From 97af6339dcc50e08d2c75dc2577e60a8fe956eda Mon Sep 17 00:00:00 2001 From: Johann POLEWCZYK Date: Fri, 20 Dec 2024 08:02:46 +0100 Subject: [PATCH 1/4] Update appGrouplisting.py - artifact_v2 and Plist files handling functions --- scripts/artifacts/appGrouplisting.py | 64 +++++++++------------------- 1 file changed, 19 insertions(+), 45 deletions(-) diff --git a/scripts/artifacts/appGrouplisting.py b/scripts/artifacts/appGrouplisting.py index 34ae0d81..3e15d49b 100644 --- a/scripts/artifacts/appGrouplisting.py +++ b/scripts/artifacts/appGrouplisting.py 
@@ -1,64 +1,38 @@ __artifacts_v2__ = { - "get_appGrouplisting": { + "appGrouplisting": { "name": "Bundle ID by AppGroup & PluginKit IDs", "description": "List can included once installed but not present apps. Each file is named .com.apple.mobile_container_manager.metadata.plist", "author": "@AlexisBrignoni", - "version": "0.3", - "date": "2020-09-22", + "creation_date": "2020-09-22", + "last_update_date": "2024-12-20", "requirements": "none", "category": "Installed Apps", "notes": "", "paths": ('*/Containers/Shared/AppGroup/*/.com.apple.mobile_container_manager.metadata.plist', '**/PluginKitPlugin/*.metadata.plist',), - "function": "get_appGrouplisting", - "output_types": ["html", "tsv", "lava"] + "output_types": ["html", "tsv", "lava"], + "artifact_icon": "package" } } -import biplist import pathlib -import plistlib -import sys - -#from scripts.artifact_report import ArtifactHtmlReport -#from scripts.ilapfuncs import logfunc, tsv, is_platform_windows -from scripts.ilapfuncs import artifact_processor +from scripts.ilapfuncs import artifact_processor, get_plist_file_content @artifact_processor -def get_appGrouplisting(files_found, report_folder, seeker, wrap_text, timezone_offset): +def appGrouplisting(files_found, report_folder, seeker, wrap_text, timezone_offset): + source_path = 'Path column in the report' data_list = [] + for file_found in files_found: - file_found = str(file_found) - with open(file_found, "rb") as fp: - if sys.version_info >= (3, 9): - plist = plistlib.load(fp) - else: - plist = biplist.readPlist(fp) - bundleid = plist['MCMMetadataIdentifier'] - - p = pathlib.Path(file_found) - appgroupid = p.parent.name - fileloc = str(p.parents[1]) - typedir = str(p.parents[1].name) - - data_list.append((bundleid, typedir, appgroupid, fileloc)) - - if len(data_list) > 0: + plist = get_plist_file_content(file_found) + bundleid = plist['MCMMetadataIdentifier'] - filelocdesc = 'Path column in the report' - """ - description = 'List can included once installed 
but not present apps. Each file is named .com.apple.mobile_container_manager.metadata.plist' - report = ArtifactHtmlReport('Bundle ID by AppGroup & PluginKit IDs') - report.start_artifact_report(report_folder, 'Bundle ID by AppGroup & PluginKit IDs', description) - report.add_script() - data_headers = ('Bundle ID','Type','Directory GUID','Path') - report.write_artifact_data_table(data_headers, data_list, filelocdesc) - report.end_artifact_report() + p = pathlib.Path(file_found) + appgroupid = p.parent.name + fileloc = str(p.parents[1]) + typedir = str(p.parents[1].name) - tsvname = 'Bundle ID - AppGroup ID - PluginKit ID' - tsv(report_folder, data_headers, data_list, tsvname) - else: - logfunc('No data on Bundle ID - AppGroup ID - PluginKit ID') - """ - data_headers = ('Bundle ID', 'Type', 'Directory GUID', 'Path') - return data_headers, data_list, filelocdesc + data_list.append((bundleid, typedir, appgroupid, fileloc)) + + data_headers = ('Bundle ID', 'Type', 'Directory GUID', 'Path') + return data_headers, data_list, source_path \ No newline at end of file From aa8c8a088241e48ebee5a16b1568ab5540d683b7 Mon Sep 17 00:00:00 2001 From: Johann POLEWCZYK Date: Fri, 20 Dec 2024 08:08:18 +0100 Subject: [PATCH 2/4] Update appGrouplisting.py - Update paths --- scripts/artifacts/appGrouplisting.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scripts/artifacts/appGrouplisting.py b/scripts/artifacts/appGrouplisting.py index 3e15d49b..03d71faa 100644 --- a/scripts/artifacts/appGrouplisting.py +++ b/scripts/artifacts/appGrouplisting.py 
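Review bot: `bundleid = plist['MCMMetadataIdentifier']` in the new loop body raises KeyError on any metadata plist that lacks the key, and raises TypeError if `get_plist_file_content` hands back None for a file it could not parse, so a single malformed file aborts the whole artifact instead of just that file being skipped. Suggest `bundleid = plist.get('MCMMetadataIdentifier') if plist else None` followed by `if not bundleid: continue`, presumably with a log line so the skipped path is visible in the run output. Whether `get_plist_file_content` returns None or raises on an unreadable file is not visible in this hunk; the loop needs a guard either way. The `description` metadata still reads `List can included once installed but not present apps`; `List can include apps that were once installed but are no longer present` reads more clearly.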
@@ -8,7 +8,9 @@ "requirements": "none", "category": "Installed Apps", "notes": "", - "paths": ('*/Containers/Shared/AppGroup/*/.com.apple.mobile_container_manager.metadata.plist', '**/PluginKitPlugin/*.metadata.plist',), + "paths": ( + '*/Containers/Shared/AppGroup/*/.com.apple.mobile_container_manager.metadata.plist', + '*/Containers/Data/PluginKitPlugin/*/.com.apple.mobile_container_manager.metadata.plist'), "output_types": ["html", "tsv", "lava"], "artifact_icon": "package" } From 49edbe09d3e2ac96818a39b783842a4fa2943818 Mon Sep 17 00:00:00 2001 From: Johann POLEWCZYK Date: Fri, 20 Dec 2024 19:01:34 +0100 Subject: [PATCH 3/4] Update artifact_v2 and Plist files handling functions --- scripts/artifacts/appleLocationd.py | 5 +- scripts/artifacts/appleMapsApplication.py | 80 ++++++++--------------- 2 files changed, 30 insertions(+), 55 deletions(-) diff --git a/scripts/artifacts/appleLocationd.py b/scripts/artifacts/appleLocationd.py index 963940e6..1b8293b1 100644 --- a/scripts/artifacts/appleLocationd.py +++ b/scripts/artifacts/appleLocationd.py @@ -3,8 +3,8 @@ "name": "Location Services", "description": "Extracts location services settings", "author": "@AlexisBrignoni", - "version": "0.2.3", - "date": "2023-10-03", + "creation_date": "2023-10-03", + "last_update_date": "2024-12-20", "requirements": "none", "category": "Identifiers", "notes": "", @@ -14,7 +14,6 @@ } } -import plistlib from scripts.ilapfuncs import artifact_processor, get_file_path, get_plist_file_content, device_info, convert_cocoa_core_data_ts_to_utc @artifact_processor diff --git a/scripts/artifacts/appleMapsApplication.py b/scripts/artifacts/appleMapsApplication.py index c4d3c0d0..9b09047e 100644 --- a/scripts/artifacts/appleMapsApplication.py +++ b/scripts/artifacts/appleMapsApplication.py 
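Review bot: The replacement PluginKit pattern is narrower than the one it removes: `'**/PluginKitPlugin/*.metadata.plist'` matched any `*.metadata.plist` at any depth, while `'*/Containers/Data/PluginKitPlugin/*/.com.apple.mobile_container_manager.metadata.plist'` matches only the container-manager metadata file under `Containers/Data/PluginKitPlugin`, depending on how the seeker expands `*`. If that is deliberate (only files carrying `MCMMetadataIdentifier` are wanted), a sentence in the `notes` field of `__artifacts_v2__` would record it, e.g. `"notes": "Only container-manager metadata plists are parsed; other PluginKit *.metadata.plist files are ignored."`. Whether extractions exist where the PluginKitPlugin directory sits at a different depth is not visible here.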
@@ -1,68 +1,44 @@ __artifacts_v2__ = { "appleMapsApplication": { "name": "Apple Maps Last Activity Camera", - "description": " ", + "description": "", "author": "@AlexisBrignoni", - "version": "0.2", - "date": "2020-08-03", + "creation_date": "2020-08-03", + "last_update_date": "2024-12-20", "requirements": "none", "category": "Locations", "notes": "", "paths": ('*/Data/Application/*/Library/Preferences/com.apple.Maps.plist'), - "function": "get_appleMapsApplication", - "output_types": ["html", "tsv", "lava"] + "output_types": ["html", "tsv", "lava"], + "artifact_icon": "map-pin" } } -import plistlib import blackboxprotobuf -import scripts.artifacts.artGlobals +from scripts.ilapfuncs import artifact_processor, get_file_path, get_plist_file_content -#from scripts.artifact_report import ArtifactHtmlReport -from scripts.ilapfuncs import logfunc, tsv, lava_process_artifact, lava_insert_sqlite_data - -def get_appleMapsApplication(files_found, report_folder, seeker, wrap_text, timezone_offset): - versionnum = 0 - file_found = str(files_found[0]) +@artifact_processor +def appleMapsApplication(files_found, report_folder, seeker, wrap_text, timezone_offset): + source_path = get_file_path(files_found, "com.apple.Maps.plist") + data_list = [] - with open(file_found, 'rb') as f: - plist = plistlib.load(f) - - types = {'1': {'type': 'double', 'name': 'Latitude'}, - '2': {'type': 'double', 'name': 'Longitude'}, - '3': {'type': 'double', 'name': ''}, - '4': {'type': 'fixed64', 'name': ''}, - '5': {'type': 'double', 'name': ''} - } - protobuf = plist.get('__internal__LastActivityCamera', None) - if protobuf: - internal_plist, di = blackboxprotobuf.decode_message(protobuf,types) - latitude = (internal_plist['Latitude']) - longitude = (internal_plist['Longitude']) - - data_list = [] - data_list.append((latitude, longitude)) - - report = ArtifactHtmlReport('Apple Maps Last Activity Camera') - report.start_artifact_report(report_folder, 'Apple Maps Last Activity Camera') - 
report.add_script() - data_headers = ('Latitude','Longitude' ) - report.write_artifact_data_table(data_headers, data_list, file_found) - report.end_artifact_report() - - tsvname = 'Apple Maps Last Activity Camera' - tsv(report_folder, data_headers, data_list, tsvname) - - category = "Apple Maps Last Activity Camera" - module_name = "get_appleMapsApplication" - - data_headers = ['Latitude','Longitude'] - - - table_name1, object_columns1, column_map1 = lava_process_artifact( - category, module_name, 'Apple Maps Last Activity Camera', data_headers, len(data_list)) - lava_insert_sqlite_data(table_name1, data_list, object_columns1, data_headers, column_map1) + plist = get_plist_file_content(source_path) + + types = {'1': {'type': 'double', 'name': 'Latitude'}, + '2': {'type': 'double', 'name': 'Longitude'}, + '3': {'type': 'double', 'name': ''}, + '4': {'type': 'fixed64', 'name': ''}, + '5': {'type': 'double', 'name': ''} + } + + protobuf = plist.get('__internal__LastActivityCamera', None) + if protobuf: + internal_plist, _ = blackboxprotobuf.decode_message(protobuf,types) + latitude = (internal_plist['Latitude']) + longitude = (internal_plist['Longitude']) - else: - logfunc(f"No Apple Maps Last Activity Camera data available") \ No newline at end of file + data_list.append((latitude, longitude)) + + data_headers = ('Latitude','Longitude') + return data_headers, data_list, source_path From f37f88684dab05f6b95087d554b2099ad82998f0 Mon Sep 17 00:00:00 2001 From: Johann POLEWCZYK Date: Mon, 23 Dec 2024 20:56:06 +0100 Subject: [PATCH 4/4] Update artifact_v2 --- scripts/artifacts/backupSettings.py | 4 ++-- scripts/artifacts/blockedContacts.py | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/artifacts/backupSettings.py b/scripts/artifacts/backupSettings.py index 103fd7a6..07557177 100644 --- a/scripts/artifacts/backupSettings.py +++ b/scripts/artifacts/backupSettings.py 
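Review bot: `internal_plist['Latitude']` and `internal_plist['Longitude']` inside the `if protobuf:` branch raise KeyError when the decoded message lacks fields 1 and 2, and `plist.get('__internal__LastActivityCamera', None)` above them raises AttributeError if `get_plist_file_content` returned None for a missing or unreadable `com.apple.Maps.plist`; the removed code had the same exposure, but now that the function returns an empty `data_list` as its no-data path these cases should degrade the same way. Suggest `plist = get_plist_file_content(source_path) or {}` and `latitude = internal_plist.get('Latitude')` / `longitude = internal_plist.get('Longitude')`, appending only when both are not None. Whether `get_plist_file_content` returns None or raises on a bad file is not visible in this hunk. `"description"` is changed from `" "` to `""` but is still empty; the code supports `"description": "Extracts the last Apple Maps camera position (latitude and longitude) from com.apple.Maps.plist"`. The unchanged context line `"paths": ('*/Data/Application/*/Library/Preferences/com.apple.Maps.plist')` is a bare string rather than a tuple; whether the loader accepts that is not visible here, and `('...',)` would match the one-element tuple form used by the other artifacts in this series.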
@@ -3,8 +3,8 @@
 "name": "Backup Settings",
 "description": "Extracts Backup settings",
 "author": "@AlexisBrignoni",
- "version": "0.2",
- "date": "2023-10-04",
+ "creation_date": "2023-10-04",
+ "last_update_date": "2024-12-20",
 "requirements": "none",
 "category": "Identifiers",
 "notes": "",
diff --git a/scripts/artifacts/blockedContacts.py b/scripts/artifacts/blockedContacts.py
index 07154895..99289835 100644
--- a/scripts/artifacts/blockedContacts.py
+++ b/scripts/artifacts/blockedContacts.py
@@ -3,8 +3,8 @@
 "name": "Blocked contacts",
 "description": "Extract blocked contacts",
 "author": "@JohannPLW",
- "version": "0.1",
- "date": "2023-12-08",
+ "creation_date": "2023-12-08",
+ "last_update_date": "2024-12-20",
 "requirements": "none",
 "category": "Contacts",
 "notes": "",