Merge pull request #1002 from Johann-PLW/main

Update wire.py for lava output
abrignoni · Jan 5, 2025 · b4863d5 · b4863d5
2 parents a5e793f + cfbcc0a
commit b4863d5
Showing 1 changed file with 74 additions and 94 deletions.
diff --git a/scripts/artifacts/wire.py b/scripts/artifacts/wire.py
@@ -1,85 +1,78 @@
 __artifacts_v2__ = {
-    "wire": {
-        "name": "Wire Artifacts",
-        "description": "Get Wire",
+    "wireAccount": {
+        "name": "Wire Account",
+        "description": "Wire account details",
         "author": "Elliot Glendye",
-        "version": "0.0.1",
-        "date": "2024-01-17",
+        "creation_date": "2024-01-21",
+        "last_update_date": "2025-01-03",
         "requirements": "",
         "category": "Wire",
-        "notes": "No notes at present.",
-        "paths": ('**/store.wiredatabase*'),
-        "function": "get_wire"
+        "notes": "",
+        "paths": ('*/mobile/Containers/Shared/AppGroup/*/AccountData/*/store/store.wiredatabase*'),
+        "output_types": "all",
+        "artifact_icon": "user"
+    },
+    "wireMessages": {
+        "name": "Wire Messages",
+        "description": "Wire messages, including message sender, associated user identifiers and message type",
+        "author": "Elliot Glendye",
+        "creation_date": "2024-01-21",
+        "last_update_date": "2025-01-03",
+        "requirements": "",
+        "category": "Wire",
+        "notes": "",
+        "paths": ('*/mobile/Containers/Shared/AppGroup/*/AccountData/*/store/store.wiredatabase*'),
+        "output_types": "standard",
+        "artifact_icon": "message-circle"
     }
 }
 
-import scripts.artifacts.artGlobals
-import sqlite3
-from packaging import version
-from scripts.artifact_report import ArtifactHtmlReport
-from scripts.ilapfuncs import logfunc, tsv, open_sqlite_db_readonly
+from scripts.ilapfuncs import artifact_processor, get_file_path, get_sqlite_db_records, convert_cocoa_core_data_ts_to_utc
 
-def get_wire(files_found, report_folder, seeker, wrap_text, timezone_offset):
-
-    for file_found in files_found:
-        file_found = str(file_found)
-
-        iOSversion = scripts.artifacts.artGlobals.versionf
-        if version.parse(iOSversion) < version.parse('15'):
-            logfunc('Wire parsing has not been tested on iOS version ' + iOSversion)
-
-        if file_found.endswith('store.wiredatabase'):
-            break
-
-        else:
-            continue
-
-    db = open_sqlite_db_readonly(file_found)
-
-    account_query = ('''
-    SELECT DISTINCT
-        ZUSER.ZHANDLE AS 'User ID',
+@artifact_processor
+def wireAccount(files_found, report_folder, seeker, wrap_text, timezone_offset):
+    source_path = get_file_path(files_found, "store.wiredatabase")
+    data_list = []
+
+    query = '''
+    SELECT
+        DISTINCT ZUSER.ZHANDLE AS 'User ID',
         ZUSER.ZNAME AS 'Display Name',
-        datetime(ZUSERCLIENT.ZACTIVATIONDATE + 978307200, 'unixepoch') AS 'Activation Date',
+        ZUSERCLIENT.ZACTIVATIONDATE AS 'Activation Date',
         ZUSER.ZPHONENUMBER AS 'Phone Number',
         ZUSER.ZEMAILADDRESS AS 'Email Address',
         ZUSERCLIENT.ZACTIVATIONLOCATIONLATITUDE AS 'Activation Latitude',
         ZUSERCLIENT.ZACTIVATIONLOCATIONLONGITUDE AS 'Activation Longitude'
     FROM ZUSER
-        LEFT JOIN ZUSERCLIENT ON ZUSER.Z_PK = ZUSERCLIENT.ZUSER;
-    ''')
-
-    cursor = db.cursor()
-    cursor.execute(account_query)
-
-    all_rows = cursor.fetchall()
-    usageentries = len(all_rows)
-    data_list = []
-    print(data_list)
-
-    if usageentries > 0:
-        for row in all_rows:
-            data_list.append((row[0], row[1], row[2], row[3], row[4], row[5], row[6]))
-
-            description = 'A report of Wire account details.'
+    LEFT JOIN ZUSERCLIENT ON ZUSER.Z_PK = ZUSERCLIENT.ZUSER;
+    '''
 
-            report = ArtifactHtmlReport('Wire Account')
-            report.start_artifact_report(report_folder, 'Wire Account', description)
-            report.add_script()
-            data_headers = ('User ID', 'Display Name', 'Activation Date', 'Phone Number', 'Email Address', 'Activation Latitude', 'Activation Longitude')
-            report.write_artifact_data_table(data_headers, data_list, file_found)
-            report.end_artifact_report()
-
-            tsvname = 'Wire Account'
-            tsv(report_folder, data_headers, data_list, tsvname)
+    data_headers = (
+        'User ID', 
+        'Display Name', 
+        ('Activation Date', 'datetime'), 
+        ('Phone Number', 'phonenumber'), 
+        'Email Address', 
+        'Latitude', 
+        'Longitude'
+        )
+
+    db_records = get_sqlite_db_records(source_path, query)
+
+    for record in db_records:
+        activation_date = convert_cocoa_core_data_ts_to_utc(record[2])
+        data_list.append((record[0], record[1], activation_date, record[3], record[4], record[5], record[6]))
 
-    else:
-        logfunc('No Wire account details present')
-
+    return data_headers, data_list, source_path    
 
-    message_query = ('''
+@artifact_processor
+def wireMessages(files_found, report_folder, seeker, wrap_text, timezone_offset):
+    source_path = get_file_path(files_found, "store.wiredatabase")
+    data_list = []
+
+    query = '''
     SELECT
-        datetime(ZMESSAGE.ZSERVERTIMESTAMP + 978307200, 'unixepoch') AS 'Date / Time',
+        ZMESSAGE.ZSERVERTIMESTAMP AS 'Date / Time',
         ZUSER.ZHANDLE AS 'User ID',
         ZUSER.ZNAME AS 'Display Name',
         ZMESSAGE.ZNORMALIZEDTEXT AS 'Message',
@@ -91,35 +84,22 @@ def get_wire(files_found, report_folder, seeker, wrap_text, timezone_offset):
         END AS 'Message Type',
         ZMESSAGE.ZDURATION AS 'Call Duration (seconds)'
     FROM ZMESSAGE
-        LEFT Join ZUSER On ZUSER.Z_PK = ZMESSAGE.ZSENDER
-        WHERE ZMESSAGE.ZCACHEDCATEGORY != 1;
-    ''')
+    LEFT Join ZUSER On ZUSER.Z_PK = ZMESSAGE.ZSENDER
+    WHERE ZMESSAGE.ZCACHEDCATEGORY != 1;
+    '''
 
-    cursor = db.cursor()
-    cursor.execute(message_query)
-
-    all_rows = cursor.fetchall()
-    usageentries = len(all_rows)
-    data_list = []
+    data_headers = (
+        ('Date / Time', 'datetime'), 
+        'User ID', 
+        'Display Name', 
+        'Message', 
+        'Message Type', 
+        'Call Duration (seconds)')
+
+    db_records = get_sqlite_db_records(source_path, query)
 
-    if usageentries > 0:
-        for row in all_rows:
-            data_list.append((row[0], row[1], row[2], row[3], row[4], row[5]))
-
-            description = 'A report of Wire messages, including message sender, associated user identifiers and message type.'
-
-            report = ArtifactHtmlReport('Wire Messages')
-            report.start_artifact_report(report_folder, 'Wire Messages', description)
-            report.add_script()
-            data_headers = ('Date / Time', 'User ID', 'Display Name', 'Message', 'Message Type', 'Call Duration (seconds)')
-            report.write_artifact_data_table(data_headers, data_list, file_found)
-            report.end_artifact_report()
-
-            tsvname = 'Wire Messages'
-            tsv(report_folder, data_headers, data_list, tsvname)
-
-    else:
-        logfunc('No Wire messages present')
-
-    db.close()
-    return
+    for record in db_records:
+        date_time = convert_cocoa_core_data_ts_to_utc(record[0])
+        data_list.append((date_time, record[1], record[2], record[3], record[4], record[5]))
+
+    return data_headers, data_list, source_path