Added SQLite plugin for Tango or Android log2timeline#712 (log2timeli…

…ne#2109)

plaso/formatters/__init__.py

@@ -79,6 +79,7 @@
 from plaso.formatters import symantec
 from plaso.formatters import syslog
 from plaso.formatters import systemd_journal
+from plaso.formatters import tango_android
 from plaso.formatters import task_scheduler
 from plaso.formatters import text
 from plaso.formatters import trendmicroav

plaso/formatters/tango_android.py

@@ -0,0 +1,136 @@
+# -*- coding: utf-8 -*-
+"""Tango on Android databases formatter."""
+
+from __future__ import unicode_literals
+
+from plaso.formatters import interface
+from plaso.formatters import manager
+from plaso.lib import errors
+
+
+class TangoAndroidMessageFormatter(interface.ConditionalEventFormatter):
+  """Tango on Android message event formatter."""
+
+  DATA_TYPE = 'tango:android:message'
+
+  FORMAT_STRING_PIECES = [
+      '{direction}',
+      'Message ({message_identifier})',
+  ]
+
+  FORMAT_STRING_SHORT_PIECES = [
+      '{direction}',
+      'Message ({message_identifier})'
+  ]
+
+  SOURCE_LONG = 'Tango Android Message'
+  SOURCE_SHORT = 'Tango Android'
+
+  _DIRECTION = {
+      1: 'Incoming',
+      2: 'Outgoing'
+  }
+
+  # pylint: disable=unused-argument
+  def GetMessages(self, formatter_mediator, event):
+    """Determines the formatted message strings for an event.
+
+    Args:
+      formatter_mediator (FormatterMediator): mediates the interactions between
+          formatters and other components, such as storage and Windows EventLog
+          resources.
+      event (EventObject): event.
+
+    Returns:
+      tuple[str, str]: formatted message string and short message string.
+
+    Raises:
+      WrongFormatter: if the event object cannot be formatted by the formatter.
+    """
+    if self.DATA_TYPE != event.data_type:
+      raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
+          event.data_type))
+
+    event_values = event.CopyToDict()
+
+    direction = event_values.get('direction', None)
+    if direction is not None:
+      event_values['direction'] = self._DIRECTION.get(direction, 'Unknown')
+
+    return self._ConditionalFormatMessages(event_values)
+
+
+class TangoAndroidConversationFormatter(interface.ConditionalEventFormatter):
+  """Tango on Android conversation event formatter."""
+
+  DATA_TYPE = 'tango:android:conversation'
+
+  FORMAT_STRING_PIECES = [
+      'Conversation ({conversation_identifier})',
+  ]
+
+  FORMAT_STRING_SHORT_PIECES = [
+      'Conversation ({conversation_identifier})',
+  ]
+
+  SOURCE_LONG = 'Tango Android Conversation'
+  SOURCE_SHORT = 'Tango Android'
+
+
+class TangoAndroidContactFormatter(interface.ConditionalEventFormatter):
+  """Tango on Android contact event formatter."""
+
+  DATA_TYPE = 'tango:android:contact'
+
+  FORMAT_STRING_PIECES = [
+      '{first_name}',
+      '{last_name}',
+      '{gender}',
+      'birthday: {birthday}',
+      'Status: {status}',
+      'Friend: {is_friend}',
+      'Request type: {friend_request_type}',
+      'Request message: {friend_request_message}'
+  ]
+
+  FORMAT_STRING_SHORT_PIECES = [
+      '{first_name}',
+      '{last_name}',
+      'Status: {status}'
+  ]
+
+  SOURCE_LONG = 'Tango Android Contact'
+  SOURCE_SHORT = 'Tango Android'
+
+  # pylint: disable=unused-argument
+  def GetMessages(self, formatter_mediator, event):
+    """Determines the formatted message strings for an event.
+
+    Args:
+      formatter_mediator (FormatterMediator): mediates the interactions between
+          formatters and other components, such as storage and Windows EventLog
+          resources.
+      event (EventObject): event.
+
+    Returns:
+      tuple[str, str]: formatted message string and short message string.
+
+    Raises:
+      WrongFormatter: if the event object cannot be formatted by the formatter.
+    """
+    if self.DATA_TYPE != event.data_type:
+      raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
+          event.data_type))
+
+    event_values = event.CopyToDict()
+
+    is_friend = event_values.get('is_friend', None)
+    if is_friend is not None:
+      event_values['is_friend'] = '{0!s}'.format(is_friend)
+
+    return self._ConditionalFormatMessages(event_values)
+
+
+manager.FormattersManager.RegisterFormatters([
+    TangoAndroidMessageFormatter, TangoAndroidConversationFormatter,
+    TangoAndroidContactFormatter])

plaso/lib/definitions.py

@@ -115,6 +115,7 @@
 TIME_DESCRIPTION_FILE_DOWNLOADED = 'File Downloaded'
 TIME_DESCRIPTION_FIRST_CONNECTED = 'First Connection Time'
 TIME_DESCRIPTION_INSTALLATION = 'Installation Time'
+TIME_DESCRIPTION_LAST_ACTIVE = 'Last Active Time'
 TIME_DESCRIPTION_LAST_ACCESS = 'Last Access Time'
 TIME_DESCRIPTION_LAST_CHECKED = 'Last Checked Time'
 TIME_DESCRIPTION_LAST_CONNECTED = 'Last Connection Time'
@@ -131,6 +132,7 @@
 TIME_DESCRIPTION_SAMPLE = 'Sample Time'
 TIME_DESCRIPTION_SCHEDULED_TO_END = 'Scheduled to end'
 TIME_DESCRIPTION_SCHEDULED_TO_START = 'Scheduled to start'
+TIME_DESCRIPTION_SENT = 'Sent Time'
 TIME_DESCRIPTION_START = 'Start Time'
 TIME_DESCRIPTION_UPDATE = 'Update Time'
 TIME_DESCRIPTION_WRITTEN = TIME_DESCRIPTION_MODIFICATION

plaso/parsers/sqlite_plugins/__init__.py

@@ -23,6 +23,7 @@
 from plaso.parsers.sqlite_plugins import mackeeper_cache
 from plaso.parsers.sqlite_plugins import safari
 from plaso.parsers.sqlite_plugins import skype
+from plaso.parsers.sqlite_plugins import tango_android
 from plaso.parsers.sqlite_plugins import twitter_android
 from plaso.parsers.sqlite_plugins import twitter_ios
 from plaso.parsers.sqlite_plugins import windows_timeline