Add timestamp conversion.

Author: casework

case.py

@@ -1,7 +1,8 @@
 """An API to the CASE ontology."""
 
 import rdflib
-from rdflib import RDF
+from rdflib import RDF, XSD
+import rdflib.term
 
 CASE = rdflib.Namespace('http://case.example.org/core#')
 

case_plaso/event_exporters/android_calls.py

@@ -1,5 +1,5 @@
 
-from case_plaso import event_exporter
+from case_plaso import event_exporter, lib
 
 
 @event_exporter.register
@@ -15,7 +15,6 @@ class AndroidCallExporter(event_exporter.EventExporter):
     def __init__(self, document):
         super(AndroidCallExporter, self).__init__(document)
         self._contacts = {}
-        self._phone_calls = {}
 
     def export_event_data(self, event):
         phone_call_pb = self.document.create_trace().create_property_bundle(
@@ -43,6 +42,6 @@ def export_event_data(self, event):
 
     def export_timestamp(self, event, pb):
         try:
-            pb.add(self.TIMESTAMP_MAP[event.timestamp_desc], event.timestamp)
+            pb.add(self.TIMESTAMP_MAP[event.timestamp_desc], lib.convert_timestamp(event.timestamp))
         except KeyError:
             pass

case_plaso/event_exporters/ntfs.py

@@ -1,7 +1,7 @@
 
 from plaso.lib.eventdata import EventTimestamp
 
-from case_plaso import event_exporter
+from case_plaso import event_exporter, lib
 
 
 @event_exporter.register
@@ -28,7 +28,7 @@ def export_event_data(self, event):
 
     def export_timestamp(self, event, pb):
         try:
-            pb.add(self.TIMESTAMP_MAP[event.timestamp_desc], event.timestamp)
+            pb.add(self.TIMESTAMP_MAP[event.timestamp_desc], lib.convert_timestamp(event.timestamp))
         except KeyError:
             # TODO: Log this or something.
             pass

case_plaso/lib.py

@@ -1,4 +1,17 @@
 
+import rdflib
+from plaso.lib import timelib
+import pytz
+
+
+def convert_timestamp(timestamp):
+    """Converts a plaso timestamp into a valid rdflib Literal."""
+    # TODO: Extract timezone from knowledge base in plaso storage file. Assuming UTC for now.
+    # TODO: Create binding for XSD.dateTimeStamp. It's unavailable in rdflib.
+    #  - Binding should allow direct conversion from Iso format.
+    timestamp = timelib.Timestamp.CopyToDatetime(timestamp, timezone=pytz.UTC)
+    return rdflib.Literal(timestamp, datatype=rdflib.XSD.dateTime)
+
 
 def hash_dict(dictionary):
     # NOTE: If we have a recursive dictionary, we have bigger problems.

plaso_case_output.py

@@ -26,6 +26,7 @@
 
     document = case.Document()
     exporter = plaso_exporter.PlasoExporter(document)
+    print 'Exporting storage file...'
     exporter.export_storage_file(options.storage_file)
-
+    print 'Serializing graph...'
     document.serialize(format='json-ld', destination='test.json')