Merge pull request #876 from JamesHabben/lava-output
Lava output
JamesHabben authored Oct 15, 2024
2 parents beb58f1 + e109e82 commit c52e438
Showing 14 changed files with 498 additions and 115 deletions.
1 change: 0 additions & 1 deletion admin/data/temp.txt

This file was deleted.

4 changes: 2 additions & 2 deletions admin/docs/module_info.md
Expand Up @@ -20,8 +20,6 @@ Number of modules with errors or no recognized artifacts: 3
| [ATXDatastore.py](https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/ATXDatastore.py) | get_atxDatastore | iOS ATXDatastore | html, tsv, timeline, lava, kml | Parses ATXDataStore and matches actions with Frequent locations, when available. | ``*DuetExpertCenter/_ATXDataStore.db*``, ``*routined/Local.sqlite*`` |
| [ControlCenter.py](https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/ControlCenter.py) | controlcenter | Control Center Configuration | | Parses controls/apps added to the Control Center | ``*/mobile/Library/ControlCenter/ModuleConfiguration.plist`` |
| [DataUsage.py](https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/DataUsage.py) | datausage | Data Usage | | Parses application network data usage | ``*/wireless/Library/Databases/DataUsage.sqlite*`` |
| [Gmail.py](https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/Gmail.py) | get_Gmail_offline_search | Gmail - Offline Search | all | Parses Gmail offline search content | ``*/mobile/Containers/Data/Application/*/Library/Application Support/data/*/searchsqlitedb*`` |
| [Gmail.py](https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/Gmail.py) | get_Gmail_label_details | Gmail - Label Details | html, tsv, lava | Parses Gmail label details | ``*/mobile/Containers/Data/Application/*/Library/Application Support/data/*/sqlitedb*`` |
| [Oops.py](https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/Oops.py) | Oops | Oops: Make New Friends | | Parses Oops Message Database | ``*private/var/mobile/Containers/Data/Application/*/Library/Application Support/RongCloud/*/storage*`` |
| [Ph100UFEDdevcievaluesplist.py](https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/Ph100UFEDdevcievaluesplist.py) | Ph100-UFED-device-values-Plist | UFED Adv Log Acquisition Ph100 UFED Device Values Plist | | Parses basic data from */device_values.plist which is a part of a UFED Advance Logical acquisitions with non-encrypted backups. The parsing of this fi | ``*/device_values.plist`` |
| [Ph10AssetParsedEmbeddedFiles.py](https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/Ph10AssetParsedEmbeddedFiles.py) | Ph10-1-Assets have embedded files-PhDaPsql | PhDaPL Photos.sqlite Ph10.1 assets have embedded files | | Parses basic asset record data from Photos.sqlite for assets that have embedded files records for a variety of data. This parser should be used in con | ``*/PhotoData/Photos.sqlite*`` |
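Review bot: the removed Gmail.py row for Gmail - Offline Search advertised output types `all`, and this table appears to be generated from the artifact decorators, so verify that the replacement gmail.py rows later in this diff (`html, tsv, lava, timeline`) cover every output the old `all` produced; otherwise the rename quietly drops an output format from the module.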
Expand Down Expand Up @@ -124,6 +122,8 @@ Number of modules with errors or no recognized artifacts: 3
| [cloudkitSharing.py](https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/cloudkitSharing.py) | cloudkitsharing | Cloudkit Sharing | | This module processes data related to CloudKit sharing, encompassing information on notes shared via CloudKit and the accounts participating in CloudK | ``*NoteStore.sqlite*`` |
| [dmss.py](https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/dmss.py) | Dahua Technology (DMSS) | Dahua Technology (DMSS) | | Extract data from Dahua Technology (DMSS) Application | ``*/Library/Support/Devices.sqlite3*``, ``*/Library/Support/configFile1``, ``*/Library/Support/*/DMSSCloud.sqlite*``, ``*/Documents/Captures/*``, ``*/Documents/Videos/*`` |
| [filesApps.py](https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/filesApps.py) | filesapp | Files App | | Items stored in iCloud Drive. | ``*/mobile/Library/Application Support/CloudDocs/session/db/client.db*``, ``*/mobile/Library/Application Support/CloudDocs/session/db/server.db*`` |
| [gmail.py](https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/gmail.py) | gmailOfflineSearch | Gmail - Offline Search | html, tsv, lava, timeline | Parses Gmail offline search content | ``*/mobile/Containers/Data/Application/*/Library/Application Support/data/*/searchsqlitedb*`` |
| [gmail.py](https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/gmail.py) | gmailLabelDetails | Gmail - Label Details | html, tsv, lava | Parses Gmail label details | ``*/mobile/Containers/Data/Application/*/Library/Application Support/data/*/sqlitedb*`` |
| [googleTranslate.py](https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/googleTranslate.py) | googleTranslate | Google Translate | | History, Favorite translations and Text-To-Speech | ``*/mobile/Containers/Data/Application/*/Documents/translate.db*`` |
| [iTunesBackupInfo.py](https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/iTunesBackupInfo.py) | iTunesBackupInfo | iTunes Backup Information | | Extract information from the Info.plist file of an iTunes backup | ``*Info.plist``, ``*info.plist`` |
| [idstatuscache.py](https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/idstatuscache.py) | idstatuscache | Identity Lookup Service | | iCloud sync, Email, FaceTime, more | ``*/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist``, ``*/mobile/Library/IdentityServices/idstatuscache.plist`` |
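Review bot: the new rows link scripts/artifacts/gmail.py while the removed rows linked scripts/artifacts/Gmail.py, a case-only rename; the test data in this PR was produced on macOS (case-insensitive by default), where git can leave the old filename in the index unless the rename goes through `git mv`. Confirm that only gmail.py exists in scripts/artifacts after this merge, since two copies would register artifacts under both the old get_Gmail_* and the new gmailOfflineSearch/gmailLabelDetails names.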
80 changes: 80 additions & 0 deletions admin/image_manifest.json
@@ -0,0 +1,80 @@
{
"images": [
{
"image_name": "josh_ios15_ffs",
"description": "iPhone 8 extraction with sample data for testing",
"local_image_paths": [
"~/Documents/phone-images/Josh/iOS_15_Public_Image.tar.gz",
"/home/user/images/iphone_001.zip"
],
"file_path_list": "admin/data/filepath-lists/josh-hickman-ios15.csv.zip",
"download_url": "https://example.com/downloads/iphone_11_pro_001.zip",
"author": {
"name": "Josh Hickman"
},
"image_info": {
"creation_date": "2023-05-20",
"os_version": "iOS 15.3.1",
"device_model": "iPhone 8",
"extraction_method": "Full Filesystem",
"extraction_tool": "Cellebrite"
},
"file_info": {
"file_count": 474300,
"md5_hash": "b1ec40d5cd835621326b821d6fa12ff5"
},
"notes": ""
},
{
"image_name": "mvs_ios_2023",
"description": "Magnet Virtual Summit 2023 iOS image for forensic testing and training",
"local_image_paths": [
"~/Documents/phone-images/magnet/00008101-0010541A1130001E_files_full-001.zip",
"/home/user/images/magnet_mvs_2023_ios.zip"
],
"file_path_list": "admin/data/filepath-lists/magnet-mvs-2023-ios.csv.zip",
"download_url": "https://cfreds.nist.gov/all/MagnetForensics/MagnetVirtualSummit2023",
"author": {
"name": "Magnet Forensics",
"organization": "Magnet Forensics"
},
"image_info": {
"creation_date": "2023-01-01T00:00:00Z",
"os_version": "iOS 14.7.1",
"device_model": "Unknown",
"extraction_method": "Full Filesystem",
"extraction_tool": "Magnet"
},
"file_info": {
"file_count": 338104,
"md5_hash": "067606649297d7adcf6082e5ed0acbb9"
},
"notes": "Image from Magnet Virtual Summit 2023. Contains full file system data."
},
{
"image_name": "belkasoft_ctf6_ios_device1",
"description": "BelkaSoft CTF 6 iOS Device 1 image for forensic analysis and competition",
"local_image_paths": [
"~/Documents/phone-images/belkasoft/BelkaCTF_6_CASE240405_D201AP.tar"
],
"file_path_list": "admin/data/filepath-lists/belkasoft-ctf6-ios-device1.csv.zip",
"download_url": "https://cfreds.nist.gov/all/Belkasoft/BelkaCTF6BogusBill",
"author": {
"name": "BelkaSoft",
"organization": "BelkaSoft"
},
"image_info": {
"creation_date": "2023-01-01T00:00:00Z",
"os_version": "iOS",
"device_model": "Unknown",
"extraction_method": "Unknown",
"extraction_tool": "Unknown"
},
"file_info": {
"file_count": 65000,
"md5_hash": "0da3a6df28802cd19d41ef1fde884e7c"
},
"notes": "Image extracted from zip for BelkaSoft CTF 6, iOS Device 1. "
}
]
}
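Review bot: the josh_ios15_ffs entry carries template values that should not ship in a manifest tooling may read: download_url is https://example.com/downloads/iphone_11_pro_001.zip while device_model is iPhone 8, and /home/user/images/iphone_001.zip reads as copied from a template rather than a real path; drop or null these rather than leave plausible-looking fakes. Two smaller schema points: creation_date is a bare date (2023-05-20) in one entry and an ISO timestamp (2023-01-01T00:00:00Z) in the others, and file_info identifies each image by md5_hash only; since this manifest exists to pin test images, add a sha256_hash field beside it.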
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
114 changes: 114 additions & 0 deletions admin/test/cases/testdata.gmail.json
@@ -0,0 +1,114 @@
{
"josh_ios15_ffs": {
"description": "",
"maker": "",
"make_data": {
"input_data_path": "/Users/jameshabben/Documents/phone-images/Josh/iOS_15_Public_Image.tar.gz",
"os": "macOS-15.0-x86_64-i386-64bit",
"timestamp": "2024-10-15T16:07:56.063452",
"last_commit": {
"hash": "5edc9a916fd57fae3f9be628768aee79236863e4",
"author_name": "James Habben",
"author_email": "james@wmif.net",
"date": "2024-10-15T16:07:28-07:00",
"message": "Update gmail.py"
}
},
"artifacts": {
"gmailOfflineSearch": {
"search_patterns": [
"*/mobile/Containers/Data/Application/*/Library/Application Support/data/*/searchsqlitedb*"
],
"file_count": 1,
"expected_output": {
"headers": [],
"data": []
}
},
"gmailLabelDetails": {
"search_patterns": [
"*/mobile/Containers/Data/Application/*/Library/Application Support/data/*/sqlitedb*"
],
"file_count": 3,
"expected_output": {
"headers": [],
"data": []
}
}
},
"image_name": "josh_ios15_ffs"
},
"mvs_ios_2023": {
"description": "",
"maker": "",
"make_data": {
"input_data_path": "/Users/jameshabben/Documents/phone-images/magnet/00008101-0010541A1130001E_files_full-001.zip",
"os": "macOS-15.0-x86_64-i386-64bit",
"timestamp": "2024-10-15T16:10:47.231161",
"last_commit": {
"hash": "5edc9a916fd57fae3f9be628768aee79236863e4",
"author_name": "James Habben",
"author_email": "james@wmif.net",
"date": "2024-10-15T16:07:28-07:00",
"message": "Update gmail.py"
}
},
"artifacts": {
"gmailOfflineSearch": {
"search_patterns": [
"*/mobile/Containers/Data/Application/*/Library/Application Support/data/*/searchsqlitedb*"
],
"file_count": 1,
"expected_output": {
"headers": [],
"data": []
}
},
"gmailLabelDetails": {
"search_patterns": [
"*/mobile/Containers/Data/Application/*/Library/Application Support/data/*/sqlitedb*"
],
"file_count": 6,
"expected_output": {
"headers": [],
"data": []
}
}
},
"image_name": "mvs_ios_2023"
},
"belkasoft_ctf6_ios_device1": {
"description": "",
"maker": "",
"make_data": {
"input_data_path": "/Users/jameshabben/Documents/phone-images/belkasoft/BelkaCTF_6_CASE240405_D201AP.tar",
"os": "macOS-15.0-x86_64-i386-64bit",
"timestamp": "2024-10-15T16:10:59.816421",
"last_commit": {
"hash": "5edc9a916fd57fae3f9be628768aee79236863e4",
"author_name": "James Habben",
"author_email": "james@wmif.net",
"date": "2024-10-15T16:07:28-07:00",
"message": "Update gmail.py"
}
},
"artifacts": {
"gmailOfflineSearch": {
"search_patterns": [
"*/mobile/Containers/Data/Application/*/Library/Application Support/data/*/searchsqlitedb*"
],
"file_count": 0,
"note": "No responsive files found for this artifact"
},
"gmailLabelDetails": {
"search_patterns": [
"*/mobile/Containers/Data/Application/*/Library/Application Support/data/*/sqlitedb*"
],
"file_count": 0,
"note": "No responsive files found for this artifact"
}
},
"image_name": "belkasoft_ctf6_ios_device1",
"note": "No responsive files found for any artifacts"
}
}
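Review bot: every expected_output in this file has empty headers and data arrays, so the three cases record which files matched the search patterns but cannot detect a change in what gmail.py extracts; either populate them from a known-good run or flag the cases as pending so the test runner does not report them as passing. The make_data blocks also hard-code /Users/jameshabben/Documents/... input paths (the manifest added in this same PR uses ~/Documents/... for the same images) and commit the author_email field; prefer the manifest's portable paths and trim the generated fields to what the test needs.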