From 9a831b5930da09e640542b5f6869592680260a3f Mon Sep 17 00:00:00 2001 From: tek Date: Wed, 2 Aug 2023 15:28:16 +0200 Subject: [PATCH] Adds GlobalPreferences iOS module --- docs/ios/records.md | 10 +++ mvt/ios/modules/mixed/__init__.py | 2 + mvt/ios/modules/mixed/global_preferences.py | 63 ++++++++++++++++++ .../0dc926a1810f7aee4e8f38793ed788701f93bf9d | Bin 0 -> 727 bytes tests/ios_backup/test_global_preferences.py | 20 ++++++ tests/ios_backup/test_tcc.py | 2 +- tests/ios_fs/test_filesystem.py | 8 +-- 7 files changed, 100 insertions(+), 5 deletions(-) create mode 100644 mvt/ios/modules/mixed/global_preferences.py create mode 100644 tests/artifacts/ios_backup/0d/0dc926a1810f7aee4e8f38793ed788701f93bf9d create mode 100644 tests/ios_backup/test_global_preferences.py diff --git a/docs/ios/records.md b/docs/ios/records.md index 3cdfa8f..17be192 100644 --- a/docs/ios/records.md +++ b/docs/ios/records.md @@ -142,6 +142,16 @@ If indicators are provided through the command-line, they are checked against th --- +### `global_preferences.json` + +!!! info "Availability" + Backup: :material-check: + Full filesystem dump: :material-check: + +This JSON file is created by mvt-ios' `GlobalPreferences` module. The module extracts records from a Plist file located at */private/var/mobile/Library/Preferences/.GlobalPreferences.plist*, which contains a system preferences including if Lockdown Mode is enabled. + +--- + ### `id_status_cache.json` !!! info "Availability" diff --git a/mvt/ios/modules/mixed/__init__.py b/mvt/ios/modules/mixed/__init__.py index 5bc2dea..de6f808 100644 --- a/mvt/ios/modules/mixed/__init__.py +++ b/mvt/ios/modules/mixed/__init__.py 
@@ -11,6 +11,7 @@ from .chrome_history import ChromeHistory
 from .contacts import Contacts
 from .firefox_favicon import FirefoxFavicon
 from .firefox_history import FirefoxHistory
+from .global_preferences import GlobalPreferences
 from .idstatuscache import IDStatusCache
 from .interactionc import InteractionC
 from .locationd import LocationdClients
@@ -49,4 +50,5 @@ MIXED_MODULES = [
 Shortcuts,
 Applications,
 Calendar,
+ GlobalPreferences,
 ]
diff --git a/mvt/ios/modules/mixed/global_preferences.py b/mvt/ios/modules/mixed/global_preferences.py
new file mode 100644
index 0000000..02c7445
--- /dev/null
+++ b/mvt/ios/modules/mixed/global_preferences.py
@@ -0,0 +1,63 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 Claudio Guarnieri.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+# https://license.mvt.re/1.1/
+
+import logging
+import plistlib
+from typing import Optional
+
+from ..base import IOSExtraction
+
+GLOBAL_PREFERENCES_BACKUP_IDS = ["0dc926a1810f7aee4e8f38793ed788701f93bf9d"]
+GLOBAL_PREFERENCES_ROOT_PATHS = [
+ "private/var/mobile/Library/Preferences/.GlobalPreferences.plist",
+]
+
+
+class GlobalPreferences(IOSExtraction):
+ """This module extracts Global Preferences to check if Lockdown mode is enabled."""
+
+ def __init__(
+ self,
+ file_path: Optional[str] = None,
+ target_path: Optional[str] = None,
+ results_path: Optional[str] = None,
+ module_options: Optional[dict] = None,
+ log: logging.Logger = logging.getLogger(__name__),
+ results: Optional[list] = None,
+ ) -> None:
+ super().__init__(
+ file_path=file_path,
+ target_path=target_path,
+ results_path=results_path,
+ module_options=module_options,
+ log=log,
+ results=results,
+ )
+
+ def check_indicators(self) -> None:
+ for entry in self.results:
+ if entry["entry"] == "LDMGlobalEnabled":
+ if entry["value"]:
+ self.log.info("Lockdown mode enabled")
+ else:
+ self.log.info("Lockdown mode disabled")
+
+ def process_file(self, file_path: str) -> None:
+ with open(file_path, "rb") as handle:
+ data = plistlib.load(handle)
+
+ for entry in data:
+ self.results.append({"entry": entry, "value": data[entry]})
+
+ def run(self) -> None:
+ self._find_ios_database(
+ backup_ids=GLOBAL_PREFERENCES_BACKUP_IDS,
+ root_paths=GLOBAL_PREFERENCES_ROOT_PATHS,
+ )
+ self.log.info("Found Global Preference database at path: %s", self.file_path)
+
+ self.process_file(self.file_path)
+
+ self.log.info("Extracted a total of %d Global Preferences", len(self.results))
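Review bot: `process_file` passes a plist taken from the device under examination straight to `plistlib.load` and then indexes the result as a mapping, so a truncated or malformed file, or one whose root object is not a dict, raises out of `run()` instead of being reported as a parse failure. Because this input is evidence from a possibly compromised phone, I would catch the load error, log it with the path, and return early when the root is not a dict; whether the caller of `run()` already traps exceptions is not visible in this hunk. `plistlib.InvalidFileException` covers bad binary plists, while XML parse errors surface as a different exception type and would need their own clause if the file can be XML. Separately, `check_indicators` logs nothing when `LDMGlobalEnabled` is absent, which leaves the analyst without any statement on Lockdown Mode for that case.

```python
    def process_file(self, file_path: str) -> None:
        try:
            with open(file_path, "rb") as handle:
                data = plistlib.load(handle)
        except (OSError, plistlib.InvalidFileException) as exc:
            self.log.error(
                "Unable to parse Global Preferences plist at %s: %s", file_path, exc
            )
            return

        if not isinstance(data, dict):
            self.log.error("Unexpected Global Preferences plist root at %s", file_path)
            return

        # … unchanged: loop appending each entry/value pair to self.results …
```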
diff --git a/tests/artifacts/ios_backup/0d/0dc926a1810f7aee4e8f38793ed788701f93bf9d b/tests/artifacts/ios_backup/0d/0dc926a1810f7aee4e8f38793ed788701f93bf9d new file mode 100644 index 0000000000000000000000000000000000000000..387e796c5639bc128a384876b10cfde1c9823e9a GIT binary patch literal 727 zcmY*XJ#W)M7``)K4ux`Qlh8J_fLdTcjUqn80F^L`8&I4owFwmk#hmSHeAK=(J|}^V zf&TzA`3Woxz<`7h6A}wdz#l+N2nGhuPK1;jPP+H`c;DyMIZ;4GQmuYN2r7H_?%RJr z%^jRNba?s*%FoOeilzC5a=yHHa%N%KMx`y{G-zV^d|*(v+lon_l7X<%yykh7b@hXjTW_rfkmQ+m8&zB$R&Z)u(HKp~ ztyl?lcS&p#SGE-uD+;ji$7&m`v>FEQZt#TeP!}iC(IRo5y2Ki@Eh3ay5Gxjv?B+#-`Bqt>hk+`)m)up`%YXB25X^~k-2g>bo-Zq4Co z7d3ZYdw1n?Z+5eVK>J*^e(B=#qjPP-R@cq;PAu;Nm^f1}C1|gk2&%)S<0sNb{hDOT zQk$g9Kx%Hda_Y2=j%CnQF<9H&(#@NaYVt_yj(ML--25hHv0|_yK-|pWqkx75;?3 i;BWW`{#6u3Ri+iB