Skip to content

Add SQLite parser for Files by Google (files_master_database) file #4938

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
gustino7 wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Add SQLite parser for Files by Google (files_master_database) file #4938

gustino7 wants to merge 9 commits into from

Conversation

@gustino7
Copy link

@gustino7 gustino7 commented Dec 5, 2024
edited by joachimmetz
Loading

One line description of pull request

Add SQLite parser for Files by Google (files_master_database) file

Description:

I add/edit several files:

  • Add import files_by_google to plaso/parsers/sqlite_plugins/init.py
  • Add a new parser plugin files_by_google.py to plaso/parsers/sqlite_plugins/
  • Add files_master_database file to test_data/
  • Add unit test files_by_google.py to tests/parsers/sqlite_plugins/
  • Modify android.yaml to support Files by Google parser plugin (plaso/data/formatters/android.yaml)
  • Modify timeliner.yaml to support Files by Google parser plugin (plaso/data/timeliner.yaml)

Notes:

All contributions to Plaso undergo code review.
This makes sure that the code has appropriate test coverage and conforms to the
Plaso style guide.

One of the maintainers will examine your code, and may request changes. Check off the items below in
order, and then a maintainer will review your code.

Checklist:

  • Automated checks (GitHub Actions, AppVeyor) pass
  • No new new dependencies are required or l2tdevtools has been updated
  • Reviewer assigned
  • Test data has a Plaso compatible license

@jundi77
Copy link

jundi77 commented Dec 9, 2024

Is the cause of continuous-integration/appveyor/pr failing because lack of appveyor quota?

@joachimmetz joachimmetz self-assigned this Mar 4, 2025
@joachimmetz
Copy link
Member

joachimmetz commented Mar 4, 2025
edited
Loading

Is the cause of continuous-integration/appveyor/pr failing because lack of appveyor quota?

@jundi77 looks like the run took more than 1h, that can be due to external factors.

@joachimmetz
Copy link
Member

joachimmetz commented Mar 4, 2025

@gustino7 what is the origin of the test data file?

“ino” and others added 8 commits March 4, 2025 06:33
@joachimmetz
add: parser Files by Google
9abd5bd
@joachimmetz
add: init.py sqlite plugin
16d038c
@jundi77 @joachimmetz
fix: wrong table in required structure files_by_google
d81015e
@jundi77 @joachimmetz
add: files_by_google to plaso timeliner
72f02bd
@jundi77 @joachimmetz
add: files_by_google to plaso timeliner
c6e7f66 
TODO: both timeliner and formatters MUST be reviewed for a better output on sentencing and description
@jundi77 @joachimmetz
Files by google parser unit test (#1)
69c2c19 
* Create files_by_google.py

* Add files_master_database for files_by_google unit test

* Update db filename used in files_by_google unit test

* Fix unit test files_by_google

Fix unit test files_by_google:
- Renamed class to conform with other test class
- Wrong class used in plugin variable used for testing
- Event data is mistakenly written in AM/PM mode, now is written in 24H format
- Fix some value `expected_event_values` is in number type
- Mistakenly assumed in GetAttributeContainerByIndex that 1 is the first event_data, now changed to 0
@gustino7 @joachimmetz
fix: linting with pylint
4f6df84
@jundi77 @joachimmetz
fix wrong query in files_by_google parser
4c342af
@joachimmetz
Copy link
Member

joachimmetz commented Mar 4, 2025

Rebased PR

@joachimmetz
Copy link
Member

joachimmetz commented Mar 4, 2025

@gustino7 @jundi77 PTAL at the lint warnings

@joachimmetz joachimmetz added the pending reporter input Issue is pending input from the reporter label Mar 4, 2025
@codecov
Copy link

codecov bot commented Mar 4, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 97.91667% with 1 line in your changes missing coverage. Please review.

Project coverage is 85.10%. Comparing base (11259d3) to head (4c342af).

Files with missing lines Patch % Lines
plaso/parsers/sqlite_plugins/files_by_google.py 97.91% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4938      +/-   ##
==========================================
+ Coverage   85.09%   85.10%   +0.01%     
==========================================
  Files         432      433       +1     
  Lines       38792    38840      +48     
==========================================
+ Hits        33009    33056      +47     
- Misses       5783     5784       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@jundi77
Copy link

jundi77 commented Mar 5, 2025

@gustino7 what is the origin of the test data file?

We are using forensic image from https://corp.digitalcorpora.org/corpora/mobile/android_13/ at /data/data/user/0/com.google.android.apps.nbu.files/databases/files_master_database.

@jundi77
Copy link

jundi77 commented Mar 12, 2025

@gustino7 @jundi77 PTAL at the lint warnings

Commit 81f3508 is to fix previous lint issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@joachimmetz joachimmetz

Labels

pending reporter input Issue is pending input from the reporter

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@gustino7 @jundi77 @joachimmetz