abrignoni · Johann-PLW · Oct 3, 2024 · Oct 3, 2024 · Oct 3, 2024
diff --git a/scripts/artifacts/accountConfig.py b/scripts/artifacts/accountConfig.py
@@ -8,22 +8,26 @@
         "requirements": "none",
         "category": "Accounts",
         "notes": "",
-        "paths": ('**/com.apple.accounts.exists.plist',),
+        "paths": ('*/com.apple.accounts.exists.plist',),
         "output_types": "all"
     }
 }
 
 import plistlib
-from scripts.ilapfuncs import artifact_processor
+from scripts.ilapfuncs import artifact_processor, logfunc
 
 @artifact_processor
 def get_confaccts(files_found, report_folder, seeker, wrap_text, timezone_offset):
     data_list = []
-    file_found = str(files_found[0])
-    with open(file_found, "rb") as fp:
+    source_path = str(files_found[0])
+
+    with open(source_path, "rb") as fp:
         pl = plistlib.load(fp)
-        for key, val in pl.items():
-            data_list.append((key, val))
+        if len(pl) > 0:
+            for key, val in pl.items():
+                data_list.append((key, val))
+        else:
+            logfunc("No Account Configuration available")
 
-    data_headers = ('Key', 'Values')
-    return data_headers, data_list, file_found
+    data_headers = ('Key', 'Data')
+    return data_headers, data_list, source_path
diff --git a/scripts/artifacts/accountData.py b/scripts/artifacts/accountData.py
@@ -14,18 +14,15 @@
 }
 
 
-#from scripts.artifact_report import ArtifactHtmlReport
 from scripts.ilapfuncs import artifact_processor, logfunc, open_sqlite_db_readonly, convert_ts_human_to_utc, convert_utc_human_to_timezone 
 
 @artifact_processor
 def get_accs(files_found, report_folder, seeker, wrap_text, timezone_offset):
     data_list = []
-    data_headers = ()
     source_path = ''
 
     for file_found in files_found:
-        source_path = str(file_found)
-
+        source_path = str(file_found)    
         if file_found.endswith('Accounts3.sqlite'):
             break
 

diff --git a/scripts/artifacts/adId.py b/scripts/artifacts/adId.py
@@ -1,32 +1,35 @@
 __artifacts_v2__ = {
-    "adId": {
+    "get_adId": {
+        "name": "Advertiser Identifier",
+        "description": "Extracts Advertisier Identifier from the device",
+        "author": "@AlexisBrignoni",
+        "version": "0.2",
+        "date": "2024-05-09",
+        "requirements": "none",
         "category": "Identifiers",
+        "notes": "",
         "paths": ('*/containers/Shared/SystemGroup/*/Library/Caches/com.apple.lsdidentifiers.plist',),
-        "function": 'get_adId'
+        "output_types": "all"
     }
 }
 
-import datetime
-import os
 import plistlib
+from scripts.ilapfuncs import artifact_processor, logfunc, logdevinfo 
 
-from scripts.artifact_report import ArtifactHtmlReport
-from scripts.ilapfuncs import logfunc, logdevinfo, tsv, is_platform_windows 
-
+@artifact_processor
 def get_adId(files_found, report_folder, seeker, wrap_text, timezone_offset):
-
-    file_found = str(files_found[0])
-    with open(file_found, "rb") as fp:
+    data_list = []
+    source_path = str(files_found[0])
+
+    with open(source_path, "rb") as fp:
         pl = plistlib.load(fp)
-        for key, val in pl.items():
-
-            if key == 'LSAdvertiserIdentifier':
-                adId = val
-                logdevinfo(f"<b>Advertiser Identifier: </b>{adId}")
-
-# __artifacts__ = {
-#     "adId": (
-#         "Identifiers",
-#         ('*/containers/Shared/SystemGroup/*/Library/Caches/com.apple.lsdidentifiers.plist'),
-#         get_adId)
-# }
+        if len(pl) > 0:
+            for key, val in pl.items():
+                if key == 'LSAdvertiserIdentifier':
+                    data_list.append(('Advertiser Identifier', val))
+                    logdevinfo(f"<b>Advertiser Identifier: </b>{adId}")
+        else:
+            logfunc("No Advertiser Identifier available")
+
+    data_headers = ('Key', 'Data')
+    return data_headers, data_list, source_path
diff --git a/scripts/artifacts/backupSettings.py b/scripts/artifacts/backupSettings.py
@@ -1,58 +1,53 @@
-from datetime import datetime
-import os
-import plistlib
-
-from scripts.artifact_report import ArtifactHtmlReport
-from scripts.ilapfuncs import logfunc, logdevinfo, tsv, is_platform_windows 
+__artifacts_v2__ = {
+    "get_backupSettings": {
+        "name": "Backup Settings",
+        "description": "Extracts Backup settings from the device",
+        "author": "@AlexisBrignoni",
+        "version": "0.2",
+        "date": "2024-05-09",
+        "requirements": "none",
+        "category": "Identifiers",
+        "notes": "",
+        "paths": ('*/mobile/Library/Preferences/com.apple.mobile.ldbackup.plist',),
+        "output_types": "all"
+    }
+}
 
-def timestampsconv(webkittime):
-    unix_timestamp = webkittime + 978307200
-    finaltime = datetime.utcfromtimestamp(unix_timestamp)
-    return(finaltime)
+import plistlib
+from datetime import datetime
+from scripts.ilapfuncs import artifact_processor, logfunc, logdevinfo, timestampsconv
 
+@artifact_processor
 def get_backupSettings(files_found, report_folder, seeker, wrap_text, timezone_offset):
     data_list = []
-    file_found = str(files_found[0])
+    source_path = str(files_found[0])
+
     with open(file_found, "rb") as fp:
         pl = plistlib.load(fp)
-        for key, val in pl.items():
-
-            if key == 'LastiTunesBackupDate':
-                lastime = timestampsconv(val)
-                data_list.append(('Last iTunes Backup Date', lastime))
-                logdevinfo(f"<b>Last iTunes Backup Date: </b>{lastime}")
-            elif key == 'LastiTunesBackupTZ':
-                data_list.append((key, val))
-                logdevinfo(f"<b>Last iTunes Backup TZ: </b>{val}")
-            elif key == 'LastCloudBackupDate':
-                lastcloudtime = timestampsconv(val)
-                data_list.append(('Last Cloud iTunes Backup Date', lastcloudtime))
-                logdevinfo(f"<b>Last Cloud iTunes Backup Date: </b>{lastcloudtime}")
-            elif key == 'LastCloudBackupTZ':
-                data_list.append((key, val))
-                logdevinfo(f"<b>Last Cloud iTunes Backup TZ: </b>{val}")
-            elif key == 'CloudBackupEnabled':
-                data_list.append((key,val))
-                logdevinfo(f"<b>Cloud Backup Enabled: </b>{val}")
-            else:
-                data_list.append((key, val ))
+        if len(pl) > 0:
+            for key, val in pl.items():
+                if key == 'LastiTunesBackupDate':
+                    lastime = timestampsconv(val)
+                    data_list.append(('Last iTunes Backup Date', lastime))
+                    logdevinfo(f"<b>Last iTunes Backup Date: </b>{lastime}")
+                elif key == 'LastiTunesBackupTZ':
+                    data_list.append((key, val))
+                    logdevinfo(f"<b>Last iTunes Backup TZ: </b>{val}")
+                elif key == 'LastCloudBackupDate':
+                    lastcloudtime = timestampsconv(val)
+                    data_list.append(('Last Cloud iTunes Backup Date', lastcloudtime))
+                    logdevinfo(f"<b>Last Cloud iTunes Backup Date: </b>{lastcloudtime}")
+                elif key == 'LastCloudBackupTZ':
+                    data_list.append((key, val))
+                    logdevinfo(f"<b>Last Cloud iTunes Backup TZ: </b>{val}")
+                elif key == 'CloudBackupEnabled':
+                    data_list.append((key,val))
+                    logdevinfo(f"<b>Cloud Backup Enabled: </b>{val}")
+                else:
+                    data_list.append((key, val ))
+        else:
+            logfunc('No iPhone Backup Settings available')
 
-    if len(data_list) > 0:
-        report = ArtifactHtmlReport('iPhone Backup Settings')
-        report.start_artifact_report(report_folder, 'iPhone Backup Settings')
-        report.add_script()
-        data_headers = ('Key','Values' )     
-        report.write_artifact_data_table(data_headers, data_list, file_found)
-        report.end_artifact_report()
-
-        tsvname = 'iPhone Backup Settings'
-        tsv(report_folder, data_headers, data_list, tsvname)
-    else:
-        logfunc('No Find iPhone Backup Settings')
+        data_headers = ('Key', 'Data')
+        return data_headers, data_list, source_path
 
-__artifacts__ = {
-    "backupSettings": (
-        "Identifiers",
-        ('*/mobile/Library/Preferences/com.apple.mobile.ldbackup.plist'),
-        get_backupSettings)
-}
diff --git a/scripts/artifacts/callHistory.py b/scripts/artifacts/callHistory.py
@@ -1,5 +1,5 @@
 __artifacts_v2__ = {
-    "callhistory": {
+    "get_callHistory": {
         "name": "Call History",
         "description": "Parses and extract Call History",
         "author": "",
@@ -9,7 +9,7 @@
         "category": "Call History",
         "notes": "",
         "paths": ('**/CallHistory.storedata*','**/call_history.db',),
-        "function": "get_callHistory"
+        "output_types": "all"
     }
 }
 
@@ -18,17 +18,17 @@
 # The Call Ending Timestamp provides an "at-a-glance" review of call lengths during analysis and review
 # Additional details published within "Maximizing iOS Call Log Timestamps and Call Duration Effectiveness: Will You Answer the Call?" at https://sqlmcgee.wordpress.com/2022/11/30/maximizing-ios-call-log-timestamps-and-call-duration-effectiveness-will-you-answer-the-call/
 
-from scripts.artifact_report import ArtifactHtmlReport
-from scripts.ilapfuncs import logfunc, tsv, timeline, open_sqlite_db_readonly, convert_ts_human_to_utc, convert_utc_human_to_timezone, convert_bytes_to_unit
+from scripts.ilapfuncs import artifact_processor ,logfunc, open_sqlite_db_readonly, convert_ts_human_to_utc, convert_utc_human_to_timezone, convert_bytes_to_unit
 
+@artifact_processor
 def get_callHistory(files_found, report_folder, seeker, wrap_text, timezone_offset):
 
     #call_history.db schema taken from here https://avi.alkalay.net/2011/12/iphone-call-history.html 
     query = '''
     select
     datetime(ZDATE+978307200,'unixepoch'),
     CASE
-        WHEN ((datetime(ZDATE+978307200,'unixepoch')) = (datetime(((ZDATE) + (ZDURATION))+978307200,'unixepoch'))) then 'No Call Duration'
+        WHEN ((datetime(ZDATE+978307200,'unixepoch')) = (datetime(((ZDATE) + (ZDURATION))+978307200,'unixepoch'))) then NULL
         ELSE (datetime(((ZDATE) + (ZDURATION))+978307200,'unixepoch'))
     END, 
     ZSERVICE_PROVIDER,
@@ -68,7 +68,7 @@ def get_callHistory(files_found, report_folder, seeker, wrap_text, timezone_offs
     select
     datetime(date, 'unixepoch'),
     CASE
-        WHEN datetime(date,'unixepoch') = datetime((date + duration),'unixepoch') then 'No Call Duration'
+        WHEN datetime(date,'unixepoch') = datetime((date + duration),'unixepoch') then NULL
         ELSE datetime((date + duration), 'unixepoch')
     END,
     'N/A' as ZSERVICE_PROVIDER,
@@ -93,8 +93,11 @@ def get_callHistory(files_found, report_folder, seeker, wrap_text, timezone_offs
     from call
     '''
 
+    data_list = []
+    source_path = ''
+
     for file_found in files_found:
-        file_found = str(file_found)
+        source_path = str(file_found)
 
         if file_found.endswith('.storedata'):
             break
@@ -107,17 +110,14 @@ def get_callHistory(files_found, report_folder, seeker, wrap_text, timezone_offs
     cursor.execute(query)
 
     all_rows = cursor.fetchall()
-    usageentries = len(all_rows)
-    data_list = []
 
-    if usageentries > 0:
-
+    if len(all_rows) > 0:
         for row in all_rows:
             starting_time = convert_ts_human_to_utc(row[0])
             starting_time = convert_utc_human_to_timezone(starting_time,timezone_offset)
 
             ending_time = row[1]
-            if ending_time != 'No Call Duration':
+            if ending_time:
                 ending_time = convert_ts_human_to_utc(row[1])
                 ending_time = convert_utc_human_to_timezone(ending_time,timezone_offset)
 
@@ -133,20 +133,13 @@ def get_callHistory(files_found, report_folder, seeker, wrap_text, timezone_offs
             data_list.append((starting_time, ending_time, row[2], row[3], row[4], an, row[6], 
                               row[7], facetime_data, row[9], row[10], row[11]))
 
-        report = ArtifactHtmlReport('Call History')
-        report.start_artifact_report(report_folder, 'Call History')
-        report.add_script()
-        data_headers = ('Starting Timestamp', 'Ending Timestamp', 'Service Provider', 'Call Type', 'Call Direction', 
-                        'Phone Number', 'Answered', 'Call Duration', 'FaceTime Data', 'Disconnected Cause', 
-                        'ISO Country Code', 'Location')
-        report.write_artifact_data_table(data_headers, data_list, file_found)
-        report.end_artifact_report()
-
-        tsvname = 'Call History'
-        tsv(report_folder, data_headers, data_list, tsvname)
-
-        tlactivity = 'Call History'
-        timeline(report_folder, tlactivity, data_list, data_headers)
     else:
         logfunc('No Call History data available')
+
+    db.close()
 
+    data_headers = (('Starting Timestamp', 'datetime'), ('Ending Timestamp', 'datetime'), 'Service Provider', 
+                    'Call Type', 'Call Direction', ('Phone Number', 'phonenumber'), 'Answered', 'Call Duration', 
+                    'FaceTime Data', 'Disconnected Cause', 'ISO Country Code', 'Location')
+
+    return data_headers, data_list, source_path