diff --git a/plaso/data/formatters/macos.yaml b/plaso/data/formatters/macos.yaml
index 894513c700..1845fff829 100644
--- a/plaso/data/formatters/macos.yaml
+++ b/plaso/data/formatters/macos.yaml
@@ -10,7 +10,7 @@ message: - 'Device Model: {device_model}' - 'Exception Type: {exception_type}' - 'Incident Identifier: {incident_identifier}' -- 'OS Version: {os_version}' +- 'Operating system version: {operating_system_version}' - 'Parent Process: {parent_process}' - 'Parent Process Identifier: {parent_process_identifier}' - 'Process Identifier: {process_identifier}'
@@ -20,7 +20,7 @@ short_message: - 'Bug Type: {bug_type}' - 'Device Model: {device_model}' - 'Incident Identifier: {incident_identifier}' -- 'OS version: {os_version}' +- 'Operating system version: {operating_system_version}' short_source: 'RecoveryLogd' source: 'Apple Recovery IPS' ---
@@ -34,14 +34,14 @@ message: - 'Kernel Version: {kernel_version}' - 'Incident Identifier: {incident_identifier}' - 'Process List: {process_list}' -- 'OS Version: {os_version}' +- 'Operating system version: {operating_system_version}' - 'Reason: {reason}' short_message: - 'Bug Type: {bug_type}' - 'Crash Reporter_key: {crash_reporter_key}' - 'Device Model: {device_model}' - 'Incident Identifier: {incident_identifier}' -- 'OS Version: {os_version}' +- 'Operating system version: {operating_system_version}' - 'Reason: {reason}' short_source: 'StacksIPS' source: 'Apple Stacks IPS'
diff --git a/plaso/parsers/ips_plugins/interface.py b/plaso/parsers/ips_plugins/interface.py
index 4b052baab3..06d9d8bb1d 100644
--- a/plaso/parsers/ips_plugins/interface.py
+++ b/plaso/parsers/ips_plugins/interface.py
@@ -17,8 +17,8 @@ class IPSPlugin(plugins.BasePlugin): ENCODING = 'utf-8' - REQUIRED_HEADER_KEYS = [] - REQUIRED_CONTENT_KEYS = [] + REQUIRED_HEADER_KEYS = frozenset() + REQUIRED_CONTENT_KEYS = frozenset() _TWO_DIGITS = pyparsing.Word(pyparsing.nums, exact=2).set_parse_action( lambda tokens: int(tokens[0], 10))
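Review bot: The `{operating_system_version}` placeholder in the four `message`/`short_message` lists of macos.yaml only matches event data written after this change. Events already stored with the `os_version` attribute would presumably no longer fill this field when re-formatted, and any tagging rule, filter or downstream timeline query keyed on `os_version` would stop matching without an error; whether a migration or fallback exists cannot be seen from this diff, so the rename deserves an explicit release note. The new label is also sentence case (`Operating system version`) while the neighbouring labels stay Title Case (`Device Model`, `Incident Identifier`).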
@@ -37,7 +37,7 @@ class IPSPlugin(plugins.BasePlugin): _TWO_DIGITS.set_results_name('seconds') + pyparsing.Suppress('.') + _VARYING_DIGITS.set_results_name('fraction') + pyparsing.Word( - pyparsing.nums + '+' + '-').set_results_name('timezone_delta')) + pyparsing.nums + '+' + '-').set_results_name('time_zone_delta')) def _ParseTimestampValue(self, parser_mediator, timestamp_text): """Parses a timestamp string.
@@ -47,8 +47,7 @@ def _ParseTimestampValue(self, parser_mediator, timestamp_text): timestamp_text (str): the timestamp to parse. Returns: - dfdatetime.TimeElements: date and time - or None if not available. + dfdatetime.TimeElements: date and time or None if not available. """ # dfDateTime takes the time zone offset as number of minutes relative from # UTC. So for Easter Standard Time (EST), which is UTC-5:00 the sign needs
@@ -57,25 +56,28 @@ def _ParseTimestampValue(self, parser_mediator, timestamp_text): parsed_timestamp = self.TIMESTAMP_GRAMMAR.parseString(timestamp_text) try: - time_delta_hours = int(parsed_timestamp['timezone_delta'][:3], 10) - time_delta_minutes = int(parsed_timestamp['timezone_delta'][3:], 10) + time_delta_hours = int(parsed_timestamp['time_zone_delta'][:3], 10) + time_delta_minutes = int(parsed_timestamp['time_zone_delta'][3:], 10) except (TypeError, ValueError): parser_mediator.ProduceExtractionWarning( - 'unsupported timezone offset value') + 'unsupported time zone offset value') return None time_zone_offset = (time_delta_hours * 60) + time_delta_minutes try: - fraction_float = float(f"0.{parsed_timestamp['fraction']}") + fraction = parsed_timestamp['fraction'] + fraction_float = float(f'0.{fraction:s}') milliseconds = round(fraction_float * 1000) + time_elements_tuple = ( + parsed_timestamp['year'], parsed_timestamp['month'], + parsed_timestamp['day'], parsed_timestamp['hours'], + parsed_timestamp['minutes'], parsed_timestamp['seconds'], + milliseconds) + time_element_object = dfdatetime_time_elements.TimeElementsInMilliseconds( - time_elements_tuple=( - parsed_timestamp['year'], parsed_timestamp['month'], - parsed_timestamp['day'], parsed_timestamp['hours'], - parsed_timestamp['minutes'], parsed_timestamp['seconds'], - milliseconds), + time_elements_tuple=time_elements_tuple, time_zone_offset=time_zone_offset) except (TypeError, ValueError): 
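Review bot: The offset built by `time_zone_offset = (time_delta_hours * 60) + time_delta_minutes` is wrong for negative offsets with a non-zero minute part, because only the `[:3]` hours slice carries the sign: `-0330` yields -180 + 30 = -150 minutes instead of -210, and `-0030` loses its sign entirely. For a forensic timeline that shifts the event by up to an hour, so the sign should be taken once from the string, e.g. `sign = -1 if parsed_timestamp['time_zone_delta'].startswith('-') else 1` followed by `time_zone_offset = sign * ((abs(time_delta_hours) * 60) + time_delta_minutes)`, kept inside the existing `try`. Separately, `self.TIMESTAMP_GRAMMAR.parseString(timestamp_text)` sits outside both `try` blocks, so a malformed timestamp in an evidence file raises a pyparsing exception here instead of producing an extraction warning, unless a caller outside this hunk handles it. `_ParseTimestampValue` starts and ends outside the hunk.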
@@ -85,11 +87,11 @@ def _ParseTimestampValue(self, parser_mediator, timestamp_text): return time_element_object def CheckRequiredKeys(self, ips_file): - """Checks if the ips file's header and content have the keys required by the - plugin. + """Checks the IPS header and content have the keys required for the plugin. Args: ips_file (IPSFile): the file for which the structure is checked. + Returns: bool: True if the file has the required keys defined by the plugin, or False if it does not, or if the plugin does not define required
@@ -115,12 +117,12 @@ def CheckRequiredKeys(self, ips_file): # pylint: disable=arguments-differ @abc.abstractmethod def Process(self, parser_mediator, ips_file=None, **unused_kwargs): - """Extracts information from an ips log file. This is the main method that - an ips plugin needs to implement. + """Extracts events from an IPS log file. Args: parser_mediator (ParserMediator): parser mediator. ips_file (Optional[IPSFile]): database. + Raises: ValueError: If the file value is missing. """
diff --git a/plaso/parsers/ips_plugins/recovery_logd.py b/plaso/parsers/ips_plugins/recovery_logd.py
index 62ce28d547..3aa2b86a9b 100644
--- a/plaso/parsers/ips_plugins/recovery_logd.py
+++ b/plaso/parsers/ips_plugins/recovery_logd.py
@@ -1,5 +1,5 @@ # -*- coding: utf-8 -*- -"""IPS file parser plugin for Apple crash recovery report.""" +"""IPS log file parser plugin for Apple crash recovery report.""" from plaso.containers import events from plaso.parsers import ips_parser
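Review bot: The rewritten `Process` docstring in interface.py still documents the argument as `ips_file (Optional[IPSFile]): database.`, which looks carried over from a database plugin; `ips_file (Optional[IPSFile]): IPS log file.` would describe what is actually passed. The same wording remains in the `Process` docstrings of recovery_logd.py and stacks_ips.py, where the type is also spelled `IpsFile` rather than `IPSFile`. Since all three docstrings are being touched by this commit, aligning them now avoids a second pass.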
@@ -18,9 +18,9 @@ class AppleRecoveryLogdEvent(events.EventData): event_time (dfdatetime.DateTimeValues): date and time of the crash report. exception_type (str): type of the exception that caused the crash. incident_identifier (str): uuid for crash. - os_version (str): version of the operating system. - parent_process (str): parent process. + operating_system_version (str): version of the operating system. parent_process_identifier (int): process identifier of the parent process. + parent_process (str): parent process. process_identifier (int): process identifier. process_launch_time (dfdatetime.DateTimeValues): date and time when the process started.
@@ -39,9 +39,9 @@ def __init__(self): self.event_time = None self.exception_type = None self.incident_identifier = None - self.os_version = None - self.parent_process = None + self.operating_system_version = None self.parent_process_identifier = None + self.parent_process = None self.process_identifier = None self.process_launch_time = None self.user_identifier = None
@@ -53,36 +53,37 @@ class AppleRecoveryLogdIPSPlugin(interface.IPSPlugin): NAME = 'apple_recovery_ips' DATA_FORMAT = 'IPS recovery logd crash log' - REQUIRED_HEADER_KEYS = [ + REQUIRED_HEADER_KEYS = frozenset([ 'app_name', 'app_version', 'bug_type', 'incident_id', 'os_version', - 'timestamp'] - REQUIRED_CONTENT_KEYS = [ - 'captureTime', 'modelCode', 'pid', 'procLaunch'] + 'timestamp']) + REQUIRED_CONTENT_KEYS = frozenset([ + 'captureTime', 'modelCode', 'pid', 'procLaunch']) # pylint: disable=unused-argument def Process(self, parser_mediator, ips_file=None, **unused_kwargs): - """Extracts information from an IPS log file. This is the main method that - an IPS plugin needs to implement. + """Extracts events from an Apple Crash IPS log file. Args: parser_mediator (ParserMediator): parser mediator. ips_file (Optional[IpsFile]): database. + Raises: ValueError: If the file value is missing. """ if ips_file is None: raise ValueError('Missing ips_file value') + ips_exception = ips_file.content.get('exception', {}) + event_data = AppleRecoveryLogdEvent() event_data.application_name = ips_file.header.get('app_name') event_data.application_version = ips_file.header.get('app_version') event_data.bug_type = ips_file.header.get('bug_type') event_data.crash_reporter_key = ips_file.content.get('crashReporterKey') event_data.device_model = ips_file.content.get('modelCode') - event_data.exception_type = ips_file.content.get( - 'exception', {}).get('type') + event_data.exception_type = ips_exception.get('type') event_data.incident_identifier = ips_file.header.get('incident_id') - event_data.os_version = ips_file.header.get('os_version') + event_data.operating_system_version = ips_file.header.get('os_version') event_data.parent_process = ips_file.content.get('parentProc') event_data.parent_process_identifier = ips_file.content.get('parentPid') event_data.process_identifier = ips_file.content.get('pid') 
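Review bot: `ips_exception = ips_file.content.get('exception', {})` falls back to `{}` only when the key is absent; if a crash report carries `"exception": null` or a non-object value, `ips_exception.get('type')` raises AttributeError and, unless a caller outside this hunk catches it, processing of that file stops without an event. The content comes from evidence files that may be truncated or malformed, so `ips_exception = ips_file.content.get('exception') or {}` together with an `isinstance(ips_exception, dict)` guard would leave `exception_type` as None instead. `Process` continues past the end of the hunk.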
diff --git a/plaso/parsers/ips_plugins/stacks_ips.py b/plaso/parsers/ips_plugins/stacks_ips.py
index 7fe67beba7..ba1f4a83c4 100644
--- a/plaso/parsers/ips_plugins/stacks_ips.py
+++ b/plaso/parsers/ips_plugins/stacks_ips.py
@@ -1,5 +1,5 @@ # -*- coding: utf-8 -*- -"""IPS file parser plugin for Apple stacks report.""" +"""IPS log file parser plugin for Apple stacks report.""" from plaso.containers import events from plaso.parsers import ips_parser
@@ -14,10 +14,10 @@ class AppleStacksIPSEvent(events.EventData): crash_reporter_key (str): Key of the crash reporter. device_model (str): model of the device. event_time (dfdatetime.DateTimeValues): date and time of the crash report. - kernel_version (str): kernel version. incident_identifier (str): uuid for crash. + kernel_version (str): kernel version. + operating_system_version (str): version of the operating system. process_list (str): list of process names running at the time of the crash. - os_version (str): version of the operating system. reason (str): reason for the crash. """
@@ -30,10 +30,10 @@ def __init__(self): self.crash_reporter_key = None self.device_model = None self.event_time = None - self.kernel_version = None self.incident_identifier = None + self.kernel_version = None + self.operating_system_version = None self.process_list = None - self.os_version = None self.reason = None
@@ -43,18 +43,19 @@ class AppleStacksIPSPlugin(interface.IPSPlugin): NAME = 'apple_stacks_ips' DATA_FORMAT = 'IPS stacks crash log' - REQUIRED_HEADER_KEYS = ['bug_type', 'incident_id', 'os_version', 'timestamp'] - REQUIRED_CONTENT_KEYS = [ - 'build', 'crashReporterKey', 'kernel', 'product', 'reason'] + REQUIRED_HEADER_KEYS = frozenset([ + 'bug_type', 'incident_id', 'os_version', 'timestamp']) + REQUIRED_CONTENT_KEYS = frozenset([ + 'build', 'crashReporterKey', 'kernel', 'product', 'reason']) # pylint: disable=unused-argument def Process(self, parser_mediator, ips_file=None, **unused_kwargs): - """Extracts information from an IPS log file. This is the main method that - an IPS plugin needs to implement. + """Extracts information from an Apple stacks crash IPS log file. Args: parser_mediator (ParserMediator): parser mediator. ips_file (Optional[IpsFile]): database. + Raises: ValueError: If the file value is missing. """
@@ -67,7 +68,7 @@ def Process(self, parser_mediator, ips_file=None, **unused_kwargs): event_data.device_model = ips_file.content.get('product') event_data.kernel_version = ips_file.content.get('kernel') event_data.incident_identifier = ips_file.header.get('incident_id') - event_data.os_version = ips_file.header.get('os_version') + event_data.operating_system_version = ips_file.header.get('os_version') event_data.reason = ips_file.content.get('reason') process_list = [
diff --git a/tests/parsers/ips_plugins/recovery_logd.py b/tests/parsers/ips_plugins/recovery_logd.py
index 5dbc39d6f8..1a9300791a 100644
--- a/tests/parsers/ips_plugins/recovery_logd.py
+++ b/tests/parsers/ips_plugins/recovery_logd.py
@@ -28,12 +28,12 @@ def testProcess(self): 'bug_type': '309', 'crash_reporter_key': 'c0dec0dec0dec0dec0dec0dec0dec0dec0de0001', 'device_model': 'iBridge2,14', - 'exception_type': 'EXC_CRASH', 'event_time': '2023-06-08T14:49:13.520+00:00', + 'exception_type': 'EXC_CRASH', 'incident_identifier': '9505C5CC-07DE-4E81-BCCE-60D07C96D1B1', - 'os_version': 'Bridge OS 7.5 (20P5058)', - 'parent_process': 'launchd', + 'operating_system_version': 'Bridge OS 7.5 (20P5058)', 'parent_process_identifier': 1, + 'parent_process': 'launchd', 'process_identifier': 74, 'process_launch_time': '2023-06-08T14:49:12.507+00:00', 'user_identifier': 501}
diff --git a/tests/parsers/ips_plugins/stacks_ips.py b/tests/parsers/ips_plugins/stacks_ips.py
index 08da5d6e20..eb6a4de274 100644
--- a/tests/parsers/ips_plugins/stacks_ips.py
+++ b/tests/parsers/ips_plugins/stacks_ips.py
@@ -12,6 +12,334 @@ class AppleRecoveryLogdIPSPluginTest(test_lib.IPSPluginTestCase): """Tests for the Apple stacks crash IPS file parser.""" + _PROCESS_LIST = [ + 'ACCHWComponentAuthService', + 'ASPCarryLog', + 'AccessibilityUIServer', + 'AccountSubscriber', + 'AirDrop', + 'AppPredictionIntentsHelperServi', + 'AppSSODaemon', + 'AppStore', + 'AppleCredentialManagerDaemon', + 'AssetCacheLocatorService', + 'AuthenticationServicesAgent', + 'BlueTool', + 'CAReportingService', + 'CMFSyncAgent', + 'CacheDeleteAppContainerCaches', + 'CacheDeleteExtension', + 'CalendarFocusConfigurationExten', + 'CalendarWidgetExtension', + 'Camera', + 'CategoriesService', + 'CloudKeychainProxy', + 'CommCenter', + 'CommCenterMobileHelper', + 'ContainerMetadataExtractor', + 'ContextService', + 'DesktopServicesHelper', + 'EnforcementService', + 'Family', + 'FamilyControlsAgent', + 'Files', + 'GSSCred', + 'GeneralMapsWidget', + 'GoogleNews', + 'HeuristicInterpreter', + 'IDSBlastDoorService', + 'IMDPersistenceAgent', + 'InteractiveLegacyProfilesSubscr', + 'KonaSynthesizer', + 'LegacyProfilesSubscriber', + 'MTLCompilerService', + 'MacinTalkAUSP', + 'MailShortcutsExtension', + 'MailWidgetExtension', + 'ManagedSettingsAgent', + 'ManagementTestSubscriber', + 'MessagesActionExtension', + 'MessagesBlastDoorService', + 'MessagesViewService', + 'MobileBackupCacheDeleteService', + 'MobileCal', + 'MobileGestaltHelper', + 'MobileMail', + 'MobileSMS', + 'MobileSafari', + 'NewsToday2', + 'OTACrashCopier', + 'OTATaskingAgent', + 'PasscodeSettingsSubscriber', + 'PerfPowerTelemetryClientRegistr', + 'PhotosReliveWidget', + 'PosterBoard', + 'PowerUIAgent', + 'Preferences', + 'ProtectedCloudKeySyncing', + 'RemindersWidgetExtension', + 'ReportCrash', + 'SBRendererService', + 'SCHelper', + 'SafariBookmarksSyncAgent', + 'SafariViewService', + 'ScreenTimeAgent', + 'ScreenTimeWidgetExtension', + 'ScreenshotService', + 'SharingXPCHelper', + 'Signal', + 'SiriTTSSynthesizerAU', + 'SnapchatHomeScreenWidget', + 
'Spotlight', + 'SpringBoard', + 'StatusKitAgent', + 'StocksWidget', + 'TVRemoteConnectionService', + 'Telegram', + 'ThreeBarsXPCService', + 'ThumbnailExtension', + 'ThumbnailExtensionSecure', + 'TipsWidget', + 'TrustedPeersHelper', + 'UARPUpdaterServiceAFU', + 'UARPUpdaterServiceHID', + 'UARPUpdaterServiceLegacyAudio', + 'UARPUpdaterServiceUSBPD', + 'UsageTrackingAgent', + 'UserEventAgent', + 'UserFontManager', + 'WeatherWidget', + 'WiFiCloudAssetsXPCService', + 'WidgetKitExtension', + 'WirelessRadioManagerd', + 'WorldClockWidget', + 'accessoryupdaterd', + 'accountsd', + 'adid', + 'adprivacyd', + 'aggregated', + 'akd', + 'amfid', + 'amsaccountsd', + 'amsengagementd', + 'analyticsd', + 'aned', + 'announced', + 'apfs_iosd', + 'applecamerad', + 'appstorecomponentsd', + 'appstored', + 'apsd', + 'asd', + 'askpermissiond', + 'assetsd', + 'assistantd', + 'atc', + 'audioclocksyncd', + 'awdd', + 'axassetsd', + 'backboardd', + 'biomed', + 'biomesyncd', + 'biometrickitd', + 'bird', + 'bluetoothd', + 'bluetoothuserd', + 'bookassetd', + 'calaccessd', + 'callservicesd', + 'captiveagent', + 'cdpd', + 'cfprefsd', + 'chronod', + 'ckdiscretionaryd', + 'clipserviced', + 'cloudd', + 'cloudpaird', + 'cloudphotod', + 'com.apple.AppleUserHIDDrivers', + 'com.apple.CloudDocs.MobileDocum', + 'com.apple.DictionaryServiceHelp', + 'com.apple.DocumentManagerCore.D', + 'com.apple.DriverKit-AppleBCMWLA', + 'com.apple.FaceTime.FTConversati', + 'com.apple.MapKit.SnapshotServic', + 'com.apple.MobileSoftwareUpdate.', + 'c' + 'om.apple.PDFKit.PDFExtensionVi', + 'com.apple.Safari.History', + 'com.apple.Safari.SafeBrowsing.S', + 'com.apple.Safari.SandboxBroker', + 'com.apple.SiriTTSService.TrialP', + 'com.apple.StreamingUnzipService', + 'com.apple.VideoSubscriberAccoun', + 'com.apple.WebKit.GPU', + 'com.apple.WebKit.Networking', + 'com.apple.WebKit.WebContent', + 'com.apple.accessibility.mediaac', + 'com.apple.quicklook.ThumbnailsA', + 'com.apple.quicklook.extension.p', + 'com.apple.sbd', + 
'com.apple.siri.embeddedspeech', + 'configd', + 'contactsd', + 'containermanagerd', + 'contentlinkingd', + 'contextstored', + 'coreauthd', + 'coreduetd', + 'coreidvd', + 'corespeechd', + 'coresymbolicationd', + 'countryd', + 'crash_mover', + 'ctkd', + 'dasd', + 'dataaccessd', + 'deleted', + 'deleted_helper', + 'destinationd', + 'diagnosticextensionsd', + 'distnoted', + 'dmd', + 'donotdisturbd', + 'dprivacyd', + 'driverkitd', + 'duetexpertd', + 'extensionkitservice', + 'fairplayd.A2', + 'familycircled', + 'familynotificationd', + 'filecoordinationd,' + ' fileproviderd', + 'financed', + 'findmydeviced', + 'fitnesscoachingd', + 'fmfd', + 'fmflocatord', + 'followupd', + 'fontservicesd', + 'fseventsd', + 'gamecontrollerd', + 'geod', + 'handwritingd', + 'healthd', + 'homed', + 'iconservicesagent', + 'identityservicesd', + 'imagent', + 'ind', + 'installcoordinationd', + 'intelligenceplatformd', + 'intents_helper', + 'itunescloudd', + 'itunesstored', + 'kbd', + 'kernel_task', + 'keybagd', + 'languageassetd', + 'launchd', + 'linkd', + 'localizationswitcherd', + 'locationd', + 'lockdownd', + 'logd', + 'logd_helper', + 'lsd,' + ' mDNSResponder', + 'maild', + 'mapspushd', + 'mediaanalysisd', + 'medialibraryd', + 'mediaremoted', + 'mediaserverd', + 'metrickitd', + 'misagent', + 'misd', + 'mmaintenanced', + 'mobileactivationd', + 'mobileassetd', + 'mobiletimerd', + 'navd,' + ' ndoagent', + 'nearbyd', + 'nehelper', + 'nesessionmanager', + 'networkserviceproxy,' + ' nfcd', + 'notifyd', + 'nsurlsessiond', + 'online-auth-agent', + 'osanalyticshelper,' + ' ospredictiond', + 'parsec-fbf', + 'parsecd', + 'passd', + 'passwordbreachd', + 'pasted,' + ' peopled', + 'pfd', + 'photoanalysisd', + 'pipelined', + 'pkd', + 'powerd', + 'privacyaccountingd', + 'profiled', + 'progressd', + 'promotedcontentd', + 'rapportd,' + ' recentsd', + 'remindd', + 'remoted', + 'remotemanagementd', + 'remotepairingdeviced', + 'replayd', + 'reversetemplated', + 'revisiond', + 'routined', + 'rtcreportingd', + 
'runningboardd', + 'searchd', + 'searchpartyd', + 'securityd', + 'seld', + 'seserviced', + 'sessionkitd', + 'sharingd', + 'siriactionsd', + 'siriinferenced', + 'siriknowledged', + 'sociallayerd', + 'softwareupdated', + 'splashboardd', + 'storekitd', + 'studentd', + 'suggestd', + 'swcd', + 'symptomsd', + 'symptomsd-diag', + 'syncdefaultsd', + 'tailspind', + 'tccd', + 'thermalmonitord', + 'timed', + 'touchsetupd', + 'translationd', + 'transparencyd', + 'triald', + 'trustd', + 'useractivityd', + 'usermanagerd', + 'videosubscriptionsd', + 'voiced', + 'watchdogd,' + ' watchlistd', + 'weatherd', + 'webbookmarksd', + 'wifianalyticsd', + 'wifid', + 'wifip2pd'] + def testProcess(self): """Tests for the Process function.""" plugin = stacks_ips.AppleStacksIPSPlugin() 
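Review bot: Several entries of `_PROCESS_LIST` are fragments held together by implicit string concatenation rather than process names: `'c'` followed by `'om.apple.PDFKit.PDFExtensionVi',`, and pairs such as `'filecoordinationd,'` / `' fileproviderd',`, `'lsd,'` / `' mDNSResponder',` and `'watchdogd,'` / `' watchlistd',`. The joined string still equals the previous expected value, so the test passes, but the list holds fewer elements than there are processes and cannot be reused for per-process assertions. Each name should be its own element, e.g. `'filecoordinationd',` then `'fileproviderd',`. The enclosing test class in this file is also still named `AppleRecoveryLogdIPSPluginTest` although its docstring says it tests the stacks parser.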
@@ -27,98 +355,12 @@ def testProcess(self): 'crash_reporter_key': '5766d7cc74220076933d9cd16b3b7ade2754d67c', 'device_model': 'iPad11,1', 'event_time': '2023-02-10T10:07:16.000-05:00', - 'kernel_version': 'Darwin Kernel Version 22.1.0: Thu Oct 6 19:33:53 ' - 'PDT 2022; root:xnu-8792.42.7~1/RELEASE_ARM64_T8020', 'incident_identifier': '7749B4FF-840A-46F8-BE88-2B19FF8ABFF3', - 'process_list': ( - 'ACCHWComponentAuthService, ASPCarryLog, AccessibilityUIServer, ' - 'AccountSubscriber, AirDrop, AppPredictionIntentsHelperServi, ' - 'AppSSODaemon, AppStore, AppleCredentialManagerDaemon, ' - 'AssetCacheLocatorService, AuthenticationServicesAgent, BlueTool, ' - 'CAReportingService, CMFSyncAgent, CacheDeleteAppContainerCaches, ' - 'CacheDeleteExtension, CalendarFocusConfigurationExten, ' - 'CalendarWidgetExtension, Camera, CategoriesService, ' - 'CloudKeychainProxy, CommCenter, CommCenterMobileHelper, ' - 'ContainerMetadataExtractor, ContextService, DesktopServicesHelper, ' - 'EnforcementService, Family, FamilyControlsAgent, Files, GSSCred, ' - 'GeneralMapsWidget, GoogleNews, HeuristicInterpreter, ' - 'IDSBlastDoorService, IMDPersistenceAgent, ' - 'InteractiveLegacyProfilesSubscr, KonaSynthesizer, ' - 'LegacyProfilesSubscriber, MTLCompilerService, MacinTalkAUSP, ' - 'MailShortcutsExtension, MailWidgetExtension, ManagedSettingsAgent, ' - 'ManagementTestSubscriber, MessagesActionExtension, ' - 'MessagesBlastDoorService, MessagesViewService, ' - 'MobileBackupCacheDeleteService, MobileCal, MobileGestaltHelper, ' - 'MobileMail, MobileSMS, MobileSafari, NewsToday2, OTACrashCopier, ' - 'OTATaskingAgent, PasscodeSettingsSubscriber, ' - 'PerfPowerTelemetryClientRegistr, PhotosReliveWidget, PosterBoard, ' - 'PowerUIAgent, Preferences, ProtectedCloudKeySyncing, ' - 'RemindersWidgetExtension, ReportCrash, SBRendererService, SCHelper, ' - 'SafariBookmarksSyncAgent, SafariViewService, ScreenTimeAgent, ' - 'ScreenTimeWidgetExtension, ScreenshotService, SharingXPCHelper, ' - 'Signal, 
SiriTTSSynthesizerAU, SnapchatHomeScreenWidget, Spotlight, ' - 'SpringBoard, StatusKitAgent, StocksWidget, ' - 'TVRemoteConnectionService, Telegram, ThreeBarsXPCService, ' - 'ThumbnailExtension, ThumbnailExtensionSecure, TipsWidget, ' - 'TrustedPeersHelper, UARPUpdaterServiceAFU, UARPUpdaterServiceHID, ' - 'UARPUpdaterServiceLegacyAudio, UARPUpdaterServiceUSBPD, ' - 'UsageTrackingAgent, UserEventAgent, UserFontManager, WeatherWidget, ' - 'WiFiCloudAssetsXPCService, WidgetKitExtension, ' - 'WirelessRadioManagerd, WorldClockWidget, accessoryupdaterd, ' - 'accountsd, adid, adprivacyd, aggregated, akd, amfid, amsaccountsd, ' - 'amsengagementd, analyticsd, aned, announced, apfs_iosd, ' - 'applecamerad, appstorecomponentsd, appstored, apsd, asd, ' - 'askpermissiond, assetsd, assistantd, atc, audioclocksyncd, awdd, ' - 'axassetsd, backboardd, biomed, biomesyncd, biometrickitd, bird, ' - 'bluetoothd, bluetoothuserd, bookassetd, calaccessd, callservicesd, ' - 'captiveagent, cdpd, cfprefsd, chronod, ckdiscretionaryd, ' - 'clipserviced, cloudd, cloudpaird, cloudphotod, ' - 'com.apple.AppleUserHIDDrivers, com.apple.CloudDocs.MobileDocum, ' - 'com.apple.DictionaryServiceHelp, com.apple.DocumentManagerCore.D, ' - 'com.apple.DriverKit-AppleBCMWLA, com.apple.FaceTime.FTConversati, ' - 'com.apple.MapKit.SnapshotServic, com.apple.MobileSoftwareUpdate., c' - 'om.apple.PDFKit.PDFExtensionVi, com.apple.Safari.History, ' - 'com.apple.Safari.SafeBrowsing.S, com.apple.Safari.SandboxBroker, ' - 'com.apple.SiriTTSService.TrialP, com.apple.StreamingUnzipService, ' - 'com.apple.VideoSubscriberAccoun, com.apple.WebKit.GPU, ' - 'com.apple.WebKit.Networking, com.apple.WebKit.WebContent, ' - 'com.apple.accessibility.mediaac, com.apple.quicklook.ThumbnailsA, ' - 'com.apple.quicklook.extension.p, com.apple.sbd, ' - 'com.apple.siri.embeddedspeech, configd, contactsd, ' - 'containermanagerd, contentlinkingd, contextstored, coreauthd, ' - 'coreduetd, coreidvd, corespeechd, coresymbolicationd, 
countryd, ' - 'crash_mover, ctkd, dasd, dataaccessd, deleted, deleted_helper, ' - 'destinationd, diagnosticextensionsd, distnoted, dmd, donotdisturbd, ' - 'dprivacyd, driverkitd, duetexpertd, extensionkitservice, ' - 'fairplayd.A2, familycircled, familynotificationd, filecoordinationd,' - ' fileproviderd, financed, findmydeviced, fitnesscoachingd, fmfd, ' - 'fmflocatord, followupd, fontservicesd, fseventsd, gamecontrollerd, ' - 'geod, handwritingd, healthd, homed, iconservicesagent, ' - 'identityservicesd, imagent, ind, installcoordinationd, ' - 'intelligenceplatformd, intents_helper, itunescloudd, itunesstored, ' - 'kbd, kernel_task, keybagd, languageassetd, launchd, linkd, ' - 'localizationswitcherd, locationd, lockdownd, logd, logd_helper, lsd,' - ' mDNSResponder, maild, mapspushd, mediaanalysisd, medialibraryd, ' - 'mediaremoted, mediaserverd, metrickitd, misagent, misd, ' - 'mmaintenanced, mobileactivationd, mobileassetd, mobiletimerd, navd,' - ' ndoagent, nearbyd, nehelper, nesessionmanager, networkserviceproxy,' - ' nfcd, notifyd, nsurlsessiond, online-auth-agent, osanalyticshelper,' - ' ospredictiond, parsec-fbf, parsecd, passd, passwordbreachd, pasted,' - ' peopled, pfd, photoanalysisd, pipelined, pkd, powerd, ' - 'privacyaccountingd, profiled, progressd, promotedcontentd, rapportd,' - ' recentsd, remindd, remoted, remotemanagementd, ' - 'remotepairingdeviced, replayd, reversetemplated, revisiond, ' - 'routined, rtcreportingd, runningboardd, searchd, searchpartyd, ' - 'securityd, seld, seserviced, sessionkitd, sharingd, siriactionsd, ' - 'siriinferenced, siriknowledged, sociallayerd, softwareupdated, ' - 'splashboardd, storekitd, studentd, suggestd, swcd, symptomsd, ' - 'symptomsd-diag, syncdefaultsd, tailspind, tccd, thermalmonitord, ' - 'timed, touchsetupd, translationd, transparencyd, triald, trustd, ' - 'useractivityd, usermanagerd, videosubscriptionsd, voiced, watchdogd,' - ' watchlistd, weatherd, webbookmarksd, wifianalyticsd, wifid, ' - 'wifip2pd' - 
), - 'os_version': 'iPhone OS 16.1 (20B82)', + 'kernel_version': ( + 'Darwin Kernel Version 22.1.0: Thu Oct 6 19:33:53 ' + 'PDT 2022; root:xnu-8792.42.7~1/RELEASE_ARM64_T8020'), + 'operating_system_version': 'iPhone OS 16.1 (20B82)', + 'process_list': ', '.join(self._PROCESS_LIST), 'reason': 'sysdiagnose (stackshot only) trigger: Power + Volume Up'} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0)