Merge pull request #918 from Johann-PLW/main

Lava output updates

admin/docs/device_info_values.md

@@ -19,11 +19,20 @@ This document outlines the various device information collected by iLEAPP module
 | Backup Settings | Last iTunes Backup TZ | backupSettings |
 | Cellular | CDMA Network Phone Number ICCID | celWireless |
 | Cellular | IMEI | celWireless |
+| Cellular | Last Good IMSI | imeiImsi |
+| Cellular | Last Known ICCI | imeiImsi |
 | Cellular | Last Known ICCID | celWireless |
 | Cellular | MEID | celWireless |
+| Cellular | Phone Number | imeiImsi |
 | Cellular | Reported Phone Number | celWireless |
+| Cellular | Self Registration Update IMEI | imeiImsi |
+| Cellular | Self Registration Update IMSI | imeiImsi |
 | Device Information | Device Name | deviceName |
+| Device Information | Device/Computer Name | preferencesPlist |
+| Device Information | Host Name | preferencesPlist |
 | Device Information | IMEIs | deviceDatam |
+| Device Information | Local Host Name | preferencesPlist |
+| Device Information | Model | preferencesPlist |
 | Device Information | Model Number | deviceActivator |
 | Device Information | Product | lastBuild |
 | Device Information | ProductBuildVersion | lastBuild |
@@ -43,28 +52,19 @@ This document outlines the various device information collected by iLEAPP module
 |-----|----------------|
 | BuildID: {val} | Ph99SystemVersionPlist |
 | BuildVersion: {val} | Ph100UFEDdevcievaluesplist, Ph99SystemVersionPlist |
-| Device/Computer Name: {computername} | preferencesPlist |
 | DeviceName: {val} | Ph100UFEDdevcievaluesplist |
 | Find My iPhone Add Time: {addtime} | findMy |
 | Find My iPhone: Enabled | findMy |
 | HardwareModel: {val} | Ph100UFEDdevcievaluesplist |
-| Host Name: {hostname} | preferencesPlist |
 | InternationalMobileEquipmentIdentity: {val} | Ph100UFEDdevcievaluesplist |
 | Last Bootstrap Date: {times} | timezoneInfo |
 | Last Bootstrap Timezone: {val} | timezoneInfo |
-| Last Good IMSI: {lastgoodimsi} | imeiImsi |
-| Last Known ICCI: {lastknownicci} | imeiImsi |
 | MAC Address: {hexstring} - User Defined Name: {userdefinedname} - BSD Name: {bsdname} | wifiIdent |
-| Model: {localhostname} | preferencesPlist |
-| Model: {val} | preferencesPlist |
 | Obliterated Timestamp: {utc_modified_date} | obliterated |
 | PasswordProtected: {val} | Ph100UFEDdevcievaluesplist |
-| Phone Number: {val} | imeiImsi |
 | ProductName: {val} | Ph99SystemVersionPlist |
 | ProductType: {val} | Ph100UFEDdevcievaluesplist |
 | ReleaseType: {val} | Ph99SystemVersionPlist |
-| Self Registration Update IMEI: {selfregistrationupdateimei} | imeiImsi |
-| Self Registration Update IMSI: {selfregitrationupdateimsi} | imeiImsi |
 | Serial Number: {row[0]} | serialNumber |
 | SerialNumber: {val} | Ph100UFEDdevcievaluesplist |
 | SystemImageID: {val} | Ph99SystemVersionPlist |

scripts/artifacts/accountConfig.py

@@ -2,7 +2,7 @@
     "accountConfig": {
         "name": "Account Configuration",
         "description": "Extracts account configuration information",
-        "author": "@abrignoni",
+        "author": "@AlexisBrignoni",
         "version": "0.2.3",
         "date": "2020-04-30",
         "requirements": "none",

scripts/artifacts/accountData.py

@@ -1,7 +1,7 @@
 __artifacts_v2__ = {
     "accountData": {
         "name": "Account Data",
-        "description": "Extract information about configured user accounts",
+        "description": "Configured user accounts",
         "author": "@AlexisBrignoni",
         "version": "0.4.3",
         "date": "2020-04-30",
@@ -19,36 +19,36 @@
 @artifact_processor
 def accountData(files_found, report_folder, seeker, wrap_text, timezone_offset):
     data_list = []
-    data_headers = ()
-    source_path = ''
+    db_file = ''
 
     for file_found in files_found:
-        source_path = str(file_found)    
         if file_found.endswith('Accounts3.sqlite'):
+            db_file = file_found
             break
 
-    db = open_sqlite_db_readonly(file_found)
-    cursor = db.cursor()
-
-    cursor.execute('''
-    SELECT
-        datetime(zdate+978307200,'unixepoch'),
-        zaccounttypedescription,
-        zusername,
-        zaccountdescription,
-        zaccount.zidentifier,
-        zaccount.zowningbundleid
-    FROM zaccount, zaccounttype 
-    WHERE zaccounttype.z_pk=zaccount.zaccounttype
-    ''')
-
-    all_rows = cursor.fetchall()
-
-    for row in all_rows:
-        timestamp = convert_ts_human_to_timezone_offset(row[0], timezone_offset)
-        data_list.append((timestamp,row[1],row[2],row[3],row[4],row[5]))                
-
-    db.close()
+    if db_file:
+        db = open_sqlite_db_readonly(file_found)
+        cursor = db.cursor()
+
+        cursor.execute('''
+        SELECT
+            datetime(zdate+978307200,'unixepoch'),
+            zaccounttypedescription,
+            zusername,
+            zaccountdescription,
+            zaccount.zidentifier,
+            zaccount.zowningbundleid
+        FROM zaccount, zaccounttype 
+        WHERE zaccounttype.z_pk=zaccount.zaccounttype
+        ''')
+
+        all_rows = cursor.fetchall()
+
+        for row in all_rows:
+            timestamp = convert_ts_human_to_timezone_offset(row[0], timezone_offset)
+            data_list.append((timestamp,row[1],row[2],row[3],row[4],row[5]))                
+
+        db.close()
 
     data_headers = (
         ('Timestamp', 'datetime'), 
@@ -58,4 +58,4 @@ def accountData(files_found, report_folder, seeker, wrap_text, timezone_offset):
         'Identifier', 
         'Bundle ID'
         )
-    return data_headers, data_list, source_path
+    return data_headers, data_list, db_file

scripts/artifacts/advertisingID.py

@@ -29,4 +29,4 @@ def advertisingID(files_found, report_folder, seeker, wrap_text, timezone_offset
 
 
     # Return empty data since this artifact only collects device info
-    return (), [], ''
+    return (), [], source_path

scripts/artifacts/airdropId.py

@@ -28,4 +28,4 @@ def airdropId(files_found, report_folder, seeker, wrap_text, timezone_offset):
                 break
 
     # Return empty data since this artifact only collects device info
-    return (), [], ''
+    return (), [], source_path

scripts/artifacts/alarms.py

@@ -45,7 +45,6 @@ def decode_repeat_schedule(repeat_schedule_value):
 @artifact_processor
 def alarms(files_found, report_folder, seeker, wrap_text, timezone_offset):
     data_list = []
-    data_headers = ()
     source_path = str(files_found[0])
 
     with open(source_path, "rb") as plist_file:

scripts/artifacts/allTrails.py

@@ -26,7 +26,7 @@
 }
 
 
-from scripts.ilapfuncs import artifact_processor, logfunc, open_sqlite_db_readonly, convert_ts_human_to_timezone_offset
+from scripts.ilapfuncs import artifact_processor, open_sqlite_db_readonly, convert_ts_human_to_timezone_offset
 
 @artifact_processor
 def allTrails_trail_details(files_found, report_folder, seeker, wrap_text, timezone_offset):

scripts/artifacts/appleLocationd.py

@@ -3,8 +3,8 @@
         "name": "Location Services",
         "description": "Extracts location services settings",
         "author": "@AlexisBrignoni",
-        "version": "0.1",
-        "date": "2024-05-09",
+        "version": "0.2.3",
+        "date": "2023-10-03",
         "requirements": "none",
         "category": "Identifiers",
         "notes": "",
@@ -19,7 +19,6 @@
 @artifact_processor
 def get_applelocationd(files_found, report_folder, seeker, wrap_text, timezone_offset):
     data_list = []
-    data_headers = ()
     source_path = str(files_found[0])
 
     with open(source_path, "rb") as fp:
@@ -40,5 +39,5 @@ def get_applelocationd(files_found, report_folder, seeker, wrap_text, timezone_o
             else:
                 data_list.append((key, val))
 
-    data_headers = ('Property','Property Value')     
+    data_headers = ('Property', 'Property Value')     
     return data_headers, data_list, source_path

scripts/artifacts/preferencesPlist.py

@@ -1,48 +1,45 @@
-import datetime
-import os
-import plistlib
+__artifacts_v2__ = {
+    "preferencesPlist": {
+        "name": "Preferences PList",
+        "description": "Extract Device information",
+        "author": "@AlexisBrignoni",
+        "version": "0.2",
+        "date": "2023-09-30",
+        "requirements": "none",
+        "category": "Identifiers",
+        "notes": "",
+        "paths": ('*preferences/SystemConfiguration/preferences.plist', ),
+        "output_types": ["html", "tsv", "lava"]
+    }
+}
+
 
-from scripts.artifact_report import ArtifactHtmlReport
-from scripts.ilapfuncs import logfunc, logdevinfo, tsv, is_platform_windows 
+import plistlib
+from scripts.ilapfuncs import artifact_processor, device_info
 
-def get_preferencesPlist(files_found, report_folder, seeker, wrap_text, timezone_offset):
+@artifact_processor
+def preferencesPlist(files_found, report_folder, seeker, wrap_text, timezone_offset):
     data_list = []
-    file_found = str(files_found[0])
-    with open(file_found, "rb") as fp:
+    source_path = str(files_found[0])
+    with open(source_path, "rb") as fp:
         pl = plistlib.load(fp)
         for key, val in pl.items():
-
             if key == ("Model"):
                 data_list.append((key, val))
-                logfunc(f"Model: {val}")
-                logdevinfo(f"<b>Model: </b>{val}")
+                device_info("Device Information", "Model", val, source_path)
 
             if key == "System":
                 localhostname = val['Network']['HostNames']['LocalHostName']
                 data_list.append(('Local Host Name', localhostname ))
-                logdevinfo(f"<b>Model: </b>{localhostname }")
+                device_info("Device Information", "Local Host Name", localhostname, source_path)
 
                 computername = val['System']['ComputerName']
                 data_list.append(('Device/Computer Name', computername))
-                logdevinfo(f"<b>Device/Computer Name: </b>{computername}")
+                device_info("Device Information", "Device/Computer Name", computername, source_path)
 
                 hostname = val['System']['HostName']
                 data_list.append(('Host Name', hostname ))
-                logdevinfo(f"<b>Host Name: </b>{hostname }")
-
-    report = ArtifactHtmlReport('Device Preferences Plist')
-    report.start_artifact_report(report_folder, 'Device Preferences Plist')
-    report.add_script()
-    data_headers = ('Key','Values' )     
-    report.write_artifact_data_table(data_headers, data_list, file_found)
-    report.end_artifact_report()
-
-    tsvname = 'Device Preferences Plist'
-    tsv(report_folder, data_headers, data_list, tsvname)
+                device_info("Device Information", "Host Name", hostname, source_path)
 
-__artifacts__ = {
-    "preferencesPlist": (
-        "Identifiers",
-        ('*preferences/SystemConfiguration/preferences.plist'),
-        get_preferencesPlist)
-}
+    data_headers = ('Property','Property Value' )
+    return data_headers, data_list, source_path

scripts/artifacts/timezoneSet.py

@@ -0,0 +1,32 @@
+__artifacts_v2__ = {
+    "timezoneSet": {
+        "name": "Timezone Set",
+        "description": "Is the timezone set on the device?",
+        "author": "@AlexisBrignoni",
+        "version": "0.2",
+        "date": "2023-10-04",
+        "requirements": "none",
+        "category": "Identifiers",
+        "notes": "",
+        "paths": ('*/db/timed/Library/Preferences/com.apple.preferences.datetime.plist',),
+        "output_types": "none"
+    }
+}
+
+
+import plistlib
+from scripts.ilapfuncs import artifact_processor, device_info, logdevinfo
+
+@artifact_processor
+def timezoneSet(files_found, report_folder, seeker, wrap_text, timezone_offset):
+    source_path = str(files_found[0])
+
+    with open(source_path, "rb") as fp:
+        pl = plistlib.load(fp)
+        for key, val in pl.items():
+            if key == 'timezoneset':
+                device_info("Settings", "Timezone Set", val, source_path)
+                break
+
+    # Return empty data since this artifact only collects device info
+    return (), [], source_path

scripts/ilapfuncs.py

@@ -60,6 +60,7 @@ def wrapper(files_found, report_folder, seeker, wrap_text, timezone_offset):
         artifact_name = artifact_info.get('name', func_name)
         category = artifact_info.get('category', '')
         description = artifact_info.get('description', '')
+        output_types = artifact_info.get('output_types', ['html', 'tsv', 'timeline', 'lava', 'kml'])
 
         data_headers, data_list, source_path = func(files_found, report_folder, seeker, wrap_text, timezone_offset)
 
@@ -68,7 +69,6 @@ def wrapper(files_found, report_folder, seeker, wrap_text, timezone_offset):
 
         elif len(data_list):
             logfunc(f"Found {len(data_list)} records for {artifact_name}")
-            output_types = artifact_info.get('output_types', ['html', 'tsv', 'timeline', 'lava', 'kml'])
 
             # Strip tuples from headers for HTML, TSV, and timeline
             stripped_headers = strip_tuple_from_headers(data_headers)
@@ -94,7 +94,8 @@ def wrapper(files_found, report_folder, seeker, wrap_text, timezone_offset):
                 kmlgen(report_folder, artifact_name, data_list, stripped_headers)
 
         else:
-            logfunc(f"No {artifact_name} data available")
+            if output_types != 'none':
+                logfunc(f"No {artifact_name} data available")
 
         return data_headers, data_list, source_path
     return wrapper

scripts/report_icons.py

@@ -505,6 +505,7 @@
     'ICLOUD SHARED ALBUMS': 'cloud',
     'IDENTIFIERS': {
         'IOS MESSAGE RETENTION': 'message-circle',
+        'PREFERENCES PLIST': 'settings',
         'default': 'file',
     },
     'IDENTITY LOOKUP SERVICE': 'user-check',
@@ -791,7 +792,6 @@
     },
     'POWERLOG': 'power',
     'POWERLOG BACKUPS': 'power',
-    'PREFERENCES PLIST': 'file',
     'PRIVACY DASHBOARD': 'eye',
     'PROTON MAIL': 'mail',
     'PROTONMAIL': {