Create plist parser plugins to read com.apple.MobileBackup.plist #4916
Conversation
rizabudi
changed the title
|
Thanks for the suggested changes, I'll take a look later this week when time permits |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #4916 +/- ##
==========================================
+ Coverage 85.05% 85.07% +0.01%
==========================================
Files 431 432 +1
Lines 38648 38684 +36
==========================================
+ Hits 32873 32911 +38
+ Misses 5775 5773 -2 ☔ View full report in Codecov by Sentry. |
plaso/data/formatters/ios.yaml
Outdated
| @@ -233,3 +233,12 @@ short_message: | |||
| - 'Message: {text}' | |||
| short_source: 'Twitter iOS' | |||
| source: 'Twitter iOS Status' | |||
| --- | |||
There was a problem hiding this comment.
Please keep the contents of this file in alphabetic order.
plaso/data/timeliner.yaml
Outdated
| @@ -1795,3 +1795,9 @@ attribute_mappings: | |||
| - name: 'recorded_time' | |||
| description: 'Recorded Time' | |||
| place_holder_event: true | |||
| --- | |||
There was a problem hiding this comment.
Please keep the contents of this file in alphabetic order.
|
|
||
| PLIST_KEYS = frozenset(['AccountEnabledDate','BackupStateInfo']) | ||
|
|
||
| def _getEventData(self, description, datetime_value): |
There was a problem hiding this comment.
method name does not align with style guide and missing docstring
| for key, value in plist_key.items(): | ||
| if key == "date": | ||
| parser_mediator.ProduceEventData( | ||
| self._getEventData("BackupStateInfo - date", value) |
There was a problem hiding this comment.
continuation indentation does not align with style guide
| match (Optional[dict[str: object]]): keys extracted from PLIST_KEYS. | ||
| """ | ||
|
|
||
| datetime_value = match.get('AccountEnabledDate', {}) |
There was a problem hiding this comment.
Why not produce 1 event data with the different date and time values?
| event_data.activity_description = description | ||
| timestamp = datetime.datetime.timestamp(datetime_value) | ||
| timestamp = int(timestamp * definitions.NANOSECONDS_PER_SECOND) | ||
| event_data.activity_time = dfdatetime_posix_time.PosixTimeInNanoseconds( |
There was a problem hiding this comment.
Why not use _GetDateTimeValueFromPlistKey ?
| PLIST_PATH_FILTERS = frozenset([ | ||
| interface.PlistPathFilter('com.apple.MobileBackup.plist')]) | ||
|
|
||
| PLIST_KEYS = frozenset(['AccountEnabledDate','BackupStateInfo']) |
There was a problem hiding this comment.
style nit: space missing after ,
| ) | ||
|
|
||
| plist_key = match.get('BackupStateInfo', {}) | ||
| for key, value in plist_key.items(): |
There was a problem hiding this comment.
why iterate all keys if you're only interested in 'date' and 'errors' keys ?
| for key, value in plist_key.items(): | ||
| if key == "date": | ||
| parser_mediator.ProduceEventData( | ||
| self._getEventData("BackupStateInfo - date", value) |
There was a problem hiding this comment.
What does this date and time represent? Is this the creation date of the backup state info?
| for val in value: | ||
| parser_mediator.ProduceEventData( | ||
| self._getEventData( | ||
| f"BackupStateInfo - {val['localizedDescription']}", |
There was a problem hiding this comment.
Is this the start or end time of the backup ?
joachimmetz
added
the
pending reporter input
One line description of pull request
Create plist parser plugins to read com.apple.MobileBackup.plist
Description:
Create plist parser plugins to read com.apple.MobileBackup.plist
Related issue (if applicable): fixes #
Notes:
All contributions to Plaso undergo code review.
This makes sure that the code has appropriate test coverage and conforms to the
Plaso style guide.
One of the maintainers will examine your code, and may request changes. Check off the items below in
order, and then a maintainer will review your code.
Checklist: