Bumped version

Fixed idevicebackup2 syntax

docs/ios/backup/libimobiledevice.md

@@ -3,10 +3,10 @@
 If you have correctly [installed libimobiledevice](../install.md) you can easily generate an iTunes backup using the `idevicebackup2` tool included in the suite. First, you might want to ensure that backup encryption is enabled (**note: encrypted backup contain more data than unencrypted backups**):
 
 ```bash
-idevicebackup2 -i backup encryption on
+idevicebackup2 -i encryption on
 ```
 
-Note that if a backup password was previously set on this device, you might need to use the same or change it. You can try changing password using `idevicebackup2 -i backup changepw`, or by turning off encryption (`idevicebackup2 -i backup encryption off`) and turning it back on again.
+Note that if a backup password was previously set on this device, you might need to use the same or change it. You can try changing password using `idevicebackup2 -i changepw`, or by turning off encryption (`idevicebackup2 -i encryption off`) and turning it back on again.
 
 If you are not able to recover or change the password, you should try to disable encryption and obtain an unencrypted backup.
 

mvt/android/modules/adb/base.py

@@ -272,8 +272,8 @@ class AndroidExtraction(MVTModule):
         self._adb_command(f"rm -f {new_remote_path}")
 
     def _generate_backup(self, package_name: str) -> bytes:
-        self.log.warning("Please check phone and accept Android backup prompt. "
-                         "You may need to set a backup password. \a")
+        self.log.info("Please check phone and accept Android backup prompt. "
+                      "You may need to set a backup password. \a")
 
         # TODO: Base64 encoding as temporary fix to avoid byte-mangling over
         #       the shell transport...
@@ -300,7 +300,7 @@ class AndroidExtraction(MVTModule):
             except InvalidBackupPassword:
                 self.log.error("You provided the wrong password! Please try again...")
 
-        self.log.warn("All attempts to decrypt backup with password failed!")
+        self.log.error("All attempts to decrypt backup with password failed!")
 
         return None
 

mvt/android/modules/adb/packages.py

@@ -192,7 +192,6 @@ class Packages(AndroidExtraction):
 
     @staticmethod
     def parse_package_for_details(output: str) -> dict:
-        # Get only the package information
         lines = []
         in_packages = False
         for line in output.splitlines():

mvt/android/modules/adb/sms.py

@@ -158,7 +158,7 @@ class SMS(AndroidExtraction):
         except InsufficientPrivileges:
             pass
 
-        self.log.warn("No SMS database found. Trying extraction of SMS data "
+        self.log.info("No SMS database found. Trying extraction of SMS data "
                       "using Android backup feature.")
         self._extract_sms_adb()
 

mvt/android/modules/bugreport/packages.py

@@ -6,10 +6,10 @@
 import logging
 from typing import Optional, Union
 
-from mvt.android.parsers.dumpsys import parse_dumpsys_packages
 from mvt.android.modules.adb.packages import (DANGEROUS_PERMISSIONS,
                                               DANGEROUS_PERMISSIONS_THRESHOLD,
                                               ROOT_PACKAGES)
+from mvt.android.parsers.dumpsys import parse_dumpsys_packages
 
 from .base import BugReportModule
 

mvt/common/indicators.py

@@ -44,7 +44,6 @@ class Indicators:
 
         paths = os.environ["MVT_STIX2"].split(":")
         for path in paths:
-            print(path)
             if os.path.isfile(path):
                 self.parse_stix2(path)
             else:
@@ -437,6 +436,27 @@ class Indicators:
 
         return None
 
+    def check_file_path_process(self, file_path: str) -> Union[dict, None]:
+        """Check the provided file path contains a process name from the
+        list of indicators
+
+        :param file_path: File path or file name to check against file
+        indicators
+        :type file_path: str
+        :returns: Indicator details if matched, otherwise None
+
+        """
+        if not file_path:
+            return None
+
+        for ioc in self.get_iocs("processes"):
+            parts = file_path.split("/")
+            if ioc["value"] in parts:
+                self.log.warning("Found known suspicious process name mentioned in file at "
+                                  "path \"%s\" matching indicators from \"%s\"",
+                                  file_path, ioc["name"])
+                return ioc
+
     def check_profile(self, profile_uuid: str) -> Union[dict, None]:
         """Check the provided configuration profile UUID against the list of
         indicators.

mvt/common/version.py

@@ -3,4 +3,4 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
-MVT_VERSION = "2.1.5"
+MVT_VERSION = "2.1.6"

mvt/ios/modules/backup/profile_events.py

@@ -11,6 +11,7 @@ from mvt.common.utils import convert_datetime_to_iso
 
 from ..base import IOSExtraction
 
+# CONF_PROFILES_EVENTS_ID = "aeb25de285ea542f7ac7c2070cddd1961e369df1"
 CONF_PROFILES_EVENTS_RELPATH = "Library/ConfigurationProfiles/MCProfileEvents.plist"
 
 

mvt/ios/modules/base.py

@@ -107,8 +107,12 @@ class IOSExtraction(MVTModule):
                             (relative_path, domain))
             else:
                 if relative_path:
-                    cur.execute(f"{base_sql} relativePath = ?;",
-                                (relative_path,))
+                    if "*" in relative_path:
+                        cur.execute(f"{base_sql} relativePath LIKE ?;",
+                                    (relative_path.replace("*", "%"),))
+                    else:
+                        cur.execute(f"{base_sql} relativePath = ?;",
+                                    (relative_path,))
                 elif domain:
                     cur.execute(f"{base_sql} domain = ?;", (domain,))
         except Exception as exc:

mvt/ios/modules/fs/filesystem.py

@@ -57,14 +57,10 @@ class Filesystem(IOSExtraction):
             if self.fast_mode:
                 continue
 
-            for ioc in self.indicators.get_iocs("processes"):
-                parts = result["path"].split("/")
-                if ioc["value"] in parts:
-                    self.log.warning("Found known suspicious process name mentioned in file at "
-                                     "path \"%s\" matching indicators from \"%s\"",
-                                     result["path"], ioc["name"])
-                    result["matched_indicator"] = ioc
-                    self.detected.append(result)
+            ioc = self.indicators.check_file_path_process(result["path"])
+            if ioc:
+                result["matched_indicator"] = ioc
+                self.detected.append(result)
 
     def run(self) -> None:
         for root, dirs, files in os.walk(self.target_path):

tests/ios_fs/test_filesystem.py

@@ -0,0 +1,34 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2022 Claudio Guarnieri.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import logging
+
+from mvt.common.indicators import Indicators
+from mvt.common.module import run_module
+from mvt.ios.modules.fs.filesystem import Filesystem
+
+from ..utils import get_ios_backup_folder
+
+
+class TestFilesystem:
+
+    def test_filesystem(self):
+        m = Filesystem(target_path=get_ios_backup_folder())
+        run_module(m)
+        assert len(m.results) == 10
+        assert len(m.timeline) == 10
+        assert len(m.detected) == 0
+
+    def test_detection(self, indicator_file):
+        m = Filesystem(target_path=get_ios_backup_folder())
+        ind = Indicators(log=logging.getLogger())
+        ind.parse_stix2(indicator_file)
+        # Adds a filename that exist in the folder
+        ind.ioc_collections[0]["processes"].append("64d0019cb3d46bfc8cce545a8ba54b93e7ea9347")
+        m.indicators = ind
+        run_module(m)
+        assert len(m.results) == 10
+        assert len(m.timeline) == 10
+        assert len(m.detected) == 1