From 98020f748c0facde0a9acf96249e7ad6fbfb5131 Mon Sep 17 00:00:00 2001
From: Johann Polewczyk
Date: Sun, 10 Nov 2024 12:39:20 +0100
Subject: [PATCH] Code polishing for lava output
---
 admin/docs/device_info_values.md | 18 +++++-----
 scripts/artifacts/accountConfig.py | 2 +-
 scripts/artifacts/accountData.py | 54 ++++++++++++++---------------
 scripts/artifacts/advertisingID.py | 2 +-
 scripts/artifacts/airdropId.py | 2 +-
 scripts/artifacts/alarms.py | 1 -
 scripts/artifacts/allTrails.py | 2 +-
 scripts/artifacts/appleLocationd.py | 7 ++--
 scripts/ilapfuncs.py | 5 +--
 9 files changed, 46 insertions(+), 47 deletions(-)
diff --git a/admin/docs/device_info_values.md b/admin/docs/device_info_values.md
index 12db1d17..5ffc057f 100644
--- a/admin/docs/device_info_values.md
+++ b/admin/docs/device_info_values.md
@@ -19,11 +19,20 @@ This document outlines the various device information collected by iLEAPP module
 | Backup Settings | Last iTunes Backup TZ | backupSettings |
 | Cellular | CDMA Network Phone Number ICCID | celWireless |
 | Cellular | IMEI | celWireless |
+| Cellular | Last Good IMSI | imeiImsi |
+| Cellular | Last Known ICCI | imeiImsi |
 | Cellular | Last Known ICCID | celWireless |
 | Cellular | MEID | celWireless |
+| Cellular | Phone Number | imeiImsi |
 | Cellular | Reported Phone Number | celWireless |
+| Cellular | Self Registration Update IMEI | imeiImsi |
+| Cellular | Self Registration Update IMSI | imeiImsi |
 | Device Information | Device Name | deviceName |
+| Device Information | Device/Computer Name | preferencesPlist |
+| Device Information | Host Name | preferencesPlist |
 | Device Information | IMEIs | deviceDatam |
+| Device Information | Local Host Name | preferencesPlist |
+| Device Information | Model | preferencesPlist |
 | Device Information | Model Number | deviceActivator |
 | Device Information | Product | lastBuild |
 | Device Information | ProductBuildVersion | lastBuild |
@@ -43,28 +52,19 @@ This document outlines the various device information collected by iLEAPP module
 |-----|----------------|
 | BuildID: {val} | Ph99SystemVersionPlist |
 | BuildVersion: {val} | Ph100UFEDdevcievaluesplist, Ph99SystemVersionPlist |
-| Device/Computer Name: {computername} | preferencesPlist |
 | DeviceName: {val} | Ph100UFEDdevcievaluesplist |
 | Find My iPhone Add Time: {addtime} | findMy |
 | Find My iPhone: Enabled | findMy |
 | HardwareModel: {val} | Ph100UFEDdevcievaluesplist |
-| Host Name: {hostname} | preferencesPlist |
 | InternationalMobileEquipmentIdentity: {val} | Ph100UFEDdevcievaluesplist |
 | Last Bootstrap Date: {times} | timezoneInfo |
 | Last Bootstrap Timezone: {val} | timezoneInfo |
-| Last Good IMSI: {lastgoodimsi} | imeiImsi |
-| Last Known ICCI: {lastknownicci} | imeiImsi |
 | MAC Address: {hexstring} - User Defined Name: {userdefinedname} - BSD Name: {bsdname} | wifiIdent |
-| Model: {localhostname} | preferencesPlist |
-| Model: {val} | preferencesPlist |
 | Obliterated Timestamp: {utc_modified_date} | obliterated |
 | PasswordProtected: {val} | Ph100UFEDdevcievaluesplist |
-| Phone Number: {val} | imeiImsi |
 | ProductName: {val} | Ph99SystemVersionPlist |
 | ProductType: {val} | Ph100UFEDdevcievaluesplist |
 | ReleaseType: {val} | Ph99SystemVersionPlist |
-| Self Registration Update IMEI: {selfregistrationupdateimei} | imeiImsi |
-| Self Registration Update IMSI: {selfregitrationupdateimsi} | imeiImsi |
 | Serial Number: {row[0]} | serialNumber |
 | SerialNumber: {val} | Ph100UFEDdevcievaluesplist |
 | SystemImageID: {val} | Ph99SystemVersionPlist |
diff --git a/scripts/artifacts/accountConfig.py b/scripts/artifacts/accountConfig.py
index c2bbcc6b..98c2f493 100644
--- a/scripts/artifacts/accountConfig.py
+++ b/scripts/artifacts/accountConfig.py
@@ -2,7 +2,7 @@
 "accountConfig": {
 "name": "Account Configuration",
 "description": "Extracts account configuration information",
- "author": "@abrignoni",
+ "author": "@AlexisBrignoni",
 "version": "0.2.3",
 "date": "2020-04-30",
 "requirements": "none",
diff --git a/scripts/artifacts/accountData.py b/scripts/artifacts/accountData.py
index dc3579ea..fe00e46d 100644
--- a/scripts/artifacts/accountData.py
+++ b/scripts/artifacts/accountData.py
@@ -1,7 +1,7 @@
 __artifacts_v2__ = {
 "accountData": {
 "name": "Account Data",
- "description": "Extract information about configured user accounts",
+ "description": "Configured user accounts",
 "author": "@AlexisBrignoni",
 "version": "0.4.3",
 "date": "2020-04-30",
@@ -19,36 +19,36 @@
 @artifact_processor
 def accountData(files_found, report_folder, seeker, wrap_text, timezone_offset):
 data_list = []
- data_headers = ()
- source_path = ''
+ db_file = ''
 for file_found in files_found:
- source_path = str(file_found)
 if file_found.endswith('Accounts3.sqlite'):
+ db_file = file_found
 break
- db = open_sqlite_db_readonly(file_found)
- cursor = db.cursor()
-
- cursor.execute('''
- SELECT
- datetime(zdate+978307200,'unixepoch'),
- zaccounttypedescription,
- zusername,
- zaccountdescription,
- zaccount.zidentifier,
- zaccount.zowningbundleid
- FROM zaccount, zaccounttype
- WHERE zaccounttype.z_pk=zaccount.zaccounttype
- ''')
-
- all_rows = cursor.fetchall()
-
- for row in all_rows:
- timestamp = convert_ts_human_to_timezone_offset(row[0], timezone_offset)
- data_list.append((timestamp,row[1],row[2],row[3],row[4],row[5]))
-
- db.close()
+ if db_file:
+ db = open_sqlite_db_readonly(file_found)
+ cursor = db.cursor()
+
+ cursor.execute('''
+ SELECT
+ datetime(zdate+978307200,'unixepoch'),
+ zaccounttypedescription,
+ zusername,
+ zaccountdescription,
+ zaccount.zidentifier,
+ zaccount.zowningbundleid
+ FROM zaccount, zaccounttype
+ WHERE zaccounttype.z_pk=zaccount.zaccounttype
+ ''')
+
+ all_rows = cursor.fetchall()
+
+ for row in all_rows:
+ timestamp = convert_ts_human_to_timezone_offset(row[0], timezone_offset)
+ data_list.append((timestamp,row[1],row[2],row[3],row[4],row[5]))
+
+ db.close()
 data_headers = (
 ('Timestamp', 'datetime'),
@@ -58,4 +58,4 @@ def accountData(files_found, report_folder, seeker, wrap_text, timezone_offset):
 'Identifier',
 'Bundle ID'
 )
- return data_headers, data_list, source_path
+ return data_headers, data_list, db_file
diff --git a/scripts/artifacts/advertisingID.py b/scripts/artifacts/advertisingID.py
index 29c8cbf8..98d97305 100644
--- a/scripts/artifacts/advertisingID.py
+++ b/scripts/artifacts/advertisingID.py
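Review bot: The new `if db_file:` branch still opens the loop variable rather than the path it just selected — it should read `db = open_sqlite_db_readonly(db_file)`. It only works today because the loop breaks on the first match so the two names coincide; a later `continue` or a reworked loop would silently open whatever file was iterated last. Separately, `db.close()` at the end of the branch is skipped whenever `cursor.execute` raises (for example an `OperationalError` on an Accounts3.sqlite whose schema lacks one of the selected columns), leaving a handle open on the evidence file for the rest of the run — wrap the query and fetch in `try:` / `finally: db.close()`. The function continues past this hunk (the `data_headers` tuple and the `return` are in the next hunk).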
@@ -29,4 +29,4 @@ def advertisingID(files_found, report_folder, seeker, wrap_text, timezone_offset
 # Return empty data since this artifact only collects device info
- return (), [], ''
+ return (), [], source_path
diff --git a/scripts/artifacts/airdropId.py b/scripts/artifacts/airdropId.py
index df1dd1f5..98f442e3 100644
--- a/scripts/artifacts/airdropId.py
+++ b/scripts/artifacts/airdropId.py
@@ -28,4 +28,4 @@ def airdropId(files_found, report_folder, seeker, wrap_text, timezone_offset):
 break
 # Return empty data since this artifact only collects device info
- return (), [], ''
+ return (), [], source_path
diff --git a/scripts/artifacts/alarms.py b/scripts/artifacts/alarms.py
index 24c99eca..3540b90f 100644
--- a/scripts/artifacts/alarms.py
+++ b/scripts/artifacts/alarms.py
@@ -45,7 +45,6 @@ def decode_repeat_schedule(repeat_schedule_value):
 @artifact_processor
 def alarms(files_found, report_folder, seeker, wrap_text, timezone_offset):
 data_list = []
- data_headers = ()
 source_path = str(files_found[0])
 with open(source_path, "rb") as plist_file:
diff --git a/scripts/artifacts/allTrails.py b/scripts/artifacts/allTrails.py
index b336c56b..844f6f21 100644
--- a/scripts/artifacts/allTrails.py
+++ b/scripts/artifacts/allTrails.py
@@ -26,7 +26,7 @@
 }
-from scripts.ilapfuncs import artifact_processor, logfunc, open_sqlite_db_readonly, convert_ts_human_to_timezone_offset
+from scripts.ilapfuncs import artifact_processor, open_sqlite_db_readonly, convert_ts_human_to_timezone_offset
 @artifact_processor
 def allTrails_trail_details(files_found, report_folder, seeker, wrap_text, timezone_offset):
diff --git a/scripts/artifacts/appleLocationd.py b/scripts/artifacts/appleLocationd.py
index 49a429b8..db23d2d2 100644
--- a/scripts/artifacts/appleLocationd.py
+++ b/scripts/artifacts/appleLocationd.py
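Review bot: `return (), [], source_path` in airdropId now depends on `source_path` being bound even when no entry of `files_found` satisfied the loop that ends at the visible `break`; the loop head and any initialiser are outside the hunk, so if the name is only assigned inside the loop, an extraction with no matching file raises `NameError` instead of returning an empty result. If that is the case, add `source_path = ''` before the loop, and extend the existing comment to say why the path is still returned, e.g. `# Return empty data since this artifact only collects device info; the path is returned so the wrapper can attribute those values to their source file`. The advertisingID hunk on the same line has the same shape and the same question. Both enclosing functions start outside their hunks.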
@@ -3,8 +3,8 @@
 "name": "Location Services",
 "description": "Extracts location services settings",
 "author": "@AlexisBrignoni",
- "version": "0.1",
- "date": "2024-05-09",
+ "version": "0.2.3",
+ "date": "2023-10-03",
 "requirements": "none",
 "category": "Identifiers",
 "notes": "",
@@ -19,7 +19,6 @@
 @artifact_processor
 def get_applelocationd(files_found, report_folder, seeker, wrap_text, timezone_offset):
 data_list = []
- data_headers = ()
 source_path = str(files_found[0])
 with open(source_path, "rb") as fp:
@@ -40,5 +39,5 @@ def get_applelocationd(files_found, report_folder, seeker, wrap_text, timezone_o
 else:
 data_list.append((key, val))
- data_headers = ('Property','Property Value')
+ data_headers = ('Property', 'Property Value')
 return data_headers, data_list, source_path
diff --git a/scripts/ilapfuncs.py b/scripts/ilapfuncs.py
index 2b2a8807..2cf6345f 100644
--- a/scripts/ilapfuncs.py
+++ b/scripts/ilapfuncs.py
@@ -60,6 +60,7 @@ def wrapper(files_found, report_folder, seeker, wrap_text, timezone_offset):
 artifact_name = artifact_info.get('name', func_name)
 category = artifact_info.get('category', '')
 description = artifact_info.get('description', '')
+ output_types = artifact_info.get('output_types', ['html', 'tsv', 'timeline', 'lava', 'kml'])
 data_headers, data_list, source_path = func(files_found, report_folder, seeker, wrap_text, timezone_offset)
@@ -68,7 +69,6 @@ def wrapper(files_found, report_folder, seeker, wrap_text, timezone_offset):
 elif len(data_list):
 logfunc(f"Found {len(data_list)} records for {artifact_name}")
- output_types = artifact_info.get('output_types', ['html', 'tsv', 'timeline', 'lava', 'kml'])
 # Strip tuples from headers for HTML, TSV, and timeline
 stripped_headers = strip_tuple_from_headers(data_headers)
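Review bot: The appleLocationd metadata hunk raises `"version"` from `0.1` to `0.2.3` while moving `"date"` backwards from `2024-05-09` to `2023-10-03`; a higher version with an earlier date looks like a header copied from another artifact (accountConfig in this same patch also carries `0.2.3`), and this metadata is what the report and the device_info_values table cite for provenance. If `date` records the last change to the module it should be the date of this edit, e.g. `"date": "2024-11-10",`; if it is meant to be the original authoring date, it is the version bump that needs reconsidering. Either way, confirm against the project's convention since it is not visible here. The `__artifacts_v2__` dict starts outside the hunk.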
@@ -94,7 +94,8 @@ def wrapper(files_found, report_folder, seeker, wrap_text, timezone_offset):
 kmlgen(report_folder, artifact_name, data_list, stripped_headers)
 else:
- logfunc(f"No {artifact_name} data available")
+ if output_types != 'none':
+ logfunc(f"No {artifact_name} data available")
 return data_headers, data_list, source_path
 return wrapper
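Review bot: `if output_types != 'none':` compares against a bare string, but `output_types` defaults to a list in the earlier hunk and is otherwise probed with `in` per format, so this guard only suppresses the "No ... data available" line when an artifact spells its metadata exactly as the string `'none'`; `['none']`, `'None'` or `'NONE'` still log the spurious message for device-info-only artifacts, and a `'none'` string that reaches the `in` checks only works by accident of substring matching. Normalise once where the value is read, `if isinstance(output_types, str): output_types = [output_types.lower()]` right after the `artifact_info.get('output_types', ...)` line, then write this guard as `if 'none' not in output_types:`. Add a short comment at the default explaining that `'none'` (or `['none']`) marks an artifact that only contributes device-info values and produces no report. `wrapper` starts before the hunk; the decorator that returns it ends at the visible `return wrapper`.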