-
Notifications
You must be signed in to change notification settings - Fork 79
/
knowledge_disk_subsystem_access.txt
104 lines (87 loc) · 4.32 KB
/
knowledge_disk_subsystem_access.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
# --------------------------------------------------------------------------------
# Copyright (c) 2018-2020 Sarah Edwards (Station X Labs, LLC,
# @iamevltwin, mac4n6.com). All rights reserved.
# This software is provided "as is," without warranty of any kind,
# express or implied. In no event shall the author or contributors
# be held liable for any damages arising in any way from the use of
# this software.
# The contents of this file are DUAL-LICENSED. You may modify and/or
# redistribute this software according to the terms of one of the
# following two licenses (at your option):
# LICENSE 1 ("BSD-like with acknowledgment clause"):
# Permission is granted to anyone to use this software for any purpose,
# including commercial applications, and to alter it and redistribute
# it freely, subject to the following restrictions:
# 1. Redistributions of source code must retain the above copyright
# notice, disclaimer, and this list of conditions.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, disclaimer, and this list of conditions in the documenta-
# tion and/or other materials provided with the distribution.
# 3. All advertising, training, and documentation materials mentioning
# features or use of this software must display the following
# acknowledgment. Character-limited social media may abbreviate this
# acknowledgment to include author and APOLLO name ie: "This new
# feature brought to you by @iamevltwin's APOLLO". Please make an
# effort credit the appropriate authors on specific APOLLO modules.
# The spirit of this clause is to give public acknowledgment to
# researchers where credit is due.
# This product includes software developed by Sarah Edwards
# (Station X Labs, LLC, @iamevltwin, mac4n6.com) and other
# contributors as part of APOLLO (Apple Pattern of Life Lazy
# Output'er).
# LICENSE 2 (GNU GPL v3 or later):
# This file is part of APOLLO (Apple Pattern of Life Lazy Output'er).
# APOLLO is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# APOLLO is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with APOLLO. If not, see <https://www.gnu.org/licenses/>.
# --------------------------------------------------------------------------------
[Module Metadata]
AUTHOR=Sarah Edwards/mac4n6.com/@iamevltwin
MODULE_NOTES=Disk Subsystem Access
[Database Metadata]
DATABASE=knowledgeC.db
PLATFORM=IOS
VERSIONS=13,14
[Query Metadata]
QUERY_NAME=knowledge_disk_subsystem_access
ACTIVITY=Disk Subsystem Access
KEY_TIMESTAMP=START
[SQL Query 13,14]
QUERY=
SELECT
DATETIME(ZOBJECT.ZSTARTDATE+978307200,'UNIXEPOCH') AS "START",
DATETIME(ZOBJECT.ZENDDATE+978307200,'UNIXEPOCH') AS "END",
ZSOURCE.ZBUNDLEID AS "BUNDLE ID",
ZOBJECT.ZVALUESTRING,
(ZOBJECT.ZENDDATE - ZOBJECT.ZSTARTDATE) AS "USAGE IN SECONDS",
(ZOBJECT.ZENDDATE - ZOBJECT.ZSTARTDATE)/60.00 AS "USAGE IN MINUTES",
CASE ZOBJECT.ZSTARTDAYOFWEEK
WHEN "1" THEN "Sunday"
WHEN "2" THEN "Monday"
WHEN "3" THEN "Tuesday"
WHEN "4" THEN "Wednesday"
WHEN "5" THEN "Thursday"
WHEN "6" THEN "Friday"
WHEN "7" THEN "Saturday"
END "DAY OF WEEK",
ZOBJECT.ZSECONDSFROMGMT/3600 AS "GMT OFFSET",
DATETIME(ZOBJECT.ZCREATIONDATE+978307200,'UNIXEPOCH') AS "ENTRY CREATION",
ZOBJECT.ZUUID AS "UUID",
ZOBJECT.Z_PK AS "ZOBJECT TABLE ID"
FROM
ZOBJECT
LEFT JOIN
ZSTRUCTUREDMETADATA
ON ZOBJECT.ZSTRUCTUREDMETADATA = ZSTRUCTUREDMETADATA.Z_PK
LEFT JOIN
ZSOURCE
ON ZOBJECT.ZSOURCE = ZSOURCE.Z_PK
WHERE
ZSTREAMNAME is "/disk/subsystemAccess"