diff --git a/scripts/artifacts/callHistory.py b/scripts/artifacts/callHistory.py
new file mode 100644
index 00000000..1b4ad4e0
--- /dev/null
+++ b/scripts/artifacts/callHistory.py
@@ -0,0 +1,68 @@
+import sqlite3
+from scripts.artifact_report import ArtifactHtmlReport
+from scripts.ilapfuncs import logfunc, tsv, timeline, is_platform_windows, open_sqlite_db_readonly
+
+def get_callHistory(files_found, report_folder, seeker):
+
+ for file_found in files_found:
+ file_found = str(file_found)
+
+ if file_found.endswith('.storedata'):
+ break
+
+ db = open_sqlite_db_readonly(file_found)
+ cursor = db.cursor()
+ cursor.execute('''
+ select
+ datetime(ZDATE+978307200,'unixepoch'),
+ ZADDRESS,
+ case ZANSWERED
+ when 0 then 'No'
+ when 1 then 'Yes'
+ end,
+ case ZCALLTYPE
+ when 1 then 'Phone'
+ when 8 then 'FaceTime Video'
+ when 16 then 'FaceTime Audio'
+ else ZCALLTYPE
+ end,
+ case ZORIGINATED
+ when 0 then 'Incoming'
+ when 1 then 'Outgoing'
+ end,
+ strftime('%H:%M:%S',ZDURATION, 'unixepoch'),
+ upper(ZISO_COUNTRY_CODE),
+ ZLOCATION,
+ ZSERVICE_PROVIDER
+ from ZCALLRECORD
+ ''')
+
+ all_rows = cursor.fetchall()
+ usageentries = len(all_rows)
+ data_list = []
+
+ if usageentries > 0:
+
+ for row in all_rows:
+ an = str(row[1])
+ an = an.replace("b'", "")
+ an = an.replace("'", "")
+ data_list.append((row[0], an, row[2], row[3], row[4], row[5], row[6], row[7], row[8]))
+
+ report = ArtifactHtmlReport('Call Logs')
+ report.start_artifact_report(report_folder, 'Call Logs')
+ report.add_script()
+ data_headers = ('Timestamp', 'Phone Number', 'Answered', 'Call Type', 'Call Direction', 'Call Duration', 'ISO Country Code', 'Location', 'Service Provider')
+ report.write_artifact_data_table(data_headers, data_list, file_found)
+ report.end_artifact_report()
+
+ tsvname = 'Call History'
+ tsv(report_folder, data_headers, data_list, tsvname)
+
+ tlactivity = 'Call History'
+ timeline(report_folder, tlactivity, data_list, data_headers)
+ else:
+ logfunc('No Call History data available')
+
+ db.close()
+ return
diff --git a/scripts/ilap_artifacts.py b/scripts/ilap_artifacts.py
index 4c42e37e..fa196205 100644
--- a/scripts/ilap_artifacts.py
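Review bot: The file-selection loop at the top of get_callHistory opens whichever path was iterated last when no entry ends with '.storedata', and with an empty `files_found` the name is never bound, so `open_sqlite_db_readonly(file_found)` raises NameError; the glob registered in the ilap_artifacts.py hunk (`**/CallHistory.storedata*`) appears to also match `-wal`/`-shm` sidecars, so the last-seen path can be a sidecar rather than the database. A `for`/`else` on that loop covers both cases without extra state: keep the `break`, then add `else:` / `logfunc('No CallHistory.storedata found')` / `return` after the loop body. Separately, `db.close()` is skipped when `cursor.execute` raises (a schema mismatch would leak the read-only handle), so wrapping the query-to-report section in `try`/`finally: db.close()` is worth doing, and `sqlite3` and `is_platform_windows` are imported but unused. The `str(row[1]).replace("b'", "")` sequence for ZADDRESS implies the column comes back as bytes; `row[1].decode('utf-8', 'replace') if isinstance(row[1], bytes) else str(row[1])` keeps non-ASCII addresses intact instead of leaving `\x..` escapes in the report, TSV and timeline output.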
+++ b/scripts/ilap_artifacts.py
@@ -25,6 +25,7 @@
 from scripts.artifacts.bluetooth import get_bluetooth
 from scripts.artifacts.cacheRoutesGmap import get_cacheRoutesGmap
 from scripts.artifacts.calendarAll import get_calendarAll
+from scripts.artifacts.callHistory import get_callHistory
 from scripts.artifacts.cashApp import get_cashApp
 from scripts.artifacts.celWireless import get_celWireless
 from scripts.artifacts.cloudkitSharing import get_cloudkitSharing
@@ -144,6 +145,7 @@
 'bluetooth': ('Bluetooth', '**/com.apple.MobileBluetooth.*'),
 'cacheRoutesGmap': ('Locations', '**/Library/Application Support/CachedRoutes/*.plist'),
 'calendarAll': ('Calendar', '**/Calendar.sqlitedb'),
+ 'callHistory': ('Call Logs', '**/CallHistory.storedata*'),
 'cashApp': ('Cash App', '**private/var/mobile/Containers/Shared/AppGroup/*/CCEntitySync-api.squareup.com.sqlite*'),
 'celWireless': ('Cellular Wireless', '*wireless/Library/Preferences/com.apple.*'),
 'cloudkitSharing': ('Cloudkit', '*NoteStore.sqlite*'),
diff --git a/scripts/report.py b/scripts/report.py
index f2568505..2e845a9a 100644
--- a/scripts/report.py
+++ b/scripts/report.py
@@ -61,7 +61,7 @@ def get_icon_name(category, artifact):
 elif category == 'CALENDAR':
 icon = 'calendar'
 elif category == 'CALL LOGS':
- icon = 'phone'
+ icon = 'phone-call'
 elif category == 'CELLULAR WIRELESS':
 icon = 'bar-chart'
 elif category == 'CLOUDKIT':