Added Android turbo.db SQLite parser plugin (#4880)

log2timeline · May 6, 2024 · abe91f5 · abe91f5
1 parent 32ae7ba
commit abe91f5
Show file tree

Hide file tree

Showing 7 changed files with 172 additions and 0 deletions.
diff --git a/plaso/data/formatters/android.yaml b/plaso/data/formatters/android.yaml
@@ -12,6 +12,32 @@ short_source: 'LOG'
 source: 'Android App Usage'
 ---
 type: 'conditional'
+data_type: 'android:event:battery'
+enumeration_helpers:
+- input_attribute: 'charge_type'
+  output_attribute: 'charge_type_string'
+  default_value: 'UNKNOWN'
+  values:
+    0: 'not charging'
+    1: 'rapid charging'
+    2: 'slow charging'
+    3: 'wireless charging'
+- input_attribute: 'battery_saver'
+  output_attribute: 'battery_saver_string'
+  default_value: 'UNKNOWN'
+  values:
+    1: 'on'
+    2: 'off'
+message:
+- 'Battery level: {battery_level}'
+- 'Battery saver: {battery_saver_string}'
+- 'Charge type: {charge_type_string}'
+short_message:
+- 'Battery level: {battery_level}'
+short_source: 'LOG'
+source: 'Android Turbo Battery Events'
+---
+type: 'conditional'
 data_type: 'android:event:call'
 enumeration_helpers:
 - input_attribute: 'call_type'

diff --git a/plaso/data/presets.yaml b/plaso/data/presets.yaml
@@ -8,6 +8,7 @@ parsers:
 - filestat
 - sqlite/android_calls
 - sqlite/android_sms
+- sqlite/android_turbo
 - sqlite/android_webview
 - sqlite/android_webviewcache
 - sqlite/chrome_8_history

diff --git a/plaso/data/timeliner.yaml b/plaso/data/timeliner.yaml
@@ -6,6 +6,12 @@ attribute_mappings:
   description: 'Last Resume Time'
 place_holder_event: true
 ---
+data_type: 'android:event:battery'
+attribute_mappings:
+- name: 'recorded_time'
+  description: 'Recorded Time'
+place_holder_event: true
+---
 data_type: 'android:event:call'
 attribute_mappings:
 - name: 'end_time'

diff --git a/plaso/parsers/sqlite_plugins/__init__.py b/plaso/parsers/sqlite_plugins/__init__.py
@@ -5,6 +5,7 @@
 from plaso.parsers.sqlite_plugins import android_hangouts
 from plaso.parsers.sqlite_plugins import android_sms
 from plaso.parsers.sqlite_plugins import android_tango
+from plaso.parsers.sqlite_plugins import android_turbo
 from plaso.parsers.sqlite_plugins import android_twitter
 from plaso.parsers.sqlite_plugins import android_webview
 from plaso.parsers.sqlite_plugins import android_webviewcache

diff --git a/plaso/parsers/sqlite_plugins/android_turbo.py b/plaso/parsers/sqlite_plugins/android_turbo.py
@@ -0,0 +1,85 @@
+# -*- coding: utf-8 -*-
+"""SQLite parser plugin for Android turbo database files."""
+
+from dfdatetime import posix_time as dfdatetime_posix_time
+
+from plaso.containers import events
+from plaso.parsers import sqlite
+from plaso.parsers.sqlite_plugins import interface
+
+
+class AndroidTurboBatteryEvent(events.EventData):
+  """Android turbo battery event data.
+
+  Attributes:
+    battery_level (int): Remaining battery level, expressed as a percentage.
+    battery_saver (int): Indicates if battery saver is turn on.
+    charge_type (int): Indicates that the device is charging.
+    recorded_time (dfdatetime.DateTimeValues): date and time the battery event
+        was recorded.
+  """
+
+  DATA_TYPE = 'android:event:battery'
+
+  def __init__(self):
+    """Initializes event data."""
+    super(AndroidTurboBatteryEvent, self).__init__(data_type=self.DATA_TYPE)
+    self.battery_level = None
+    self.battery_saver = None
+    self.charge_type = None
+    self.recorded_time = None
+
+
+class AndroidTurboPlugin(interface.SQLitePlugin):
+  """SQLite parser plugin for Android's turbo.db database files."""
+
+  NAME = 'android_turbo'
+  DATA_FORMAT = 'Android turbo SQLite database (turbo.db) file'
+
+  REQUIRED_STRUCTURE = {
+      'battery_event': frozenset([
+          'timestamp_millis', 'battery_level', 'charge_type', 'battery_saver'])}
+
+  QUERIES = [
+      ('SELECT timestamp_millis, battery_level, charge_type, battery_saver '
+       'FROM battery_event',
+       'ParseBatteryEventRow')]
+
+  SCHEMAS = [{
+      'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)',
+      'battery_event':  (
+          'CREATE TABLE battery_event(timestamp_millis INTEGER PRIMARY KEY '
+          'DESC, battery_level INTEGER, charge_type INTEGER, battery_saver '
+          'INTEGER, timezone TEXT, place_key INTEGER, FOREIGN KEY(place_key) '
+          'REFERENCES charging_places(_id))'),
+      'charging_places': (
+          'CREATE TABLE charging_places(_id INTEGER PRIMARY KEY, place_name '
+          'TEXT, place_api_id TEXT, UNIQUE(place_api_id) ON CONFLICT IGNORE)')}]
+
+  def ParseBatteryEventRow(self, parser_mediator, query, row, **unused_kwargs):
+    """Parses a row from the battery_event table.
+
+    Args:
+      parser_mediator (ParserMediator): mediates interactions between parsers
+          and other components, such as storage and dfVFS.
+      query (str): query that created the row.
+      row (sqlite3.Row): row.
+    """
+    query_hash = hash(query)
+
+    event_data = AndroidTurboBatteryEvent()
+    event_data.battery_level = self._GetRowValue(
+        query_hash, row, 'battery_level')
+    event_data.battery_saver = self._GetRowValue(
+        query_hash, row, 'battery_saver')
+    event_data.charge_type = self._GetRowValue(query_hash, row, 'charge_type')
+
+    timestamp = self._GetRowValue(query_hash, row, 'timestamp_millis')
+
+    event_data.recorded_time = dfdatetime_posix_time.PosixTimeInMilliseconds(
+        timestamp=timestamp)
+
+    parser_mediator.ProduceEventData(event_data)
+
+
+sqlite.SQLiteParser.RegisterPlugin(AndroidTurboPlugin)
diff --git a/test_data/android_turbo.db b/test_data/android_turbo.db
diff --git a/tests/parsers/sqlite_plugins/android_turbo.py b/tests/parsers/sqlite_plugins/android_turbo.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""Tests for the Android turbo plugin."""
+
+import unittest
+
+from plaso.parsers.sqlite_plugins import android_turbo
+
+from tests.parsers.sqlite_plugins import test_lib
+
+
+class AndroidTurboSQLitePluginTest(test_lib.SQLitePluginTestCase):
+  """Tests for the Android turbo database plugin."""
+
+  def testProcess(self):
+    """Tests the Process function on an Android turbo.db file."""
+    plugin = android_turbo.AndroidTurboPlugin()
+    storage_writer = self._ParseDatabaseFileWithPlugin(
+        ['android_turbo.db'], plugin)
+
+    number_of_event_data = storage_writer.GetNumberOfAttributeContainers(
+        'event_data')
+    self.assertEqual(number_of_event_data, 2717)
+
+    number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
+        'extraction_warning')
+    self.assertEqual(number_of_warnings, 0)
+
+    number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
+        'recovery_warning')
+    self.assertEqual(number_of_warnings, 0)
+
+    expected_event_values = {
+        'battery_level': 99,
+        'battery_saver': 2,
+       'charge_type': 0,
+       'recorded_time': '2023-05-27T13:06:46.000+00:00'}
+
+    event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0)
+    self.CheckEventData(event_data, expected_event_values)
+
+    expected_event_values = {
+        'battery_level': 54,
+        'battery_saver': 2,
+        'charge_type': 1,
+        'recorded_time': '2023-06-22T11:26:27.000+00:00'}
+
+    event_data = storage_writer.GetAttributeContainerByIndex('event_data', 2138)
+    self.CheckEventData(event_data, expected_event_values)
+
+
+if __name__ == '__main__':
+  unittest.main()