DATA_TYPE = 'windows:timeline:generic'

class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parse the Windows Timeline SQLite database.

DESCRIPTION = 'Parser for the Windows Timeline SQLite database'

NAME = 'windows_timeline'

ParseGenericRow(parser_mediator, query, row, **unused_kwargs)

Parses a generic windows timeline row.

Args: parser_mediator (ParserMediator): mediates interactions between parsers

and other components, such as storage and dfvfs.

query (str): query that created the row. row (sqlite3.Row): row.

ParseUserEngagedRow(parser_mediator, query, row, **unused_kwargs)

Parses a timeline row that describes a user interacting with an app.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT StartTime, Payload, PackageName FROM Activity INNER JOIN Activity_PackageId ON Activity.Id = Activity_PackageId.ActivityId WHERE instr(Payload, "UserEngaged") > 0 AND Platform = "packageid"', 'ParseUserEngagedRow'), ('SELECT StartTime, Payload, AppId FROM Activity WHERE instr(Payload, "UserEngaged") = 0', 'ParseGenericRow')]

REQUIRED_TABLES = frozenset({'Activity', 'Activity_PackageId'})

SCHEMAS = [{'Activity': 'CREATE TABLE [Activity]([Id] GUID PRIMARY KEY NOT NULL, [AppId] TEXT NOT NULL, [PackageIdHash] TEXT, [AppActivityId] TEXT, [ActivityType] INT NOT NULL, [ActivityStatus] INT NOT NULL, [ParentActivityId] GUID, [Tag] TEXT, [Group] TEXT, [MatchId] TEXT, [LastModifiedTime] DATETIME NOT NULL, [ExpirationTime] DATETIME, [Payload] BLOB, [Priority] INT, [IsLocalOnly] INT, [PlatformDeviceId] TEXT, [CreatedInCloud] DATETIME, [StartTime] DATETIME, [EndTime] DATETIME, [LastModifiedOnClient] DATETIME, [GroupAppActivityId] TEXT, [ClipboardPayload] BLOB, [EnterpriseId] TEXT, [OriginalPayload] BLOB, [OriginalLastModifiedOnClient] DATETIME, [ETag] INT NOT NULL)', 'Metadata': 'CREATE TABLE [Metadata]([Key] TEXT PRIMARY KEY NOT NULL, [Value] TEXT)', 'AppSettings': 'CREATE TABLE [AppSettings]([AppId] TEXT PRIMARY KEY NOT NULL, [SettingsPropertyBag] BLOB, [AppTitle] TEXT, [Logo4141] TEXT)', 'ActivityOperation': 'CREATE TABLE [ActivityOperation]([OperationOrder] INTEGER PRIMARY KEY ASC NOT NULL, [Id] GUID NOT NULL, [OperationType] INT NOT NULL, [AppId] TEXT NOT NULL, [PackageIdHash] TEXT, [AppActivityId] TEXT, [ActivityType] INT NOT NULL, [ParentActivityId] GUID, [Tag] TEXT, [Group] TEXT, [MatchId] TEXT, [LastModifiedTime] DATETIME NOT NULL, [ExpirationTime] DATETIME, [Payload] BLOB, [Priority] INT, [CreatedTime] DATETIME, [Attachments] TEXT, [PlatformDeviceId] TEXT, [CreatedInCloud] DATETIME, [StartTime] DATETIME NOT NULL, [EndTime] DATETIME, [LastModifiedOnClient] DATETIME NOT NULL, [CorrelationVector] TEXT, [GroupAppActivityId] TEXT, [ClipboardPayload] BLOB, [EnterpriseId] TEXT, [OriginalPayload] BLOB, [OriginalLastModifiedOnClient] DATETIME, [ETag] INT NOT NULL)', 'ManualSequence': 'CREATE TABLE [ManualSequence]([Key] TEXT PRIMARY KEY NOT NULL, [Value] INT NOT NULL)', 'ActivityAssetCache': 'CREATE TABLE [ActivityAssetCache]([ResourceId] INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, [AppId] TEXT NOT NULL, [AssetHash] TEXT NOT NULL, [TimeToLive] DATETIME NOT NULL, [AssetUri] TEXT, [AssetId] TEXT, [AssetKey] TEXT, [Contents] BLOB)', 'Activity_PackageId': 'CREATE TABLE [Activity_PackageId]([ActivityId] GUID NOT NULL, [Platform] TEXT NOT NULL, [PackageName] TEXT NOT NULL, [ExpirationTime] DATETIME NOT NULL)'}]

class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineUserEngagedEventData

Bases: plaso.containers.events.EventData

Windows Timeline database User Engaged event data.

Contains information describing how long a user interacted with an application for.

package_identifier

str – the package ID or location of the executable the user interacted with.

reporting_app

str – the name of the application that reported the user’s interaction. This is the name of a monitoring tool, e.g. ShellActivityMonitor

active_duration_seconds

int – the number of seconds the user spent interacting with the program.

DATA_TYPE = 'windows:timeline:user_engaged'

plaso.parsers.sqlite_plugins.zeitgeist module

Plugin for the Zeitgeist SQLite database.

Zeitgeist is a service which logs the user activities and events, anywhere from files opened to websites visited and conversations.

class plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite plugin for Zeitgeist activity database.

DESCRIPTION = 'Parser for Zeitgeist activity SQLite database files.'

NAME = 'zeitgeist'

ParseZeitgeistEventRow(parser_mediator, query, row, **unused_kwargs)

Parses a zeitgeist event row.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.

QUERIES = [('SELECT id, timestamp, subj_uri FROM event_view', 'ParseZeitgeistEventRow')]

REQUIRED_TABLES = frozenset({'event', 'actor'})

SCHEMAS = [{'actor': 'CREATE TABLE actor ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'storage': 'CREATE TABLE storage ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE, state INTEGER, icon VARCHAR, display_name VARCHAR )', 'interpretation': 'CREATE TABLE interpretation ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'extensions_conf': 'CREATE TABLE extensions_conf ( extension VARCHAR, key VARCHAR, value BLOB, CONSTRAINT unique_extension UNIQUE (extension, key) )', 'text': 'CREATE TABLE text ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE )', 'uri': 'CREATE TABLE uri ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE )', 'mimetype': 'CREATE TABLE mimetype ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'payload': 'CREATE TABLE payload (id INTEGER PRIMARY KEY, value BLOB)', 'schema_version': 'CREATE TABLE schema_version ( schema VARCHAR PRIMARY KEY ON CONFLICT REPLACE, version INT )', 'manifestation': 'CREATE TABLE manifestation ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'event': 'CREATE TABLE event ( id INTEGER, timestamp INTEGER, interpretation INTEGER, manifestation INTEGER, actor INTEGER, payload INTEGER, subj_id INTEGER, subj_interpretation INTEGER, subj_manifestation INTEGER, subj_origin INTEGER, subj_mimetype INTEGER, subj_text INTEGER, subj_storage INTEGER, origin INTEGER, subj_id_current INTEGER, CONSTRAINT interpretation_fk FOREIGN KEY(interpretation) REFERENCES interpretation(id) ON DELETE CASCADE, CONSTRAINT manifestation_fk FOREIGN KEY(manifestation) REFERENCES manifestation(id) ON DELETE CASCADE, CONSTRAINT actor_fk FOREIGN KEY(actor) REFERENCES actor(id) ON DELETE CASCADE, CONSTRAINT origin_fk FOREIGN KEY(origin) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT payload_fk FOREIGN KEY(payload) REFERENCES payload(id) ON DELETE CASCADE, CONSTRAINT subj_id_fk FOREIGN KEY(subj_id) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_id_current_fk FOREIGN KEY(subj_id_current) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_interpretation_fk FOREIGN KEY(subj_interpretation) REFERENCES interpretation(id) ON DELETE CASCADE, CONSTRAINT subj_manifestation_fk FOREIGN KEY(subj_manifestation) REFERENCES manifestation(id) ON DELETE CASCADE, CONSTRAINT subj_origin_fk FOREIGN KEY(subj_origin) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_mimetype_fk FOREIGN KEY(subj_mimetype) REFERENCES mimetype(id) ON DELETE CASCADE, CONSTRAINT subj_text_fk FOREIGN KEY(subj_text) REFERENCES text(id) ON DELETE CASCADE, CONSTRAINT subj_storage_fk FOREIGN KEY(subj_storage) REFERENCES storage(id) ON DELETE CASCADE, CONSTRAINT unique_event UNIQUE (timestamp, interpretation, manifestation, actor, subj_id) )'}]

class plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityEventData

Bases: plaso.containers.events.EventData

Zeitgeist activity event data.

subject_uri

str – subject URI.

DATA_TYPE = 'zeitgeist:activity'

Module contents

Imports for the SQLite database parser.