update #31

Merged
merged 5 commits into from
Jan 26, 2021
Merged
102 changes: 61 additions & 41 deletions scripts/artifacts/Viber.py
Expand Up @@ -20,10 +20,20 @@ def get_Viber(files_found, report_folder, seeker, wrap_text):
cursor = db.cursor()
try:
cursor.execute('''
SELECT canonized_number, case type when 2 then "Outgoing" else "Incoming" end AS direction,
duration as duration_in_seconds, date AS start_time,
case viber_call_type when 1 then "Audio Call" when 4 then "Video Call" else "Unknown" end AS call_type
FROM calls
SELECT
datetime(date/1000, 'unixepoch') AS start_time,
canonized_number,
case type
when 2 then "Outgoing"
else "Incoming"
end AS direction,
strftime('%H:%M:%S',duration, 'unixepoch') as duration,
case viber_call_type
when 1 then "Audio Call"
when 4 then "Video Call"
else "Unknown"
end AS viber_call_type
FROM calls
''')

all_rows = cursor.fetchall()
Expand All @@ -32,30 +42,33 @@ def get_Viber(files_found, report_folder, seeker, wrap_text):
usageentries = 0

if usageentries > 0:
report = ArtifactHtmlReport('Viber - call logs')
report.start_artifact_report(report_folder, 'Viber - call logs')
report = ArtifactHtmlReport('Viber - Call Logs')
report.start_artifact_report(report_folder, 'Viber - Call Logs')
report.add_script()
data_headers = ('canonized_number','call_direction', 'duration_in_seconds', 'start_time', 'call_type') # Don't remove the comma, that is required to make this a tuple as there is only 1 element
data_headers = ('Call Start Time', 'Phone Number','Call Direction', 'Call Duration', 'Call Type') # Don't remove the comma, that is required to make this a tuple as there is only 1 element
data_list = []
for row in all_rows:
data_list.append((row[0], row[1], row[2], row[3], row[4]))

report.write_artifact_data_table(data_headers, data_list, file_found)
report.end_artifact_report()

tsvname = f'Viber - call logs'
tsvname = f'Viber - Call Logs'
tsv(report_folder, data_headers, data_list, tsvname)

tlactivity = f'Viber - call logs'
tlactivity = f'Viber - Call Logs'
timeline(report_folder, tlactivity, data_list, data_headers)

else:
logfunc('No Viber Call Logs found')

try:
cursor.execute('''
SELECT C.display_name, coalesce(D.data2, D.data1, D.data3) as phone_number
FROM phonebookcontact AS C JOIN phonebookdata AS D ON C._id = D.contact_id
SELECT
C.display_name,
coalesce(D.data2, D.data1, D.data3) as phone_number
FROM phonebookcontact AS C
JOIN phonebookdata AS D ON C._id = D.contact_id
''')

all_rows = cursor.fetchall()
Expand All @@ -67,7 +80,7 @@ def get_Viber(files_found, report_folder, seeker, wrap_text):
report = ArtifactHtmlReport('Viber - Contacts')
report.start_artifact_report(report_folder, 'Viber - Contacts')
report.add_script()
data_headers = ('display_name','phone_number') # Don't remove the comma, that is required to make this a tuple as there is only 1 element
data_headers = ('Display Name','Phone Number') # Don't remove the comma, that is required to make this a tuple as there is only 1 element
data_list = []
for row in all_rows:
data_list.append((row[0], row[1]))
Expand All @@ -87,34 +100,41 @@ def get_Viber(files_found, report_folder, seeker, wrap_text):
cursor = db.cursor()
try:
cursor.execute('''
SELECT convo_participants.from_number AS from_number,
convo_participants.recipients AS recipients,
M.conversation_id AS thread_id,
M.body AS msg_content,
case M.send_type when 1 then "Outgoing" else "Incoming" end AS direction,
M.msg_date AS msg_date,
case M.unread when 0 then "Read" else "Unread" end AS read_status,
M.extra_uri AS file_attachment
FROM (SELECT *,
group_concat(TO_RESULT.number) AS recipients
FROM (SELECT P._id AS FROM_ID,
P.conversation_id,
PI.number AS FROM_NUMBER
FROM participants AS P
JOIN participants_info AS PI
ON P.participant_info_id = PI._id) AS FROM_RESULT
JOIN (SELECT P._id AS TO_ID,
P.conversation_id,
PI.number
FROM participants AS P
JOIN participants_info AS PI
ON P.participant_info_id = PI._id) AS TO_RESULT
ON FROM_RESULT.from_id != TO_RESULT.to_id
AND FROM_RESULT.conversation_id = TO_RESULT.conversation_id
GROUP BY FROM_RESULT.from_id) AS convo_participants
JOIN messages AS M
ON M.participant_id = convo_participants.from_id
AND M.conversation_id = convo_participants.conversation_id
SELECT
datetime(M.msg_date/1000, 'unixepoch') AS msg_date,
convo_participants.from_number AS from_number,
convo_participants.recipients AS recipients,
M.conversation_id AS thread_id,
M.body AS msg_content,
case M.send_type
when 1 then "Outgoing"
else "Incoming"
end AS direction,
case M.unread
when 0 then "Read"
else "Unread"
end AS read_status,
M.extra_uri AS file_attachment
FROM (SELECT *,
group_concat(TO_RESULT.number) AS recipients
FROM (SELECT P._id AS FROM_ID,
P.conversation_id,
PI.number AS FROM_NUMBER
FROM participants AS P
JOIN participants_info AS PI
ON P.participant_info_id = PI._id) AS FROM_RESULT
JOIN (SELECT P._id AS TO_ID,
P.conversation_id,
PI.number
FROM participants AS P
JOIN participants_info AS PI
ON P.participant_info_id = PI._id) AS TO_RESULT
ON FROM_RESULT.from_id != TO_RESULT.to_id
AND FROM_RESULT.conversation_id = TO_RESULT.conversation_id
GROUP BY FROM_RESULT.from_id) AS convo_participants
JOIN messages AS M
ON M.participant_id = convo_participants.from_id
AND M.conversation_id = convo_participants.conversation_id
''')

all_rows = cursor.fetchall()
Expand All @@ -126,7 +146,7 @@ def get_Viber(files_found, report_folder, seeker, wrap_text):
report = ArtifactHtmlReport('Viber - Messages')
report.start_artifact_report(report_folder, 'Viber - Messages')
report.add_script()
data_headers = ('from_number','recipients', 'thread_id', 'msg_content', 'direction', 'msg_date', 'read_status', 'file_attachment') # Don't remove the comma, that is required to make this a tuple as there is only 1 element
data_headers = ('Message Date', 'From Phone Number','Recipients', 'Thread ID', 'Message', 'Direction', 'Read Status', 'File Attachment') # Don't remove the comma, that is required to make this a tuple as there is only 1 element
data_list = []
for row in all_rows:
data_list.append((row[0], row[1], row[2], row[3], row[4], row[5], row[6], row[7]))
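Review bot: The trailing comment on the rewritten `data_headers` tuples — "Don't remove the comma, that is required to make this a tuple as there is only 1 element" — is now wrong three times over: the call-log header has five elements, the contacts header two and the messages header eight, so the comment should be dropped from all three lines (the second and third hunks carry the same stale text). The new `datetime(date/1000, 'unixepoch')` and `datetime(M.msg_date/1000, 'unixepoch')` columns are rendered by SQLite in UTC (no 'localtime' modifier is applied), which a forensic report should state; I would label the headers `'Call Start Time (UTC)'` and `'Message Date (UTC)'`, or add a comment above each query such as `# timestamps are converted in SQL and are UTC`. Note also that `strftime('%H:%M:%S', duration, 'unixepoch')` wraps silently at 24 hours; if durations above that can occur, the old `duration_in_seconds` integer is the safer value to keep alongside. The surrounding `get_Viber` body starts and ends outside these hunks.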
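--- /dev/null
+++ b/scripts/artifacts/roles.py
@@ -0,0 +1,60 @@
+import xml.etree.ElementTree as ET
+
+from scripts.artifact_report import ArtifactHtmlReport
+from scripts.ilapfuncs import logfunc, tsv, is_platform_windows
+
+def get_roles(files_found, report_folder, seeker, wrap_text):
+
+    run = 0
+    slash = '\\' if is_platform_windows() else '/'
+
+    for file_found in files_found:
+        file_found = str(file_found)
+
+        data_list = []
+        run = run + 1
+        err = 0
+
+
+        parts = file_found.split(slash)
+        if 'mirror' in parts:
+            user = 'mirror'
+        elif 'users' in parts:
+            user = parts[-2]
+        elif 'misc_de' in parts:
+            user = parts[-4]
+
+        if user == 'mirror':
+            continue
+        else:
+            try:
+                ET.parse(file_found)
+            except ET.ParseError:
+                print('Parse error - Non XML file.') #change to logfunc
+                err = 1
+
+        if err == 0:
+            tree = ET.parse(file_found)
+            root = tree.getroot()
+
+            for elem in root:
+                holder = ''
+                role = elem.attrib['name']
+                for subelem in elem:
+                    holder = subelem.attrib['name']
+
+                data_list.append((role, holder))
+
+        if len(data_list) > 0:
+            report = ArtifactHtmlReport('App Roles')
+            report.start_artifact_report(report_folder, f'App Roles_{user}')
+            report.add_script()
+            data_headers = ('Role', 'Holder')
+            report.write_artifact_data_table(data_headers, data_list, file_found)
+            report.end_artifact_report()
+
+            tsvname = f'App Roles_{user}'
+            tsv(report_folder, data_headers, data_list, tsvname)
+
+
+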
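Review bot: `user` is only assigned inside the `if 'mirror' / elif 'users' / elif 'misc_de'` chain, so a path matching neither (or a stale value from the previous file on later iterations) reaches `if user == 'mirror'` unbound or wrong; add a terminating branch such as `else:` / `logfunc(f'Unrecognised roles.xml path: {file_found}')` / `continue`. The `print('Parse error - Non XML file.') #change to logfunc` line is the same one this PR fixes in runtimePerms.py, so the new file should call `logfunc(...)` too and `logfunc` is already imported here. The file is also parsed twice — `ET.parse(file_found)` in the `try` and again under `if err == 0` — which can be collapsed to `tree = ET.parse(file_found)` inside the `try` with the loop over `tree.getroot()` in an `else:` clause. Finally the inner `for subelem in elem` loop overwrites `holder` on every pass, so a role element with several holder children reports only the last one; if roles.xml can list multiple holders per role (I cannot confirm from here), append one row per subelement instead.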
2 changes: 1 addition & 1 deletion scripts/artifacts/runtimePerms.py
Expand Up @@ -30,7 +30,7 @@ def get_runtimePerms(files_found, report_folder, seeker, wrap_text):
try:
ET.parse(file_found)
except ET.ParseError:
print('Parse error - Non XML file.') #change to logfunc
logfunc('Parse error - Non XML file.')
err = 1

if err == 0:
17 changes: 5 additions & 12 deletions scripts/ilap_artifacts.py
Expand Up @@ -5,7 +5,6 @@

import traceback

from time import process_time, gmtime, strftime
from scripts.artifacts.adb_hosts import get_adb_hosts
from scripts.artifacts.etc_hosts import get_etc_hosts
from scripts.artifacts.BashHistory import get_BashHistory
Expand All @@ -31,8 +30,6 @@
from scripts.artifacts.cmh import get_cmh
from scripts.artifacts.DocList import get_DocList
from scripts.artifacts.emulatedSmeta import get_emulatedSmeta
from scripts.artifacts.FilesByGoogle_FilesMaster import get_FilesByGoogle_FilesMaster
from scripts.artifacts.FilesByGoogle_SearchHistory import get_FilesByGoogle_SearchHistory
from scripts.artifacts.gboard import get_gboardCache
from scripts.artifacts.googleNowPlaying import get_googleNowPlaying
from scripts.artifacts.googlePlaySearches import get_googlePlaySearches
Expand All @@ -45,6 +42,7 @@
from scripts.artifacts.packageInfo import get_package_info
from scripts.artifacts.recentactivity import get_recentactivity
from scripts.artifacts.lgRCS import get_lgRCS
from scripts.artifacts.roles import get_roles
from scripts.artifacts.runtimePerms import get_runtimePerms
from scripts.artifacts.scontextLog import get_scontextLog
from scripts.artifacts.settingsSecure import get_settingsSecure
Expand Down Expand Up @@ -94,7 +92,7 @@
'build':('Device Info', '**/vendor/build.prop'),
'calllog': ('Call Logs', '**/com.android.providers.contacts/databases/calllog.db'),
'Cast':('Cast', '**/com.google.android.gms/databases/cast.db'),
'Cello': ('Google Drive', ('*/com.google.android.apps.docs/app_cello/*/cello.db*', '*/com.google.android.apps.docs/files/shiny_blobs/blobs/*')),
'Cello': ('Google Docs', ('*/com.google.android.apps.docs/app_cello/*/cello.db*', '*/com.google.android.apps.docs/files/shiny_blobs/blobs/*')),
'chrome':('Chrome', ('**/app_chrome/Default/History*', '**/app_sbrowser/Default/History*')),
'chromeBookmarks':('Chrome', ('**/app_chrome/Default/Bookmarks*', '**/app_sbrowser/Default/Bookmarks*')),
'chromeCookies':('Chrome', ('**/app_chrome/Default/Cookies*', '**/app_sbrowser/Default/Cookies*')),
Expand All @@ -105,10 +103,8 @@
'chromeTopSites':('Chrome', ('**/app_chrome/Default/Top Sites*', '**/app_sbrowser/Default/Top Sites*')),
'chromeWebsearch':('Chrome', ('**/app_chrome/Default/History*', '**/app_sbrowser/Default/History*')),
'cmh':('Samsung_CMH', '**/cmh.db'),
'DocList':('Google Drive', '**/com.google.android.apps.docs/databases/DocList.db*'),
'DocList':('Google Docs', '**/com.google.android.apps.docs/databases/DocList.db*'),
'emulatedSmeta':('Emulated Storage Metadata', '**/com.google.android.providers.media.module/databases/external.db*'),
'FilesByGoogle_FilesMaster':('Files By Google', '**/com.google.android.apps.nbu.files/databases/files_master_database*'),
'FilesByGoogle_SearchHistory':('Files By Google','**/com.google.android.apps.nbu.files/databases/search_history_database*'),
'gboardCache':('Gboard Keyboard', '**/com.google.android.inputmethod.latin/databases/trainingcache*.db'),
'googleNowPlaying':('Now Playing', '**/com.google.intelligence.sense/db/history_db*'),
'googlePlaySearches':('Google Play', '**/com.android.vending/databases/suggestions.db*'),
Expand All @@ -121,6 +117,7 @@
'quicksearch_recent':('Google Now & QuickSearch', '**/com.google.android.googlequicksearchbox/files/recently/*'),
'recentactivity':('Recent Activity', '**/system_ce/*'),
'lgRCS':('RCS Chats', '*/mmssms.db*'),
'roles':('App Roles',('*/system/users/*/roles.xml','*/misc_de/*/apexdata/com.android.permission/roles.xml')),
'runtimePerms':('Runtime Permissions',('*/system/users/*/runtime-permissions.xml','*/misc_de/*/apexdata/com.android.permission/runtime-permissions.xml')),
'scontextLog':('App Interaction', '**/com.samsung.android.providers.context/databases/ContextLog.db'),
'settingsSecure':('Device Info', '**/system/users/*/settings_secure.xml'),
Expand Down Expand Up @@ -168,7 +165,6 @@ def process_artifact(files_found, artifact_func, artifact_name, seeker, report_f

wrap_text: whether the text data will be wrapped or not using textwrap. Useful for tools that want to parse the data.
'''
start_time = process_time()
logfunc('{} [{}] artifact executing'.format(artifact_name, artifact_func))
report_folder = os.path.join(report_folder_base, artifact_name) + slash
try:
Expand All @@ -190,7 +186,4 @@ def process_artifact(files_found, artifact_func, artifact_name, seeker, report_f
logfunc('Exception Traceback: {}'.format(traceback.format_exc()))
return

end_time = process_time()
run_time_secs = end_time - start_time
# run_time_HMS = strftime('%H:%M:%S', gmtime(run_time_secs))
logfunc('{} [{}] artifact completed in time {} seconds'.format(artifact_name, artifact_func, run_time_secs))
logfunc('{} [{}] artifact completed'.format(artifact_name, artifact_func))
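Review bot: The relabelling of the 'Cello' and 'DocList' entries from 'Google Drive' to 'Google Docs' looks mismatched with the paths on those lines: both point at `com.google.android.apps.docs`, which as far as I know is the package name of the Google Drive app, not the separate Docs editor, so the original category may have been the accurate one — worth confirming before this (and the matching `'GOOGLE DOCS'` icon branch in report.py) lands. Separately, dropping the `FilesByGoogle_FilesMaster` / `FilesByGoogle_SearchHistory` imports and registry entries leaves those artifact modules unreferenced if they still exist in `scripts/artifacts/`; the PR as shown here does not delete them, so either remove the files or say in the description why they are being disabled. The `process_artifact` hunks are fine as written; the function starts outside the first of them.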
4 changes: 2 additions & 2 deletions scripts/report.py
Expand Up @@ -44,9 +44,8 @@ def get_icon_name(category, artifact):
else: icon = 'info'
elif category == 'ETC HOSTS': icon = 'globe'
elif category == 'EMULATED STORAGE METADATA': icon = 'database'
elif category == 'FILES BY GOOGLE': icon = 'file'
elif category == 'GBOARD KEYBOARD': icon = 'edit-3'
elif category == 'GOOGLE DRIVE': icon = 'file'
elif category == 'GOOGLE DOCS': icon = 'file'
elif category == 'GOOGLE NOW & QUICKSEARCH': icon = 'search'
elif category == 'GOOGLE PLAY':
if artifact == 'GOOGLE PLAY SEARCHES': icon = 'search'
Expand All @@ -67,6 +66,7 @@ def get_icon_name(category, artifact):
else: icon = 'layers'
elif category == 'WIFI PROFILES': icon = 'wifi'
elif category == 'RUNTIME PERMISSIONS': icon = 'check'
elif category == 'APP ROLES': icon = 'tool'

return icon

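Review bot: The new `elif category == 'APP ROLES': icon = 'tool'` line extends a chain of string comparisons that evidently runs the length of `get_icon_name`; a module-level `dict` mapping category to icon, consulted with `.get(category, default)`, would turn additions like this one into a one-line data change and leave only the genuinely conditional cases (the Google Play sub-branches, the `else: icon = 'layers'` group) as code. `get_icon_name` begins outside the hunk, so the initial value of `icon` is not visible here and the dict's default would need to match it.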