def checkPostURL(flow, results):
    """Tag a POST flow as Canvas traffic and record the Canvas values it carries.

    ``flow.source`` is always overwritten with 'Canvas' (or 'Canvas Login' for
    the login URL). Findings are appended to ``results`` in place; nothing is
    returned.
    """
    flow.source = 'Canvas'
    url = flow.url

    def record(label, value):
        results.append(Result.Result(flow, label, value))

    if url == 'https://my.champlain.edu/auth/login':
        flow.source = 'Canvas Login'
        # Only the username form field is extracted here; the password field
        # of the login form is not recorded by this check.
        record('User Info: Canvas Username',
               AppDefault.findFormEntry(flow.requestContent, 'username'))

    elif url.startswith('https://champlain.instructure.com/login/oauth2/token'):
        # NOTE(review): the OAuth2 client secret is stored verbatim, so the
        # results list (and anything written from it) holds a live credential
        # and should be handled as sensitive output.
        record('System Info: Canvas Client ID',
               AppDefault.findFormEntry(flow.requestContent, 'client_id'))
        record('System Info: Canvas Client Secret',
               AppDefault.findFormEntry(flow.requestContent, 'client_secret'))

    elif url.startswith(
            'https://champlain.instructure.com/api/v1/calendar_events/?calendar_event'):
        # The whole response body is kept as the finding.
        record('User Action: Created Calendar Event', flow.responseContent)
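def checkPutURL(flow, results):
    """Classify Google Drive / Google Photos PUT flows and record Drive actions.

    For Drive file URLs the request body is inspected for a ``"title":`` entry
    (recorded as a rename) or a ``"lastViewedByMeDate":`` entry (recorded as a
    document open). Findings are appended to ``results`` in place.
    """
    if flow.url.find('https://www.googleapis.com/drive/v2internal/files') == 0:
        flow.source = 'Google Drive'
        if flow.requestContent.find('"title":') > -1:
            type = 'User Action'
            # Text after the '"title":' marker (8 characters long), up to the
            # end of that line, with the first and last characters dropped.
            info = flow.requestContent[flow.requestContent.find('"title":') +
                                       8:]
            info = info[:info.find('\n')].strip()
            info = info[1:len(info) - 1]
            # 50 skips the 49-character URL prefix matched above plus the
            # character that follows it.
            docID = flow.url[50:]
            docID = docID[:docID.find('?')]
            info = 'Rename File: ' + docID + ' (' + info + ')'
            results.append(Result.Result(flow, type, info))

        # str.find() returns -1 (truthy) when the marker is absent and 0
        # (falsy) when it is at the very start, so the result must be compared
        # explicitly; used as a bare boolean it took this branch for bodies
        # without the marker and then failed while slicing.
        elif flow.requestContent.find('"lastViewedByMeDate":') > -1:
            type = 'User Action'
            info = flow.requestContent[flow.requestContent.
                                       find('"lastViewedByMeDate":'):]
            info = info[:info.find('\n')]
            # Second space-separated token of the line, outer characters dropped.
            info = info.split(' ')[1]
            info = info[1:len(info) - 1]
            docID = flow.url[50:]
            docID = docID[:docID.find('?')]
            info = "Document Opened: " + docID + ' @ ' + info
            results.append(Result.Result(flow, type, info))

    elif flow.url.find('https://photos.googleapis.com/data/upload') == 0:
        flow.source = 'Google Photos Upload'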
def checkResponseHeadersDefault(flow, headers, results):
    """Record response cookies and label image/font downloads.

    Each of the 'Set-Cookie', 'Set-Cookie-1' and 'Set-Cookie-2' headers that is
    present is appended to ``results`` as a 'System Info: Cookie' finding.
    ``flow.source`` gets an ' Image Download' / ' Font Download' suffix (or is
    set to that label when empty) depending on the Content-Type header.
    """
    # NOTE(review): cookie values are stored verbatim; they may include session
    # identifiers, so the results should be treated as sensitive.
    for cookie_header in ('Set-Cookie', 'Set-Cookie-1', 'Set-Cookie-2'):
        if cookie_header in headers.keys():
            results.append(
                Result.Result(flow, 'System Info: Cookie', headers[cookie_header]))

    if 'Content-Type' not in headers.keys():
        return

    content_type = headers['Content-Type']
    if content_type[:5] == 'image' and 'app-measurement.com' not in flow.url:
        # Flows already attributed to Google Analytics keep their label.
        if flow.source != 'Google Analytics':
            if len(flow.source) > 0:
                flow.source += ' Image Download'
            else:
                flow.source = 'Image Download'
    elif content_type[:4] == 'font':
        if len(flow.source) > 0:
            flow.source += ' Font Download'
        else:
            flow.source = 'Font Download'
def checkPostURL(flow, results):
    """Record identifiers and app events sent in POSTs to graph.facebook.com.

    Flows for other hosts are ignored. Findings are appended to ``results`` in
    place.
    """
    if not flow.url.startswith('https://graph.facebook.com'):
        return

    # (marker that must appear in the body, finding label, form field to read)
    identifier_fields = (
        ('anon_id:', 'Facebook Anonymous ID', 'anon_id'),
        ('advertiser_id:', 'Ad ID', 'advertiser_id'),
        ('installer_package:', 'App Installer', 'installer_package'),
    )
    for marker, label, field in identifier_fields:
        if marker in flow.requestContent:
            value = AppDefault.findFormEntry(flow.requestContent, field)
            results.append(Result.Result(flow, label, value))

    if '/activities' in flow.url:
        # The reporting app's package name becomes part of the finding label.
        label = 'User Action: ' + AppDefault.findFormEntry(
            flow.requestContent, 'application_package_name')
        event = AppDefault.findFormEntry(flow.requestContent, 'event')
        if event == 'CUSTOM_APP_EVENTS':
            detail = AppDefault.findFormEntry(flow.requestContent,
                                              'custom_events')
        else:
            detail = AppDefault.findFormEntry(flow.requestContent, 'event')
        results.append(Result.Result(flow, label, detail))
def checkRequestHeaders(flow, headers, results):
    """Attribute a flow to LinkedIn and record LinkedIn request-header values.

    ``flow.source`` is set to 'LinkedIn' only when it is still empty and the
    User-Agent contains 'com.linkedin.android'. Findings are appended to
    ``results`` in place.
    """
    if 'User-Agent' in headers.keys():
        agent = headers['User-Agent']
        if 'com.linkedin.android' in agent and flow.source == '':
            flow.source = 'LinkedIn'

    if 'x-li-track' in headers.keys():
        track = headers['x-li-track']
        # (finding label, marker inside the header, characters to skip from
        # the start of the marker to reach the value)
        # NOTE(review): when a marker is absent find() returns -1, so the slice
        # starts at an unrelated offset and the finding holds arbitrary text.
        tracked_fields = (
            ('System Info: OS Version', '"osVersion":', 13),
            ('System Info: Model', '"model":', 9),
            ('System Info: LinkedIn Version', '"clientVersion":', 17),
        )
        for label, marker, skip in tracked_fields:
            tail = track[track.find(marker) + skip:]
            results.append(Result.Result(flow, label, tail[:tail.find('"')]))

    if 'x-udid' in headers.keys():
        results.append(
            Result.Result(flow, 'System Info: Device ID', headers['x-udid']))

    if 'csrf-token' in headers.keys():
        # The csrf-token header value is stored verbatim under this label.
        results.append(
            Result.Result(flow, 'LinkedIn Session ID', headers['csrf-token']))
def checkResponseHeaders(flow, headers, results):
    """Record the Reddit LOID and session headers found in a response.

    Each header that is present is appended to ``results`` verbatim.
    """
    reddit_headers = (
        ('x-reddit-loid', 'User Info: Reddit LOID'),
        ('x-reddit-session', 'User Info: Reddit Session ID'),
    )
    for header_name, label in reddit_headers:
        if header_name in headers.keys():
            results.append(Result.Result(flow, label, headers[header_name]))
def checkGetURL(flow, results):
    """Tag a GET flow as RocketChat and record the values matched by its URL.

    ``flow.source`` is always overwritten with 'RocketChat'. At most one URL
    branch applies; its findings are appended to ``results`` in place.
    """
    flow.source = 'RocketChat'
    url = flow.url

    def record(label, value):
        results.append(Result.Result(flow, label, value))

    def form(field):
        return AppDefault.findFormEntry(flow.requestContent, field)

    if url.startswith('https://certify.alexametrics.com/atrk'):
        record('RocketChat AlexaMetrics Session Cookie', form('sess_cookie'))

    elif url.startswith('https://q.stripe.com/?event'):
        record('Stripe Key', form('key'))
        record('Stripe JS ID', form('stripe_js_id'))
        record('Stripe Event', form('event'))

    elif (url.startswith('https://open.rocket.chat/api/v1/settings.public')
          and 'RegistrationForm' in url):
        record('User Action: RocketChat Screen View', 'Viewed Registration Form')

    elif url == 'https://open.rocket.chat/api/v1/me':
        record('User Action: Viewed Profile', 'Viewed own profile')
        # The ID is the text starting 6 characters after the first 'id":' in
        # the response body, up to the next double quote.
        body = flow.responseContent
        user_id = body[body.find('id":') + 6:]
        record('RocketChat ID', user_id[:user_id.find('"')])

    elif url.startswith('https://open.rocket.chat/api/v1/spotlight'):
        record('User Action: RocketChat Search', form('query'))

    elif url.startswith(
            'https://open.rocket.chat/api/v1/channels.getAllUserMentionsByChannel'):
        record('User Action: Viewed Channel Mentions', form('roomId'))

    elif url.startswith('https://open.rocket.chat/api/v1/channels.files'):
        record('User Action: Viewed Channel Files', form('roomId'))
def checkGetURL(flow, results):
    """Record the advertising ID sent in GETs to graph.facebook.com.

    'advertiser_id' takes precedence; 'device_id' is only read when the body
    has no 'advertiser_id:' entry. Both are recorded under the 'Ad ID' label.
    """
    if not flow.url.startswith('https://graph.facebook.com'):
        return

    body = flow.requestContent
    if 'advertiser_id:' in body:
        field = 'advertiser_id'
    elif 'device_id:' in body:
        field = 'device_id'
    else:
        return
    results.append(
        Result.Result(flow, 'Ad ID',
                      AppDefault.findFormEntry(flow.requestContent, field)))
def checkGetURL(flow, results):
    """Attribute wss-mobile.slack.com GETs to Slack and record their tokens.

    A 'token' or 'push_token' form entry is recorded only when it is longer
    than 25 characters.
    """
    if not flow.url.startswith('https://wss-mobile.slack.com'):
        return

    flow.source = 'Slack'
    # NOTE(review): both values are stored verbatim; a Slack token is a bearer
    # credential, so the results should be handled as sensitive output.
    for field, label in (('token', 'Slack Token'),
                         ('push_token', 'Slack Push Token')):
        if len(AppDefault.findFormEntry(flow.requestContent, field)) > 25:
            value = AppDefault.findFormEntry(flow.requestContent, field)
            results.append(Result.Result(flow, label, value))
def checkGetURL(flow, results):
    """Tag a GET flow as Netflix and record device details from the config call.

    ``flow.source`` is always overwritten with 'Netflix'. For the samurai
    config URL the 'osDisplay' and 'chipsetHardware' form entries are recorded.
    """
    flow.source = 'Netflix'

    config_url = 'https://android.prod.cloud.netflix.com/android/samurai/config'
    if flow.url.startswith(config_url):
        for label, field in (('System Info: Build', 'osDisplay'),
                             ('System Info: Chipset', 'chipsetHardware')):
            value = AppDefault.findFormEntry(flow.requestContent, field)
            results.append(Result.Result(flow, label, value))
def checkDeleteURL(flow, results):
    """Record the channel or guild targeted by a Discord DELETE request.

    The finding value is everything in the URL after 'channels/' or 'guilds/'.
    """
    url = flow.url
    if url.startswith('https://discordapp.com/api/v6/channels'):
        flow.source = 'Discord Channel Delete'
        target = url[url.find('channels/') + 9:]
    elif url.startswith('https://discordapp.com/api/v6/users/@me/guilds'):
        flow.source = 'Discord Server Delete'
        # NOTE(review): the guild branch also uses the 'Discord Channel'
        # label; confirm whether a separate label was intended.
        target = url[url.find('guilds/') + 7:]
    else:
        return
    results.append(Result.Result(flow, 'Discord Channel', target))
def checkRequestHeaders(flow, headers, results):
    """Attribute a flow to Reddit and record Reddit device/ad identifiers.

    ``flow.source`` is set to 'Reddit' only when it is still empty and the
    User-Agent starts with 'Reddit'.
    """
    if 'User-Agent' in headers.keys():
        if headers['User-Agent'].startswith('Reddit') and flow.source == '':
            flow.source = 'Reddit'

    identifier_headers = (
        ('x-reddit-device-id', 'User Info: Reddit Device ID'),
        ('x-dev-ad-id', 'User Info: Ad ID'),
    )
    for header_name, label in identifier_headers:
        if header_name in headers.keys():
            results.append(Result.Result(flow, label, headers[header_name]))
def checkRequestHeaders(flow, headers, results):
    """Attribute a flow to Venmo and record Venmo device/OTP header values.

    ``flow.source`` is set to 'Venmo' only when it is still empty and the
    User-Agent starts with 'Venmo'.
    """
    if 'User-Agent' in headers.keys():
        if headers['User-Agent'].startswith('Venmo') and flow.source == '':
            flow.source = 'Venmo'

    if 'device-id' in headers.keys():
        results.append(
            Result.Result(flow, 'Venmo Device ID', headers['device-id']))

    if 'VENMO-OTP-SECRET' in headers.keys():
        # NOTE(review): the header value is stored verbatim; going by its name
        # it is authentication material, so the results need the same
        # protection as the credential itself.
        results.append(
            Result.Result(flow, 'Venmo OTP Secret', headers['VENMO-OTP-SECRET']))
def checkRequestHeaders(flow, headers, results):
    """Attribute a flow to Discord and record Discord-related header values.

    ``flow.source`` is set to 'Discord' only when it is still empty and the
    User-Agent starts with 'Discord-Android'.
    """
    if 'User-Agent' in headers.keys():
        agent = headers['User-Agent']
        if agent.startswith('Discord-Android') and flow.source == '':
            flow.source = 'Discord'

    if 'x-fingerprint' in headers.keys():
        results.append(
            Result.Result(flow, 'Discord Fingerprint', headers['x-fingerprint']))

    if 'Sec-WebSocket-Key' in headers.keys():
        # NOTE(review): Sec-WebSocket-Key is the generic WebSocket handshake
        # header and this check is not tied to the Discord User-Agent, so any
        # WebSocket flow passed here is labelled as Discord.
        results.append(
            Result.Result(flow, 'Discord Web Socket Key',
                          headers['Sec-WebSocket-Key']))
def checkRequestHeaders(flow, headers, results):
    """Attribute a flow to YouTube and record Google device/visitor headers.

    ``flow.source`` is set to 'Youtube' only when it is still empty and the
    User-Agent starts with 'com.google.android.youtube'.
    """
    if 'User-Agent' in headers.keys():
        agent = headers['User-Agent']
        if agent.startswith('com.google.android.youtube') and flow.source == '':
            flow.source = 'Youtube'

    google_headers = (
        # Stored verbatim; the device-auth value is authentication material.
        ('x-goog-device-auth', 'System Info: Google API Device Authentication'),
        ('x-goog-visitor-id', 'User Info: Google Visitor ID'),
    )
    for header_name, label in google_headers:
        if header_name in headers.keys():
            results.append(Result.Result(flow, label, headers[header_name]))
def checkGetURL(flow, results):
    """Record the text a user typed into Reddit's subreddit autocomplete.

    The 'query' form entry is wrapped in double quotes and appended to
    ``results``; flows for other URLs are ignored.
    """
    autocomplete_url = 'https://oauth.reddit.com/api/subreddit_autocomplete'
    if not flow.url.startswith(autocomplete_url):
        return

    typed = AppDefault.findFormEntry(flow.requestContent, 'query')
    results.append(
        Result.Result(flow, 'User Action: Typed in Search', '"' + typed + '"'))
def analyzeHeadRequestDefault(flow, results):
    """Record the flow's address as an 'IP Address' finding once per results list.

    Nothing is appended when ``checkFlowResults`` does not return a value equal
    to False for the 'IP Address' label.
    """
    label = 'IP Address'
    if checkFlowResults(label, results) == False:
        address = flow.address
        # NOTE(review): six positional arguments are passed here, while the
        # other checks on this page call Result.Result(flow, type, info);
        # confirm which constructor signature this snippet targets.
        finding = Result.Result(flow.source, flow.destination, flow.source,
                                label, address, flow.all)
        results.append(finding)
def checkRequestHeaders(flow, headers, results):
    """Attribute a flow by User-Agent and record auth and Crashlytics headers.

    The User-Agent decides ``flow.source`` (download manager, DroidGuard, Play
    Store, Chrome / news feed, Crashlytics). Findings are appended to
    ``results`` in place.
    """
    if 'User-Agent' in headers.keys():
        agent = headers['User-Agent']
        if agent.startswith('AndroidDownloadManager'):
            from_play = (
                flow.url[:36] == 'https://play.googleapis.com/download'
                or 'play-apps-download' in flow.url)
            flow.source = 'Play Store Download' if from_play else 'File Download'
            results.append(Result.Result(flow, 'IP Address', flow.address))
        elif agent.startswith('DroidGuard'):
            flow.source = 'DroidGuard'
        elif agent.startswith('Android-Finsky') and flow.source == '':
            flow.source = 'Google Play Store'
        elif 'Chrome' in agent and flow.source == '':
            # A referer from the Google quick search box app marks the flow as
            # an article opened from the news feed.
            via_feed = ('referer' in headers.keys()
                        and headers['referer'].startswith(
                            'android-app://com.google.android.googlequicksearchbox'))
            flow.source = 'News Feed Article' if via_feed else 'Google Chrome'
        elif agent.startswith('Crashlytics'):
            flow.source = 'Crashlytics'

    if 'authorization' in headers.keys():
        # NOTE(review): presence is tested on `headers` but the value is read
        # from flow.requestHeaders; confirm both refer to the same mapping.
        # The token is stored verbatim, so the results hold a live credential.
        results.append(
            Result.Result(flow, 'User Info: Authorization Token',
                          flow.requestHeaders['authorization']))

    crashlytics_headers = (
        ('X-CRASHLYTICS-DEVICE-MODEL', 'System Info: Model'),
        ('X-CRASHLYTICS-OS-DISPLAY-VERSION', 'System Info: OS Version'),
        ('X-CRASHLYTICS-INSTALLATION-ID', 'System Info: Crashlytics ID'),
    )
    for header_name, label in crashlytics_headers:
        if header_name in headers.keys():
            results.append(Result.Result(flow, label, headers[header_name]))
def checkPostURL(flow, results):
    """Tag a POST flow as Keeper Security and record the emergency_check fields.

    ``flow.source`` is always overwritten with 'Keeper Security'. For the
    emergency_check URL each listed form entry is appended to ``results``.
    """
    flow.source = 'Keeper Security'

    if flow.url != 'https://keepersecurity.com/emergency_check':
        return

    # (finding label, form field) in the order they are recorded.
    # NOTE(review): the session token and e-mail address are stored verbatim;
    # treat the results as sensitive output.
    recorded_fields = (
        ('System Info: Brand', 'mfg'),
        ('System Info: Chipset', 'product'),
        ('System Info: Model', 'model'),
        ('Keeper Security Session Token', 'session_token'),
        ('User Info: Adjust.com Ad ID', 'adjust_adid'),
        ('User Info: Keeper UID', 'uid'),
        ('User Info: Email Address', 'email'),
    )
    for label, field in recorded_fields:
        value = AppDefault.findFormEntry(flow.requestContent, field)
        results.append(Result.Result(flow, label, value))
def checkRequestHeaders(flow, headers, results):
    """Attribute a flow to Netflix and record the Netflix user GUID header.

    Unlike the other per-app header checks shown on this page, the source is
    overwritten even when it was already set.
    """
    if 'User-Agent' in headers.keys():
        if headers['User-Agent'].startswith('com.netflix.mediaclient'):
            flow.source = 'Netflix'

    guid_header = 'x-netflix.request.client.user.guid'
    if guid_header in headers.keys():
        results.append(
            Result.Result(flow, 'User Info: Netflix UUID', headers[guid_header]))
def checkDeleteURL(flow, results):
    """Record a Google Calendar event deletion from the DELETE request URL.

    The event identifier is the URL text between '/events/' and the first '?'.
    """
    calendars_url = 'https://www.googleapis.com/calendar/v3internal/calendars'
    if not flow.url.startswith(calendars_url):
        return

    flow.source = 'Google Calendar'
    event_id = flow.url[flow.url.find('/events/') + 8:]
    # NOTE(review): without a '?' find() returns -1 and this slice drops the
    # last character of the identifier.
    event_id = event_id[:event_id.find('?')]
    results.append(
        Result.Result(flow, 'User Action', 'Event Deletion: ' + event_id))
def checkRequestHeaders(flow, headers, results):
    """Attribute a flow to Slack and record the 'uuid' request header.

    ``flow.source`` is set to 'Slack' only when it is still empty and the
    User-Agent starts with 'slack'.
    """
    if 'User-Agent' in headers.keys():
        if headers['User-Agent'].startswith('slack') and flow.source == '':
            flow.source = 'Slack'

    if 'uuid' in headers.keys():
        # Not gated on the Slack User-Agent: any flow passed here that carries
        # a 'uuid' header is recorded under the Slack label.
        results.append(Result.Result(flow, 'Slack UUID', headers['uuid']))
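def checkGetURL(flow, results):
    """Attribute Discord GET flows and record the channel, guild or user involved.

    Flows to the Discord hosts get ``flow.source = 'Discord'``; channel message
    syncs, pin lookups and guild searches refine the source further. Findings
    are appended to ``results`` in place.
    """
    url = flow.url

    if url.startswith(('https://dl.discordapp.net',
                       'https://discordapp.com',
                       'https://gateway.discord.gg')):
        flow.source = 'Discord'

    if url.startswith('https://discordapp.com/api/v6/channels'):
        if 'messages' in url:
            flow.source = 'Discord Messages Sync'
            channel = url[url.find('channels/') + 9:]
            channel = channel[:channel.find('/messages')]
            results.append(Result.Result(flow, 'Discord Channel', channel))
        elif 'pins' in url:
            flow.source = 'Discord Pins Lookup'
            channel = url[url.find('channels/') + 9:]
            channel = channel[:channel.find('/pins')]
            results.append(Result.Result(flow, 'Discord Channel', channel))

    elif (url.startswith('https://discordapp.com/api/v6/users')
          and 'profile' in url):
        body = flow.responseContent
        # NOTE(review): the username extraction was garbled on the page (a
        # '******' run replaced part of the statement, leaving invalid
        # syntax). The offset 13 is reconstructed by analogy with the
        # discriminator extraction below (marker length + 2); confirm against
        # the upstream file.
        username = body[body.find('"username":') + 13:]
        username = username[:username.find('"')]
        discriminator = body[body.find('"discriminator":') + 18:]
        discriminator = discriminator[:discriminator.find('"')]
        results.append(
            Result.Result(flow, 'User Action: View Discord User Profile',
                          username + '#' + discriminator))

    elif (url.startswith('https://discordapp.com/api/v6/guilds')
          and 'search' in url):
        flow.source = 'Discord Channel Search'
        guild = url[url.find('guilds/') + 7:]
        guild = guild[:guild.find('/messages')]
        results.append(Result.Result(flow, 'Discord Channel', guild))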
def checkDeleteURL(flow, results):
    """Tag a DELETE flow as Hulu and record a watch-history deletion.

    ``flow.source`` is always overwritten with 'Hulu'. The recorded value is
    the URL text between 'viewed_entities/' and the first '?'.
    """
    flow.source = 'Hulu'

    history_url = 'https://home.hulu.com/v1/users/self/profiles/self/viewed_entities'
    if flow.url.startswith(history_url):
        entity = flow.url[flow.url.find('viewed_entities/') + 16:]
        entity = entity[:entity.find('?')]
        results.append(
            Result.Result(flow, 'User Action: Delete Watch History', entity))
def checkDeleteURL(flow, results):
    """Record the LinkedIn conversation targeted by a DELETE request.

    The identifier is the URL text after 'conversations/', cut at a '/' that
    precedes the '?', or otherwise at the '?'.
    """
    conversations_url = 'https://www.linkedin.com/voyager/api/messaging/conversations'
    if not flow.url.startswith(conversations_url):
        return

    conversation = flow.url[flow.url.find('conversations/') + 14:]
    slash_at = conversation.find('/')
    query_at = conversation.find('?')
    # NOTE(review): when the tail has a '/' but no '?', query_at is -1, neither
    # branch applies and the tail is recorded untrimmed; confirm whether
    # cutting at the '/' was intended in that case.
    if -1 < slash_at < query_at:
        conversation = conversation[:slash_at]
    elif query_at > -1:
        conversation = conversation[:query_at]
    results.append(
        Result.Result(flow, 'User Action: Delete LinkedIn Conversation',
                      conversation))
def checkPutURL(flow, results):
    """Tag a PUT flow as Hulu and record what the user saved.

    ``flow.source`` is always overwritten with 'Hulu'. For the saves URL the
    entity type (used in the label) and entity id are cut out of the request
    body by offset from their markers.
    """
    flow.source = 'Hulu'

    if not flow.url.startswith(
            'https://home.hulu.com/v2/users/self/profiles/self/saves'):
        return

    body = flow.requestContent
    # Each value starts a fixed number of characters after the start of its
    # marker and runs to the next double quote.
    entity_type = body[body.find('"entity_type":') + 16:]
    entity_type = entity_type[:entity_type.find('"')]
    entity_id = body[body.find('"entity_id":') + 14:]
    entity_id = entity_id[:entity_id.find('"')]
    results.append(
        Result.Result(flow, 'User Action: Saved ' + entity_type, entity_id))
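def searchFlow(flow, results, items):
    """Scan the raw flow content for known strings and record each one once.

    ``items`` maps a search string to a label. A key found in ``flow.all`` is
    appended to ``results`` with ' (RAWDATASEARCH)' added to its label, unless
    a result with the same ``info`` value already exists. Findings come out in
    order of first occurrence in the content.
    """
    content = flow.all
    seen = [result.info for result in results]

    # Walk start offsets instead of re-slicing `content` one character shorter
    # on every pass: that copied the whole remaining payload per position,
    # which is quadratic in the payload size and stalls on large bodies.
    # NOTE(review): the scan stops one position before the end, matching the
    # previous loop (it ran only while more than one character remained);
    # confirm whether the final character should be examined as well.
    for start in range(len(content) - 1):
        for key, value in items.items():
            if content[start:start + len(key)] == key and key not in seen:
                results.append(
                    Result.Result(flow, value + ' (RAWDATASEARCH)', key))
                seen.append(key)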
def checkPostURL(flow, results):
    """Tag a POST flow as Netflix and record launch, event and ID values.

    ``flow.source`` is always overwritten with 'Netflix'. At most one URL
    branch applies; its findings are appended to ``results`` in place.
    """
    flow.source = 'Netflix'
    url = flow.url

    def record(label, value):
        results.append(Result.Result(flow, label, value))

    def after_marker(marker, skip):
        # Text starting `skip` characters after the start of `marker` in the
        # request body, up to the next double quote.
        body = flow.requestContent
        tail = body[body.find(marker) + skip:]
        return tail[:tail.find('"')]

    if url.startswith('https://android-appboot.netflix.com/appboot'):
        record('User Action: App Launch', 'Netflix opened')

    elif url.startswith('https://android.prod.cloud.netflix.com/ichnaea/log'):
        record('Netflix Event', after_marker('"event_type":', 15))
        record('Ad ID', after_marker('"advdevtag_id":', 17))

    elif url.startswith(
            'https://android.prod.cloud.netflix.com/aui/pathEvaluator'):
        # NOTE(review): these identifiers are stored verbatim; if they act as
        # session credentials the results need to be protected accordingly.
        for label, field in (('Secure Netflix ID', 'secureNetflixId'),
                             ('Netflix ID', 'netflixId'),
                             ('Netflix FLWSSN', 'flwssn')):
            record(label, AppDefault.findFormEntry(flow.requestContent, field))

    elif url.startswith('https://android.prod.cloud.netflix.com/android'):
        # Browsing paths are recorded, except billboard-activity logging calls.
        if ('path:' in flow.requestContent
                and '"logBillboardActivity"' not in AppDefault.findFormEntry(
                    flow.requestContent, 'path')):
            record('Netflix Browsing Path',
                   AppDefault.findFormEntry(flow.requestContent, 'path'))
def checkRequestHeadersDefault(flow, headers, results):
    """Record generic request headers (agent, cookie, device, auth) as findings.

    The first four headers are recorded only when ``checkFlowResults`` returns
    a value equal to False for their label; the remaining four are recorded
    whenever present.
    """
    # (header name, finding label, whether checkFlowResults gates the finding)
    # NOTE(review): Cookie and Authorization values are stored verbatim, so the
    # results hold live session material and should be handled as sensitive.
    header_checks = (
        ('User-Agent', 'System Info: User-Agent', True),
        ('Cookie', 'System Info: Cookie', True),
        ('x-dfe-device-id', 'System Info: Device ID', True),
        ('x-dfe-device-config-token', 'System Info: Config Token', True),
        ('x-ad-id', 'User Info: Ad ID', False),
        ('Authorization', 'Authorization', False),
        ('x-device-boot-count', 'System Info: Boot Count', False),
        ('x-device-id', 'System Info: Device ID', False),
    )
    for header_name, label, gated in header_checks:
        if header_name not in headers.keys():
            continue
        if gated and not (checkFlowResults(label, results) == False):
            continue
        results.append(Result.Result(flow, label, headers[header_name]))
def checkResponseHeaders(flow, headers, results):
    """Attribute image responses to Google Photos and record the viewed image.

    Applies only to image responses whose request User-Agent starts with
    'com.google.android.apps.photos'. For the two googleusercontent URL
    prefixes the file name from the content-disposition header is recorded,
    and known thumbnail sizes change the source to 'Google Photos Thumbnail'.
    """
    if not ('Content-Type' in headers.keys()
            and headers['Content-Type'][:5] == 'image'):
        return
    if not ('User-Agent' in flow.requestHeaders.keys()
            and flow.requestHeaders['User-Agent'][:30]
            == 'com.google.android.apps.photos'):
        return

    flow.source = 'Google Photos'
    if not (flow.url.startswith('https://ap2.googleusercontent.com')
            or flow.url.startswith('https://lh3.googleusercontent.com/a')):
        return

    thumbnail_sizes = ('246 x 328 px', '38 x 50 px', '50 x 38 px',
                       '28 x 50 px', '328 x 328 px')
    size = AppDefault.findFormEntry(flow.responseContent, 'Size').strip()
    if size in thumbnail_sizes:
        flow.source = 'Google Photos Thumbnail'

    # NOTE(review): 'content-disposition' is read without a presence check, so
    # a response lacking it raises here if flow.responseHeaders is a plain
    # mapping.
    disposition = flow.responseHeaders['content-disposition']
    picture = disposition[disposition.find('filename=') + 10:]
    picture = picture[:picture.find('"')]
    results.append(Result.Result(flow, 'User Action', 'Image Viewed: ' + picture))