From 8f11f7c250e3b181fc0910c21eb49f67849d4906 Mon Sep 17 00:00:00 2001
From: "theAtropos4n6 (Evangelos D.)"
 <70748441+theAtropos4n6@users.noreply.github.com>
Date: Sun, 14 Jul 2024 18:52:29 +0300
Subject: [PATCH 01/11] Update notificationhistory.py

- The parser incorrectly reported the status of the 'notification history' feature when the corresponding value did not exist in settings_secure.xml.
- This issue has been fixed in this update.
---
 scripts/artifacts/notificationHistory.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/artifacts/notificationHistory.py b/scripts/artifacts/notificationHistory.py
index 238de5db..3919eca6 100644
--- a/scripts/artifacts/notificationHistory.py
+++ b/scripts/artifacts/notificationHistory.py
@@ -45,7 +45,7 @@ def get_notificationHistory(files_found, report_folder, seeker, wrap_text, time_
             for setting in root.findall(".//setting"):
                 if setting.attrib.get('name') == 'notification_history_enabled':
                     value = setting.attrib.get('value')
-                    value = "Disabled" if value == "0" else "Enabled"
+                    value = "Enabled" if value == "1" else "Disabled" if value == "0" else "Unknown"
                     data_list.append((value, user))
                 else:
                     pass # setting not available

From 9b192342f6bdf70ff5d52636ef086b9704d99bfd Mon Sep 17 00:00:00 2001
From: Brigs <abrignoni@gmail.com>
Date: Wed, 24 Jul 2024 08:38:00 +1200
Subject: [PATCH 02/11] Create sharedProto.py

SBrowser downloads as located in a levelDB store
---
 scripts/artifacts/sharedProto.py | 122 +++++++++++++++++++++++++++++++
 1 file changed, 122 insertions(+)
 create mode 100644 scripts/artifacts/sharedProto.py

diff --git a/scripts/artifacts/sharedProto.py b/scripts/artifacts/sharedProto.py
new file mode 100644
index 00000000..48c3176f
--- /dev/null
+++ b/scripts/artifacts/sharedProto.py
@@ -0,0 +1,122 @@
+__artifacts_v2__ = {
+    "sharedProto": {
+        "name": "Shared Proto Data",
+        "description": "Shared Proto data from Samsung Browser",
+        "author": "@AlexisBrignoni",
+        "version": "0.0.1",
+        "date": "2024-07-23",
+        "requirements": "none",
+        "category": "Samsung Browser",
+        "notes": "",
+        "paths": ('*/data/com.sec.android.app.sbrowser/app_sbrowser/Default/shared_proto_db/*'),
+        "function": "get_sharedProto"
+    }
+}
+import pathlib
+import sqlite3
+import textwrap
+import blackboxprotobuf
+import traceback
+import scripts.ccl_leveldb
+from datetime import datetime, timedelta
+
+from scripts.artifact_report import ArtifactHtmlReport
+from scripts.ilapfuncs import logfunc, tsv, timeline, is_platform_windows, open_sqlite_db_readonly, kmlgen, does_table_exist, convert_ts_human_to_utc, convert_utc_human_to_timezone
+
+def get_sharedProto(files_found, report_folder, seeker, wrap_text, time_offset):
+    
+    data_list = []
+
+    in_dirs = set(pathlib.Path(x).parent for x in files_found)
+    for in_db_dir in in_dirs:
+        leveldb_records = scripts.ccl_leveldb.RawLevelDb(in_db_dir)
+        
+        for record in leveldb_records.iterate_records_raw():
+            #print(record.seq, record.user_key, record.value)
+            record_sequence = record.seq
+            record_key = record.user_key
+            record_value = record.value
+            origin = str(record.origin_file)
+            
+            p = str(pathlib.Path(origin).parent.name)
+            f = str(pathlib.Path(origin).name)
+            pf = f'{p}/{f}'
+        
+            recordkey = record_key.decode()
+            #print(record_value)
+            protostuff, types = blackboxprotobuf.decode_message(record_value)
+            
+            data = (protostuff.get('1','nodata'))
+            if data == 'nodata':
+                pass
+            else:
+                #print(protostuff)
+                
+                try:
+                    #guid = protostuff['1']['1']
+                    #print(guid.decode())
+                    #print(protostuff)
+                    
+                    urlone = protostuff['1']['4']['1']
+                    if isinstance(urlone, list):
+                        agg = ''
+                        for url in urlone:
+                            
+                            agg = url.decode() + '<br><br>' + agg
+                    else:
+                        agg = urlone.decode()
+                        
+                    domain = protostuff['1']['4']['2']
+                    urltwo = protostuff['1']['4']['4'].decode()
+                    timestamp = protostuff['1']['4'].get('9','')
+                    timestamptwo = protostuff['1']['4'].get('16','')
+                    if timestamptwo != '':
+                        seconds = timestamptwo / 1000
+                        
+                        # Define the epoch start time (January 1, 1601)
+                        epoch_start = datetime(1601, 1, 1)
+                        
+                        # Calculate the final datetime
+                        timestamptwo = epoch_start + timedelta(seconds=seconds)
+                    """
+                    if isinstance(timestamp, bytes):
+                        timestamp = timestamp.decode()
+                        timestamp = timestamp.split(' ')
+                        
+                        year = timestamp[3]
+                        day = timestamp[1]
+                        time = timestamp[4]
+                        month = monthletter(timestamp[2])
+                        timestamp = (f'{year}-{month}-{day} {time}')
+                    else:
+                        pass
+                    """
+                    content = (protostuff['1']['4']['13'].decode())
+                    data_list.append((timestamptwo,timestamp,recordkey,record_sequence,agg,urltwo,domain,content,pf))
+                except:
+                    pass
+                    
+                    
+        
+        
+    if len(data_list) > 0:
+        maindirectory = str(pathlib.Path(in_db_dir).parent)
+        report = ArtifactHtmlReport('Samsung Browser Shared Proto')
+        report.start_artifact_report(report_folder, 'Samsung Browser Shared Proto')
+        report.add_script()
+        data_headers = ('Timestamp','Timestamp B','Record Key','Record Sequence','ULR One','URL Two','Domain','Data','Origin')
+        
+        report.write_artifact_data_table(data_headers, data_list, maindirectory,html_escape=False)
+        report.end_artifact_report()
+        
+        tsvname = f'Samsung Browser Shared Proto'
+        tsv(report_folder, data_headers, data_list, tsvname)
+        
+        tlactivity = f'Samsung Browser Shared Proto'
+        timeline(report_folder, tlactivity, data_list, data_headers)
+    
+        
+    else:
+        logfunc('No Samsung Browser Shared Proto data available')
+        
+    
\ No newline at end of file

From 51e86e1f5c8395b67108ce0ab01cfca2268e5db3 Mon Sep 17 00:00:00 2001
From: Brigs <abrignoni@gmail.com>
Date: Wed, 24 Jul 2024 08:41:38 +1200
Subject: [PATCH 03/11] Update report.py

Added Samsung browser icon.
---
 scripts/report.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/report.py b/scripts/report.py
index 22fb6988..390e2611 100644
--- a/scripts/report.py
+++ b/scripts/report.py
@@ -707,6 +707,7 @@
         'HOURLY': 'thermometer',
         '_mode': 'search',
     },
+    'SAMSUNG BROWSER': 'globe',
     'SAMSUNG_CMH': 'disc',
     'SCREENTIME': 'monitor',
     'SCRIPT LOGS': 'archive',

From 9f91fc47a8f3535953cbc9e49adf3a3101135ed5 Mon Sep 17 00:00:00 2001
From: "Yogesh Khatri (@swiftforensics)" <yogesh@swiftforensics.com>
Date: Wed, 14 Aug 2024 16:14:15 +1000
Subject: [PATCH 04/11] Remove python 3.12 warnings

---
 scripts/html_parts.py | 2 +-
 scripts/ilapfuncs.py  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/html_parts.py b/scripts/html_parts.py
index 2c2c35f8..fe77aea0 100755
--- a/scripts/html_parts.py
+++ b/scripts/html_parts.py
@@ -154,7 +154,7 @@
 """
 # body_main_data is a placeholder, replace content with real data
 body_main_data = \
-"""
+r"""
                 <h5>All dates and times are in UTC unless stated otherwise.</h5>
                 <div class="alert alert-warning" role="alert">
                     All dates and times are in UTC unless noted otherwise!
diff --git a/scripts/ilapfuncs.py b/scripts/ilapfuncs.py
index 671453a9..8bb9be59 100755
--- a/scripts/ilapfuncs.py
+++ b/scripts/ilapfuncs.py
@@ -97,7 +97,7 @@ def is_platform_windows():
     return sys.platform == 'win32'
 
 def sanitize_file_path(filename, replacement_char='_'):
-    '''
+    r'''
     Removes illegal characters (for windows) from the string passed. Does not replace \ or /
     '''
     return re.sub(r'[*?:"<>|\'\r\n]', replacement_char, filename)

From 4e2e46470bc307c47fa2d8cc53f3df7c278f1698 Mon Sep 17 00:00:00 2001
From: "Yogesh Khatri (@swiftforensics)" <yogesh@swiftforensics.com>
Date: Thu, 15 Aug 2024 00:04:26 +1000
Subject: [PATCH 05/11] Add support for sms & mms _backup files.

---
 scripts/artifacts/smsmmsBackup.py | 167 ++++++++++++++++++++++++++++++
 scripts/report.py                 |   1 +
 2 files changed, 168 insertions(+)
 create mode 100755 scripts/artifacts/smsmmsBackup.py

diff --git a/scripts/artifacts/smsmmsBackup.py b/scripts/artifacts/smsmmsBackup.py
new file mode 100755
index 00000000..f8214e9f
--- /dev/null
+++ b/scripts/artifacts/smsmmsBackup.py
@@ -0,0 +1,167 @@
+import datetime
+import json
+import zlib
+
+from scripts.artifact_report import ArtifactHtmlReport
+from scripts.ilapfuncs import logfunc, tsv, timeline, is_platform_windows
+
+# Backup agent code defined here:
+# https://cs.android.com/android/platform/superproject/main/+/main:packages/providers/TelephonyProvider/src/com/android/providers/telephony/TelephonyBackupAgent.java
+
+is_windows = is_platform_windows()
+slash = '\\' if is_windows else '/' 
+
+def ReadUnixTimeMs(unix_time): # Unix timestamp is time epoch beginning 1970/1/1
+    '''Returns datetime object, or empty string upon error'''
+    if unix_time not in ('0', 0, None, ''):
+        try:
+            if isinstance(unix_time, str):
+                unix_time = float(unix_time)
+            return datetime.datetime(1970, 1, 1) + datetime.timedelta(seconds=unix_time/1000)
+        except (ValueError, OverflowError, TypeError) as ex:
+            logfunc("ReadUnixTimeMs() Failed to convert timestamp from value " + str(unix_time) + " Error was: " + str(ex))
+    return ''
+
+def ReadUnixTime(unix_time): # Unix timestamp is time epoch beginning 1970/1/1
+    '''Returns datetime object, or empty string upon error'''
+    if unix_time not in ('0', 0, None, ''):
+        try:
+            if isinstance(unix_time, str):
+                unix_time = float(unix_time)
+            return datetime.datetime(1970, 1, 1) + datetime.timedelta(seconds=unix_time)
+        except (ValueError, OverflowError, TypeError) as ex:
+            logfunc("ReadUnixTime() Failed to convert timestamp from value " + str(unix_time) + " Error was: " + str(ex))
+    return ''
+
+def read_messages_from_backup(file_found):
+    logfunc(f'Processing file {file_found}')
+    with open(file_found, 'rb') as f:
+        file_content = f.read()
+        if file_content[0:1] == b'\x78': # zlib compressed
+            try:
+                data = zlib.decompress(file_content)  
+            except zlib.error as ex:
+                logfunc(ex)
+                return []
+            data_str = data.decode('utf8', 'ignore')
+            try:
+                msg_data = json.loads(data_str)
+                return msg_data
+            except json.JSONDecodeError as ex:
+                logfunc(str(ex))
+        else:
+            logfunc('Not the right format!')
+    return []
+
+def get_sms_mms_from_backup(files_found, report_folder, seeker, wrap_text, time_offset):
+    sms_messages = []
+    mms_messages = []
+
+    for file_found in files_found:
+        file_found = str(file_found)
+        if file_found.find('{0}mirror{0}'.format(slash)) >= 0:
+            # Skip sbin/.magisk/mirror/data/.. , it should be duplicate data
+            continue
+        
+        if file_found.endswith('sms_backup'):
+            messages = read_messages_from_backup(file_found)
+            sms_messages.extend(messages)
+        elif file_found.endswith('mms_backup'):
+            messages = read_messages_from_backup(file_found)
+            mms_messages.extend(messages)
+        else:
+            logfunc(f'unknown file found: {file_found}')
+            continue
+
+    if mms_messages:
+        report = ArtifactHtmlReport('MMS messages')
+        report.start_artifact_report(report_folder, 'MMS messages')
+        report.add_script()
+        data_headers = ('Date', 'Date sent', 'Content Location', 'Recipients', 'Subject',
+                        'Read', 'MMS Addresses', 'Transaction ID', 'MMS Version',
+                        'Body', 'Message Type', 'Message Box')
+        data_list = []
+        for mms in mms_messages:
+            mbox = mms.get('m_box')
+            if mbox == 0:
+                mbox = 'All messages'
+            elif mbox == 1:
+                mbox = 'Inbox'
+            elif mbox == 2:
+                mbox = 'Sent'
+            elif mbox == 3:
+                mbox = 'Drafts'
+            elif mbox == 4:
+                mbox = 'Outbox'
+            elif mbox == 5:
+                mbox = 'Failed'
+
+            body = mms.get('mms_body', '')
+            if wrap_text:
+                body = body.replace("\n", "")
+                
+            data_list.append((ReadUnixTime(mms.get('date', 0)),
+                             ReadUnixTime(mms.get('date_sent', 0)),
+                             mms.get('ct_l', ''),
+                             ', '.join(mms.get('recipients', [])),
+                             mms.get('sub', ''),
+                             mms.get('read', ''),
+                             str(mms.get('mms_addresses', [])),
+                             mms.get('tr_id', ''),
+                             mms.get('v', ''),
+                             body,
+                             mms.get('m_type', ''),
+                             mbox
+                             ),)
+            
+        logfunc(f'Total mms messages = {len(mms_messages)}')
+        report.write_artifact_data_table(data_headers, data_list, file_found)
+        report.end_artifact_report()
+        
+        tsvname = f'mms messages'
+        tsv(report_folder, data_headers, data_list, tsvname, file_found.replace(seeker.directory, ''))
+        
+        tlactivity = f'MMS Messages'
+        timeline(report_folder, tlactivity, data_list, data_headers)
+
+    if sms_messages:
+        report = ArtifactHtmlReport('SMS messages')
+        report.start_artifact_report(report_folder, 'SMS messages')
+        report.add_script()
+        data_headers = ('Date', 'Date sent', 'Read', 'Type', 'Body', 'recipients', 'Address', 'Status')
+        data_list = []
+
+        for sms in sms_messages:
+            body = sms.get('body', '')
+            if wrap_text:
+                body = body.replace("\n", "")
+            data_list.append((ReadUnixTimeMs(sms.get('date', 0)),
+                             ReadUnixTimeMs(sms.get('date_sent', 0)),
+                             sms.get('read', ''),
+                             sms.get('type', ''),
+                             body,
+                             ', '.join(sms.get('recipients', [])),
+                             sms.get('address', ''),
+                             sms.get('status', '')
+                            ),)
+        logfunc(f'Total sms messages = {len(sms_messages)}')
+        report.write_artifact_data_table(data_headers, data_list, file_found)
+        report.end_artifact_report()
+        
+        tsvname = f'sms messages'
+        tsv(report_folder, data_headers, data_list, tsvname, file_found.replace(seeker.directory, ''))
+        
+        tlactivity = f'SMS Messages'
+        timeline(report_folder, tlactivity, data_list, data_headers)
+    else:
+        logfunc('No SMS or MMS messages found!')
+        return False
+    return True
+
+__artifacts__ = {
+        "sms_mms_backup": (
+                "SMS & MMS from backup.ab",
+                ('*/com.android.providers.telephony/d_f/*_backup'),
+                get_sms_mms_from_backup
+        )
+}
\ No newline at end of file
diff --git a/scripts/report.py b/scripts/report.py
index 56f12891..568432fa 100644
--- a/scripts/report.py
+++ b/scripts/report.py
@@ -746,6 +746,7 @@
     },
     'SMS & IMESSAGE': 'message-square',
     'SMS & MMS': 'message-square',
+    'SMS & MMS FROM BACKUP.AB': 'message-square',
     'SNAPCHAT': 'bell',
     'SNAPCHAT ARCHIVE': 'camera',
     'SNAPCHAT RETURNS': 'camera',

From 4fe5178d6bd6754781f39c0ff921fd4671622da6 Mon Sep 17 00:00:00 2001
From: "Yogesh Khatri (@swiftforensics)" <yogesh@swiftforensics.com>
Date: Thu, 15 Aug 2024 00:10:57 +1000
Subject: [PATCH 06/11] minor bugfix for msg_box

---
 scripts/artifacts/smsmmsBackup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/artifacts/smsmmsBackup.py b/scripts/artifacts/smsmmsBackup.py
index f8214e9f..6e476039 100755
--- a/scripts/artifacts/smsmmsBackup.py
+++ b/scripts/artifacts/smsmmsBackup.py
@@ -82,7 +82,7 @@ def get_sms_mms_from_backup(files_found, report_folder, seeker, wrap_text, time_
                         'Body', 'Message Type', 'Message Box')
         data_list = []
         for mms in mms_messages:
-            mbox = mms.get('m_box')
+            mbox = mms.get('msg_box')
             if mbox == 0:
                 mbox = 'All messages'
             elif mbox == 1:

From ad87956e0e35ab9df9f6fd0d5aa5fabe86268d13 Mon Sep 17 00:00:00 2001
From: "Yogesh Khatri (@swiftforensics)" <yogesh@swiftforensics.com>
Date: Thu, 15 Aug 2024 00:14:56 +1000
Subject: [PATCH 07/11] on more bugfix for msg_box

---
 scripts/artifacts/smsmmsBackup.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/scripts/artifacts/smsmmsBackup.py b/scripts/artifacts/smsmmsBackup.py
index 6e476039..1f9c7959 100755
--- a/scripts/artifacts/smsmmsBackup.py
+++ b/scripts/artifacts/smsmmsBackup.py
@@ -82,18 +82,18 @@ def get_sms_mms_from_backup(files_found, report_folder, seeker, wrap_text, time_
                         'Body', 'Message Type', 'Message Box')
         data_list = []
         for mms in mms_messages:
-            mbox = mms.get('msg_box')
-            if mbox == 0:
+            mbox = mms.get('msg_box', '')
+            if mbox == '0':
                 mbox = 'All messages'
-            elif mbox == 1:
+            elif mbox == '1':
                 mbox = 'Inbox'
-            elif mbox == 2:
+            elif mbox == '2':
                 mbox = 'Sent'
-            elif mbox == 3:
+            elif mbox == '3':
                 mbox = 'Drafts'
-            elif mbox == 4:
+            elif mbox == '4':
                 mbox = 'Outbox'
-            elif mbox == 5:
+            elif mbox == '5':
                 mbox = 'Failed'
 
             body = mms.get('mms_body', '')

From 6fa8c258a0537e7588806af30d221a1d0aa4dff3 Mon Sep 17 00:00:00 2001
From: Thomas Preece <github@thomaspreece.com>
Date: Mon, 2 Sep 2024 17:53:25 +0100
Subject: [PATCH 08/11] fix error in calllog.py causing it to always fail

---
 scripts/artifacts/calllog.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/artifacts/calllog.py b/scripts/artifacts/calllog.py
index ef66d2f9..037aa7d9 100755
--- a/scripts/artifacts/calllog.py
+++ b/scripts/artifacts/calllog.py
@@ -8,7 +8,7 @@ def get_calllog(files_found, report_folder, seeker, wrap_text, time_offset):
     data_list = []
     
     for file_found in files_found:
-        file_found = str(files_found)
+        file_found = str(file_found)
         
         if file_found.endswith('calllog.db'):
             db = open_sqlite_db_readonly(file_found)

From 25a5ee02a636321b685631b16fdaf01bfdc5f0c3 Mon Sep 17 00:00:00 2001
From: Thomas Preece <github@thomaspreece.com>
Date: Mon, 2 Sep 2024 18:02:23 +0100
Subject: [PATCH 09/11] fix error on calllog.py data appending

---
 scripts/artifacts/calllog.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/artifacts/calllog.py b/scripts/artifacts/calllog.py
index 037aa7d9..b897c8fa 100755
--- a/scripts/artifacts/calllog.py
+++ b/scripts/artifacts/calllog.py
@@ -70,7 +70,7 @@ def get_calllog(files_found, report_folder, seeker, wrap_text, time_offset):
                     else:
                         call_type_html = call_type
 
-                    data_list.append((row[0], row[1], row[2], call_type_html, str(row[4]), row[5], row[6], row[7], row[8], row[9], str(row[10],file_found)))
+                    data_list.append((row[0], row[1], row[2], call_type_html, str(row[4]), row[5], row[6], row[7], row[8], row[9], str(row[10]), file_found))
             db.close()
             
     if data_list:

From 258117e342a94d96cce737c4bfdbf232ba8fda04 Mon Sep 17 00:00:00 2001
From: Thomas Preece <github@thomaspreece.com>
Date: Tue, 3 Sep 2024 08:00:54 +0100
Subject: [PATCH 10/11] Missing parameter from chromeCookies

---
 scripts/artifacts/chromeCookies.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/artifacts/chromeCookies.py b/scripts/artifacts/chromeCookies.py
index 3e166321..affb1efc 100755
--- a/scripts/artifacts/chromeCookies.py
+++ b/scripts/artifacts/chromeCookies.py
@@ -6,7 +6,7 @@
 from scripts.ilapfuncs import logfunc, tsv, timeline, is_platform_windows, get_next_unused_name, open_sqlite_db_readonly
 from scripts.artifacts.chrome import get_browser_name
 
-def get_chromeCookies(files_found, report_folder, seeker, wrap_text):
+def get_chromeCookies(files_found, report_folder, seeker, wrap_text, time_offset):
     
     for file_found in files_found:
         file_found = str(file_found)

From 0e9e8ca1c14a4d2a2db77d1f12bc4f9a1d821ff4 Mon Sep 17 00:00:00 2001
From: Maarten Aalbers <maarten.aalbers@politie.nl>
Date: Tue, 17 Sep 2024 16:43:24 +0200
Subject: [PATCH 11/11] Wrong join in the Waze parser #519

---
 scripts/artifacts/waze.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/artifacts/waze.py b/scripts/artifacts/waze.py
index 516809d7..93b381c2 100755
--- a/scripts/artifacts/waze.py
+++ b/scripts/artifacts/waze.py
@@ -19,7 +19,7 @@ def get_waze(files_found, report_folder, seeker, wrap_text, time_offset):
     round(PLACES.latitude*.000001,6),
     round(PLACES.longitude*.000001,6)
     from PLACES
-    join RECENTS on PLACES.id = RECENTS.id
+    join RECENTS on PLACES.id = RECENTS.place_id
     ''')
     
     all_rows = cursor.fetchall()