diff --git a/plaso/parsers/sqlite_plugins/ios_notes.py b/plaso/parsers/sqlite_plugins/ios_notes.py index 5fbdbb7223..b87186d932 100644 --- a/plaso/parsers/sqlite_plugins/ios_notes.py +++ b/plaso/parsers/sqlite_plugins/ios_notes.py @@ -43,7 +43,8 @@ class IOSNotesPlugin(interface.SQLitePlugin): } QUERIES = [ - ('SELECT ZCREATIONDATE3, ZMODIFICATIONDATE1, ZTITLE1,ZSNIPPET from ZICCLOUDSYNCINGOBJECT', + ('SELECT ZCREATIONDATE3, ZMODIFICATIONDATE1, ZTITLE1,ZSNIPPET' + 'from ZICCLOUDSYNCINGOBJECT', 'ParseNoteRow')] SCHEMAS = [{ 
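Review bot: The re-wrapped query in `QUERIES` loses the space before `from`: the adjacent literals `'...ZTITLE1,ZSNIPPET'` and `'from ZICCLOUDSYNCINGOBJECT'` concatenate to `ZSNIPPETfrom ZICCLOUDSYNCINGOBJECT`, which SQLite would read as a column `ZSNIPPETfrom` aliased `ZICCLOUDSYNCINGOBJECT`, with no FROM clause. The statement then presumably fails at run time, so the plugin would produce no note events from a matching database, and a forensic timeline would be missing that evidence unless someone reads the extraction warnings. End the first literal with a space, `'SELECT ZCREATIONDATE3, ZMODIFICATIONDATE1, ZTITLE1, ZSNIPPET '`, and keep `'FROM ZICCLOUDSYNCINGOBJECT',` on the next line. The enclosing class starts and continues outside this hunk.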
@@ -56,23 +57,29 @@ class IOSNotesPlugin(interface.SQLitePlugin): 'ZNEEDSTOSAVEUSERSPECIFICRECORD INTEGER, ZCLOUDSTATE INTEGER,' 'ZACCOUNT INTEGER, ZCHECKEDFORLOCATION INTEGER, ZFILESIZE INTEGER,' 'ZHANDWRITINGSUMMARYVERSION INTEGER, ZHASMARKUPDATA INTEGER,' - 'ZIMAGECLASSIFICATIONSUMMARYVERSION INTEGER, ZIMAGEFILTERTYPE INTEGER,' + 'ZIMAGECLASSIFICATIONSUMMARYVERSION INTEGER,' + 'ZIMAGEFILTERTYPE INTEGER,' 'ZNEEDSINITIALRELATIONSHIPSETUP INTEGER, ZOCRSUMMARYVERSION INTEGER,' 'ZORIENTATION INTEGER, ZSECTION INTEGER, ZURLEXPIRED INTEGER,' 'ZLOCATION INTEGER, ZMEDIA INTEGER, ZNOTE INTEGER,' 'ZNOTEUSINGTITLEFORNOTETITLE INTEGER, ZPARENTATTACHMENT INTEGER,' - 'ZAPPEARANCETYPE INTEGER, ZSCALEWHENDRAWING INTEGER, ZVERSION INTEGER,' + 'ZAPPEARANCETYPE INTEGER, ZSCALEWHENDRAWING INTEGER,' + 'ZVERSION INTEGER,' 'ZVERSIONOUTOFDATE INTEGER, ZATTACHMENT INTEGER, ZSTATE INTEGER,' - 'ZACCOUNT1 INTEGER, ZACCOUNT2 INTEGER, ZMENTIONNOTIFICATIONATTEMPTCOUNT' + 'ZACCOUNT1 INTEGER, ZACCOUNT2 INTEGER,' + 'ZMENTIONNOTIFICATIONATTEMPTCOUNT' 'INTEGER, ZMENTIONNOTIFICATIONSTATE INTEGER, ZNOTE1 INTEGER,' 'ZPARENTATTACHMENT1 INTEGER, ZTYPE INTEGER, ZACCOUNT3 INTEGER,' - 'ZATTACHMENT1 INTEGER, ZATTACHMENTVIEWTYPE INTEGER, ZISPINNED INTEGER,' + 'ZATTACHMENT1 INTEGER, ZATTACHMENTVIEWTYPE INTEGER,' + 'ZISPINNED INTEGER,' 'ZISSYSTEMPAPER INTEGER, ZLEGACYNOTEWASPLAINTEXT INTEGER,' 'ZNOTEHASCHANGES INTEGER, ZPAPERSTYLETYPE INTEGER,' - 'ZPREFERREDBACKGROUNDTYPE INTEGER, ZACCOUNT4 INTEGER, ZFOLDER INTEGER,' + 'ZPREFERREDBACKGROUNDTYPE INTEGER, ZACCOUNT4 INTEGER,' + 'ZFOLDER INTEGER,' 'ZNOTEDATA INTEGER, ZTITLESOURCEATTACHMENT INTEGER,' 'ZISHIDDENNOTECONTAINER INTEGER, ZSORTORDER INTEGER, ZOWNER INTEGER,' - 'ZACCOUNTTYPE INTEGER, ZDIDCHOOSETOMIGRATE INTEGER, ZDIDFINISHMIGRATION' + 'ZACCOUNTTYPE INTEGER, ZDIDCHOOSETOMIGRATE INTEGER,' + 'ZDIDFINISHMIGRATION' 'INTEGER, ZDIDMIGRATEONMAC INTEGER, ZSERVERSIDEUPDATETASKFAILURECOUNT' 'INTEGER, ZSTOREDATASEPARATELY INTEGER, ZACCOUNTDATA INTEGER,' 
'ZCUSTOMNOTESORTTYPEVALUE INTEGER, ZFOLDERTYPE INTEGER,' 
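Review bot: Several wrapped `SCHEMAS` literals end on a column name while the next literal starts with its type, with no space between them: `'ZMENTIONNOTIFICATIONATTEMPTCOUNT'` followed by `'INTEGER, ZMENTIONNOTIFICATIONSTATE INTEGER, ...'` concatenates to `ZMENTIONNOTIFICATIONATTEMPTCOUNTINTEGER`, and `'ZDIDFINISHMIGRATION'` followed by `'INTEGER, ...'` fuses the same way. The removed lines had the same join, so it predates this commit, but the lines are rewritten here and the hunk at -82,27 repeats it for `ZLASTACTIVITYRECENTUPDATESVIEWEDDATE`/`TIMESTAMP` and `ZLEGACYCONTENTHASHATIMPORT`/`VARCHAR`. If this string is compared with the CREATE TABLE statement stored in the database, the fused names would keep the schema from matching; a trailing space fixes each case, e.g. `'ZMENTIONNOTIFICATIONATTEMPTCOUNT '`. The SCHEMAS literal starts and ends outside this hunk.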
@@ -82,27 +89,36 @@ class IOSNotesPlugin(interface.SQLitePlugin): 'ZCROPPINGQUADBOTTOMRIGHTY FLOAT, ZCROPPINGQUADTOPLEFTX FLOAT,' 'ZCROPPINGQUADTOPLEFTY FLOAT, ZCROPPINGQUADTOPRIGHTX FLOAT,' 'ZCROPPINGQUADTOPRIGHTY FLOAT, ZDURATION FLOAT, ZMODIFICATIONDATE' - 'TIMESTAMP, ZORIGINX FLOAT, ZORIGINY FLOAT, ZPREVIEWUPDATEDATE TIMESTAMP,' + 'TIMESTAMP, ZORIGINX FLOAT, ZORIGINY FLOAT,' + 'ZPREVIEWUPDATEDATE TIMESTAMP,' 'ZSIZEHEIGHT FLOAT, ZSIZEWIDTH FLOAT, ZHEIGHT FLOAT, ZMODIFIEDDATE' - 'TIMESTAMP, ZSCALE FLOAT, ZWIDTH FLOAT, ZSTATEMODIFICATIONDATE TIMESTAMP,' + 'TIMESTAMP, ZSCALE FLOAT, ZWIDTH FLOAT,' + 'ZSTATEMODIFICATIONDATE TIMESTAMP,' 'ZCREATIONDATE1 TIMESTAMP, ZCREATIONDATE2 TIMESTAMP,' 'ZMODIFICATIONDATEATIMPORT TIMESTAMP, ZCREATIONDATE3 TIMESTAMP,' - 'ZFOLDERMODIFICATIONDATE TIMESTAMP, ZLASTACTIVITYRECENTUPDATESVIEWEDDATE' + 'ZFOLDERMODIFICATIONDATE TIMESTAMP,' + 'ZLASTACTIVITYRECENTUPDATESVIEWEDDATE' 'TIMESTAMP, ZLASTACTIVITYSUMMARYVIEWEDDATE TIMESTAMP,' 'ZLASTATTRIBUTIONSVIEWEDDATE TIMESTAMP, ZLASTNOTIFIEDDATE TIMESTAMP,' 'ZLASTOPENEDDATE TIMESTAMP, ZLASTVIEWEDMODIFICATIONDATE TIMESTAMP,' - 'ZLEGACYMODIFICATIONDATEATIMPORT TIMESTAMP, ZMODIFICATIONDATE1 TIMESTAMP,' + 'ZLEGACYMODIFICATIONDATEATIMPORT TIMESTAMP,' + 'ZMODIFICATIONDATE1 TIMESTAMP,' 'ZCUSTOMNOTESORTTYPEMODIFICATIONDATE TIMESTAMP,' - 'ZDATEFORLASTTITLEMODIFICATION TIMESTAMP, ZPARENTMODIFICATIONDATE TIMESTAMP,' + 'ZDATEFORLASTTITLEMODIFICATION TIMESTAMP,' + 'ZPARENTMODIFICATIONDATE TIMESTAMP,' 'ZIDENTIFIER VARCHAR, ZPASSWORDHINT VARCHAR, ZZONEOWNERNAME VARCHAR,' 'ZADDITIONALINDEXABLETEXT VARCHAR, ZFALLBACKSUBTITLEIOS VARCHAR,' 'ZFALLBACKSUBTITLEMAC VARCHAR, ZFALLBACKTITLE VARCHAR,' 'ZHANDWRITINGSUMMARY VARCHAR, ZIMAGECLASSIFICATIONSUMMARY VARCHAR,' 'ZOCRSUMMARY VARCHAR, ZREMOTEFILEURLSTRING VARCHAR, ZSUMMARY VARCHAR,' - 'ZTITLE VARCHAR, ZTYPEUTI VARCHAR, ZURLSTRING VARCHAR, ZUSERTITLE VARCHAR,' - 'ZDEVICEIDENTIFIER VARCHAR, ZDISPLAYTEXT VARCHAR, ZSTANDARDIZEDCONTENT VARCHAR,' - 'ZALTTEXT VARCHAR, 
ZTOKENCONTENTIDENTIFIER VARCHAR, ZTYPEUTI1 VARCHAR,' - 'ZCONTENTHASHATIMPORT VARCHAR, ZFILENAME VARCHAR, ZLEGACYCONTENTHASHATIMPORT' + 'ZTITLE VARCHAR, ZTYPEUTI VARCHAR, ZURLSTRING VARCHAR,' + 'ZUSERTITLE VARCHAR,' + 'ZDEVICEIDENTIFIER VARCHAR, ZDISPLAYTEXT VARCHAR,' + 'ZSTANDARDIZEDCONTENT VARCHAR,' + 'ZALTTEXT VARCHAR, ZTOKENCONTENTIDENTIFIER VARCHAR,' + 'ZTYPEUTI1 VARCHAR,' + 'ZCONTENTHASHATIMPORT VARCHAR, ZFILENAME VARCHAR,' + 'ZLEGACYCONTENTHASHATIMPORT' 'VARCHAR, ZLEGACYIMPORTDEVICEIDENTIFIER VARCHAR,' 'ZLEGACYMANAGEDOBJECTIDURIREPRESENTATION VARCHAR,' 'ZSELECTEDINKCOLORSTRING VARCHAR, ZSELECTEDINKIDENTIFIER VARCHAR,' @@ -123,13 +139,15 @@ class IOSNotesPlugin(interface.SQLitePlugin): 'ZSERVERSHAREDATA BLOB, ZUNAPPLIEDENCRYPTEDRECORD BLOB,' 'ZUSERSPECIFICSERVERRECORDDATA BLOB, ZMERGEABLEDATA BLOB,' 'ZFALLBACKIMAGECRYPTOINITIALIZATIONVECTOR BLOB,' - 'ZFALLBACKIMAGECRYPTOTAG BLOB, ZLINKPRESENTATIONARCHIVEDMETADATA BLOB,' + 'ZFALLBACKIMAGECRYPTOTAG BLOB,' + 'ZLINKPRESENTATIONARCHIVEDMETADATA BLOB,' 'ZMARKUPMODELDATA BLOB, ZMERGEABLEDATA1 BLOB, ZMETADATADATA BLOB,' 'ZSYNAPSEDATA BLOB, ZCRYPTOMETADATAINITIALIZATIONVECTOR BLOB,' 'ZCRYPTOMETADATATAG BLOB, ZENCRYPTEDMETADATA BLOB, ZMETADATA BLOB,' 'ZLASTNOTIFIEDTIMESTAMPDATA BLOB, ZLASTVIEWEDTIMESTAMPDATA BLOB,' 'ZREPLICAIDTOUSERIDDICTDATA BLOB, ZCRYPTOVERIFIER BLOB,' - 'ZSERVERSIDEUPDATETASKCONTINUATIONTOKEN BLOB, ZMERGEABLEDATA2 BLOB )')}] + 'ZSERVERSIDEUPDATETASKCONTINUATIONTOKEN BLOB,' + 'ZMERGEABLEDATA2 BLOB )')}] def _GetDateTimeRowValue(self, query_hash, row, value_name): """Retrieves a date and time value from the row. 
@@ -162,7 +180,7 @@ def ParseNoteRow(self, parser_mediator, query, row, **unused_kwargs): event_data = IOSNotesEventData() event_data.creation_time = self._GetDateTimeRowValue( query_hash, row, 'ZCREATIONDATE3') - event_data.modification_time = self._GetDateTimeRowValue( + event_data.modification_time = self._GetDateTimeRowValue( query_hash, row, 'ZMODIFICATIONDATE1') event_data.title = self._GetRowValue(query_hash, row, 'ZTITLE1') event_data.snippet = self._GetRowValue(query_hash, row, 'ZSNIPPET') diff --git a/tests/parsers/sqlite_plugins/ios_notes.py b/tests/parsers/sqlite_plugins/ios_notes.py index 0fb53bcb36..e56404d9bf 100644 --- a/tests/parsers/sqlite_plugins/ios_notes.py +++ b/tests/parsers/sqlite_plugins/ios_notes.py @@ -16,7 +16,7 @@ def testProcess(self): plugin = ios_notes.IOSNotesPlugin() storage_writer = self._ParseDatabaseFileWithPlugin( ['NotesStore.sqlite'], plugin) - + number_of_event_data = storage_writer.GetNumberOfAttributeContainers( 'event_data') self.assertEqual(number_of_event_data, 28) @@ -34,10 +34,10 @@ def testProcess(self): 'modification_time': '2023-05-10T00:57:01.178374', 'title': 'iOS 15 Note', 'snippet': 'Here is the test iOS 15 note.'} - + event_data = storage_writer.GetAttributeContainerByIndex('event_data', 25) self.CheckEventData(event_data, expected_event_values) - + if __name__ == '__main__': unittest.main() diff --git a/timeline.csv b/timeline.csv deleted file mode 100644 index e9c4b52979..0000000000 --- a/timeline.csv +++ /dev/null 
@@ -1,21 +0,0 @@ -datetime;timestamp_desc;source;source_long;message;parser;display_name;tag -0000-00-00T00:00:00.000000+00:00;Not a time;SQLITE;iOS notes database;;sqlite/ios_notes;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2020-03-28T00:36:48.000000+00:00;Creation Time;SQLITE;iOS notes database;Title: My First Note Content: This is my first note. Nothing special.;sqlite/ios_notes;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2020-03-28T00:37:43.000000+00:00;Modification Time;SQLITE;iOS notes database;Title: My First Note Content: This is my first note. Nothing special.;sqlite/ios_notes;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2020-03-28T00:42:31.000000+00:00;Creation Time;SQLITE;iOS notes database;Title: My Secret Note;sqlite/ios_notes;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2020-03-28T00:42:56.000000+00:00;Modification Time;SQLITE;iOS notes database;Title: My Secret Note;sqlite/ios_notes;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2020-03-28T00:48:37.000000+00:00;Creation Time;SQLITE;iOS notes database;Title: My Super Secret Note;sqlite/ios_notes;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2020-03-28T00:49:13.000000+00:00;Modification Time;SQLITE;iOS notes database;Title: My Super Secret Note;sqlite/ios_notes;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2021-02-15T20:21:41.000000+00:00;Creation Time;SQLITE;iOS notes database;Title: iOS 14 Note Content: This is a note created for iOS 14. It is created on iPhone.;sqlite/ios_notes;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2021-02-15T20:22:13.000000+00:00;Modification Time;SQLITE;iOS notes database;Title: iOS 14 Note Content: This is a note created for iOS 14. 
It is created on iPhone.;sqlite/ios_notes;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2021-02-15T20:37:09.000000+00:00;Creation Time;SQLITE;iOS notes database;Title: iOS 14 Locked Note;sqlite/ios_notes;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2021-02-15T20:37:54.000000+00:00;Modification Time;SQLITE;iOS notes database;Title: iOS 14 Locked Note;sqlite/ios_notes;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2023-05-10T00:56:26.000000+00:00;Creation Time;SQLITE;iOS notes database;Title: iOS 15 Note Content: Here is the test iOS 15 note.;sqlite/ios_notes;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2023-05-10T00:57:01.000000+00:00;Modification Time;SQLITE;iOS notes database;Title: iOS 15 Note Content: Here is the test iOS 15 note.;sqlite/ios_notes;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2023-05-10T00:59:13.000000+00:00;Creation Time;SQLITE;iOS notes database;;sqlite/ios_notes;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2023-05-10T00:59:13.000000+00:00;Creation Time;SQLITE;iOS notes database;Title: Secure iOS 15 Note;sqlite/ios_notes;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2023-05-10T00:59:42.000000+00:00;Modification Time;SQLITE;iOS notes database;;sqlite/ios_notes;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2023-05-10T00:59:42.000000+00:00;Modification Time;SQLITE;iOS notes database;Title: Secure iOS 15 Note;sqlite/ios_notes;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2024-11-11T03:03:34.000000+00:00;Creation Time;FILE;File stat;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite Type: file Owner identifier: 0 Group identifier: 0 Mode: 0o666 Number of links: 1;filestat;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- 
-2024-11-11T03:03:34.396728+00:00;Content Modification Time;FILE;File stat;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite Type: file Owner identifier: 0 Group identifier: 0 Mode: 0o666 Number of links: 1;filestat;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- -2024-12-05T00:44:47.387012+00:00;Last Access Time;FILE;File stat;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite Type: file Owner identifier: 0 Group identifier: 0 Mode: 0o666 Number of links: 1;filestat;OS:D:\Penting\ITS\Sem 1\Forensik Digital\plaso\test_data\NoteStore.sqlite;- diff --git a/timeline.plaso b/timeline.plaso deleted file mode 100644 index d509b78d90..0000000000 Binary files a/timeline.plaso and /dev/null differ