Migrated MacOS keychain construct-based plugin to use dtfabric log2ti…
joachimmetz committed Aug 23, 2018
1 parent 8b5ca52 commit 8b8965d
Showing 2 changed files with 33 additions and 11 deletions.
40 changes: 31 additions & 9 deletions plaso/parsers/mac_keychain.py
Expand Up @@ -368,16 +368,20 @@ def _ReadRecord(self, tables, file_object, record_offset, record_type):
record_header = self._ReadRecordHeader(file_object, record_offset)

record = collections.OrderedDict()

if table.columns:
attribute_value_offsets = self._ReadRecordAttributeValueOffset(
file_object, record_offset + 24, len(table.columns))

file_offset = file_object.tell()
attribute_values_data_offset = file_offset - record_offset
attribute_values_data_size = record_header.data_size - (
file_offset - record_offset)
attribute_values_data = file_object.read(attribute_values_data_size)
file_offset = file_object.tell()
record_data_offset = file_offset - record_offset
record_data_size = record_header.data_size - (file_offset - record_offset)
record_data = file_object.read(record_data_size)

if record_header.key_data_size > 0:
record['_key_'] = record_data[:record_header.key_data_size]

if table.columns:
for index, column in enumerate(table.columns):
attribute_data_read_function = self._ATTRIBUTE_DATA_READ_FUNCTIONS.get(
column.attribute_data_type, None)
Expand All @@ -389,8 +393,8 @@ def _ReadRecord(self, tables, file_object, record_offset, record_type):
attribute_value = None
else:
attribute_value = attribute_data_read_function(
attribute_values_data, record_offset,
attribute_values_data_offset, attribute_value_offsets[index])
record_data, record_offset, record_data_offset,
attribute_value_offsets[index])

record[column.attribute_name] = attribute_value

Expand Down Expand Up @@ -771,14 +775,24 @@ def _ParseApplicationPasswordRecord(self, parser_mediator, record):
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
record (dict[str, object]): database record.
Raises:
ParseError: if Internet password record cannot be parsed.
"""
key = record.get('_key_', None)
if not key or not key.startswith(b'ssgp'):
raise errors.ParseError((
'Unsupported application password record key value does not start '
'with: "ssgp".'))

event_data = KeychainApplicationRecordEventData()
event_data.account_name = self._ParseBinaryDataAsString(
parser_mediator, record['acct'])
event_data.comments = self._ParseBinaryDataAsString(
parser_mediator, record['crtr'])
event_data.entry_name = self._ParseBinaryDataAsString(
parser_mediator, record['PrintName'])
event_data.ssgp_hash = codecs.encode(key[4:], 'hex')
event_data.text_description = self._ParseBinaryDataAsString(
parser_mediator, record['desc'])

Expand All @@ -801,7 +815,16 @@ def _ParseInternetPasswordRecord(self, parser_mediator, record):
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
record (dict[str, object]): database record.
Raises:
ParseError: if Internet password record cannot be parsed.
"""
key = record.get('_key_', None)
if not key or not key.startswith(b'ssgp'):
raise errors.ParseError((
'Unsupported Internet password record key value does not start '
'with: "ssgp".'))

protocol_string = codecs.decode('{0:08x}'.format(record['ptcl']), 'hex')

event_data = KeychainInternetRecordEventData()
Expand All @@ -813,8 +836,7 @@ def _ParseInternetPasswordRecord(self, parser_mediator, record):
parser_mediator, record['PrintName'])
event_data.protocol = self._PROTOCOL_TRANSLATION_DICT.get(
protocol_string, protocol_string)
event_data.ssgp_hash = self._ParseBinaryDataAsString(
parser_mediator, record['Label'])
event_data.ssgp_hash = codecs.encode(key[4:], 'hex')
event_data.text_description = self._ParseBinaryDataAsString(
parser_mediator, record['desc'])
event_data.type_protocol = self._ParseBinaryDataAsString(
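Review bot: In the first hunk, `record['_key_'] = record_data[:record_header.key_data_size]` trusts a length field read straight from the keychain file and never checks it against the bytes actually read; a corrupt or crafted file with an oversized `key_data_size` silently yields a truncated key (Python slicing does not raise), which the new `ssgp` checks in `_ParseApplicationPasswordRecord` and `_ParseInternetPasswordRecord` would then accept as a normal key and hex-encode. I would reject the record explicitly before the slice, e.g. `if record_header.key_data_size > len(record_data): raise errors.ParseError('Key data size exceeds record data size.')`, consistent with the ParseError style the hunks below introduce. The same hunk also computes `record_data_size` from `record_header.data_size` without checking that it is not negative, though that computation predates this commit. Minor: the key lookup and `ssgp` prefix test is now duplicated verbatim in both record parsers, and a small `_GetSSGPKey(record, record_type)` helper would keep the two error messages from drifting. `_ReadRecord` begins before the first hunk and continues after it, so some of the surrounding bounds handling may be outside view.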
4 changes: 2 additions & 2 deletions plaso/parsers/mac_keychain.yaml
Expand Up @@ -145,9 +145,9 @@ members:
data_type: uint32
- name: unknown3
data_type: uint32
- name: unknown4
- name: key_data_size
data_type: uint32
- name: unknown5
- name: unknown4
data_type: uint32
---
name: keychain_record_attribute_value_offsets
