expanded the number of parsed fields

rick-slin · joachimmetz · commit 72ddaf1d6f66 · 2024-02-18T07:03:52.000+01:00
diff --git a/data/formatters/macos.yaml b/data/formatters/macos.yaml
@@ -3,12 +3,18 @@
 type: 'conditional'
 data_type: 'apple:ips_recovery_logd'
 message:
-- 'Application Name :{application_name}'
-- 'Application Version :{application_version}'
-- 'Bug Type :{bug_type}'
-- 'Device Model :{device_model}'
-- 'Incident Identifier :{incident_identifier}'
-- 'OS version :{os_version}'
+- 'Application Name: {application_name}'
+- 'Application Version: {application_version}'
+- 'Bug Type: {bug_type}'
+- 'Device Model: {device_model}'
+- 'Exception Type: {exception_type}'
+- 'Incident Identifier: {incident_identifier}'
+- 'OS Version: {os_version}'
+- 'Parent Process: {parent_process}'
+- 'Parent Process Identifier: {parent_process_identifier}'
+- 'Process Identifier: {process_identifier}'
+- 'Process Launch Time: {process_launch_time}'
+- 'User Identifier: {user_identifier}'
 short_message:
 - 'Bug Type :{bug_type}'
 - 'Device Model :{device_model}'
diff --git a/plaso/parsers/ips_plugins/recovery_logd.py b/plaso/parsers/ips_plugins/recovery_logd.py
@@ -17,10 +17,18 @@ class AppleRecoveryLogdEvent(events.EventData):
     application_name (str): name of the application.
     application_version (str): version of the application.
     bug_type (str): type of bug.
+    crash_reporter_key (str):
     device_model (str): model of the device.
     event_time (dfdatetime.DateTimeValues): date and time of the crash report.
+    exception_type (str): type of the exception that caused the crash.
     incident_identifier (str): uuid for crash.
     os_version (str): version of the operating system.
+    parent_process (str): parent process.
+    parent_process_identifier (int): process identifier of the parent process.
+    process_identifier (int): process identifier.
+    process_launch_time (dfdatetime.DateTimeValues): date and time when the
+        process started.
+    user_identifier (int): user identifier of the process.
   """
   DATA_TYPE = 'apple:ips_recovery_logd'
 
@@ -30,10 +38,17 @@ def __init__(self):
     self.application_name = None
     self.application_version = None
     self.bug_type = None
+    self.crash_reporter_key = None
     self.device_model = None
     self.event_time = None
+    self.exception_type = None
     self.incident_identifier = None
     self.os_version = None
+    self.parent_process = None
+    self.parent_process_identifier = None
+    self.process_identifier = None
+    self.process_launch_time = None
+    self.user_identifier = None
 
 
 class AppleRecoveryLogdIPSPlugin(interface.IPSPlugin):
@@ -48,7 +63,7 @@ class AppleRecoveryLogdIPSPlugin(interface.IPSPlugin):
       'app_name', 'app_version', 'bug_type', 'incident_id', 'os_version',
       'timestamp']
   REQUIRED_CONTENT_KEYS = [
-      'pid', 'procLaunch', 'threads', 'usedImages']
+      'captureTime', 'modelCode', 'os_version', 'pid', 'procLaunch', ]
 
   _TWO_DIGITS = pyparsing.Word(pyparsing.nums, exact=2).setParseAction(
       lambda tokens: int(tokens[0], 10))
@@ -63,7 +78,7 @@ class AppleRecoveryLogdIPSPlugin(interface.IPSPlugin):
       _TWO_DIGITS.setResultsName('hours') + pyparsing.Suppress(':') +
       _TWO_DIGITS.setResultsName('minutes') + pyparsing.Suppress(':') +
       _TWO_DIGITS.setResultsName('seconds') + pyparsing.Suppress('.') +
-      _TWO_DIGITS.setResultsName('hundredth') +
+      _FOUR_DIGITS.setResultsName('fraction') +
       pyparsing.Word(
           pyparsing.nums + '+' + '-').setResultsName('timezone_delta'))
 
@@ -72,58 +87,87 @@ def __init__(self):
     super(AppleRecoveryLogdIPSPlugin, self).__init__()
     self._event_data = None
 
-  # pylint: disable=unused-argument
-  def Process(self, parser_mediator, ips_file=None, **unused_kwargs):
-    """Extracts information from an IPS log file.
-    This is the main method that an IPS plugin needs to implement.
+  def _ParseTimestampValue(self, parser_mediator, timestamp_text):
+    """Parses a timestamp string.
+
     Args:
       parser_mediator (ParserMediator): parser mediator.
-      ips_file (Optional[IpsFile]): database.
-    Raises:
-      ValueError: If the file value is missing.
-    """
-    if ips_file is None:
-      raise ValueError('Missing ips_file value')
-
-    # This will raise if unhandled keyword arguments are passed.
-    super(AppleRecoveryLogdIPSPlugin, self).Process(parser_mediator)
-
-    event_data = AppleRecoveryLogdEvent()
-    event_data.application_name = ips_file.header.get('app_name')
-    event_data.application_version = ips_file.header.get('app_version')
-    event_data.bug_type = ips_file.header.get('bug_type')
-    event_data.device_model = ips_file.content.get('modelCode')
-    event_data.incident_identifier = ips_file.header.get('incident_id')
-    event_data.os_version = ips_file.header.get('os_version')
-
-    timestamp = ips_file.header.get('timestamp')
-
-    parsed_timestamp = self.TIMESTAMP_GRAMMAR.parseString(timestamp)
+      timestamp_text (str): the timestamp to parse.
 
+    Returns:
+       dfdatetime.TimeElements: date and time
+          or None if not available.
+    """
     # dfDateTime takes the time zone offset as number of minutes relative from
     # UTC. So for Easter Standard Time (EST), which is UTC-5:00 the sign needs
     # to be converted, to +300 minutes.
+
+    parsed_timestamp = self.TIMESTAMP_GRAMMAR.parseString(timestamp_text)
+
     try:
       time_delta_hours = int(parsed_timestamp['timezone_delta'][:3], 10)
       time_delta_minutes = int(parsed_timestamp['timezone_delta'][3:], 10)
     except (TypeError, ValueError):
       parser_mediator.ProduceExtractionWarning(
           'unsupported timezone offset value')
-      return
+      return None
 
     time_zone_offset = (time_delta_hours * -60) + time_delta_minutes
 
     try:
-      event_data.event_time = dfdatetime_time_elements.TimeElements(
+      milliseconds = round(parsed_timestamp['fraction']/10)
+
+      time_element_object = dfdatetime_time_elements.TimeElementsInMilliseconds(
           time_elements_tuple=(
               parsed_timestamp['year'], parsed_timestamp['month'],
               parsed_timestamp['day'], parsed_timestamp['hours'],
-              parsed_timestamp['minutes'], parsed_timestamp['seconds']),
+              parsed_timestamp['minutes'], parsed_timestamp['seconds'],
+              milliseconds),
           time_zone_offset=time_zone_offset)
 
     except (TypeError, ValueError):
       parser_mediator.ProduceExtractionWarning('unsupported date time value')
-      return
+      return None
+
+    return time_element_object
+
+  # pylint: disable=unused-argument
+  def Process(self, parser_mediator, ips_file=None, **unused_kwargs):
+    """Extracts information from an IPS log file.
+    This is the main method that an IPS plugin needs to implement.
+    Args:
+      parser_mediator (ParserMediator): parser mediator.
+      ips_file (Optional[IpsFile]): database.
+    Raises:
+      ValueError: If the file value is missing.
+    """
+    if ips_file is None:
+      raise ValueError('Missing ips_file value')
+
+    # This will raise if unhandled keyword arguments are passed.
+    super(AppleRecoveryLogdIPSPlugin, self).Process(parser_mediator)
+
+    event_data = AppleRecoveryLogdEvent()
+    event_data.application_name = ips_file.header.get('app_name')
+    event_data.application_version = ips_file.header.get('app_version')
+    event_data.bug_type = ips_file.header.get('bug_type')
+    event_data.device_model = ips_file.content.get('modelCode')
+    event_data.exception_type = ips_file.content.get(
+          'exception', {}).get('type')
+    event_data.incident_identifier = ips_file.header.get('incident_id')
+    event_data.os_version = ips_file.header.get('os_version')
+    event_data.parent_process = ips_file.content.get('parentProc')
+    event_data.parent_process_identifier = ips_file.content.get('parentPid')
+    event_data.process_identifier = ips_file.content.get('pid')
+    event_data.user_identifier = ips_file.content.get('userID')
+
+    event_timestamp = ips_file.content.get('captureTime')
+    event_data.event_time = self._ParseTimestampValue(
+        parser_mediator, event_timestamp)
+
+    launch_timestamp = ips_file.content.get('procLaunch')
+    event_data.process_launch_time = self._ParseTimestampValue(
+        parser_mediator, launch_timestamp)
 
     parser_mediator.ProduceEventData(event_data)
 
diff --git a/tests/parsers/ips_plugins/recovery_logd.py b/tests/parsers/ips_plugins/recovery_logd.py
@@ -27,9 +27,15 @@ def testProcess(self):
         'application_version': '',
         'bug_type': '309',
         'device_model': 'iBridge2,14',
-        'event_time': '2023-06-08T14:49:13+00:00',
+        'exception_type': 'EXC_CRASH',
+        'event_time': '2023-06-08T14:49:13.520+00:00',
         'incident_identifier': '9505C5CC-07DE-4E81-BCCE-60D07C96D1B1',
-        'os_version': 'Bridge OS 7.5 (20P5058)'}
+        'os_version': 'Bridge OS 7.5 (20P5058)',
+        'parent_process': 'launchd',
+        'parent_process_identifier': 1,
+        'process_identifier': 74,
+        'process_launch_time': '2023-06-08T14:49:12.507+00:00',
+        'user_identifier': 501}
 
     event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0)
     self.CheckEventData(event_data, expected_event_values)
