Merge pull request #971 from Johann-PLW/main

Update callHistory.py - Merging callHistoryTemp into callHistory
abrignoni · Dec 13, 2024 · aae5687 · aae5687
2 parents 0665cd4 + 39e690d
commit aae5687
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 160 deletions.
diff --git a/scripts/artifacts/callHistory.py b/scripts/artifacts/callHistory.py
@@ -2,13 +2,15 @@
     "callHistory": {
         "name": "Call History",
         "description": "Extract Call History",
-        "author": "@AlexisBrignoni",
-        "version": "0.7",
+        "author": "@AlexisBrignoni - @JohnHyla",
+        "version": "0.8",
         "date": "2020-04-30",
         "requirements": "none",
         "category": "Call History",
         "notes": "",
-        "paths": ('*/mobile/Library/CallHistoryDB/CallHistory.storedata*','*/mobile/Library/CallHistoryDB/call_history.db*',),
+        "paths": (
+            '*/mobile/Library/CallHistoryDB/CallHistory*', 
+            '*/mobile/Library/CallHistoryDB/call_history.db*'),
         "output_types": "standard",
         "artifact_icon": "phone-call"
     }
@@ -23,11 +25,15 @@
 
 @artifact_processor
 def callHistory(files_found, report_folder, seeker, wrap_text, timezone_offset):
-    source_path = ""
-    storedata_path = get_file_path(files_found, "CallHistory.storedata")
-    db_path = get_file_path(files_found, "call_history.db")
+    source_path = ''
     data_list = []
 
+    db_path = get_file_path(files_found, "CallHistory.storedata")
+    temp_db_path = get_file_path(files_found, "CallHistoryTemp.storedata")
+    old_db_path = get_file_path(files_found, "call_history.db")
+    records = []
+    records_in_both_db = False
+
     #call_history.db schema taken from here https://avi.alkalay.net/2011/12/iphone-call-history.html 
     query = '''
     select
@@ -69,7 +75,7 @@ def callHistory(files_found, report_folder, seeker, wrap_text, timezone_offset):
     from ZCALLRECORD
     '''
 
-    query_old = '''
+    old_query = '''
     select
     datetime(date, 'unixepoch'),
     CASE
@@ -98,15 +104,21 @@ def callHistory(files_found, report_folder, seeker, wrap_text, timezone_offset):
     from call
     '''
 
-    if storedata_path:
-        source_path = storedata_path
-    else:
-        source_path = db_path
-        query = query_old
-
-    db_records = get_sqlite_db_records(source_path, query)
-
-    for record in db_records:
+    db_records = get_sqlite_db_records(db_path, query)
+    temp_db_records = get_sqlite_db_records(temp_db_path, query)
+    if db_path or temp_db_path:
+        if db_records and temp_db_records:
+            source_path = "Source file path in the report below"
+            records_in_both_db = True
+            records = [tuple(list(record) + [db_path]) for record in db_records] + [tuple(list(record) + [temp_db_path]) for record in temp_db_records]
+        else:
+            records = db_records if db_records else temp_db_records
+            source_path = db_path if db_path else temp_db_path
+    elif old_db_path:
+        records = get_sqlite_db_records(old_db_path, old_query)
+        source_path = old_db_path if records else ''
+
+    for record in records:
         starting_time = convert_cocoa_core_data_ts_to_utc(record[0])
         ending_time = convert_cocoa_core_data_ts_to_utc(record[1])
 
@@ -116,10 +128,13 @@ def callHistory(files_found, report_folder, seeker, wrap_text, timezone_offset):
 
         facetime_data = convert_bytes_to_unit(record[8])
 
-        data_list.append((starting_time, ending_time, record[2], record[3], record[4], an, record[6], 
-                            record[7], facetime_data, record[9], record[10], record[11]))
+        record_data = [starting_time, ending_time, record[2], record[3], record[4], an, record[6], 
+                            record[7], facetime_data, record[9], record[10], record[11]]
+        if records_in_both_db:
+            record_data.append(record[12])
+        data_list.append(tuple(record_data))
 
-    data_headers = (
+    headers = [
         ('Starting Timestamp', 'datetime'), 
         ('Ending Timestamp', 'datetime'), 
         'Service Provider', 
@@ -132,5 +147,9 @@ def callHistory(files_found, report_folder, seeker, wrap_text, timezone_offset):
         'Disconnected Cause', 
         'ISO Country Code', 
         'Location'
-        )
+        ]
+    if records_in_both_db:
+        headers.append('Source File path')
+
+    data_headers = tuple(headers)
     return data_headers, data_list, source_path
diff --git a/scripts/artifacts/callHistoryTemp.py b/scripts/artifacts/callHistoryTemp.py