-
Notifications
You must be signed in to change notification settings - Fork 169
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Updated for LAVA and ios17-18 updates
Photos.sqlite Parsers updated for LAVA tool. Updates for iOS 17.6 schema change and GA iOS 18 schema Developer betas not supported. working on errors for plist parsers. update tested on FFS, Adv Log, Log + ios 14-ios 18
- Loading branch information
1 parent
3cc8a13
commit a7b7d6f
Showing
42 changed files
with
44,914 additions
and
37,756 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,88 +1,77 @@ | ||
| # Author: Scott Koenig https://theforensicscooter.com/ | ||
| # Version: 1.0 | ||
| # | ||
| # Description: | ||
| # Parses basic data from */device_values.plist which is a part of a UFED Advance Logical acquisitions | ||
| # with non-encrypted backups. The parsing of this file will allow for iLEAPP to parse some basic information | ||
| # such as */PhotoData/Photos.sqlite. | ||
| # Based on research and published blogs written by Scott Koenig https://theforensicscooter.com/ | ||
|
|
||
| __artifacts_v2__ = { | ||
| 'Ph100UFEDdevicevaluesPlist': { | ||
| 'name': 'Ph100-UFED-device-values-Plist', | ||
| 'description': 'Parses basic data from */device_values.plist which is a part of a UFED Advance Logical' | ||
| ' acquisitions with non-encrypted backups. The parsing of this file will allow for iLEAPP' | ||
| ' to parse some basic information such as */PhotoData/Photos.sqlite.' | ||
| ' Based on research and published blogs written by Scott Koenig https://theforensicscooter.com/', | ||
| 'author': 'Scott Koenig', | ||
| 'version': '5.0', | ||
| 'date': '2025-01-05', | ||
| 'requirements': 'Acquisition that contains device_values.plist', | ||
| 'category': 'Photos-Z-Settings', | ||
| 'notes': '', | ||
| 'paths': ('*/device_values.plist',), | ||
| "output_types": ["standard", "tsv", "none"] | ||
| } | ||
| } | ||
| import os | ||
| import plistlib | ||
| import biplist | ||
| import nska_deserialize as nd | ||
| from scripts.builds_ids import OS_build | ||
| import scripts.artifacts.artGlobals | ||
| from scripts.artifact_report import ArtifactHtmlReport | ||
| from scripts.ilapfuncs import logfunc, logdevinfo, tsv, is_platform_windows | ||
|
|
||
| from scripts.ilapfuncs import artifact_processor, logfunc, device_info, get_file_path | ||
|
|
||
| def get_ph100ufeddevicevaluesplist(files_found, report_folder, seeker, wrap_text, timezone_offset): | ||
| versionnum = 0 | ||
| @artifact_processor | ||
| def Ph100UFEDdevicevaluesPlist(files_found, report_folder, seeker, wrap_text, timezone_offset): | ||
| data_list = [] | ||
| file_found = str(files_found[0]) | ||
| with open(file_found, "rb") as fp: | ||
| source_path = str(files_found[0]) | ||
|
|
||
| with open(source_path, "rb") as fp: | ||
| pl = plistlib.load(fp) | ||
| for key, val in pl.items(): | ||
| data_list.append((key, val)) | ||
| data_list.append((key, str(val))) | ||
|
|
||
| if key == "ProductVersion": | ||
| scripts.artifacts.artGlobals.versionf = val | ||
| scripts.artifacts.artGlobals.versionf = str(val) | ||
| logfunc(f"iOS version: {val}") | ||
| logdevinfo(f"<b>iOS version: </b>{val}") | ||
| device_info("devicevaluesplist-ufedadvlog", "Product Version", str(val), source_path) | ||
|
|
||
| if key == "BuildVersion": | ||
| logdevinfo(f"<b>BuildVersion: </b>{val}") | ||
| logfunc(f"Build Version: {val}") | ||
| device_info("devicevaluesplist-ufedadvlog", "Build Version", str(val), source_path) | ||
|
|
||
| if key == "ProductType": | ||
| logfunc(f"ProductType: {val}") | ||
| logdevinfo(f"<b>ProductType: </b>{val}") | ||
| logfunc(f"Product Type: {val}") | ||
| device_info("devicevaluesplist-ufedadvlog", "Product Type", str(val), source_path) | ||
|
|
||
| if key == "HardwareModel": | ||
| logdevinfo(f"<b>HardwareModel: </b>{val}") | ||
| logfunc(f"Hardware Model: {val}") | ||
| device_info("devicevaluesplist-ufedadvlog", "Hardware Model", str(val), source_path) | ||
|
|
||
| if key == "InternationalMobileEquipmentIdentity": | ||
| logdevinfo(f"<b>InternationalMobileEquipmentIdentity: </b>{val}") | ||
| logfunc(f"IMEI: {val}") | ||
| device_info("devicevaluesplist-ufedadvlog", "IMEI", str(val), source_path) | ||
|
|
||
| if key == "SerialNumber": | ||
| logdevinfo(f"<b>SerialNumber: </b>{val}") | ||
| logfunc(f"Serial Number: {val}") | ||
| device_info("devicevaluesplist-ufedadvlog", "Serial Number", str(val), source_path) | ||
|
|
||
| if key == "DeviceName": | ||
| logdevinfo(f"<b>DeviceName: </b>{val}") | ||
| logfunc(f"Device Name: {val}") | ||
| device_info("devicevaluesplist-ufedadvlog", "Device Name", str(val), source_path) | ||
|
|
||
| if key == "PasswordProtected": | ||
| logdevinfo(f"<b>PasswordProtected: </b>{val}") | ||
| logfunc(f"Password Protected: {val}") | ||
| device_info("devicevaluesplist-ufedadvlog", "Password Protected", str(val), source_path) | ||
|
|
||
| if key == "TimeZone": | ||
| logdevinfo(f"<b>TimeZone: </b>{val}") | ||
|
|
||
| description = ('Parses basic data from */device_values.plist which is a part of a UFED Advance Logical' | ||
| ' acquisitions with non-encrypted backups. The parsing of this file will allow for iLEAPP' | ||
| ' to parse some basic information such as */PhotoData/Photos.sqlite.' | ||
| ' Based on research and published blogs written by Scott Koenig https://theforensicscooter.com/') | ||
| report = ArtifactHtmlReport('Ph100-UFED-device-values-Plist') | ||
| report.start_artifact_report(report_folder, 'Ph100-UFED-device-values-Plist', description) | ||
| report.add_script() | ||
| data_headers = ('Key', 'Values') | ||
| report.write_artifact_data_table(data_headers, data_list, file_found) | ||
| report.end_artifact_report() | ||
| logfunc(f"TimeZone: {val}") | ||
| device_info("devicevaluesplist-ufedadvlog", "TimeZone", str(val), source_path) | ||
|
|
||
| tsvname = 'Ph100-UFED-device-values-Plist' | ||
| tsv(report_folder, data_headers, data_list, tsvname) | ||
| else: | ||
| data_list.append((key, str(val))) | ||
|
|
||
|
|
||
| __artifacts_v2__ = { | ||
| 'Ph100-UFED-device-values-Plist': { | ||
| 'name': 'UFED Adv Log Acquisition Ph100 UFED Device Values Plist', | ||
| 'description': 'Parses basic data from */device_values.plist which is a part of a UFED Advance Logical' | ||
| ' acquisitions with non-encrypted backups. The parsing of this file will allow for iLEAPP' | ||
| ' to parse some basic information such as */PhotoData/Photos.sqlite.' | ||
| ' Based on research and published blogs written by Scott Koenig https://theforensicscooter.com/', | ||
| 'author': 'Scott Koenig https://theforensicscooter.com/', | ||
| 'version': '1.0', | ||
| 'date': '2024-06-10', | ||
| 'requirements': 'Acquisition that contains device_values.plist', | ||
| 'category': 'Photos-Z-Settings', | ||
| 'notes': '', | ||
| 'paths': '*/device_values.plist', | ||
| 'function': 'get_ph100ufeddevicevaluesplist' | ||
| } | ||
| } | ||
| data_headers = ('Property','Property Value') | ||
| return data_headers, data_list, source_path |
Oops, something went wrong.