Merge pull request #616 from Johann-PLW/main

Fix SQLite db path
abrignoni · Nov 22, 2023 · 3b97801 · 3b97801
2 parents a87fd6d + 7ab5db7
commit 3b97801
Show file tree

Hide file tree

Showing 15 changed files with 673 additions and 664 deletions.
diff --git a/scripts/artifacts/accs.py b/scripts/artifacts/accs.py
@@ -1,16 +1,34 @@
-import os
-import plistlib
-import sqlite3
-from datetime import datetime, timezone
+__artifacts_v2__ = {
+    "accs": {
+        "name": "Account Data",
+        "description": "Extract information about configured user accounts",
+        "author": "@AlexisBrignoni",
+        "version": "0.2",
+        "date": "2023-11-21",
+        "requirements": "none",
+        "category": "Accounts",
+        "notes": "",
+        "paths": ('*/mobile/Library/Accounts/Accounts3.sqlite*'),
+        "function": "get_accs"
+    }
+}
+
+
 from scripts.artifact_report import ArtifactHtmlReport
-from scripts.ilapfuncs import logfunc, tsv, timeline, is_platform_windows, open_sqlite_db_readonly, convert_ts_human_to_utc, convert_utc_human_to_timezone 
+from scripts.ilapfuncs import logfunc, tsv, timeline, open_sqlite_db_readonly, convert_ts_human_to_utc, convert_utc_human_to_timezone 
 
 
 def get_accs(files_found, report_folder, seeker, wrap_text, timezone_offset):
-    file_found = str(files_found[0])
+    for file_found in files_found:
+        file_found = str(file_found)
+
+        if file_found.endswith('/Accounts3.sqlite'):
+            break
+
     db = open_sqlite_db_readonly(file_found)
     cursor = db.cursor()
-    cursor.execute("""
+
+    cursor.execute('''
     select
     datetime(zdate+978307200,'unixepoch'),
     zaccounttypedescription,
@@ -20,24 +38,25 @@ def get_accs(files_found, report_folder, seeker, wrap_text, timezone_offset):
     zaccount.zowningbundleid
     from zaccount, zaccounttype 
     where zaccounttype.z_pk=zaccount.zaccounttype
-    """
+    '''
     )
 
     all_rows = cursor.fetchall()
     usageentries = len(all_rows)
+
     if usageentries > 0:
         data_list = []
         for row in all_rows:
             timestamp = row[0]
-            if timestamp is None:
-                pass
-            else:
+            if timestamp:
                 timestamp = convert_ts_human_to_utc(timestamp)
                 timestamp = convert_utc_human_to_timezone(timestamp,timezone_offset)
 
             data_list.append((timestamp,row[1],row[2],row[3],row[4],row[5]))                
+
+        description = "Configured user accounts"
         report = ArtifactHtmlReport('Account Data')
-        report.start_artifact_report(report_folder, 'Account Data')
+        report.start_artifact_report(report_folder, 'Account Data', description)
         report.add_script()
         data_headers = ('Timestamp','Account Desc.','Username','Description','Identifier','Bundle ID' )     
         report.write_artifact_data_table(data_headers, data_list, file_found)
@@ -52,10 +71,4 @@ def get_accs(files_found, report_folder, seeker, wrap_text, timezone_offset):
     else:
         logfunc("No Account Data available")
 
-__artifacts__ = {
-    "accs": (
-        "Accounts",
-        ('**/Accounts3.sqlite'),
-        get_accs)
-}
-
+    db.close()
diff --git a/scripts/artifacts/applicationstate.py b/scripts/artifacts/applicationstate.py
@@ -1,17 +1,37 @@
+__artifacts_v2__ = {
+    "applicationstate": {
+        "name": "Application State",
+        "description": "Extract information about bundle container path and data path for Applications",
+        "author": "@AlexisBrignoni",
+        "version": "0.2",
+        "date": "2023-11-21",
+        "requirements": "none",
+        "category": "Installed Apps",
+        "notes": "",
+        "paths": ('*/mobile/Library/FrontBoard/applicationState.db*'),
+        "function": "get_applicationstate"
+    }
+}
+
+
 import biplist
 import io
 import nska_deserialize as nd
 import plistlib
-import sqlite3
 import sys
-
 from scripts.artifact_report import ArtifactHtmlReport
-from scripts.ilapfuncs import logfunc, tsv, is_platform_windows, open_sqlite_db_readonly
+from scripts.ilapfuncs import logfunc, tsv, open_sqlite_db_readonly
 
 def get_applicationstate(files_found, report_folder, seeker, wrap_text, timezone_offset):
-    file_found = str(files_found[0])
+    for file_found in files_found:
+        file_found = str(file_found)
+
+        if file_found.endswith('/applicationState.db'):
+            break
+
     db = open_sqlite_db_readonly(file_found)
     cursor = db.cursor()
+
     cursor.execute('''
     select ait.application_identifier as ai, kvs.value as compat_info,
     (SELECT kvs.value from kvs left join application_identifier_tab on application_identifier_tab.id = kvs.application_identifier
@@ -28,11 +48,11 @@ def get_applicationstate(files_found, report_folder, seeker, wrap_text, timezone
 
     all_rows = cursor.fetchall()
     usageentries = len(all_rows)
+
     if usageentries > 0:
         data_list = []
         snap_info_list = []
         for row in all_rows:
-            bundleid = str(row[0])
             plist_file_object = io.BytesIO(row[1])
             if row[1].find(b'NSKeyedArchiver') == -1:
                 if sys.version_info >= (3, 9):
@@ -45,6 +65,7 @@ def get_applicationstate(files_found, report_folder, seeker, wrap_text, timezone
                 except (nd.DeserializeError, nd.biplist.NotBinaryPlistException, nd.biplist.InvalidPlistException,
                         nd.plistlib.InvalidFileException, nd.ccl_bplist.BplistError, ValueError, TypeError, OSError, OverflowError) as ex:
                     logfunc(f'Failed to read plist for {row[0]}, error was:' + str(ex))
+
             if plist:
                 if type(plist) is dict:
                     var1 = plist.get('bundleIdentifier', '')
@@ -57,24 +78,19 @@ def get_applicationstate(files_found, report_folder, seeker, wrap_text, timezone
                     logfunc(f'For {row[0]} Unexpected type "' + str(type(plist)) + '" found as plist root, can\'t process')
             else:
                 logfunc(f'For {row[0]}, plist could not be read!')
+
+        description = "Bundle container path and sandbox data path for installed applications"
         report = ArtifactHtmlReport('Application State')
-        report.start_artifact_report(report_folder, 'Application State DB')
+        report.start_artifact_report(report_folder, 'Application State DB', description)
         report.add_script()
         data_headers = ('Bundle ID','Bundle Path','Sandbox Path')     
         report.write_artifact_data_table(data_headers, data_list, file_found)
         report.end_artifact_report()
 
         tsvname = 'Application State'
         tsv(report_folder, data_headers, data_list, tsvname)
+
     else:
         logfunc('No Application State data available')
 
-    db.close()
-    return      
-
-__artifacts__ = {
-    "applicationstate": (
-        "Installed Apps",
-        ('**/applicationState.db'),
-        get_applicationstate)
-}
+    db.close()