Code polishing for lava output

admin/docs/device_info_values.md

@@ -19,11 +19,20 @@ This document outlines the various device information collected by iLEAPP module
 | Backup Settings | Last iTunes Backup TZ | backupSettings |
 | Cellular | CDMA Network Phone Number ICCID | celWireless |
 | Cellular | IMEI | celWireless |
+| Cellular | Last Good IMSI | imeiImsi |
+| Cellular | Last Known ICCI | imeiImsi |
 | Cellular | Last Known ICCID | celWireless |
 | Cellular | MEID | celWireless |
+| Cellular | Phone Number | imeiImsi |
 | Cellular | Reported Phone Number | celWireless |
+| Cellular | Self Registration Update IMEI | imeiImsi |
+| Cellular | Self Registration Update IMSI | imeiImsi |
 | Device Information | Device Name | deviceName |
+| Device Information | Device/Computer Name | preferencesPlist |
+| Device Information | Host Name | preferencesPlist |
 | Device Information | IMEIs | deviceDatam |
+| Device Information | Local Host Name | preferencesPlist |
+| Device Information | Model | preferencesPlist |
 | Device Information | Model Number | deviceActivator |
 | Device Information | Product | lastBuild |
 | Device Information | ProductBuildVersion | lastBuild |
@@ -43,28 +52,19 @@ This document outlines the various device information collected by iLEAPP module
 |-----|----------------|
 | BuildID: {val} | Ph99SystemVersionPlist |
 | BuildVersion: {val} | Ph100UFEDdevcievaluesplist, Ph99SystemVersionPlist |
-| Device/Computer Name: {computername} | preferencesPlist |
 | DeviceName: {val} | Ph100UFEDdevcievaluesplist |
 | Find My iPhone Add Time: {addtime} | findMy |
 | Find My iPhone: Enabled | findMy |
 | HardwareModel: {val} | Ph100UFEDdevcievaluesplist |
-| Host Name: {hostname} | preferencesPlist |
 | InternationalMobileEquipmentIdentity: {val} | Ph100UFEDdevcievaluesplist |
 | Last Bootstrap Date: {times} | timezoneInfo |
 | Last Bootstrap Timezone: {val} | timezoneInfo |
-| Last Good IMSI: {lastgoodimsi} | imeiImsi |
-| Last Known ICCI: {lastknownicci} | imeiImsi |
 | MAC Address: {hexstring} - User Defined Name: {userdefinedname} - BSD Name: {bsdname} | wifiIdent |
-| Model: {localhostname} | preferencesPlist |
-| Model: {val} | preferencesPlist |
 | Obliterated Timestamp: {utc_modified_date} | obliterated |
 | PasswordProtected: {val} | Ph100UFEDdevcievaluesplist |
-| Phone Number: {val} | imeiImsi |
 | ProductName: {val} | Ph99SystemVersionPlist |
 | ProductType: {val} | Ph100UFEDdevcievaluesplist |
 | ReleaseType: {val} | Ph99SystemVersionPlist |
-| Self Registration Update IMEI: {selfregistrationupdateimei} | imeiImsi |
-| Self Registration Update IMSI: {selfregitrationupdateimsi} | imeiImsi |
 | Serial Number: {row[0]} | serialNumber |
 | SerialNumber: {val} | Ph100UFEDdevcievaluesplist |
 | SystemImageID: {val} | Ph99SystemVersionPlist |

scripts/artifacts/accountConfig.py

@@ -2,7 +2,7 @@
     "accountConfig": {
         "name": "Account Configuration",
         "description": "Extracts account configuration information",
-        "author": "@abrignoni",
+        "author": "@AlexisBrignoni",
         "version": "0.2.3",
         "date": "2020-04-30",
         "requirements": "none",

scripts/artifacts/accountData.py

@@ -1,7 +1,7 @@
 __artifacts_v2__ = {
     "accountData": {
         "name": "Account Data",
-        "description": "Extract information about configured user accounts",
+        "description": "Configured user accounts",
         "author": "@AlexisBrignoni",
         "version": "0.4.3",
         "date": "2020-04-30",
@@ -19,36 +19,36 @@
 @artifact_processor
 def accountData(files_found, report_folder, seeker, wrap_text, timezone_offset):
     data_list = []
-    data_headers = ()
-    source_path = ''
+    db_file = ''
 
     for file_found in files_found:
-        source_path = str(file_found)    
         if file_found.endswith('Accounts3.sqlite'):
+            db_file = file_found
             break
 
-    db = open_sqlite_db_readonly(file_found)
-    cursor = db.cursor()
-
-    cursor.execute('''
-    SELECT
-        datetime(zdate+978307200,'unixepoch'),
-        zaccounttypedescription,
-        zusername,
-        zaccountdescription,
-        zaccount.zidentifier,
-        zaccount.zowningbundleid
-    FROM zaccount, zaccounttype 
-    WHERE zaccounttype.z_pk=zaccount.zaccounttype
-    ''')
-
-    all_rows = cursor.fetchall()
-
-    for row in all_rows:
-        timestamp = convert_ts_human_to_timezone_offset(row[0], timezone_offset)
-        data_list.append((timestamp,row[1],row[2],row[3],row[4],row[5]))                
-
-    db.close()
+    if db_file:
+        db = open_sqlite_db_readonly(file_found)
+        cursor = db.cursor()
+
+        cursor.execute('''
+        SELECT
+            datetime(zdate+978307200,'unixepoch'),
+            zaccounttypedescription,
+            zusername,
+            zaccountdescription,
+            zaccount.zidentifier,
+            zaccount.zowningbundleid
+        FROM zaccount, zaccounttype 
+        WHERE zaccounttype.z_pk=zaccount.zaccounttype
+        ''')
+
+        all_rows = cursor.fetchall()
+
+        for row in all_rows:
+            timestamp = convert_ts_human_to_timezone_offset(row[0], timezone_offset)
+            data_list.append((timestamp,row[1],row[2],row[3],row[4],row[5]))                
+
+        db.close()
 
     data_headers = (
         ('Timestamp', 'datetime'), 
@@ -58,4 +58,4 @@ def accountData(files_found, report_folder, seeker, wrap_text, timezone_offset):
         'Identifier', 
         'Bundle ID'
         )
-    return data_headers, data_list, source_path
+    return data_headers, data_list, db_file

scripts/artifacts/advertisingID.py

@@ -29,4 +29,4 @@ def advertisingID(files_found, report_folder, seeker, wrap_text, timezone_offset
 
 
     # Return empty data since this artifact only collects device info
-    return (), [], ''
+    return (), [], source_path

scripts/artifacts/airdropId.py

@@ -28,4 +28,4 @@ def airdropId(files_found, report_folder, seeker, wrap_text, timezone_offset):
                 break
 
     # Return empty data since this artifact only collects device info
-    return (), [], ''
+    return (), [], source_path

scripts/artifacts/alarms.py

@@ -45,7 +45,6 @@ def decode_repeat_schedule(repeat_schedule_value):
 @artifact_processor
 def alarms(files_found, report_folder, seeker, wrap_text, timezone_offset):
     data_list = []
-    data_headers = ()
     source_path = str(files_found[0])
 
     with open(source_path, "rb") as plist_file:

scripts/artifacts/allTrails.py

@@ -26,7 +26,7 @@
 }
 
 
-from scripts.ilapfuncs import artifact_processor, logfunc, open_sqlite_db_readonly, convert_ts_human_to_timezone_offset
+from scripts.ilapfuncs import artifact_processor, open_sqlite_db_readonly, convert_ts_human_to_timezone_offset
 
 @artifact_processor
 def allTrails_trail_details(files_found, report_folder, seeker, wrap_text, timezone_offset):

scripts/artifacts/appleLocationd.py

@@ -3,8 +3,8 @@
         "name": "Location Services",
         "description": "Extracts location services settings",
         "author": "@AlexisBrignoni",
-        "version": "0.1",
-        "date": "2024-05-09",
+        "version": "0.2.3",
+        "date": "2023-10-03",
         "requirements": "none",
         "category": "Identifiers",
         "notes": "",
@@ -19,7 +19,6 @@
 @artifact_processor
 def get_applelocationd(files_found, report_folder, seeker, wrap_text, timezone_offset):
     data_list = []
-    data_headers = ()
     source_path = str(files_found[0])
 
     with open(source_path, "rb") as fp:
@@ -40,5 +39,5 @@ def get_applelocationd(files_found, report_folder, seeker, wrap_text, timezone_o
             else:
                 data_list.append((key, val))
 
-    data_headers = ('Property','Property Value')     
+    data_headers = ('Property', 'Property Value')     
     return data_headers, data_list, source_path

scripts/ilapfuncs.py

@@ -60,6 +60,7 @@ def wrapper(files_found, report_folder, seeker, wrap_text, timezone_offset):
         artifact_name = artifact_info.get('name', func_name)
         category = artifact_info.get('category', '')
         description = artifact_info.get('description', '')
+        output_types = artifact_info.get('output_types', ['html', 'tsv', 'timeline', 'lava', 'kml'])
 
         data_headers, data_list, source_path = func(files_found, report_folder, seeker, wrap_text, timezone_offset)
 
@@ -68,7 +69,6 @@ def wrapper(files_found, report_folder, seeker, wrap_text, timezone_offset):
 
         elif len(data_list):
             logfunc(f"Found {len(data_list)} records for {artifact_name}")
-            output_types = artifact_info.get('output_types', ['html', 'tsv', 'timeline', 'lava', 'kml'])
 
             # Strip tuples from headers for HTML, TSV, and timeline
             stripped_headers = strip_tuple_from_headers(data_headers)
@@ -94,7 +94,8 @@ def wrapper(files_found, report_folder, seeker, wrap_text, timezone_offset):
                 kmlgen(report_folder, artifact_name, data_list, stripped_headers)
 
         else:
-            logfunc(f"No {artifact_name} data available")
+            if output_types != 'none':
+                logfunc(f"No {artifact_name} data available")
 
         return data_headers, data_list, source_path
     return wrapper