public static ForensicRulePackage GetRulePackageZhiBo8()
{
var t = new ForensicRulePackage()
{
Name = "android.zhibo8",
Desc = "直播吧",
Items = new List <ForensicRuleItemInfo>()
{
new FileCatchInfo()
{
Key = "File_History",
RelativePath = "databases/database.db",
},
new DataCatchInfo()
{
Key = "File_History",
Type = DataCatchInfo.DataType.Database,
DataPath = "t_history_record",
TableKey = "Table_History"
},
new DataMarkInfo()
{
Key = "Table_History",
TableDesc = "观看历史",
}
}
};
t.Init();
return(t);
}
public static ForensicRulePackage GetRulePackageYY()
{
var t = new ForensicRulePackage()
{
Name = "com.duowan.mobile",
Desc = "YY语音",
Items = new List <ForensicRuleItemInfo>()
{
new FileCatchInfo()
{
Key = "File_User",
IsRegEx = true,
RelativePath = @"databases/(\d+)\.db",
},
new FileCatchInfo()
{
Key = "File_Core",
RelativePath = @"databases/core.db",
},
new DataCatchInfo()
{
Key = "File_Core",
Type = DataCatchInfo.DataType.Database,
DataPath = "User_UserInfo",
TableKey = "Table_Users",
},
new DataCatchInfo()
{
Key = "File_User",
Type = DataCatchInfo.DataType.Database,
DataPath = "im_friend_list",
TableKey = "Table_Friends",
},
new DataCatchInfo()
{
Key = "File_User",
Type = DataCatchInfo.DataType.DatabaseWithRegEx,
DataPath = @"im_1v1_new_msg_\d+",
TableKey = "Table_Msgs",
},
new DataProcessInfo()
{
Key = "File_User",
Type = DataProcessInfo.ProcessType.RegEx,
ColumnName = "FileName",
Content = "(?<AccountID>\\d+)\\.db",
OutputColumnName = "AccountID",
},
new DataAssociateInfo()
{
ParentTableKey = "Table_Users",
ParentTableColumn = "userID",
ChildTableKey = "Table_Friends",
ChildFileTableAssociateColumn = "AccountID"
},
new DataAssociateInfo()
{
ParentTableKey = "Table_Friends",
ParentTableColumn = "id",
ChildTableKey = "Table_Msgs",
ChildTableAssociateColumn = "reverse2"
},
new DataMarkInfo()
{
Key = "Table_Users",
TableDesc = "登录用户"
},
new DataMarkInfo()
{
Key = "Table_Friends",
TableDesc = "好友列表",
NotShowAtRoot = true,
},
new DataMarkInfo()
{
Key = "Table_Msgs",
NotShowAtRoot = true,
TableDesc = "消息记录"
}
}
};
t.Init();
return(t);
}