Merge pull request #896 from JamesHabben/lava-output

update conDev

admin/test/cases/testdata.connectedDevices.json

@@ -0,0 +1,31 @@
+{
+  "belkasoft_ctf6_ios_device1": {
+    "description": "",
+    "maker": "",
+    "make_data": {
+      "input_data_path": "/Users/jameshabben/Documents/phone-images/belkasoft/BelkaCTF_6_CASE240405_D201AP.tar",
+      "os": "macOS-15.0-x86_64-i386-64bit",
+      "timestamp": "2024-10-23T09:45:39.397150",
+      "last_commit": {
+        "hash": "69ac7b29473ce1c743e18b67d635970f1d54742a",
+        "author_name": "James Habben",
+        "author_email": "james@wmif.net",
+        "date": "2024-10-23T09:34:15-07:00",
+        "message": "Update connectedDevices.py"
+      }
+    },
+    "artifacts": {
+      "conDev": {
+        "search_patterns": [
+          "*/iTunes_Control/iTunes/iTunesPrefs"
+        ],
+        "file_count": 1,
+        "expected_output": {
+          "headers": [],
+          "data": []
+        }
+      }
+    },
+    "image_name": "belkasoft_ctf6_ios_device1"
+  }
+}

admin/test/results/connectedDevices/connectedDevices.conDev.belkasoft_ctf6_ios_device1.20241023174502.json

@@ -0,0 +1,42 @@
+{
+  "metadata": {
+    "module_name": "connectedDevices",
+    "artifact_name": "Connected Devices",
+    "function_name": "conDev",
+    "case_number": "belkasoft_ctf6_ios_device1",
+    "number_of_columns": 4,
+    "number_of_rows": 2,
+    "total_data_size_bytes": 66,
+    "input_zip_path": "admin/test/cases/data/connectedDevices/testdata.connectedDevices.conDev.belkasoft_ctf6_ios_device1.zip",
+    "start_time": "2024-10-23T17:45:02.496483+00:00",
+    "end_time": "2024-10-23T17:45:02.541042+00:00",
+    "run_time_seconds": 0.00015616416931152344,
+    "last_commit": {
+      "hash": "69ac7b29473ce1c743e18b67d635970f1d54742a",
+      "author_name": "James Habben",
+      "author_email": "james@wmif.net",
+      "date": "2024-10-23T09:34:15-07:00",
+      "message": "Update connectedDevices.py"
+    }
+  },
+  "headers": [
+    "User Name",
+    "Computer Name",
+    "File Offset",
+    "Source File"
+  ],
+  "data": [
+    [
+      "user",
+      "DESKTOP-0CBP2ID",
+      "384",
+      "iTunesPrefs"
+    ],
+    [
+      "user",
+      "DESKTOP-0CBP2ID",
+      "661",
+      "iTunesPrefs"
+    ]
+  ]
+}

admin/test/scripts/test_module.py

@@ -4,6 +4,7 @@
 import importlib
 import json
 from unittest.mock import MagicMock, patch
+from contextlib import ExitStack
 from pathlib import Path
 from datetime import datetime, timezone, date
 import time
@@ -16,16 +17,13 @@
 sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..', '..')))
 import scripts.ilapfuncs as ilapfuncs
 
-def mock_environment():
-    # Create mock objects for things we want to fake
-    mock_seeker = MagicMock()
-    mock_wrap_text = MagicMock()
-    mock_logdevinfo = MagicMock()
-
-    return mock_seeker, mock_wrap_text, mock_logdevinfo
+def mock_logdevinfo(message):
+    print(f"[LOGDEVINFO] {message}")
+
+def mock_logfunc(message):
+    print(f"[LOGFUNC] {message}")
 
 def process_artifact(zip_path, module_name, artifact_name, artifact_data):
-    # Import the module
     module = importlib.import_module(f'scripts.artifacts.{module_name}')
 
     # Get the function to test
@@ -38,10 +36,10 @@ def process_artifact(zip_path, module_name, artifact_name, artifact_data):
 
     # Prepare mock objects
     mock_report_folder = 'mock_report_folder'
-    mock_seeker, mock_wrap_text, mock_logdevinfo = mock_environment()
+    mock_seeker = MagicMock()
+    mock_wrap_text = MagicMock()
     timezone_offset = 'UTC'
 
-    # Prepare a list to hold all files
     all_files = []
 
     # Create the base temp directory if it doesn't exist
@@ -54,7 +52,6 @@ def process_artifact(zip_path, module_name, artifact_name, artifact_data):
     # Get the module file path
     module_file_path = module.__file__
 
-    # Get the last commit information
     last_commit_info = get_last_commit_info(module_file_path)
 
     try:
@@ -67,17 +64,23 @@ def process_artifact(zip_path, module_name, artifact_name, artifact_data):
                 for file in files:
                     all_files.append(os.path.join(root, file))
 
-        # Call the original function directly, with mocked logdevinfo
-        with patch('scripts.ilapfuncs.logdevinfo', mock_logdevinfo), \
-             patch('scripts.artifacts.{}.logdevinfo'.format(module_name), mock_logdevinfo):
+        patches = [
+            patch('scripts.ilapfuncs.logdevinfo', mock_logdevinfo),
+            patch(f'scripts.artifacts.{module_name}.logdevinfo', mock_logdevinfo, create=True),
+            patch(f'scripts.artifacts.{module_name}.logfunc', mock_logfunc, create=True)
+        ]
+
+        with ExitStack() as stack:
+            for p in patches:
+                stack.enter_context(p)
+
             start_time = time.time()
             data_headers, data_list, _ = original_func(all_files, mock_report_folder, mock_seeker, mock_wrap_text, timezone_offset)
             end_time = time.time()
 
         return data_headers, data_list, end_time - start_time, last_commit_info
 
     finally:
-        # Clean up temp directory
         if temp_dir.exists():
             shutil.rmtree(temp_dir, ignore_errors=True)
 

scripts/artifacts/connectedDevices.py

@@ -0,0 +1,75 @@
+__artifacts_v2__ = {
+    "conDev": {
+        "name": "Connected Devices",
+        "description": "Extracts information about connected devices from iTunes preferences",
+        "author": "",
+        "version": "1.0",
+        "date": "2024-10-23",
+        "requirements": "none",
+        "category": "Connected Devices",
+        "notes": "",
+        "paths": ('*/iTunes_Control/iTunes/iTunesPrefs',),
+        "output_types": "standard"
+    }
+}
+
+from scripts.ilapfuncs import logfunc, artifact_processor
+import os
+
+MAGIC_BYTES = b"\x01\x01\x80\x00\x00"
+MAGIC_OFFSET = 92
+NAME_OFFSET = 157
+
+@artifact_processor
+def conDev(files_found, report_folder, seeker, wrap_text, timezone_offset):
+    data_list = []
+    data_headers = ('User Name', 'Computer Name', 'File Offset', 'Source File')
+    source_path = ''
+
+    for file_found in files_found:
+        source_path = file_found
+        with open(file_found, "rb") as f:
+            data = f.read()
+
+        logfunc(f"Data being interpreted for FRPD is of type: {type(data)}")
+
+        magic_index = data.find(MAGIC_BYTES)
+        if magic_index == -1:
+            logfunc("Magic bytes not found in iTunes Prefs FRPD")
+            continue
+
+        logfunc("Found magic bytes in iTunes Prefs FRPD... Finding Usernames and Desktop names now")
+
+        names = []
+        current_name = bytearray()
+        name_start_offset = magic_index + MAGIC_OFFSET
+        for i, byte in enumerate(data[name_start_offset:]):
+            if byte == 0:
+                if current_name:
+                    names.append((current_name.decode(), name_start_offset + i - len(current_name)))
+                    current_name = bytearray()
+                    name_start_offset = name_start_offset + i + 1
+            else:
+                current_name.append(byte)
+
+        # Process names in pairs
+        for i in range(0, len(names), 2):
+            if i + 1 < len(names):
+                user_name, user_offset = names[i]
+                computer_name, _ = names[i+1]
+                data_list.append((
+                    user_name,
+                    computer_name,
+                    str(user_offset),
+                    os.path.basename(file_found)
+                ))
+            else:
+                user_name, user_offset = names[i]
+                data_list.append((
+                    user_name,
+                    '',
+                    str(user_offset),
+                    os.path.basename(file_found)
+                ))
+
+    return data_headers, data_list, source_path