Added Windows 10 push notification database plugin log2timeline#4458

joachimmetz · Jan 17, 2024 · 8374bc0 · 8374bc0
1 parent b001d70
commit 8374bc0
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 4 deletions.
diff --git a/plaso/parsers/sqlite_plugins/windows_push_notification.py b/plaso/parsers/sqlite_plugins/windows_push_notification.py
@@ -12,10 +12,12 @@ class WindowsPushNotificationEventData(events.EventData):
   Attributes:
     arrival_time (dfdatetime.DateTimeValues): date and time the push
         notification was received.
+    boot_time (dfdatetime.DateTimeValues): date and time the of the last boot.
     expiration_time (dfdatetime.DateTimeValues): date and time the push
         notification expires.
     handler_identifier (str): identifier of the corresponding notification
         handler.
+    notification_type (str): notification type.
     payload (dfdatetime.DateTimeValues): payload.
   """
 
@@ -26,8 +28,10 @@ def __init__(self):
     super(WindowsPushNotificationEventData, self).__init__(
         data_type=self.DATA_TYPE)
     self.arrival_time = None
+    self.boot_time = None
     self.expiration_time = None
     self.handler_identifier = None
+    self.notification_type = None
     self.payload = None
 
 
@@ -188,18 +192,28 @@ def ParseNotificationRow(
     """
     query_hash = hash(query)
 
-    payload = self._GetRowValue(query_hash, row, 'Payload')
+    payload = None
+    payload_type = self._GetRowValue(query_hash, row, 'PayloadType')
+
+    if payload_type.lower() == 'xml':
+      payload = self._GetRowValue(query_hash, row, 'Payload')
+      payload = payload.decode('utf-8')
+      # TODO: parse payload
+    else:
+      parser_mediator.ProduceExtractionWarning(
+          f'unsupported payload type: {payload_type:s}')
 
     event_data = WindowsPushNotificationEventData()
     event_data.arrival_time = self._GeFiletimeRowValue(
         query_hash, row, 'ArrivalTime')
+    event_data.boot_time = self._GeFiletimeRowValue(
+        query_hash, row, 'BootId')
     event_data.expiration_time = self._GeFiletimeRowValue(
         query_hash, row, 'ExpiryTime')
     event_data.handler_identifier = self._GetRowValue(
         query_hash, row, 'PrimaryId')
-    event_data.payload = payload.decode('utf-8')
-
-    # TODO: parse payload
+    event_data.notification_type = self._GetRowValue(query_hash, row, 'Type')
+    event_data.payload = payload
 
     parser_mediator.ProduceEventData(event_data)
 

diff --git a/tests/parsers/sqlite_plugins/windows_push_notification.py b/tests/parsers/sqlite_plugins/windows_push_notification.py
@@ -43,11 +43,13 @@ def testProcess(self):
 
     expected_event_values = {
         'arrival_time': '2020-12-11T19:11:35.9025799+00:00',
+        'boot_time': '2020-12-11T19:08:54.1636157+00:00',
         'data_type': 'windows:wpndatabase:notification',
         'expiration_time': '2020-12-11T19:12:35.9025799+00:00',
         'handler_identifier': (
             'windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.'
             'immersivecontrolpanel'),
+        'notification_type': 'toast',
         'payload': (
             '<toast activationType=\'protocol\' '
             'launch=\'ms-settings:connecteddevices\'><visual><binding '