Added Android application usage SQLite parser plugin (#4881)

Author: rick-slin

plaso/data/formatters/android.yaml

@@ -121,6 +121,15 @@ short_source: 'LOG'
 source: 'Android SMS messages'
 ---
 type: 'conditional'
+data_type: 'android:sqlite:app_usage'
+message:
+- 'Package Name: {package_name}'
+short_message:
+- 'Package Name: {package_name}'
+short_source: 'Android app usage'
+source: 'Android SQLite App Usage'
+---
+type: 'conditional'
 data_type: 'android:tango:contact'
 message:
 - '{first_name}'

plaso/data/presets.yaml

@@ -6,6 +6,7 @@ parsers:
 - android_app_usage
 - chrome_cache
 - filestat
+- sqlite/android_app_usage
 - sqlite/android_calls
 - sqlite/android_sms
 - sqlite/android_turbo

plaso/data/timeliner.yaml

@@ -48,6 +48,12 @@ attribute_mappings:
   description: 'Last Active Time'
 place_holder_event: false
 ---
+data_type: 'android:sqlite:app_usage'
+attribute_mappings:
+- name: 'start_time'
+  description: 'Start Time'
+place_holder_event: false
+---
 data_type: 'android:tango:conversation'
 place_holder_event: true
 ---

plaso/parsers/sqlite_plugins/__init__.py

@@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 """Imports for the SQLite database parser plugins."""
 
+from plaso.parsers.sqlite_plugins import android_app_usage
 from plaso.parsers.sqlite_plugins import android_calls
 from plaso.parsers.sqlite_plugins import android_hangouts
 from plaso.parsers.sqlite_plugins import android_sms

plaso/parsers/sqlite_plugins/android_app_usage.py

@@ -0,0 +1,77 @@
+# -*- coding: utf-8 -*-
+"""SQLite parser plugin for Android app_usage database files."""
+
+from dfdatetime import posix_time as dfdatetime_posix_time
+
+from plaso.containers import events
+from plaso.parsers import sqlite
+from plaso.parsers.sqlite_plugins import interface
+
+
+class AndroidAppUsage(events.EventData):
+  """Android app usage event data.
+
+  Attributes:
+    package_name (str): name of the launched package.
+    start_time (dfdatetime.DateTimeValues): date and time when the application
+        was launched.
+  """
+
+  DATA_TYPE = 'android:sqlite:app_usage'
+
+  def __init__(self):
+    """Initializes event data."""
+    super(AndroidAppUsage, self).__init__(data_type=self.DATA_TYPE)
+    self.package_name = None
+    self.start_time = None
+
+
+class AndroidSQLiteAppUsage(interface.SQLitePlugin):
+  """SQLite parser plugin for Android application usage database files."""
+
+  NAME = 'android_app_usage'
+  DATA_FORMAT = 'Android app_usage SQLite database (app_usage) file'
+
+  REQUIRED_STRUCTURE = {
+      'events': frozenset(['_id', 'timestamp', 'package_id']),
+      'packages': frozenset(['_id', 'package_name'])
+  }
+
+  QUERIES = [
+      ('SELECT events.timestamp, packages.package_name FROM events JOIN '
+       'packages ON packages._id = events.package_id', 'ParseAppUsageRow')]
+
+  SCHEMAS = [{
+      'events': (
+          'CREATE TABLE "events" (_id INTEGER PRIMARY KEY,timestamp INTEGER '
+          'NOT NULL,type INTEGER NOT NULL,package_id INTEGER NOT NULL '
+          'REFERENCES packages(_id) ON UPDATE CASCADE ON DELETE CASCADE, '
+          'instance_id INTEGER DEFAULT NULL, task_root_package_id INTEGER '
+          'DEFAULT NULL REFERENCES packages(_id) ON UPDATE CASCADE ON DELETE '
+          'CASCADE)'),
+      'packages': (
+          'CREATE TABLE packages (_id INTEGER PRIMARY KEY,package_name TEXT, '
+          'UNIQUE(package_name) ON CONFLICT ABORT)')}]
+
+  def ParseAppUsageRow(self, parser_mediator, query, row, **unused_kwargs):
+    """Parses an event record row.
+
+    Args:
+      parser_mediator (ParserMediator): mediates interactions between parsers
+          and other components, such as storage and dfVFS.
+      query (str): query that created the row.
+      row (sqlite3.Row): row.
+    """
+    query_hash = hash(query)
+
+    event_data = AndroidAppUsage()
+    event_data.package_name = self._GetRowValue(query_hash, row, 'package_name')
+
+    timestamp = self._GetRowValue(query_hash, row, 'timestamp')
+    event_data.start_time = dfdatetime_posix_time.PosixTimeInMilliseconds(
+        timestamp=timestamp)
+
+    parser_mediator.ProduceEventData(event_data)
+
+
+sqlite.SQLiteParser.RegisterPlugin(AndroidSQLiteAppUsage)

test_data/android_app_usage

@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""Tests for the Android turbo plugin."""
+
+import unittest
+
+from plaso.parsers.sqlite_plugins import android_app_usage
+
+from tests.parsers.sqlite_plugins import test_lib
+
+
+class AndroidSQLiteAppUsagePluginTest(test_lib.SQLitePluginTestCase):
+  """Tests for the Android app_usage database plugin."""
+
+  def testProcess(self):
+    """Tests the Process function on an Android app_usage file."""
+    plugin = android_app_usage.AndroidSQLiteAppUsage()
+    storage_writer = self._ParseDatabaseFileWithPlugin(
+        ['android_app_usage'], plugin)
+
+    number_of_event_data = storage_writer.GetNumberOfAttributeContainers(
+        'event_data')
+    self.assertEqual(number_of_event_data, 11545)
+
+    number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
+        'extraction_warning')
+    self.assertEqual(number_of_warnings, 0)
+
+    number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
+        'recovery_warning')
+    self.assertEqual(number_of_warnings, 0)
+
+    expected_event_values = {
+      'package_name': 'com.whatsapp',
+      'start_time': '2023-05-31T01:29:31.577+00:00'
+    }
+    event_data = storage_writer.GetAttributeContainerByIndex('event_data', 339)
+    self.CheckEventData(event_data, expected_event_values)
+
+    expected_event_values = {
+      'package_name': 'com.spotify.music',
+      'start_time': '2023-06-18T19:29:02.869+00:00'
+    }
+    event_data = storage_writer.GetAttributeContainerByIndex('event_data', 8589)
+    self.CheckEventData(event_data, expected_event_values)
+
+
+if __name__ == '__main__':
+  unittest.main()