log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

Implemented Apple biome file parser #4878

Open rick-slin opened 2 months ago

rick-slin commented 2 months ago

One line description of pull request

The parser handles the Apple biome files (aka SEGB). Two parser plugins are included for application installation and launch.

Related issue (if applicable): fixes #4812

Notes:

All contributions to Plaso undergo code review. This makes sure that the code has appropriate test coverage and conforms to the Plaso style guide.

One of the maintainers will examine your code, and may request changes. Check off the items below in order, and then a maintainer will review your code.

Checklist:

joachimmetz commented 2 months ago

Thanks for the PR, I'll take a look as time permits.

joachimmetz commented 2 months ago

Rebased with upstream for failing CI tests.

joachimmetz commented 2 months ago

@rick-slin PTAL, CI tests are failing https://github.com/log2timeline/plaso/actions/runs/8957629211/job/24600914034?pr=4878#step:7:3036

======================================================================
ERROR: testExamineEventAndCompileReport (analysis.browser_search.BrowserSearchAnalysisTest)
Tests the ExamineEvent and CompileReport functions.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/__w/plaso/plaso/tests/analysis/browser_search.py", line 23, in testExamineEventAndCompileReport
    storage_writer = self._ParseAndAnalyzeFile(
  File "/__w/plaso/plaso/./tests/analysis/test_lib.py", line 76, in _ParseAndAnalyzeFile
    storage_writer = self._ParseFile(path_segments, parser)
  File "/__w/plaso/plaso/./tests/analysis/test_lib.py", line 138, in _ParseFile
    self._ProcessEventData(storage_writer)
  File "/__w/plaso/plaso/./tests/analysis/test_lib.py", line 148, in _ProcessEventData
    event_data_timeliner = timeliner.EventDataTimeliner(
  File "/__w/plaso/plaso/./plaso/engine/timeliner.py", line 61, in __init__
    self._ReadConfigurationFile()
  File "/__w/plaso/plaso/./plaso/engine/timeliner.py", line 354, in _ReadConfigurationFile
    for timeliner_definition in configuration_file.ReadFromFile(path):
  File "/__w/plaso/plaso/./plaso/engine/yaml_timeliner_file.py", line 120, in ReadFromFile
    for yaml_definition in self._ReadFromFileObject(file_object):
  File "/__w/plaso/plaso/./plaso/engine/yaml_timeliner_file.py", line 108, in _ReadFromFileObject
    yield self._ReadTimelinerDefinition(yaml_definition)
  File "/__w/plaso/plaso/./plaso/engine/yaml_timeliner_file.py", line 88, in _ReadTimelinerDefinition
    timeliner_definition.attribute_mappings = {
  File "/__w/plaso/plaso/./plaso/engine/yaml_timeliner_file.py", line 89, in <dictcomp>
    attribute_mapping['name']: attribute_mapping['description']
KeyError: 'description'
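
The KeyError above comes from the timeliner YAML reader indexing every attribute mapping for both 'name' and 'description', so one definition that omits 'description' aborts the whole configuration load with no hint of which definition is at fault. Below is an added pre-flight check, not plaso's own code and not part of this PR: it walks already-parsed definitions (the objects yaml.safe_load_all() would return) and reports each missing key together with the definition index and its data_type. The overall layout assumed here (one YAML document per definition, a data_type key, an attribute_mappings list) and the sample definitions are assumptions for the example; only the name/description requirement is taken from the traceback.

```python
REQUIRED_DEFINITION_KEYS = ("data_type", "attribute_mappings")  # data_type is assumed
REQUIRED_MAPPING_KEYS = ("name", "description")  # both are indexed in the traceback above


def check_timeliner_definitions(definitions):
    """Return human-readable problems for a list of parsed timeliner definitions.

    definitions is what yaml.safe_load_all() would yield for the file: one dict
    per YAML document. An empty result means nothing required is missing.
    """
    problems = []
    for index, definition in enumerate(definitions, start=1):
        if not isinstance(definition, dict):
            problems.append("definition %d: expected a mapping, got %s"
                            % (index, type(definition).__name__))
            continue
        data_type = definition.get("data_type", "<no data_type>")
        for key in REQUIRED_DEFINITION_KEYS:
            if key not in definition:
                problems.append("definition %d (%s): missing key '%s'" % (index, data_type, key))
        mappings = definition.get("attribute_mappings")
        if mappings is None:
            continue
        if not isinstance(mappings, list):
            problems.append("definition %d (%s): attribute_mappings must be a list"
                            % (index, data_type))
            continue
        for position, mapping in enumerate(mappings, start=1):
            if not isinstance(mapping, dict):
                problems.append("definition %d (%s): attribute mapping %d is not a mapping"
                                % (index, data_type, position))
                continue
            name = mapping.get("name", "#%d" % position)
            for key in REQUIRED_MAPPING_KEYS:
                if key not in mapping:
                    # This is exactly the case that surfaces as KeyError: 'description'.
                    problems.append("definition %d (%s): attribute mapping '%s' missing key '%s'"
                                    % (index, data_type, name, key))
    return problems


# Constructed sample definitions; the data_type values are made up for this example.
SAMPLE_DEFINITIONS = [
    {"data_type": "example:biome:app_install",
     "attribute_mappings": [{"name": "event_time", "description": "Installation Time"}]},
    {"data_type": "example:biome:app_launch",
     "attribute_mappings": [{"name": "event_time"}]},  # no description: the failing case
]
```

Running the check over a definition file before committing it turns the bare KeyError into a message that names the definition and mapping to fix.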

rick-slin commented 2 months ago

The more I think about this PR, the more I'm convinced that reverse engineering proto definition files and compiling them into the Python classes for proper parsing is the better solution. @joachimmetz What do you think? It will take more work on my end, but I think it would be worthwhile. Would the proto file be part of the plaso repo or just the compiled Python classes?
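
The comment above proposes recovering the .proto definitions for the records. As an added example that is not part of this PR or of plaso, the following Python decodes the protobuf wire format without any schema, which is the first step of that reverse engineering: it yields each field number, its wire type and a best-effort interpretation of the value (printable UTF-8 text, a nested message, or raw bytes), so the .proto can then be written from what is observed. The sample record, its field numbers and the meanings noted in the comments are constructed for illustration and are not taken from real biome files.

```python
import struct

# Protobuf wire types (groups, 3 and 4, are deprecated and rejected below).
WT_VARINT, WT_FIXED64, WT_LEN, WT_FIXED32 = 0, 1, 2, 5


def encode_varint(value):
    """Encode a non-negative integer as a base-128 varint."""
    out = bytearray()
    while value > 0x7F:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def encode_field(field_number, wire_type, payload):
    """Prefix an already wire-encoded payload with its tag."""
    return encode_varint((field_number << 3) | wire_type) + payload


def read_varint(data, pos):
    """Return (value, next_pos) for the varint starting at pos."""
    result, shift = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated varint at offset %d" % pos)
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes at offset %d" % pos)


def read_fixed(data, pos, fmt):
    """Return (value, next_pos) for a little-endian fixed-width field."""
    size = struct.calcsize(fmt)
    if pos + size > len(data):
        raise ValueError("truncated fixed field at offset %d" % pos)
    return struct.unpack_from(fmt, data, pos)[0], pos + size


def interpret_length_delimited(raw, depth):
    """Best-effort guess: printable UTF-8 text, else a nested message, else bytes."""
    try:
        text = raw.decode("utf-8")
        if text.isprintable():
            return text
    except UnicodeDecodeError:
        pass
    if depth < 3:  # bound recursion so hostile input cannot nest forever
        try:
            return decode_fields(raw, depth + 1)
        except ValueError:
            pass
    return raw


def decode_fields(data, depth=0):
    """Decode a message into [(field_number, wire_type, value), ...] without a schema."""
    fields, pos = [], 0
    while pos < len(data):
        tag, pos = read_varint(data, pos)
        field_number, wire_type = tag >> 3, tag & 0x7
        if field_number == 0:
            raise ValueError("invalid field number 0 at offset %d" % pos)
        if wire_type == WT_VARINT:
            value, pos = read_varint(data, pos)
        elif wire_type == WT_FIXED64:
            value, pos = read_fixed(data, pos, "<Q")
        elif wire_type == WT_FIXED32:
            value, pos = read_fixed(data, pos, "<I")
        elif wire_type == WT_LEN:
            length, pos = read_varint(data, pos)
            if pos + length > len(data):
                raise ValueError("truncated length-delimited field at offset %d" % pos)
            value = interpret_length_delimited(data[pos:pos + length], depth)
            pos += length
        else:
            raise ValueError("unsupported wire type %d at offset %d" % (wire_type, pos))
        fields.append((field_number, wire_type, value))
    return fields


def fixed64_as_double(value):
    """Reinterpret a fixed64 payload as an IEEE 754 double, a common timestamp encoding."""
    return struct.unpack("<d", struct.pack("<Q", value))[0]


# Constructed sample record (not real biome data). The field numbers and the
# meanings noted here are assumptions made for this example only.
SAMPLE_RECORD = (
    encode_field(1, WT_VARINT, encode_varint(150))                               # a counter
    + encode_field(2, WT_LEN, encode_varint(16) + b"com.apple.Safari")           # a bundle id
    + encode_field(3, WT_FIXED64, struct.pack("<d", 725846400.0))                # a double timestamp
    + encode_field(4, WT_LEN, encode_varint(4) + encode_field(1, WT_VARINT, encode_varint(1))
                   + encode_field(2, WT_VARINT, encode_varint(2)))               # a nested message
    + encode_field(5, WT_FIXED32, struct.pack("<I", 0xDEADBEEF))                 # fixed32 flags
)
```

decode_fields(SAMPLE_RECORD) lists the five fields with their wire types; a fixed64 that is really a double timestamp is recovered with fixed64_as_double. Once the field numbers and types are stable across many real records, they can be written down as the .proto message and compiled, which is the approach the comment above proposes.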