Merge pull request #1045 from stark4n6/main

Minor Fixes

scripts/artifacts/DataUsage.py

@@ -4,7 +4,8 @@
         "description": "Parses application network data usage",
         "author": "@KevinPagano3",
         "version": "0.0.1",
-        "date": "2023-10-10",
+        "creation_date": "2023-10-10",
+        "last_update_date": "2025-02-04",
         "requirements": "none",
         "category": "Network Usage",
         "notes": "",
@@ -16,7 +17,7 @@
 import sqlite3
 
 from scripts.ilapfuncs import artifact_processor
-from scripts.ilapfuncs import logfunc, tsv, timeline, is_platform_windows, open_sqlite_db_readonly, convert_ts_human_to_utc, convert_utc_human_to_timezone
+from scripts.ilapfuncs import logfunc, tsv, timeline, is_platform_windows, open_sqlite_db_readonly, does_column_exist_in_db, convert_cocoa_core_data_ts_to_utc
 
 @artifact_processor
 def get_DataUsage(files_found, report_folder, seeker, wrap_text, timezone_offset):
@@ -29,43 +30,78 @@ def get_DataUsage(files_found, report_folder, seeker, wrap_text, timezone_offset
         if file_found.endswith('.sqlite'):
             db = open_sqlite_db_readonly(file_found)
             cursor = db.cursor()
-            cursor.execute('''
-            select
-            datetime(ZLIVEUSAGE.ZTIMESTAMP + 978307200,'unixepoch'),
-            datetime(ZPROCESS.ZFIRSTTIMESTAMP + 978307200,'unixepoch'),
-            datetime(ZPROCESS.ZTIMESTAMP + 978307200,'unixepoch'),
-            ZPROCESS.ZBUNDLENAME,
-            ZPROCESS.ZPROCNAME,
-            case ZLIVEUSAGE.ZKIND
-                when 0 then 'Process'
-                when 1 then 'App'
-                else ZLIVEUSAGE.ZKIND
-            end,
-            ZLIVEUSAGE.ZWIFIIN,
-            ZLIVEUSAGE.ZWIFIOUT,
-            ZLIVEUSAGE.ZWWANIN,
-            ZLIVEUSAGE.ZWWANOUT
-            from ZLIVEUSAGE
-            left join ZPROCESS on ZPROCESS.Z_PK = ZLIVEUSAGE.ZHASPROCESS
-            ''')
+            if does_column_exist_in_db(file_found,'ZLIVEUSAGE','ZWIFIIN'):
+                cursor.execute('''
+                select
+                ZLIVEUSAGE.ZTIMESTAMP,
+                ZPROCESS.ZFIRSTTIMESTAMP,
+                ZPROCESS.ZTIMESTAMP,
+                ZPROCESS.ZBUNDLENAME,
+                ZPROCESS.ZPROCNAME,
+                case ZLIVEUSAGE.ZKIND
+                    when 0 then 'Process'
+                    when 1 then 'App'
+                    else ZLIVEUSAGE.ZKIND
+                end,
+                ZLIVEUSAGE.ZWIFIIN,
+                ZLIVEUSAGE.ZWIFIOUT,
+                ZLIVEUSAGE.ZWWANIN,
+                ZLIVEUSAGE.ZWWANOUT
+                from ZLIVEUSAGE
+                left join ZPROCESS on ZPROCESS.Z_PK = ZLIVEUSAGE.ZHASPROCESS
+                where ZLIVEUSAGE.ZKIND != 257
+                ''')
 
-            all_rows = cursor.fetchall()
-
-            for row in all_rows:
-                firstused = convert_utc_human_to_timezone(convert_ts_human_to_utc(row[0]),timezone_offset)
-                lastused = convert_utc_human_to_timezone(convert_ts_human_to_utc(row[1]),timezone_offset)
-                lastconnected = convert_utc_human_to_timezone(convert_ts_human_to_utc(row[2]),timezone_offset)
+                all_rows = cursor.fetchall()
+
+                for row in all_rows:
+                    firstused = convert_cocoa_core_data_ts_to_utc(row[0])
+                    lastused = convert_cocoa_core_data_ts_to_utc(row[1])
+                    lastconnected = convert_cocoa_core_data_ts_to_utc(row[2])
+
+                    process_split = row[4].split('/')
+                    data_list.append((lastconnected,firstused,lastused,row[3],process_split[0],row[5],row[6],row[7],row[8],row[9]))
 
-                process_split = row[4].split('/')
-                data_list.append((lastconnected,firstused,lastused,row[3],process_split[0],row[5],row[6],row[7],row[8],row[9]))
+                data_headers = ((('Last Connect Timestamp','datetime'),('First Usage Timestamp','datetime'),('Last Usage Timestamp','datetime'),'Bundle Name','Process Name','Entry Type','Wifi In (Bytes)','Wifi Out (Bytes)','Mobile/WWAN In (Bytes)','Mobile/WWAN Out (Bytes)'))
+                return data_headers, data_list, file_found
+
+            else:
+                cursor.execute('''
+                select
+                ZLIVEUSAGE.ZTIMESTAMP,
+                ZPROCESS.ZFIRSTTIMESTAMP,
+                ZPROCESS.ZTIMESTAMP,
+                ZPROCESS.ZBUNDLENAME,
+                ZPROCESS.ZPROCNAME,
+                case ZLIVEUSAGE.ZKIND
+                    when 0 then 'Process'
+                    when 1 then 'App'
+                    else ZLIVEUSAGE.ZKIND
+                end,
+                ZLIVEUSAGE.ZWWANIN,
+                ZLIVEUSAGE.ZWWANOUT
+                from ZLIVEUSAGE
+                left join ZPROCESS on ZPROCESS.Z_PK = ZLIVEUSAGE.ZHASPROCESS
+                where ZLIVEUSAGE.ZKIND != 257
+                ''')
+
+                all_rows = cursor.fetchall()
 
+                for row in all_rows:
+                    firstused = convert_cocoa_core_data_ts_to_utc(row[0])
+                    lastused = convert_cocoa_core_data_ts_to_utc(row[1])
+                    lastconnected = convert_cocoa_core_data_ts_to_utc(row[2])
+
+                    process_split = row[4].split('/')
+                    data_list.append((lastconnected,firstused,lastused,row[3],process_split[0],row[5],row[6],row[7]))
+
+                data_headers = ((('Last Connect Timestamp','datetime'),('First Usage Timestamp','datetime'),('Last Usage Timestamp','datetime'),'Bundle Name','Process Name','Entry Type','Mobile/WWAN In (Bytes)','Mobile/WWAN Out (Bytes)'))
+                return data_headers, data_list, file_found
+
             db.close()
 
         else:
             continue
 
     if not data_list:
-        logfunc('No Network Usage (DataUsage) - App Data available')
-
-    data_headers = ((('Last Connect Timestamp','datetime'),('First Usage Timestamp','datetime'),('Last Usage Timestamp','datetime'),'Bundle Name','Process Name','Entry Type','Wifi In (Bytes)','Wifi Out (Bytes)','Mobile/WWAN In (Bytes)','Mobile/WWAN Out (Bytes)'))
-    return data_headers, data_list, file_found
+        logfunc('No Network Usage (DataUsage) - App Data available')

scripts/artifacts/cloudkitCache.py

@@ -42,7 +42,6 @@ def get_cloudkitCache(files_found, report_folder, seeker, wrap_text, timezone_of
     files_dictionary = {}
     for file_found in files_found:
         file_found = str(file_found)
-        logfunc(file_found)
         if file_found.endswith('cloudkit_cache.db'):
             logfunc(f"Running artifact on: {file_found}")
             db = open_sqlite_db_readonly(file_found)

scripts/artifacts/imeiImsi.py

@@ -2,9 +2,10 @@
     "imeiImsi": {
         "name": "IMEI - IMSI",
         "description": "Extracts Cellular information",
-        "author": "@AlexisBrignoni",
-        "version": "0.2",
-        "date": "2023-10-03",
+        "author": "@AlexisBrignoni - @KevinPagano3",
+        "version": "0.3",
+        "creation_date": "2023-10-03",
+        "last_update_date": "2025-02-04",
         "requirements": "none",
         "category": "Identifiers",
         "notes": "",
@@ -27,15 +28,15 @@ def imeiImsi(files_found, report_folder, seeker, wrap_text, timezone_offset):
         for key, val in pl.items():
             if key == 'PersonalWallet':
                 val = (list(val.values())[0])
-                lastgoodimsi = val['CarrierEntitlements']['lastGoodImsi']
+                lastgoodimsi = val['CarrierEntitlements'].get('lastGoodImsi','')
                 data_list.append(('Last Good IMSI', lastgoodimsi))
                 device_info("Cellular", "Last Good IMSI", lastgoodimsi, source_path)
 
-                selfregitrationupdateimsi = val['CarrierEntitlements']['kEntitlementsSelfRegistrationUpdateImsi']
+                selfregitrationupdateimsi = val['CarrierEntitlements'].get('kEntitlementsSelfRegistrationUpdateImsi','')
                 data_list.append(('Self Registration Update IMSI', selfregitrationupdateimsi))
                 device_info("Cellular", "Self Registration Update IMSI", selfregitrationupdateimsi, source_path)
 
-                selfregistrationupdateimei = val['CarrierEntitlements']['kEntitlementsSelfRegistrationUpdateImei']
+                selfregistrationupdateimei = val['CarrierEntitlements'].get('kEntitlementsSelfRegistrationUpdateImei','')
                 data_list.append(('Self Registration Update IMEI', selfregistrationupdateimei))
                 device_info("Cellular", "Self Registration Update IMEI", selfregistrationupdateimei, source_path)