Call History

vince342 · Oct 13, 2021 · 3c05a12 · 3c05a12
1 parent d850d85
commit 3c05a12
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 1 deletion.
diff --git a/scripts/artifacts/callHistory.py b/scripts/artifacts/callHistory.py
@@ -0,0 +1,68 @@
+import sqlite3
+from scripts.artifact_report import ArtifactHtmlReport
+from scripts.ilapfuncs import logfunc, tsv, timeline, is_platform_windows, open_sqlite_db_readonly
+
+def get_callHistory(files_found, report_folder, seeker):
+
+    for file_found in files_found:
+        file_found = str(file_found)
+
+        if file_found.endswith('.storedata'):
+            break
+
+    db = open_sqlite_db_readonly(file_found)
+    cursor = db.cursor()
+    cursor.execute('''
+    select
+    datetime(ZDATE+978307200,'unixepoch'),
+    ZADDRESS,
+    case ZANSWERED
+        when 0 then 'No'
+        when 1 then 'Yes'
+    end,
+    case ZCALLTYPE
+        when 1 then 'Phone'
+        when 8 then 'FaceTime Video'
+        when 16 then 'FaceTime Audio'
+        else ZCALLTYPE
+    end, 
+    case ZORIGINATED
+        when 0 then 'Incoming'
+        when 1 then 'Outgoing'
+    end,  
+    strftime('%H:%M:%S',ZDURATION, 'unixepoch'),
+    upper(ZISO_COUNTRY_CODE),
+    ZLOCATION, 
+    ZSERVICE_PROVIDER
+    from ZCALLRECORD
+    ''')
+
+    all_rows = cursor.fetchall()
+    usageentries = len(all_rows)
+    data_list = []
+
+    if usageentries > 0:
+
+        for row in all_rows:
+            an = str(row[1])
+            an = an.replace("b'", "")
+            an = an.replace("'", "")
+            data_list.append((row[0], an, row[2], row[3], row[4], row[5], row[6], row[7], row[8]))
+
+        report = ArtifactHtmlReport('Call Logs')
+        report.start_artifact_report(report_folder, 'Call Logs')
+        report.add_script()
+        data_headers = ('Timestamp', 'Phone Number', 'Answered', 'Call Type', 'Call Direction', 'Call Duration', 'ISO Country Code', 'Location', 'Service Provider')
+        report.write_artifact_data_table(data_headers, data_list, file_found)
+        report.end_artifact_report()
+
+        tsvname = 'Call History'
+        tsv(report_folder, data_headers, data_list, tsvname)
+
+        tlactivity = 'Call History'
+        timeline(report_folder, tlactivity, data_list, data_headers)
+    else:
+        logfunc('No Call History data available')
+
+    db.close()
+    return
diff --git a/scripts/ilap_artifacts.py b/scripts/ilap_artifacts.py
@@ -25,6 +25,7 @@
 from scripts.artifacts.bluetooth import get_bluetooth
 from scripts.artifacts.cacheRoutesGmap import get_cacheRoutesGmap
 from scripts.artifacts.calendarAll import get_calendarAll
+from scripts.artifacts.callHistory import get_callHistory
 from scripts.artifacts.cashApp import get_cashApp
 from scripts.artifacts.celWireless import get_celWireless
 from scripts.artifacts.cloudkitSharing import get_cloudkitSharing
@@ -144,6 +145,7 @@
             'bluetooth': ('Bluetooth', '**/com.apple.MobileBluetooth.*'),
             'cacheRoutesGmap': ('Locations', '**/Library/Application Support/CachedRoutes/*.plist'),
             'calendarAll': ('Calendar', '**/Calendar.sqlitedb'),
+            'callHistory': ('Call Logs', '**/CallHistory.storedata*'),
             'cashApp': ('Cash App', '**private/var/mobile/Containers/Shared/AppGroup/*/CCEntitySync-api.squareup.com.sqlite*'),
             'celWireless': ('Cellular Wireless', '*wireless/Library/Preferences/com.apple.*'),
             'cloudkitSharing': ('Cloudkit', '*NoteStore.sqlite*'),

diff --git a/scripts/report.py b/scripts/report.py
@@ -61,7 +61,7 @@ def get_icon_name(category, artifact):
     elif category == 'CALENDAR':
         icon = 'calendar'
     elif category == 'CALL LOGS':
-        icon = 'phone'
+        icon = 'phone-call'
     elif category == 'CELLULAR WIRELESS':
         icon = 'bar-chart'
     elif category == 'CLOUDKIT':