Merge pull request #987 from Johann-PLW/main

Update bluetoothPairedReg.py - Fix Last Seen timestamp

ileappGUI.py

@@ -135,7 +135,7 @@ def ValidateInput():
     else:
         ext_type = Path(i_path).suffix[1:].lower()
 
-        # check output now
+    # check output now
     if len(o_path) == 0:  # output folder
         tk_msgbox.showerror(title='Error', message='No OUTPUT folder selected!', parent=main_window)
         return False, ext_type
@@ -536,8 +536,6 @@ def load_case():
 log_text.grid(row=0, column=0, padx=4, pady=10, sticky='we')
 vlog.config(command=log_text.yview)
 
-close_frame = ttk.Frame(main_window)
-
 ### Progress bar
 progress_bar = ttk.Progressbar(main_window, orient='horizontal')
 

scripts/artifacts/bluetoothPairedReg.py

@@ -17,7 +17,7 @@
 import plistlib
 import datetime
 
-from scripts.ilapfuncs import artifact_processor, convert_unix_ts_to_utc
+from scripts.ilapfuncs import artifact_processor, convert_unix_ts_to_str
 
 
 @artifact_processor
@@ -31,7 +31,7 @@ def get_bluetoothPairedReg(files_found, report_folder, seeker, wrap_text, timezo
             for x in plist.items():
                 macaddress = x[0]
                 if 'LastSeenTime' in x[1]:
-                    lastseen = convert_unix_ts_to_utc(x[1]['LastSeenTime'])
+                    lastseen = convert_unix_ts_to_str(x[1]['LastSeenTime'])
                 else:
                     lastseen = ''
                 if 'UserNameKey' in x[1]:
@@ -54,6 +54,6 @@ def get_bluetoothPairedReg(files_found, report_folder, seeker, wrap_text, timezo
 
                 data_list.append((lastseen, macaddress, usernkey, nameu, deviceid, defname))
 
-        data_headers = ('Last Seen Time','MAC Address','Name Key','Name','Device Product ID','Default Name' )     
+        data_headers = ('Last Seen Time', 'MAC Address', 'Name Key', 'Name', 'Device Product ID', 'Default Name' )     
 
         return data_headers, data_list, file_found

scripts/ilapfuncs.py

@@ -178,21 +178,34 @@ def convert_ts_int_to_timezone(time, time_offset):
     #return the converted value
     return timezone_time
 
-def convert_cocoa_core_data_ts_to_utc(cocoa_core_data_ts):
-    if cocoa_core_data_ts:
-        unix_timestamp = cocoa_core_data_ts + 978307200
-        finaltime = datetime.fromtimestamp(unix_timestamp, tz=timezone.utc)
-        return(finaltime)
+def convert_unix_ts_in_seconds(ts):
+    digits = int(math.log10(ts))+1
+    if digits > 10:
+        extra_digits = digits - 10
+        ts = ts // 10**extra_digits
+    return ts
+
+def convert_unix_ts_to_utc(ts):
+    if ts:
+        ts = convert_unix_ts_in_seconds(ts)
+        return datetime.fromtimestamp(ts, tz=timezone.utc)
     else:
-        return cocoa_core_data_ts
+        return ts
 
-def convert_unix_ts_to_utc(ts): #This int timestamp to human format & utc
+def convert_unix_ts_to_str(ts):
     if ts:
-        timestamp = datetime.fromtimestamp(ts, tz=timezone.utc)
-        return timestamp
+        ts = convert_unix_ts_in_seconds(ts)
+        return datetime.fromtimestamp(ts, UTC).strftime('%Y-%m-%d %H:%M:%S')
     else:
         return ts
 
+def convert_cocoa_core_data_ts_to_utc(cocoa_core_data_ts):
+    if cocoa_core_data_ts:
+        unix_timestamp = cocoa_core_data_ts + 978307200
+        convert_unix_ts_to_utc(unix_timestamp)
+    else:
+        return cocoa_core_data_ts
+
 def webkit_timestampsconv(webkittime):
     unix_timestamp = webkittime + 978307200
     finaltime = datetime.fromtimestamp(unix_timestamp, tz=timezone.utc)