From 35a6f6ec9ae07238de776bc8c0a575949d29d652 Mon Sep 17 00:00:00 2001 From: dozenfossil Date: Mon, 13 Sep 2021 20:02:48 +0200 Subject: [PATCH 1/2] fix multi path/file issue --- mvt/ios/modules/mixed/idstatuscache.py | 18 +++++++++++++----- mvt/ios/modules/mixed/locationd.py | 18 +++++++++++++----- mvt/ios/modules/mixed/safari_browserstate.py | 18 ++++++++++-------- 3 files changed, 36 insertions(+), 18 deletions(-) diff --git a/mvt/ios/modules/mixed/idstatuscache.py b/mvt/ios/modules/mixed/idstatuscache.py index 1ab91c9..7203050 100644 --- a/mvt/ios/modules/mixed/idstatuscache.py +++ b/mvt/ios/modules/mixed/idstatuscache.py @@ -51,11 +51,7 @@ class IDStatusCache(IOSExtraction): result.get("user")) self.detected.append(result) - def run(self): - self._find_ios_database(backup_ids=IDSTATUSCACHE_BACKUP_IDS, - root_paths=IDSTATUSCACHE_ROOT_PATHS) - self.log.info("Found IDStatusCache plist at path: %s", self.file_path) - + def extract_idstatuscache_entries(self): with open(self.file_path, "rb") as handle: file_plist = plistlib.load(handle) @@ -84,4 +80,16 @@ class IDStatusCache(IOSExtraction): entry["occurrences"] = entry_counter[entry["user"]] self.results.append(entry) + def run(self): + + if self.is_backup: + self._find_ios_database(backup_ids=IDSTATUSCACHE_BACKUP_IDS) + self.log.info("Found IDStatusCache plist at path: %s", self.file_path) + self.extract_idstatuscache_entries() + elif self.is_fs_dump: + for idstatuscache_path in self._get_fs_files_from_patterns(IDSTATUSCACHE_ROOT_PATHS): + self.file_path = idstatuscache_path + self.log.info("Found IDStatusCache plist at path: %s", self.file_path) + self.extract_idstatuscache_entries() + self.log.info("Extracted a total of %d ID Status Cache entries", len(self.results)) diff --git a/mvt/ios/modules/mixed/locationd.py b/mvt/ios/modules/mixed/locationd.py index 6784fdb..5caafd9 100644 --- a/mvt/ios/modules/mixed/locationd.py +++ b/mvt/ios/modules/mixed/locationd.py 
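Review bot: The fs-dump loop in the new `run()` of idstatuscache.py has no per-file error handling, so one plist that cannot be opened or parsed stops the module before the remaining matches are read. These files come from the device under analysis, and a damaged or malformed one should not hide the others. Wrapping the call as `try: self.extract_idstatuscache_entries()` with `except Exception as exc: self.log.warning("Unable to parse %s: %s", self.file_path, exc)` keeps the loop going; narrow the exception types where they are known. This only applies if the extraction helper does not already catch these errors, and its body is only partly visible here. The same loop shape appears in `run()` of locationd.py and safari_browserstate.py in this patch and is carried unchanged into PATCH 2/2.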
@@ -59,11 +59,7 @@ class LocationdClients(IOSExtraction): if self.indicators.check_process(proc_name): self.detected.append(result) - def run(self): - self._find_ios_database(backup_ids=LOCATIOND_BACKUP_IDS, - root_paths=LOCATIOND_ROOT_PATHS) - self.log.info("Found Locationd Clients plist at path: %s", self.file_path) - + def extract_locationd_entries(self): with open(self.file_path, "rb") as handle: file_plist = plistlib.load(handle) @@ -76,4 +72,16 @@ class LocationdClients(IOSExtraction): self.results.append(result) + def run(self): + + if self.is_backup: + self._find_ios_database(backup_ids=LOCATIOND_BACKUP_IDS) + self.log.info("Found Locationd Clients plist at path: %s", self.file_path) + self.extract_locationd_entries() + elif self.is_fs_dump: + for locationd_path in self._get_fs_files_from_patterns(LOCATIOND_ROOT_PATHS): + self.file_path = locationd_path + self.log.info("Found Locationd Clients plist at path: %s", self.file_path) + self.extract_locationd_entries() + self.log.info("Extracted a total of %d Locationd Clients entries", len(self.results)) diff --git a/mvt/ios/modules/mixed/safari_browserstate.py b/mvt/ios/modules/mixed/safari_browserstate.py index c1edd3e..54739f0 100644 --- a/mvt/ios/modules/mixed/safari_browserstate.py +++ b/mvt/ios/modules/mixed/safari_browserstate.py @@ -13,9 +13,6 @@ from mvt.common.utils import (convert_mactime_to_unix, from ..base import IOSExtraction -SAFARI_BROWSER_STATE_BACKUP_IDS = [ - "3a47b0981ed7c10f3e2800aa66bac96a3b5db28e", -] SAFARI_BROWSER_STATE_BACKUP_RELPATH = "Library/Safari/BrowserState.db" SAFARI_BROWSER_STATE_ROOT_PATHS = [ "private/var/mobile/Library/Safari/BrowserState.db", 
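Review bot: When `_get_fs_files_from_patterns(LOCATIOND_ROOT_PATHS)` matches nothing, or when neither `is_backup` nor `is_fs_dump` is set, the new `run()` in locationd.py falls through to "Extracted a total of 0 Locationd Clients entries". An analyst cannot tell that apart from a file that was present but empty. The removed code went through `_find_ios_database` for both cases; whether that helper reported a missing file is not visible in this patch, so this may be a behaviour change. Consider setting a local flag inside the loop and logging the miss explicitly, e.g. `if not found: self.log.info("No Locationd Clients plist found")`. The same applies to `run()` in idstatuscache.py and safari_browserstate.py.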
@@ -101,12 +98,17 @@ class SafariBrowserState(IOSExtraction): }) def run(self): - # TODO: Is there really only one BrowserState.db in a device? - self._find_ios_database(backup_ids=SAFARI_BROWSER_STATE_BACKUP_IDS, - root_paths=SAFARI_BROWSER_STATE_ROOT_PATHS) - self.log.info("Found Safari browser state database at path: %s", self.file_path) - self._process_browser_state_db(self.file_path) + if self.is_backup: + for backup_file in self._get_backup_files_from_manifest(relative_path=SAFARI_BROWSER_STATE_BACKUP_RELPATH): + self.file_path = self._get_backup_file_from_id(backup_file["file_id"]) + self.log.info("Found Safari browser state database at path: %s", self.file_path) + self._process_browser_state_db(self.file_path) + elif self.is_fs_dump: + for safari_browserstate_path in self._get_fs_files_from_patterns(SAFARI_BROWSER_STATE_ROOT_PATHS): + self.file_path = safari_browserstate_path + self.log.info("Found Safari browser state database at path: %s", self.file_path) + self._process_browser_state_db(self.file_path) self.log.info("Extracted a total of %d tab records and %d session history entries", len(self.results), self._session_history_count) From 032b229eb817234c1abbb91dba36537b6c690643 Mon Sep 17 00:00:00 2001 From: Nex Date: Tue, 14 Sep 2021 14:29:04 +0200 Subject: [PATCH 2/2] Minor changes for consistency --- mvt/ios/modules/mixed/idstatuscache.py | 8 ++++---- mvt/ios/modules/mixed/locationd.py | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/mvt/ios/modules/mixed/idstatuscache.py b/mvt/ios/modules/mixed/idstatuscache.py index 7203050..4a5781d 100644 --- a/mvt/ios/modules/mixed/idstatuscache.py +++ b/mvt/ios/modules/mixed/idstatuscache.py 
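Review bot: In the backup branch of `run()`, the return value of `_get_backup_file_from_id(backup_file["file_id"])` is logged as "Found" and passed to `_process_browser_state_db` without a check. The helper's body is not part of this patch. If it can return `None` for a manifest entry whose file is absent from the backup (a partial or damaged backup), the module would fail on that entry instead of moving on to the next one. A guard such as `if not self.file_path: continue` before the log line would cover that case.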
@@ -51,8 +51,8 @@ class IDStatusCache(IOSExtraction): result.get("user")) self.detected.append(result) - def extract_idstatuscache_entries(self): - with open(self.file_path, "rb") as handle: + def _extract_idstatuscache_entries(self, file_path): + with open(file_path, "rb") as handle: file_plist = plistlib.load(handle) id_status_cache_entries = [] @@ -85,11 +85,11 @@ class IDStatusCache(IOSExtraction): if self.is_backup: self._find_ios_database(backup_ids=IDSTATUSCACHE_BACKUP_IDS) self.log.info("Found IDStatusCache plist at path: %s", self.file_path) - self.extract_idstatuscache_entries() + self._extract_idstatuscache_entries(self.file_path) elif self.is_fs_dump: for idstatuscache_path in self._get_fs_files_from_patterns(IDSTATUSCACHE_ROOT_PATHS): self.file_path = idstatuscache_path self.log.info("Found IDStatusCache plist at path: %s", self.file_path) - self.extract_idstatuscache_entries() + self._extract_idstatuscache_entries(self.file_path) self.log.info("Extracted a total of %d ID Status Cache entries", len(self.results)) diff --git a/mvt/ios/modules/mixed/locationd.py b/mvt/ios/modules/mixed/locationd.py index 5caafd9..c2c5dfa 100644 --- a/mvt/ios/modules/mixed/locationd.py +++ b/mvt/ios/modules/mixed/locationd.py @@ -59,8 +59,8 @@ class LocationdClients(IOSExtraction): if self.indicators.check_process(proc_name): self.detected.append(result) - def extract_locationd_entries(self): - with open(self.file_path, "rb") as handle: + def _extract_locationd_entries(self, file_path): + with open(file_path, "rb") as handle: file_plist = plistlib.load(handle) for key, values in file_plist.items(): 
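Review bot: The new `_extract_idstatuscache_entries(self, file_path)` has no docstring, and now that it is called once per matched file its contract is worth stating. Suggested: `"""Parse one IDStatusCache plist and append its entries to self.results."""`, with a `:param file_path:` line saying the path points at a file taken from the analysed backup or filesystem dump. `_extract_locationd_entries(self, file_path)` in locationd.py needs the same. Both function bodies extend beyond the hunks shown.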
@@ -77,11 +77,11 @@ class LocationdClients(IOSExtraction): if self.is_backup: self._find_ios_database(backup_ids=LOCATIOND_BACKUP_IDS) self.log.info("Found Locationd Clients plist at path: %s", self.file_path) - self.extract_locationd_entries() + self._extract_locationd_entries(self.file_path) elif self.is_fs_dump: for locationd_path in self._get_fs_files_from_patterns(LOCATIOND_ROOT_PATHS): self.file_path = locationd_path self.log.info("Found Locationd Clients plist at path: %s", self.file_path) - self.extract_locationd_entries() + self._extract_locationd_entries(self.file_path) self.log.info("Extracted a total of %d Locationd Clients entries", len(self.results))