From a28171cf92eeacb4c53a2d214129c511b313a0a1 Mon Sep 17 00:00:00 2001 From: Joachim Metz Date: Sat, 3 Feb 2024 11:39:26 +0100 Subject: [PATCH] Added parser for Mac OS com.apple.loginitems.plist Alias data --- ... in and out (CPIO) archive format.asciidoc | 28 +- ...c OS login item alias data format.asciidoc | 709 ++++++++++++++++++ ...tem Events Disk Log Stream format.asciidoc | 18 +- dtformats/alias_data.debug.yaml | 67 ++ dtformats/alias_data.py | 156 ++++ dtformats/alias_data.yaml | 181 +++++ dtformats/data_format.py | 20 + dtformats/dfvfs_helpers.py | 2 - dtformats/firefox_cache1.debug.yaml | 4 +- dtformats/firefox_cache1.py | 2 +- scripts/alias_data.py | 75 ++ .../com.apple.loginitems.plist.alias_data | Bin 0 -> 216 bytes tests/alias_data.py | 35 + 13 files changed, 1289 insertions(+), 8 deletions(-) create mode 100644 documentation/Mac OS login item alias data format.asciidoc create mode 100644 dtformats/alias_data.debug.yaml create mode 100644 dtformats/alias_data.py create mode 100644 dtformats/alias_data.yaml create mode 100755 scripts/alias_data.py create mode 100644 test_data/com.apple.loginitems.plist.alias_data create mode 100644 tests/alias_data.py diff --git a/documentation/Copy in and out (CPIO) archive format.asciidoc b/documentation/Copy in and out (CPIO) archive format.asciidoc index a9f6fc6..d3384d2 100644 --- a/documentation/Copy in and out (CPIO) archive format.asciidoc +++ b/documentation/Copy in and out (CPIO) archive format.asciidoc @@ -6,6 +6,7 @@ :numbered!: [abstract] == Summary + The copy in and out (CPIO) archive format is an archive format that predates TAR but is still being used e.g. in initramfs or rpm. @@ -14,6 +15,7 @@ specification. [preface] == Document information + [cols="1,5"] |=== | Author(s): | Joachim Metz @@ -24,8 +26,9 @@ specification. [preface] == License + .... -Copyright (C) 2016, Joachim Metz . +Copyright (C) 2016-2024, Joachim Metz . Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no @@ -35,17 +38,20 @@ in the section entitled "GNU Free Documentation License". [preface] == Revision history + [cols="1,1,1,5",options="header"] |=== | Version | Author | Date | Comments | 0.0.1 | J.B. Metz | February 2016 | Initial version. +| 0.0.2 | J.B. Metz | February 2024 | Changes for formatting. |=== :numbered: == Overview + The copy in and out (CPIO) archive format is an archive format that predates TAR but is still being used e.g. in initramfs or rpm. There are multiple -variant of the CPIO format: +variants of the CPIO format: * binary CPIO format * portable ASCII CPIO format @@ -65,6 +71,7 @@ A CPIO file consists of: |=== == Binary CPIO format + The binary CPIO format (or "bin"), sometimes referred to as the old CPIO format, stores the values as either big-endian or little-endian binary data. @@ -98,6 +105,7 @@ Should be set to 0 |=== == Portable ASCII CPIO format + The portable ASCII CPIO format (or "odc"), sometimes referred to as the old character or POSIX.1 format, stores the values are as octal strings. @@ -121,6 +129,7 @@ The size of the path string including the end-of-string character (NUL) |=== == New ASCII CPIO format + The new (SVR4) ASCII CPIO format stores the values as hexadecimal strings. The new ASCII CPIO format is technically 2 different formats one without ("newc") and one with a checksum ("crc"). Both support file systems having more than @@ -158,6 +167,7 @@ Should be set to 0 [yellow-background]*TODO: describe checksum* == Mode (permissions and type) + [yellow-background]*TODO: convert text to table* .... @@ -183,6 +193,7 @@ Should be set to 0 The link target of a symbolic link is stored as file data. == Notes + Predecessor to CPIO is the PWB/UNIX 1.0 format? .... @@ -208,6 +219,7 @@ How do file entries with duplicate path need to be handled? [appendix] == GNU Free Documentation License + Version 1.3, 3 November 2008 Copyright © 2000, 2001, 2002, 2007, 2008 Free Software Foundation, Inc. @@ -216,6 +228,7 @@ Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. === 0. PREAMBLE + The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, @@ -236,6 +249,7 @@ recommend this License principally for works whose purpose is instruction or reference. === 1. APPLICABILITY AND DEFINITIONS + This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, @@ -314,6 +328,7 @@ disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License. === 2. VERBATIM COPYING + You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in @@ -327,6 +342,7 @@ You may also lend copies, under the same conditions stated above, and you may publicly display copies. === 3. COPYING IN QUANTITY + If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, @@ -360,6 +376,7 @@ well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document. === 4. MODIFICATIONS + You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the @@ -452,6 +469,7 @@ permission to use their names for publicity for or to assert or imply endorsement of any Modified Version. === 5. COMBINING DOCUMENTS + You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the @@ -473,6 +491,7 @@ combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements". === 6. COLLECTIONS OF DOCUMENTS + You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, @@ -485,6 +504,7 @@ into the extracted document, and follow this License in all other respects regarding verbatim copying of that document. === 7. AGGREGATION WITH INDEPENDENT WORKS + A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the @@ -501,6 +521,7 @@ in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate. === 8. TRANSLATION + Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright @@ -518,6 +539,7 @@ If a section in the Document is Entitled "Acknowledgements", "Dedications", or typically require changing the actual title. === 9. TERMINATION + You may not copy, modify, sublicense, or distribute the Document except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, or distribute it is void, and will automatically terminate your @@ -541,6 +563,7 @@ your rights have been terminated and not permanently reinstated, receipt of a copy of some or all of the same material does not give you any rights to use it. === 10. FUTURE REVISIONS OF THIS LICENSE + The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems @@ -558,6 +581,7 @@ License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Document. === 11. RELICENSING + "Massive Multiauthor Collaboration Site" (or "MMC Site") means any World Wide Web server that publishes copyrightable works and also provides prominent facilities for anybody to edit those works. A public wiki that anybody can edit diff --git a/documentation/Mac OS login item alias data format.asciidoc b/documentation/Mac OS login item alias data format.asciidoc new file mode 100644 index 0000000..5a4838d --- /dev/null +++ b/documentation/Mac OS login item alias data format.asciidoc @@ -0,0 +1,709 @@ += Mac OS login item alias data format + +:toc: +:toclevels: 4 + +:numbered!: +[abstract] +== Summary + +The Mac OS login item alias data format is used by the +com.apple.loginitems.plist file. + +This document is intended as a working document for the Mac OS login item +alias data format specification. + +[preface] +== Document information + +[cols="1,5"] +|=== +| Author(s): | Joachim Metz +| Abstract: | MacOS Finder Alias and Bookmark file format specification +| Classification: | Public +| Keywords: | Alias, Bookmark +|=== + +[preface] +== License + +.... +Copyright (C) 2024, Joachim Metz . +Permission is granted to copy, distribute and/or modify this document under the +terms of the GNU Free Documentation License, Version 1.3 or any later version +published by the Free Software Foundation; with no Invariant Sections, no +Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included +in the section entitled "GNU Free Documentation License". +.... + +[preface] +== Revision history + +[cols="1,1,1,5",options="header"] +|=== +| Version | Author | Date | Comments +| 0.0.1 | J.B. Metz | February 2024 | Initial version. +|=== + +:numbered: +== Overview + +The Mac OS login item alias data format is used by the +com.apple.loginitems.plist file. + +[NOTE] +This document used Mac OS to refer to the Macintosh Operating System in general, +instead of specific versions like Mac OS X or macOS. Mac OS X is used to refer +to version of Mac OS 10.0 or later. + +The alias data is stored in the property of the following keys: + +.... +/SessionItems/CustomListItems/CustomItemProperties/Alias +/SessionItems/CustomListItems/CustomItemProperties/com.apple.loginitem.legacyprefs/AliasData +.... + +[cols="1,5",options="header"] +|=== +| Characteristics | Description +| Byte order | Big-endian +| Date and time values | HFS+ date and time +| Character strings | +|=== + +=== Test version + +The following version of programs were used to test the information within +this document: + +* Mac OS X 10.7 (Lion) +* Mac OS X 10.8 (Mountain Lion) +* Mac OS X 10.9 (Mavericks) +* macOS 10.12 (Sierra) + +== Alias data + +The alias data consists of: + +* one or more record + +=== Record + +A record consists of: + +* a <> +* record data +* optional <> + +==== [[record_header]]Record header + +The record header is 8 bytes in size and consists of: + +[cols="1,1,1,5",options="header"] +|=== +| Offset | Size | Value | Description +| 0 | 4 | | [yellow-background]*Unknown (creator code / application information)* +| 4 | 2 | | Record size + +Contains the size of the record including the size of the header +| 6 | 2 | | Format version +|=== + +===== Format versions + +[cols="1,1,5",options="header"] +|=== +| Value | Identifier | Description +| 2 | | [yellow-background]*Unknown* +| 3 | | Observed on Mac OS 10.7 +|=== + +==== [[tagged_value]]Tagged value + +The tagged value is variable in size and consists of: + +[cols="1,1,1,5",options="header"] +|=== +| Offset | Size | Value | Description +| 0 | 2 | | Value tag + +See section: <> +| 2 | 2 | | Value data size +| 4 | ... | | Value data +| ... | ... | | 16-bit alignment padding +|=== + +==== [[value_tags]]Value tags + +[cols="1,1,5",options="header"] +|=== +| Value | Identifier | Description +| 0x0000 | | [yellow-background]*Unknown (Carbon folder name)* + +Contains an UTF-8 encoded string without end-of-string character +| 0x0001 | | [yellow-background]*Unknown (chain of ancestor file system identifier)* + +Contains an array of file system identifiers, where the first element is the parent of the target, the second the grand parrent, etc. +| 0x0002 | | [yellow-background]*Unknown (Carbon/HFS path)* + +Contains an UTF-8 encoded string without end-of-string character +| 0x0003 | | [yellow-background]*Unknown (AppleShare zone (a string))* +| 0x0004 | | [yellow-background]*Unknown (AppleShare server name (a string))* +| 0x0005 | | [yellow-background]*Unknown (AppleShare username (a string))* +| 0x0006 | | [yellow-background]*Unknown (Driver name)* + +Contains an UTF-8 encoded string without end-of-string character +| | | +| 0x0009 | | [yellow-background]*Unknown (Network mount information)* +| 0x000a | | [yellow-background]*Unknown (Dial-up connection information)* +| | | +| 0x000e | | Target file name + +See section: <> +| 0x000f | | Volume name + +See section: <> +| 0x0010 | | [yellow-background]*Unknown (High resolution volume creation date (65536ths of a second since 1904-01-01 00:00:00 UTC))* +| 0x0011 | | [yellow-background]*Unknown (High resolution creation date (65536ths of a second since 1904-01-01 00:00:00 UTC))* +| 0x0012 | | (POSIX) target path + +The path is relative from the mount point + +Contains an UTF-8 encoded string without end-of-string character +| 0x0013 | | (POSIX) volume mount point + +Contains an UTF-8 encoded string without end-of-string character +| 0x0014 | | [yellow-background]*Unknown (Recursive alias of disk image (an alias record) )* +| 0x0015 | | [yellow-background]*Unknown (User home length prefix (two-byte integer, says how many directory levels to the user’s home folder))* +| | | +| 0xfffe | | [yellow-background]*Unknown (None)* +| 0xffff | | Terminator + +Indicates the end of the tagged values + +Contains a value data size of 0 +|=== + +==== [[utf16_string_tagged_value_data]]UTF-16 string tagged value data + +[cols="1,1,1,5",options="header"] +|=== +| Offset | Size | Value | Description +| 0 | 2 | | Number of characters +| 2 | ... | | String data + +Contains an UTF-16 big-endian encoded string without end-of-string character +|=== + +=== Alias data version 2 record + +The alias data version 2 record is variable in size and consists of: + +[cols="1,1,1,5",options="header"] +|=== +| Offset | Size | Value | Description +4+| _Record header_ +| 0 | 4 | 0 | [yellow-background]*Unknown (creator code / application information)* +| 4 | 2 | | Record size + +Contains the size of the record including the size of the header +| 6 | 2 | 2 | Format version +4+| _Record data_ +| 8 | 2 | | Alias type + +See section: <> +| 10 | 28 | | Volume name string, where the first byte contains the size of the string +| 38 | 4 | | Volume creation date + +Contains a HFS+ date and time in seconds +| 42 | 2 | | File system type + +See section: <> +| 44 | 2 | | Disk type + +See section: <> +| 46 | 4 | | File system identifier of the parent (directory) + +Contains -1 (0xffffffff) if not set. +| 50 | 64 | | Target name string, where the first byte contains the size of the string +| 114 | 4 | | File system identifier of the target + +Contains -1 (0xffffffff) if not set. +| 118 | 4 | | Target creation date + +Contains a HFS+ date and time in seconds +| 122 | 4 | | [yellow-background]*Unknown (target creator code)* +| 126 | 4 | | [yellow-background]*Unknown (target type code)* +| 130 | 2 | | [yellow-background]*Unknown (Number of directory levels from alias to root (or -1))* +| 132 | 2 | | [yellow-background]*Unknown (Number of directory levels from root to target (or -1))* +| 134 | 4 | | [yellow-background]*Unknown (volume attributes/flags)* +| 138 | 2 | | [yellow-background]*Unknown (volume file system type)* +| 140 | 10 | | [yellow-background]*Unknown* +|=== + +==== [[file_system_type_v2]]File system type - version 2 + +[cols="1,1,5",options="header"] +|=== +| Value | Identifier | Description +| "H+" | | HFS+ +| "HX" | | HFSX +|=== + +=== Alias data version 3 record + +The alias data version 3 record is variable in size and consists of: + +[cols="1,1,1,5",options="header"] +|=== +| Offset | Size | Value | Description +4+| _Record header_ +| 0 | 4 | 0 | [yellow-background]*Unknown (creator code / application information)* +| 4 | 2 | | Record size + +Contains the size of the record including the size of the header +| 6 | 2 | 3 | Format version +4+| _Record data_ +| 8 | 2 | | Alias type + +See section: <> +| 10 | 8 | | High resolution volume creation date + +Contains a HFS+ date and time in 65536ths of a second +| 18 | 4 | | File system type + +See section: <> +| 22 | 2 | | Disk type + +See section: <> +| 24 | 4 | | File system identifier of the parent (directory) +| 28 | 4 | | File system identifier of the target +| 32 | 8 | | High resolution target creation date + +Contains a HFS+ date and time in 65536ths of a second +| 40 | 4 | | [yellow-background]*Unknown (volume attributes/flags)* +| 44 | 14 | | [yellow-background]*Unknown* +|=== + +==== [[file_system_type_v3]]File system type - version 3 + +[cols="1,1,5",options="header"] +|=== +| Value | Identifier | Description +| "BDcu" | | UDF +| "BDIS" | | FAT32 +| "BDxF" | | exFAT +| "H+\x00\x00" | HFS+ +| "HX\x00\x00" | HFSX +| "KG\x00\x00" | FTP +| "NTcu" | | NTFS +|=== + +=== [[alias_types]]Alias types + +[cols="1,1,5",options="header"] +|=== +| Value | Identifier | Description +| 0 | | File +| 1 | | Directory (or folder) +|=== + +=== [[disk_types]]Disk types + +[cols="1,1,5",options="header"] +|=== +| Value | Identifier | Description +| 0 | | Fixed disk +| 1 | | Network drive +| 2 | | 400Kb floppy disk +| 3 | | 800Kb floppy disk +| 4 | | 1.44MB floppy disk +| 5 | | [yellow-background]*Unknown (removable / ejectable drive)* +|=== + +=== [[volume_flags]]Volume flage + +[cols="1,1,5",options="header"] +|=== +| Value | Identifier | Description +| 0x0002 | | Is removable (ejectable) +| | | +| 0x0020 | | Is boot volume +| | | +| 0x0080 | | Is auto-mounted +| | | +| 0x0100 | | Has persistent file system identifiers +|=== + +:numbered!: +[appendix] +== References + +[cols="1,5",options="header"] +|=== +| Title: | Mac Alias Format +| URL: | https://mac-alias.readthedocs.io/en/latest/alias_fmt.html +|=== + +[appendix] +== GNU Free Documentation License + +Version 1.3, 3 November 2008 +Copyright © 2000, 2001, 2002, 2007, 2008 Free Software Foundation, Inc. + + +Everyone is permitted to copy and distribute verbatim copies of this license +document, but changing it is not allowed. + +=== 0. PREAMBLE + +The purpose of this License is to make a manual, textbook, or other functional +and useful document "free" in the sense of freedom: to assure everyone the +effective freedom to copy and redistribute it, with or without modifying it, +either commercially or noncommercially. Secondarily, this License preserves for +the author and publisher a way to get credit for their work, while not being +considered responsible for modifications made by others. + +This License is a kind of "copyleft", which means that derivative works of the +document must themselves be free in the same sense. It complements the GNU +General Public License, which is a copyleft license designed for free software. + +We have designed this License in order to use it for manuals for free software, +because free software needs free documentation: a free program should come with +manuals providing the same freedoms that the software does. But this License is +not limited to software manuals; it can be used for any textual work, +regardless of subject matter or whether it is published as a printed book. We +recommend this License principally for works whose purpose is instruction or +reference. + +=== 1. APPLICABILITY AND DEFINITIONS + +This License applies to any manual or other work, in any medium, that contains +a notice placed by the copyright holder saying it can be distributed under the +terms of this License. Such a notice grants a world-wide, royalty-free license, +unlimited in duration, to use that work under the conditions stated herein. The +"Document", below, refers to any such manual or work. Any member of the public +is a licensee, and is addressed as "you". You accept the license if you copy, +modify or distribute the work in a way requiring permission under copyright law. + +A "Modified Version" of the Document means any work containing the Document or +a portion of it, either copied verbatim, or with modifications and/or +translated into another language. + +A "Secondary Section" is a named appendix or a front-matter section of the +Document that deals exclusively with the relationship of the publishers or +authors of the Document to the Document's overall subject (or to related +matters) and contains nothing that could fall directly within that overall +subject. (Thus, if the Document is in part a textbook of mathematics, a +Secondary Section may not explain any mathematics.) The relationship could be a +matter of historical connection with the subject or with related matters, or of +legal, commercial, philosophical, ethical or political position regarding them. + +The "Invariant Sections" are certain Secondary Sections whose titles are +designated, as being those of Invariant Sections, in the notice that says that +the Document is released under this License. If a section does not fit the +above definition of Secondary then it is not allowed to be designated as +Invariant. The Document may contain zero Invariant Sections. If the Document +does not identify any Invariant Sections then there are none. + +The "Cover Texts" are certain short passages of text that are listed, as +Front-Cover Texts or Back-Cover Texts, in the notice that says that the +Document is released under this License. A Front-Cover Text may be at most 5 +words, and a Back-Cover Text may be at most 25 words. + +A "Transparent" copy of the Document means a machine-readable copy, represented +in a format whose specification is available to the general public, that is +suitable for revising the document straightforwardly with generic text editors +or (for images composed of pixels) generic paint programs or (for drawings) +some widely available drawing editor, and that is suitable for input to text +formatters or for automatic translation to a variety of formats suitable for +input to text formatters. A copy made in an otherwise Transparent file format +whose markup, or absence of markup, has been arranged to thwart or discourage +subsequent modification by readers is not Transparent. An image format is not +Transparent if used for any substantial amount of text. A copy that is not +"Transparent" is called "Opaque". + +Examples of suitable formats for Transparent copies include plain ASCII without +markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly +available DTD, and standard-conforming simple HTML, PostScript or PDF designed +for human modification. Examples of transparent image formats include PNG, XCF +and JPG. Opaque formats include proprietary formats that can be read and edited +only by proprietary word processors, SGML or XML for which the DTD and/or +processing tools are not generally available, and the machine-generated HTML, +PostScript or PDF produced by some word processors for output purposes only. + +The "Title Page" means, for a printed book, the title page itself, plus such +following pages as are needed to hold, legibly, the material this License +requires to appear in the title page. For works in formats which do not have +any title page as such, "Title Page" means the text near the most prominent +appearance of the work's title, preceding the beginning of the body of the text. + +The "publisher" means any person or entity that distributes copies of the +Document to the public. + +A section "Entitled XYZ" means a named subunit of the Document whose title +either is precisely XYZ or contains XYZ in parentheses following text that +translates XYZ in another language. (Here XYZ stands for a specific section +name mentioned below, such as "Acknowledgements", "Dedications", +"Endorsements", or "History".) To "Preserve the Title" of such a section when +you modify the Document means that it remains a section "Entitled XYZ" +according to this definition. + +The Document may include Warranty Disclaimers next to the notice which states +that this License applies to the Document. These Warranty Disclaimers are +considered to be included by reference in this License, but only as regards +disclaiming warranties: any other implication that these Warranty Disclaimers +may have is void and has no effect on the meaning of this License. + +=== 2. VERBATIM COPYING + +You may copy and distribute the Document in any medium, either commercially or +noncommercially, provided that this License, the copyright notices, and the +license notice saying this License applies to the Document are reproduced in +all copies, and that you add no other conditions whatsoever to those of this +License. You may not use technical measures to obstruct or control the reading +or further copying of the copies you make or distribute. However, you may +accept compensation in exchange for copies. If you distribute a large enough +number of copies you must also follow the conditions in section 3. + +You may also lend copies, under the same conditions stated above, and you may +publicly display copies. + +=== 3. COPYING IN QUANTITY + +If you publish printed copies (or copies in media that commonly have printed +covers) of the Document, numbering more than 100, and the Document's license +notice requires Cover Texts, you must enclose the copies in covers that carry, +clearly and legibly, all these Cover Texts: Front-Cover Texts on the front +cover, and Back-Cover Texts on the back cover. Both covers must also clearly +and legibly identify you as the publisher of these copies. The front cover must +present the full title with all words of the title equally prominent and +visible. You may add other material on the covers in addition. Copying with +changes limited to the covers, as long as they preserve the title of the +Document and satisfy these conditions, can be treated as verbatim copying in +other respects. + +If the required texts for either cover are too voluminous to fit legibly, you +should put the first ones listed (as many as fit reasonably) on the actual +cover, and continue the rest onto adjacent pages. + +If you publish or distribute Opaque copies of the Document numbering more than +100, you must either include a machine-readable Transparent copy along with +each Opaque copy, or state in or with each Opaque copy a computer-network +location from which the general network-using public has access to download +using public-standard network protocols a complete Transparent copy of the +Document, free of added material. If you use the latter option, you must take +reasonably prudent steps, when you begin distribution of Opaque copies in +quantity, to ensure that this Transparent copy will remain thus accessible at +the stated location until at least one year after the last time you distribute +an Opaque copy (directly or through your agents or retailers) of that edition +to the public. + +It is requested, but not required, that you contact the authors of the Document +well before redistributing any large number of copies, to give them a chance to +provide you with an updated version of the Document. + +=== 4. MODIFICATIONS + +You may copy and distribute a Modified Version of the Document under the +conditions of sections 2 and 3 above, provided that you release the Modified +Version under precisely this License, with the Modified Version filling the +role of the Document, thus licensing distribution and modification of the +Modified Version to whoever possesses a copy of it. In addition, you must do +these things in the Modified Version: + +A. Use in the Title Page (and on the covers, if any) a title distinct from that +of the Document, and from those of previous versions (which should, if there +were any, be listed in the History section of the Document). You may use the +same title as a previous version if the original publisher of that version +gives permission. + +B. List on the Title Page, as authors, one or more persons or entities +responsible for authorship of the modifications in the Modified Version, +together with at least five of the principal authors of the Document (all of +its principal authors, if it has fewer than five), unless they release you from +this requirement. + +C. State on the Title page the name of the publisher of the Modified Version, +as the publisher. + +D. Preserve all the copyright notices of the Document. + +E. Add an appropriate copyright notice for your modifications adjacent to the +other copyright notices. + +F. Include, immediately after the copyright notices, a license notice giving +the public permission to use the Modified Version under the terms of this +License, in the form shown in the Addendum below. + +G. Preserve in that license notice the full lists of Invariant Sections and +required Cover Texts given in the Document's license notice. + +H. Include an unaltered copy of this License. + +I. Preserve the section Entitled "History", Preserve its Title, and add to it +an item stating at least the title, year, new authors, and publisher of the +Modified Version as given on the Title Page. If there is no section Entitled +"History" in the Document, create one stating the title, year, authors, and +publisher of the Document as given on its Title Page, then add an item +describing the Modified Version as stated in the previous sentence. + +J. Preserve the network location, if any, given in the Document for public +access to a Transparent copy of the Document, and likewise the network +locations given in the Document for previous versions it was based on. These +may be placed in the "History" section. You may omit a network location for a +work that was published at least four years before the Document itself, or if +the original publisher of the version it refers to gives permission. + +K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the +Title of the section, and preserve in the section all the substance and tone of +each of the contributor acknowledgements and/or dedications given therein. + +L. Preserve all the Invariant Sections of the Document, unaltered in their text +and in their titles. Section numbers or the equivalent are not considered part +of the section titles. + +M. Delete any section Entitled "Endorsements". Such a section may not be +included in the Modified Version. + +N. Do not retitle any existing section to be Entitled "Endorsements" or to +conflict in title with any Invariant Section. + +O. Preserve any Warranty Disclaimers. + +If the Modified Version includes new front-matter sections or appendices that +qualify as Secondary Sections and contain no material copied from the Document, +you may at your option designate some or all of these sections as invariant. To +do this, add their titles to the list of Invariant Sections in the Modified +Version's license notice. These titles must be distinct from any other section +titles. + +You may add a section Entitled "Endorsements", provided it contains nothing but +endorsements of your Modified Version by various parties—for example, +statements of peer review or that the text has been approved by an organization +as the authoritative definition of a standard. + +You may add a passage of up to five words as a Front-Cover Text, and a passage +of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts +in the Modified Version. Only one passage of Front-Cover Text and one of +Back-Cover Text may be added by (or through arrangements made by) any one +entity. If the Document already includes a cover text for the same cover, +previously added by you or by arrangement made by the same entity you are +acting on behalf of, you may not add another; but you may replace the old one, +on explicit permission from the previous publisher that added the old one. + +The author(s) and publisher(s) of the Document do not by this License give +permission to use their names for publicity for or to assert or imply +endorsement of any Modified Version. + +=== 5. COMBINING DOCUMENTS + +You may combine the Document with other documents released under this License, +under the terms defined in section 4 above for modified versions, provided that +you include in the combination all of the Invariant Sections of all of the +original documents, unmodified, and list them all as Invariant Sections of your +combined work in its license notice, and that you preserve all their Warranty +Disclaimers. + +The combined work need only contain one copy of this License, and multiple +identical Invariant Sections may be replaced with a single copy. If there are +multiple Invariant Sections with the same name but different contents, make the +title of each such section unique by adding at the end of it, in parentheses, +the name of the original author or publisher of that section if known, or else +a unique number. Make the same adjustment to the section titles in the list of +Invariant Sections in the license notice of the combined work. + +In the combination, you must combine any sections Entitled "History" in the +various original documents, forming one section Entitled "History"; likewise +combine any sections Entitled "Acknowledgements", and any sections Entitled +"Dedications". You must delete all sections Entitled "Endorsements". + +=== 6. COLLECTIONS OF DOCUMENTS + +You may make a collection consisting of the Document and other documents +released under this License, and replace the individual copies of this License +in the various documents with a single copy that is included in the collection, +provided that you follow the rules of this License for verbatim copying of each +of the documents in all other respects. + +You may extract a single document from such a collection, and distribute it +individually under this License, provided you insert a copy of this License +into the extracted document, and follow this License in all other respects +regarding verbatim copying of that document. + +=== 7. AGGREGATION WITH INDEPENDENT WORKS + +A compilation of the Document or its derivatives with other separate and +independent documents or works, in or on a volume of a storage or distribution +medium, is called an "aggregate" if the copyright resulting from the +compilation is not used to limit the legal rights of the compilation's users +beyond what the individual works permit. When the Document is included in an +aggregate, this License does not apply to the other works in the aggregate +which are not themselves derivative works of the Document. + +If the Cover Text requirement of section 3 is applicable to these copies of the +Document, then if the Document is less than one half of the entire aggregate, +the Document's Cover Texts may be placed on covers that bracket the Document +within the aggregate, or the electronic equivalent of covers if the Document is +in electronic form. Otherwise they must appear on printed covers that bracket +the whole aggregate. + +=== 8. TRANSLATION + +Translation is considered a kind of modification, so you may distribute +translations of the Document under the terms of section 4. Replacing Invariant +Sections with translations requires special permission from their copyright +holders, but you may include translations of some or all Invariant Sections in +addition to the original versions of these Invariant Sections. You may include +a translation of this License, and all the license notices in the Document, and +any Warranty Disclaimers, provided that you also include the original English +version of this License and the original versions of those notices and +disclaimers. In case of a disagreement between the translation and the original +version of this License or a notice or disclaimer, the original version will +prevail. + +If a section in the Document is Entitled "Acknowledgements", "Dedications", or +"History", the requirement (section 4) to Preserve its Title (section 1) will +typically require changing the actual title. + +=== 9. TERMINATION + +You may not copy, modify, sublicense, or distribute the Document except as +expressly provided under this License. Any attempt otherwise to copy, modify, +sublicense, or distribute it is void, and will automatically terminate your +rights under this License. + +However, if you cease all violation of this License, then your license from a +particular copyright holder is reinstated (a) provisionally, unless and until +the copyright holder explicitly and finally terminates your license, and (b) +permanently, if the copyright holder fails to notify you of the violation by +some reasonable means prior to 60 days after the cessation. + +Moreover, your license from a particular copyright holder is reinstated +permanently if the copyright holder notifies you of the violation by some +reasonable means, this is the first time you have received notice of violation +of this License (for any work) from that copyright holder, and you cure the +violation prior to 30 days after your receipt of the notice. + +Termination of your rights under this section does not terminate the licenses +of parties who have received copies or rights from you under this License. If +your rights have been terminated and not permanently reinstated, receipt of a +copy of some or all of the same material does not give you any rights to use it. + +=== 10. FUTURE REVISIONS OF THIS LICENSE + +The Free Software Foundation may publish new, revised versions of the GNU Free +Documentation License from time to time. Such new versions will be similar in +spirit to the present version, but may differ in detail to address new problems +or concerns. See http://www.gnu.org/copyleft/. + +Each version of the License is given a distinguishing version number. If the +Document specifies that a particular numbered version of this License "or any +later version" applies to it, you have the option of following the terms and +conditions either of that specified version or of any later version that has +been published (not as a draft) by the Free Software Foundation. If the +Document does not specify a version number of this License, you may choose any +version ever published (not as a draft) by the Free Software Foundation. If the +Document specifies that a proxy can decide which future versions of this +License can be used, that proxy's public statement of acceptance of a version +permanently authorizes you to choose that version for the Document. + +=== 11. RELICENSING + +"Massive Multiauthor Collaboration Site" (or "MMC Site") means any World Wide +Web server that publishes copyrightable works and also provides prominent +facilities for anybody to edit those works. A public wiki that anybody can edit +is an example of such a server. A "Massive Multiauthor Collaboration" (or +"MMC") contained in the site means any set of copyrightable works thus +published on the MMC site. + +"CC-BY-SA" means the Creative Commons Attribution-Share Alike 3.0 license +published by Creative Commons Corporation, a not-for-profit corporation with a +principal place of business in San Francisco, California, as well as future +copyleft versions of that license published by that same organization. + +"Incorporate" means to publish or republish a Document, in whole or in part, as +part of another Document. + +An MMC is "eligible for relicensing" if it is licensed under this License, and +if all works that were first published under this License somewhere other than +this MMC, and subsequently incorporated in whole or in part into the MMC, (1) +had no cover texts or invariant sections, and (2) were thus incorporated prior +to November 1, 2008. + +The operator of an MMC Site may republish an MMC contained in the site under +CC-BY-SA on the same site at any time before August 1, 2009, provided the MMC +is eligible for relicensing. + diff --git a/documentation/MacOS File System Events Disk Log Stream format.asciidoc b/documentation/MacOS File System Events Disk Log Stream format.asciidoc index 8ff2a02..4124d16 100644 --- a/documentation/MacOS File System Events Disk Log Stream format.asciidoc +++ b/documentation/MacOS File System Events Disk Log Stream format.asciidoc @@ -6,12 +6,13 @@ :numbered!: [abstract] == Summary + The MacOS File System Events Disk Log Stream format is used by fseventsd on MacOS to store file system events. This specification is based on the source code and documentation. This document is intended as a working document for the MacOS File System -Events Disk Log Stream format file format specification. +Events Disk Log Stream format specification. [preface] == Document information @@ -25,6 +26,7 @@ Events Disk Log Stream format file format specification. [preface] == License + .... Copyright (C) 2018, Joachim Metz . Permission is granted to copy, distribute and/or modify this document under the @@ -36,6 +38,7 @@ in the section entitled "GNU Free Documentation License". [preface] == Revision history + [cols="1,1,1,5",options="header"] |=== | Version | Author | Date | Comments @@ -194,6 +197,7 @@ notification is for a hard-link [appendix] == GNU Free Documentation License + Version 1.3, 3 November 2008 Copyright © 2000, 2001, 2002, 2007, 2008 Free Software Foundation, Inc. @@ -202,6 +206,7 @@ Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. === 0. PREAMBLE + The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, @@ -222,6 +227,7 @@ recommend this License principally for works whose purpose is instruction or reference. === 1. APPLICABILITY AND DEFINITIONS + This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, @@ -300,6 +306,7 @@ disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License. === 2. VERBATIM COPYING + You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in @@ -313,6 +320,7 @@ You may also lend copies, under the same conditions stated above, and you may publicly display copies. === 3. COPYING IN QUANTITY + If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, @@ -346,6 +354,7 @@ well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document. === 4. MODIFICATIONS + You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the @@ -438,6 +447,7 @@ permission to use their names for publicity for or to assert or imply endorsement of any Modified Version. === 5. COMBINING DOCUMENTS + You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the @@ -459,6 +469,7 @@ combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements". === 6. COLLECTIONS OF DOCUMENTS + You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, @@ -471,6 +482,7 @@ into the extracted document, and follow this License in all other respects regarding verbatim copying of that document. === 7. AGGREGATION WITH INDEPENDENT WORKS + A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the @@ -487,6 +499,7 @@ in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate. === 8. TRANSLATION + Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright @@ -504,6 +517,7 @@ If a section in the Document is Entitled "Acknowledgements", "Dedications", or typically require changing the actual title. === 9. TERMINATION + You may not copy, modify, sublicense, or distribute the Document except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, or distribute it is void, and will automatically terminate your @@ -527,6 +541,7 @@ your rights have been terminated and not permanently reinstated, receipt of a copy of some or all of the same material does not give you any rights to use it. === 10. FUTURE REVISIONS OF THIS LICENSE + The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems @@ -544,6 +559,7 @@ License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Document. === 11. RELICENSING + "Massive Multiauthor Collaboration Site" (or "MMC Site") means any World Wide Web server that publishes copyrightable works and also provides prominent facilities for anybody to edit those works. A public wiki that anybody can edit diff --git a/dtformats/alias_data.debug.yaml b/dtformats/alias_data.debug.yaml new file mode 100644 index 0000000..ce9fcdf --- /dev/null +++ b/dtformats/alias_data.debug.yaml @@ -0,0 +1,67 @@ +# dtFormats debug specification. +--- +data_type_map: alias_data_record_header +attributes: +- name: application_information + description: "Application information" + format: binary_data +- name: record_size + description: "Record size" + format: decimal +- name: format_version + description: "Format version" + format: decimal +--- +data_type_map: alias_data_record_v3 +attributes: +- name: alias_type + description: "Alias type" + format: decimal +- name: volume_creation_time + description: "Volume creation date and time" + format: custom:hfs_time_64bit +- name: file_system_type + description: "File system type" + format: binary_data +- name: disk_type + description: "Disk type" + format: decimal +- name: parent_fsid + description: "Parent file system identifier" + format: decimal +- name: target_fsid + description: "Target file system identifier" + format: decimal +- name: target_creation_time + description: "Target creation date and time" + format: custom:hfs_time_64bit +- name: volume_flags + description: "Volume flags" + format: hexadecimal_4digits +- name: unknown1 + description: "Unknown1" + format: binary_data +--- +data_type_map: alias_data_tagged_value +attributes: +- name: value_tag + description: "Value tag" + format: hexadecimal_4digits +- name: value_data_size + description: "Value data size" + format: decimal +- name: value_data + description: "Value data" + format: binary_data +- name: integers + description: "Integers" + format: custom:array_of_decimals +- name: number_of_characters + description: "Number of characters" + format: decimal +- name: string + description: "String" + format: string +- name: alignment_padding + description: "Alignment padding" + format: binary_data diff --git a/dtformats/alias_data.py b/dtformats/alias_data.py new file mode 100644 index 0000000..559afd0 --- /dev/null +++ b/dtformats/alias_data.py @@ -0,0 +1,156 @@ +# -*- coding: utf-8 -*- +"""Mac OS com.apple.loginitems.plist Alias data.""" + +from dfdatetime import hfs_time as dfdatetime_hfs_time + +from dtformats import data_format +from dtformats import errors + + +class MacOSLoginItemAliasData(data_format.BinaryDataFile): + """Mac OS com.apple.loginitems.plist Alias data.""" + + # Using a class constant significantly speeds up the time required to load + # the dtFabric and dtFormats definition files. + _FABRIC = data_format.BinaryDataFile.ReadDefinitionFile('alias_data.yaml') + + _DEBUG_INFORMATION = data_format.BinaryDataFile.ReadDebugInformationFile( + 'alias_data.debug.yaml', custom_format_callbacks={ + 'array_of_decimals': '_FormatArrayOfIntegersAsDecimals', + 'hfs_time': '_FormatIntegerAsHFSTime', + 'hfs_time_64bit': '_FormatIntegerAsHFSTime64bit'}) + + def __init__(self, debug=False, output_writer=None): + """Initializes Mac OS com.apple.loginitems.plist Alias data. + + Args: + debug (Optional[bool]): True if debug information should be written. + output_writer (Optional[OutputWriter]): output writer. + """ + super(MacOSLoginItemAliasData, self).__init__( + debug=debug, output_writer=output_writer) + + def _FormatIntegerAsHFSTime64bit(self, integer): + """Formats an integer as a HFS date and time value. + + Args: + integer (int): integer. + + Returns: + str: integer formatted as a HFS date and time value. + """ + if integer == 0: + return 'Not set (0)' + + number_of_seconds, fraction_of_second = divmod(integer, 65536) + + date_time = dfdatetime_hfs_time.HFSTime(timestamp=number_of_seconds) + date_time_string = date_time.CopyToDateTimeString() + if not date_time_string: + return f'0x{integer:08x}' + + return f'{date_time_string:s}.{fraction_of_second:03d} UTC' + + def _ReadRecordHeader(self, file_object, file_offset): + """Reads a record header. + + Args: + file_object (file): file-like object. + file_offset (int): offset of the record header relative to the start of + the file. + + Returns: + alias_data_record_header: record header. + + Raises: + ParseError: if the record header cannot be read. + """ + data_type_map = self._GetDataTypeMap('alias_data_record_header') + + record_header, _ = self._ReadStructureFromFileObject( + file_object, file_offset, data_type_map, 'record header') + + if self._debug: + debug_info = self._DEBUG_INFORMATION.get('alias_data_record_header', None) + self._DebugPrintStructureObject(record_header, debug_info) + + if record_header.application_information != b'\x00\x00\x00\x00': + raise errors.ParseError('Unsupported application information') + + return record_header + + def _ReadRecordV3(self, file_object, file_offset): + """Reads a version 3 record. + + Args: + file_object (file): file-like object. + file_offset (int): offset of the record data relative to the start of the + file. + + Returns: + alias_data_record_v3: record. + + Raises: + ParseError: if the record cannot be read. + """ + data_type_map = self._GetDataTypeMap('alias_data_record_v3') + + record, _ = self._ReadStructureFromFileObject( + file_object, file_offset, data_type_map, 'record data') + + if self._debug: + debug_info = self._DEBUG_INFORMATION.get('alias_data_record_v3', None) + self._DebugPrintStructureObject(record, debug_info) + + return record + + def _ReadTaggedValue(self, file_object, file_offset): + """Reads a tagged value. + + Args: + file_object (file): file-like object. + file_offset (int): offset of the tagged value relative to the start of the + file. + + Returns: + tuple[alias_data_tagged_value, int]: tagged value and the number of bytes + read. + + Raises: + ParseError: if the tagged value cannot be read. + """ + data_type_map = self._GetDataTypeMap('alias_data_tagged_value') + + tagged_value, bytes_read = self._ReadStructureFromFileObject( + file_object, file_offset, data_type_map, 'tagged value') + + if self._debug: + debug_info = self._DEBUG_INFORMATION.get('alias_data_tagged_value', None) + self._DebugPrintStructureObject(tagged_value, debug_info) + + return tagged_value, bytes_read + + def ReadFileObject(self, file_object): + """Reads a Mac OS com.apple.loginitems.plist Alias data file-like object. + + Args: + file_object (file): file-like object. + + Raises: + ParseError: if the file cannot be read. + """ + record_header = self._ReadRecordHeader(file_object, 0) + + record_offset = 8 + + if record_header.record_size != self._file_size: + raise errors.ParseError('Unsupported AliasData record size') + + if record_header.format_version == 3: + _ = self._ReadRecordV3(file_object, record_offset) + record_offset += 50 + + while record_offset < record_header.record_size: + _, bytes_read = self._ReadTaggedValue(file_object, record_offset) + + record_offset += bytes_read diff --git a/dtformats/alias_data.yaml b/dtformats/alias_data.yaml new file mode 100644 index 0000000..0c9a168 --- /dev/null +++ b/dtformats/alias_data.yaml @@ -0,0 +1,181 @@ +# dtFabric format specification. +--- +name: alias_data +type: format +description: Mac OS com.apple.loginitems.plist Alias and AliasData values data format +urls: ["https://github.com/libyal/dtformats/blob/main/documentation/Mac%20OS%20login%20item%20alias%20data%20format.asciidoc"] +--- +name: byte +type: integer +attributes: + format: unsigned + size: 1 + units: bytes +--- +name: uint16 +type: integer +attributes: + format: unsigned + size: 2 + units: bytes +--- +name: uint32 +type: integer +attributes: + format: unsigned + size: 4 + units: bytes +--- +name: uint64 +type: integer +attributes: + format: unsigned + size: 8 + units: bytes +--- +name: alias_data_record_header +type: structure +attributes: + byte_order: big-endian +members: +- name: application_information + type: stream + element_data_type: byte + elements_data_size: 4 +- name: record_size + data_type: uint16 +- name: format_version + data_type: uint16 + values: [2, 3] +--- +name: alias_data_record_v3 +type: structure +attributes: + byte_order: big-endian +members: +- name: alias_type + data_type: uint16 +- name: volume_creation_time + data_type: uint64 +- name: file_system_type + type: stream + element_data_type: byte + elements_data_size: 4 +- name: disk_type + data_type: uint16 +- name: parent_fsid + data_type: uint32 +- name: target_fsid + data_type: uint32 +- name: target_creation_time + data_type: uint64 +- name: volume_flags + data_type: uint32 +- name: unknown1 + type: stream + element_data_type: byte + elements_data_size: 14 +--- +name: alias_data_tagged_value_base +type: structure +attributes: + byte_order: big-endian +members: +- name: value_tag + data_type: uint16 +- name: value_data_size + data_type: uint16 +# TODO: change dtFabric and _ReadStructureFromFileObject to support +# base structure without value_data and alignment_padding +- name: value_data + type: stream + element_data_type: byte + elements_data_size: alias_data_tagged_value_base.value_data_size +- name: alignment_padding + type: padding + alignment_size: 2 +--- +name: alias_data_tagged_value_with_data +type: structure +attributes: + byte_order: big-endian +members: +- name: value_tag + data_type: uint16 +- name: value_data_size + data_type: uint16 +- name: value_data + type: stream + element_data_type: byte + elements_data_size: alias_data_tagged_value_with_data.value_data_size +- name: alignment_padding + type: padding + alignment_size: 2 +--- +name: alias_data_tagged_value_with_uint32_array +type: structure +attributes: + byte_order: big-endian +members: +- name: value_tag + data_type: uint16 + value: 0x0001 +- name: value_data_size + data_type: uint16 +- name: integers + type: sequence + element_data_type: uint32 + elements_data_size: alias_data_tagged_value_with_uint32_array.value_data_size +- name: alignment_padding + type: padding + alignment_size: 2 +--- +name: alias_data_tagged_value_with_utf8_string +type: structure +attributes: + byte_order: big-endian +members: +- name: value_tag + data_type: uint16 + values: [0x0000, 0x0002, 0x0006, 0x0012, 0x0013] +- name: value_data_size + data_type: uint16 +- name: string + type: string + encoding: utf8 + element_data_type: byte + elements_data_size: alias_data_tagged_value_with_utf8_string.value_data_size +- name: alignment_padding + type: padding + alignment_size: 2 +--- +name: alias_data_tagged_value_with_utf16_string +type: structure +attributes: + byte_order: big-endian +members: +- name: value_tag + data_type: uint16 + values: [0x000e, 0x000f] +- name: value_data_size + data_type: uint16 +- name: number_of_characters + data_type: uint16 +- name: string + type: string + encoding: utf-16-be + element_data_type: uint16 + number_of_elements: alias_data_tagged_value_with_utf16_string.number_of_characters +- name: alignment_padding + type: padding + alignment_size: 2 +--- +name: alias_data_tagged_value +type: structure-group +base: alias_data_tagged_value_base +identifier: value_tag +default: alias_data_tagged_value_with_data +members: +- alias_data_tagged_value_with_uint32_array +- alias_data_tagged_value_with_utf8_string +- alias_data_tagged_value_with_utf16_string diff --git a/dtformats/data_format.py b/dtformats/data_format.py index 1db5f8b..d669016 100644 --- a/dtformats/data_format.py +++ b/dtformats/data_format.py @@ -5,6 +5,7 @@ import os from dfdatetime import filetime as dfdatetime_filetime +from dfdatetime import hfs_time as dfdatetime_hfs_time from dfdatetime import posix_time as dfdatetime_posix_time from dtfabric import errors as dtfabric_errors @@ -358,6 +359,25 @@ def _FormatIntegerAsHexadecimal8(self, integer): """ return f'0x{integer:08x}', False + def _FormatIntegerAsHFSTime(self, integer): + """Formats an integer as a HFS date and time value. + + Args: + integer (int): integer. + + Returns: + str: integer formatted as a HFS date and time value. + """ + if integer == 0: + return 'Not set (0)' + + date_time = dfdatetime_hfs_time.HFSTime(timestamp=integer) + date_time_string = date_time.CopyToDateTimeString() + if not date_time_string: + return f'0x{integer:08x}' + + return f'{date_time_string:s} UTC' + def _FormatIntegerAsPosixTime(self, integer): """Formats an integer as a POSIX date and time value. diff --git a/dtformats/dfvfs_helpers.py b/dtformats/dfvfs_helpers.py index 4b1b385..36d1313 100644 --- a/dtformats/dfvfs_helpers.py +++ b/dtformats/dfvfs_helpers.py @@ -233,8 +233,6 @@ def AddDFVFSCLIArguments(argument_parser): 'as: "1,3..5". The first volume is 1. All volumes can be specified ' 'with: "all".')) - # TODO: add image path - def ParseDFVFSCLIArguments(options): """Parses dfVFS command line arguments. diff --git a/dtformats/firefox_cache1.debug.yaml b/dtformats/firefox_cache1.debug.yaml index c377097..f87a8d1 100644 --- a/dtformats/firefox_cache1.debug.yaml +++ b/dtformats/firefox_cache1.debug.yaml @@ -58,10 +58,10 @@ attributes: format: decimal - name: eviction_ranks description: "Eviction ranks" - format: custrom:array_of_decimals + format: custom:array_of_decimals - name: bucket_usage description: "Bucket usage" - format: custrom:array_of_decimals + format: custom:array_of_decimals --- data_type_map: firefox_cache1_map_record attributes: diff --git a/dtformats/firefox_cache1.py b/dtformats/firefox_cache1.py index 8d7b63b..ec99dfb 100644 --- a/dtformats/firefox_cache1.py +++ b/dtformats/firefox_cache1.py @@ -16,7 +16,7 @@ class CacheMapFile(data_format.BinaryDataFile): _DEBUG_INFORMATION = data_format.BinaryDataFile.ReadDebugInformationFile( 'firefox_cache1.debug.yaml', custom_format_callbacks={ - 'array_of_decimal': '_FormatArrayOfIntegersAsDecimals', + 'array_of_decimals': '_FormatArrayOfIntegersAsDecimals', 'cache_location': '_FormatCacheLocation'}) def __init__(self, debug=False, output_writer=None): diff --git a/scripts/alias_data.py b/scripts/alias_data.py new file mode 100755 index 0000000..8943a7b --- /dev/null +++ b/scripts/alias_data.py @@ -0,0 +1,75 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +"""Script to parse Mac OS com.apple.loginitems.plist Alias value.""" + +import argparse +import logging +import sys + +from dtformats import alias_data +from dtformats import output_writers + + +def Main(): + """The main program function. + + Returns: + bool: True if successful or False if not. + """ + argument_parser = argparse.ArgumentParser(description=( + 'Extracts information from Mac OS com.apple.loginitems.plist Alias ' + 'values.')) + + argument_parser.add_argument( + '-d', '--debug', dest='debug', action='store_true', default=False, + help='enable debug output.') + + argument_parser.add_argument( + 'source', nargs='?', action='store', metavar='PATH', default=None, help=( + 'path of the Mac OS com.apple.loginitems.plist Alias or AliasData ' + 'value data.')) + + options = argument_parser.parse_args() + + if not options.source: + print('Source file missing.') + print('') + argument_parser.print_help() + print('') + return False + + logging.basicConfig( + level=logging.INFO, format='[%(levelname)s] %(message)s') + + output_writer = output_writers.StdoutWriter() + + try: + output_writer.Open() + except IOError as exception: + print(f'Unable to open output writer with error: {exception!s}') + print('') + return False + + alias = alias_data.MacOSLoginItemAliasData( + debug=options.debug, output_writer=output_writer) + alias.Open(options.source) + + output_writer.WriteText( + 'Mac OS com.apple.loginitems.plist Alias information:\n') + + # TODO: print more information. + + output_writer.WriteText('\n') + + alias.Close() + + output_writer.Close() + + return True + + +if __name__ == '__main__': + if not Main(): + sys.exit(1) + else: + sys.exit(0) diff --git a/test_data/com.apple.loginitems.plist.alias_data b/test_data/com.apple.loginitems.plist.alias_data new file mode 100644 index 0000000000000000000000000000000000000000..23174eb48cdd10db93eb23f26fbcbea8dd4ede66 GIT binary patch literal 216 zcmXYrJqp555QM*IrAQQQf>p54LP$z$(IQPqVJ;BD0|VjZnV(~L6~S`|*51U