def checkPostURL(flow, results):
    """Tag Canvas (Champlain) POST traffic and record the identifiers it carries.

    Every flow handled here is attributed to 'Canvas'. Three endpoints are
    recognised:
      * the my.champlain.edu login form  -> the submitted username
      * the Instructure OAuth2 token URL -> client_id and client_secret
      * calendar_events creation         -> the raw response body

    Results are appended as ``Result.Result(flow, label, value)``.
    """
    flow.source = 'Canvas'
    url = flow.url
    body = flow.requestContent

    if url == 'https://my.champlain.edu/auth/login':
        flow.source = 'Canvas Login'
        results.append(Result.Result(
            flow, 'User Info: Canvas Username',
            AppDefault.findFormEntry(body, 'username')))
        # The cleartext password is also in this form post; capturing it is
        # deliberately left disabled so credentials never land in a report.
    elif url.startswith('https://champlain.instructure.com/login/oauth2/token'):
        # NOTE(review): the OAuth client secret is a long-lived credential;
        # anything that persists these results must treat them as sensitive.
        for label, field in (('System Info: Canvas Client ID', 'client_id'),
                             ('System Info: Canvas Client Secret', 'client_secret')):
            results.append(Result.Result(
                flow, label, AppDefault.findFormEntry(body, field)))
    elif url.startswith(
            'https://champlain.instructure.com/api/v1/calendar_events/?calendar_event'):
        results.append(Result.Result(
            flow, 'User Action: Created Calendar Event', flow.responseContent))
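def checkPutURL(flow, results):
    """Interpret Google Drive / Google Photos PUT requests.

    For ``www.googleapis.com/drive/v2internal/files/<docID>?...`` the request
    body decides what is recorded:
      * a ``"title":`` field              -> 'Rename File: <docID> (<title>)'
      * a ``"lastViewedByMeDate":`` field -> 'Document Opened: <docID> @ <value>'
    A PUT to photos.googleapis.com/data/upload only tags the flow.

    Fixes: the original tested ``find('"lastViewedByMeDate":')`` for
    truthiness, so that branch fired whenever the key was *absent* (find()
    returns -1, which is truthy) and was skipped when the key sat at offset 0.
    Values were also cut with an unguarded ``find`` of the newline / '?',
    which silently dropped the last character when no delimiter followed.
    """
    DRIVE_FILES = 'https://www.googleapis.com/drive/v2internal/files'
    if flow.url.startswith(DRIVE_FILES):
        flow.source = 'Google Drive'
        body = flow.requestContent
        # URL shape is .../files/<docID>?<query>; skip the '/' and drop the query.
        docID = flow.url[len(DRIVE_FILES) + 1:].partition('?')[0]

        titleAt = body.find('"title":')
        if titleAt > -1:
            # Rest of the line after the key, with the surrounding quotes removed.
            line = body[titleAt + len('"title":'):].partition('\n')[0].strip()
            title = line[1:-1]
            results.append(Result.Result(
                flow, 'User Action',
                'Rename File: ' + docID + ' (' + title + ')'))
        elif body.find('"lastViewedByMeDate":') > -1:
            line = body[body.find('"lastViewedByMeDate":'):].partition('\n')[0]
            # Expected form: '"lastViewedByMeDate": "<timestamp>"' — the second
            # space-separated token is the quoted timestamp.
            tokens = line.split(' ')
            stamp = tokens[1][1:-1] if len(tokens) > 1 else ''
            results.append(Result.Result(
                flow, 'User Action', 'Document Opened: ' + docID + ' @ ' + stamp))
    elif flow.url.startswith('https://photos.googleapis.com/data/upload'):
        flow.source = 'Google Photos Upload'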
def checkResponseHeadersDefault(flow, headers, results):
    """App-agnostic response-header checks applied to every flow.

    Records any 'Set-Cookie' header — and the 'Set-Cookie-1' / 'Set-Cookie-2'
    variants (presumably how the capture layer names repeated headers; not
    shown here) — as 'System Info: Cookie', then tags image and font
    downloads from Content-Type.
    """
    # Set-Cookie values are session credentials; results holding them are as
    # sensitive as the session itself.
    for cookieHeader in ('Set-Cookie', 'Set-Cookie-1', 'Set-Cookie-2'):
        if cookieHeader in headers.keys():
            results.append(Result.Result(
                flow, 'System Info: Cookie', headers[cookieHeader]))

    contentType = headers['Content-Type'] if 'Content-Type' in headers.keys() else ''
    isImage = (contentType.startswith('image')
               and 'app-measurement.com' not in flow.url)
    if isImage:
        # Flows already attributed to Google Analytics keep that label.
        if flow.source != 'Google Analytics':
            flow.source = (flow.source + ' Image Download') if flow.source else 'Image Download'
    elif contentType.startswith('font'):
        flow.source = (flow.source + ' Font Download') if flow.source else 'Font Download'
def checkPostURL(flow, results):
    """Extract identifiers and app events from Facebook Graph API POSTs.

    Only flows to https://graph.facebook.com are examined. Form fields
    ``anon_id``, ``advertiser_id`` and ``installer_package`` are recorded
    when present. A POST to an ``/activities`` path is recorded as a user
    action labelled with ``application_package_name``; the payload is
    ``custom_events`` when ``event`` is CUSTOM_APP_EVENTS, else ``event``.
    """
    if not flow.url.startswith('https://graph.facebook.com'):
        return
    body = flow.requestContent

    # Presence is tested on the raw 'key:' text; the value comes from the form helper.
    for marker, label, field in (
            ('anon_id:', 'Facebook Anonymous ID', 'anon_id'),
            ('advertiser_id:', 'Ad ID', 'advertiser_id'),
            ('installer_package:', 'App Installer', 'installer_package')):
        if marker in body:
            results.append(Result.Result(
                flow, label, AppDefault.findFormEntry(body, field)))

    if '/activities' in flow.url:
        label = 'User Action: ' + AppDefault.findFormEntry(
            body, 'application_package_name')
        if AppDefault.findFormEntry(body, 'event') == 'CUSTOM_APP_EVENTS':
            payload = AppDefault.findFormEntry(body, 'custom_events')
        else:
            payload = AppDefault.findFormEntry(body, 'event')
        results.append(Result.Result(flow, label, payload))
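def checkRequestHeaders(flow, headers, results):
    """Attribute LinkedIn Android traffic and pull device/session identifiers.

    ``x-li-track`` is a JSON-like blob; ``osVersion``, ``model`` and
    ``clientVersion`` are taken as the quoted string following each key.
    ``x-udid`` is recorded as the device id and ``csrf-token`` under the
    original label 'LinkedIn Session ID' (it is the CSRF token, but it is
    request-authenticating material and must be handled as a credential).

    Fix: the original sliced at ``find(key) + N`` without checking that the
    key existed, so a blob missing a key produced a result holding an
    arbitrary fragment starting at offset N-1. Missing keys are now skipped.
    """
    if 'User-Agent' in headers.keys():
        if 'com.linkedin.android' in headers['User-Agent'] and flow.source == '':
            flow.source = 'LinkedIn'

    if 'x-li-track' in headers.keys():
        track = headers['x-li-track']
        for key, label in (('"osVersion":', 'System Info: OS Version'),
                           ('"model":', 'System Info: Model'),
                           ('"clientVersion":', 'System Info: LinkedIn Version')):
            value = _quotedValueAfter(track, key)
            if value is not None:
                results.append(Result.Result(flow, label, value))

    if 'x-udid' in headers.keys():
        results.append(Result.Result(
            flow, 'System Info: Device ID', headers['x-udid']))

    if 'csrf-token' in headers.keys():
        results.append(Result.Result(
            flow, 'LinkedIn Session ID', headers['csrf-token']))


def _quotedValueAfter(blob, key):
    """Return the text between the quote right after ``key`` and the next quote.

    Mirrors the original offsets (``key`` is assumed to be immediately
    followed by ``"``). Returns None when ``key`` is not in ``blob``.
    """
    at = blob.find(key)
    if at < 0:
        return None
    start = at + len(key) + 1
    return blob[start:].partition('"')[0]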
def checkResponseHeaders(flow, headers, results):
    """Record Reddit's x-reddit-loid and x-reddit-session response headers.

    Both values identify the client to Reddit; the session header is a
    credential and should be protected wherever results are stored.
    """
    wanted = (('x-reddit-loid', 'User Info: Reddit LOID'),
              ('x-reddit-session', 'User Info: Reddit Session ID'))
    for header, label in wanted:
        if header in headers.keys():
            results.append(Result.Result(flow, label, headers[header]))
def checkGetURL(flow, results):
    """Attribute RocketChat GETs and record embedded analytics / session data.

    Every flow handled here is tagged 'RocketChat'. Recognised endpoints:
      * certify.alexametrics.com/atrk        -> Alexa session cookie
      * q.stripe.com/?event                  -> Stripe key, js id and event
      * settings.public (RegistrationForm)   -> registration screen viewed
      * /api/v1/me                           -> own profile viewed + user id
      * /api/v1/spotlight                    -> search query
      * channels.getAllUserMentionsByChannel -> roomId
      * channels.files                       -> roomId
    """
    flow.source = 'RocketChat'
    url = flow.url
    body = flow.requestContent
    api = 'https://open.rocket.chat/api/v1/'

    def record(label, value):
        results.append(Result.Result(flow, label, value))

    if url.startswith('https://certify.alexametrics.com/atrk'):
        record('RocketChat AlexaMetrics Session Cookie',
               AppDefault.findFormEntry(body, 'sess_cookie'))
    elif url.startswith('https://q.stripe.com/?event'):
        for label, field in (('Stripe Key', 'key'),
                             ('Stripe JS ID', 'stripe_js_id'),
                             ('Stripe Event', 'event')):
            record(label, AppDefault.findFormEntry(body, field))
    elif url.startswith(api + 'settings.public') and 'RegistrationForm' in url:
        record('User Action: RocketChat Screen View', 'Viewed Registration Form')
    elif url == api + 'me':
        record('User Action: Viewed Profile', 'Viewed own profile')
        # The slice starts 6 chars past 'id":', i.e. it assumes the response
        # reads `"_id": "<value>"` (colon, space, quote) — unverified here. If
        # the key is absent find() returns -1 and the result is garbage.
        rest = flow.responseContent[flow.responseContent.find('id":') + 6:]
        record('RocketChat ID', rest[:rest.find('"')])
    elif url.startswith(api + 'spotlight'):
        record('User Action: RocketChat Search',
               AppDefault.findFormEntry(body, 'query'))
    elif url.startswith(api + 'channels.getAllUserMentionsByChannel'):
        record('User Action: Viewed Channel Mentions',
               AppDefault.findFormEntry(body, 'roomId'))
    elif url.startswith(api + 'channels.files'):
        record('User Action: Viewed Channel Files',
               AppDefault.findFormEntry(body, 'roomId'))
def checkGetURL(flow, results):
    """Record the advertising identifier sent on Facebook Graph API GETs.

    ``advertiser_id`` is preferred; ``device_id`` is used only when the
    former is absent from the request. Both are labelled 'Ad ID'.
    """
    if not flow.url.startswith('https://graph.facebook.com'):
        return
    body = flow.requestContent
    if 'advertiser_id:' in body:
        field = 'advertiser_id'
    elif 'device_id:' in body:
        field = 'device_id'
    else:
        return
    results.append(Result.Result(
        flow, 'Ad ID', AppDefault.findFormEntry(body, field)))
def checkGetURL(flow, results):
    """Tag Slack websocket GETs and record the auth and push tokens they carry.

    A token is recorded only when it is longer than 25 characters (presumably
    to skip empty or placeholder values). Both tokens are credentials.
    """
    if not flow.url.startswith('https://wss-mobile.slack.com'):
        return
    flow.source = 'Slack'
    for field, label in (('token', 'Slack Token'),
                         ('push_token', 'Slack Push Token')):
        value = AppDefault.findFormEntry(flow.requestContent, field)
        if len(value) > 25:
            results.append(Result.Result(flow, label, value))
def checkGetURL(flow, results):
    """Tag Netflix GETs and record build / chipset details from the samurai config call.

    Every flow handled here is attributed to 'Netflix'; only the
    .../android/samurai/config request yields results (form fields
    ``osDisplay`` and ``chipsetHardware``).
    """
    flow.source = 'Netflix'
    if not flow.url.startswith(
            'https://android.prod.cloud.netflix.com/android/samurai/config'):
        return
    for label, field in (('System Info: Build', 'osDisplay'),
                         ('System Info: Chipset', 'chipsetHardware')):
        results.append(Result.Result(
            flow, label, AppDefault.findFormEntry(flow.requestContent, field)))
def checkDeleteURL(flow, results):
    """Record Discord channel and guild (server) deletions by the id in the URL.

    DELETE /api/v6/channels/<id>        -> source 'Discord Channel Delete'
    DELETE /api/v6/users/@me/guilds/<id> -> source 'Discord Server Delete'
    Both are recorded under the 'Discord Channel' label (original labelling,
    even though the second value is a guild id).
    """
    url = flow.url
    if url.startswith('https://discordapp.com/api/v6/channels'):
        flow.source = 'Discord Channel Delete'
        marker = 'channels/'
    elif url.startswith('https://discordapp.com/api/v6/users/@me/guilds'):
        flow.source = 'Discord Server Delete'
        marker = 'guilds/'
    else:
        return
    # Everything after the marker. If the URL ends at the bare collection
    # (no trailing '/<id>'), find() is -1 and the slice starts at
    # len(marker) - 1 — original quirk preserved.
    ident = url[url.find(marker) + len(marker):]
    results.append(Result.Result(flow, 'Discord Channel', ident))
def checkRequestHeaders(flow, headers, results):
    """Attribute Reddit app traffic by User-Agent and record device / ad ids."""
    if 'User-Agent' in headers.keys():
        if headers['User-Agent'].startswith('Reddit') and flow.source == '':
            flow.source = 'Reddit'
    for header, label in (('x-reddit-device-id', 'User Info: Reddit Device ID'),
                          ('x-dev-ad-id', 'User Info: Ad ID')):
        if header in headers.keys():
            results.append(Result.Result(flow, label, headers[header]))
def checkRequestHeaders(flow, headers, results):
    """Attribute Venmo traffic and record its device id and OTP secret header.

    VENMO-OTP-SECRET travels in cleartext on the request and, by its name,
    is presumably second-factor material; results holding it are as
    sensitive as the account.
    """
    if 'User-Agent' in headers.keys():
        if headers['User-Agent'].startswith('Venmo') and flow.source == '':
            flow.source = 'Venmo'
    for header, label in (('device-id', 'Venmo Device ID'),
                          ('VENMO-OTP-SECRET', 'Venmo OTP Secret')):
        if header in headers.keys():
            results.append(Result.Result(flow, label, headers[header]))
def checkRequestHeaders(flow, headers, results):
    """Attribute Discord Android traffic and record fingerprint / websocket key.

    Sec-WebSocket-Key is the per-handshake nonce of the WebSocket upgrade
    (RFC 6455), not a session credential; it is recorded as an identifier
    of the handshake only.
    """
    if 'User-Agent' in headers.keys():
        if headers['User-Agent'].startswith('Discord-Android') and flow.source == '':
            flow.source = 'Discord'
    for header, label in (('x-fingerprint', 'Discord Fingerprint'),
                          ('Sec-WebSocket-Key', 'Discord Web Socket Key')):
        if header in headers.keys():
            results.append(Result.Result(flow, label, headers[header]))
def checkRequestHeaders(flow, headers, results):
    """Attribute YouTube app traffic and record Google device-auth / visitor ids.

    x-goog-device-auth authenticates the device to Google APIs — treat it as
    a credential.
    """
    if 'User-Agent' in headers.keys():
        if (headers['User-Agent'].startswith('com.google.android.youtube')
                and flow.source == ''):
            flow.source = 'Youtube'
    for header, label in (
            ('x-goog-device-auth', 'System Info: Google API Device Authentication'),
            ('x-goog-visitor-id', 'User Info: Google Visitor ID')):
        if header in headers.keys():
            results.append(Result.Result(flow, label, headers[header]))
def checkGetURL(flow, results):
    """Record the text typed into Reddit's search box (``query`` of subreddit_autocomplete)."""
    if flow.url.startswith('https://oauth.reddit.com/api/subreddit_autocomplete'):
        typed = AppDefault.findFormEntry(flow.requestContent, 'query')
        results.append(Result.Result(
            flow, 'User Action: Typed in Search', '"' + typed + '"'))
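def analyzeHeadRequestDefault(flow, results):
    """Record the peer IP address of a HEAD request, once per flow.

    Skipped when an 'IP Address' result already exists for this flow
    (``checkFlowResults``), the same de-duplication the other *Default
    checks use.

    Fix: this was the only call site building ``Result.Result`` with six
    positional arguments (source, destination, source, type, info, all);
    every other call in the file uses ``Result.Result(flow, type, info)``,
    so the old form looks like a leftover from an earlier constructor and
    would fail against the current one.
    """
    if not checkFlowResults('IP Address', results):
        results.append(Result.Result(flow, 'IP Address', flow.address))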
def checkRequestHeaders(flow, headers, results):
    """Default request-header attribution by User-Agent, plus Crashlytics extraction.

    Sources assigned: 'Play Store Download' / 'File Download' (with the peer
    IP recorded) for AndroidDownloadManager; 'DroidGuard'; 'Google Play
    Store' for Android-Finsky; 'News Feed Article' or 'Google Chrome' for
    Chrome UAs (by referer); and 'Crashlytics', whose requests also yield
    the Authorization token, device model, OS version and installation id.
    """
    if 'User-Agent' not in headers.keys():
        return
    agent = headers['User-Agent']

    if agent.startswith('AndroidDownloadManager'):
        fromPlay = (flow.url.startswith('https://play.googleapis.com/download')
                    or 'play-apps-download' in flow.url)
        flow.source = 'Play Store Download' if fromPlay else 'File Download'
        results.append(Result.Result(flow, 'IP Address', flow.address))
    elif agent.startswith('DroidGuard'):
        flow.source = 'DroidGuard'
    elif agent.startswith('Android-Finsky') and flow.source == '':
        flow.source = 'Google Play Store'
    elif 'Chrome' in agent and flow.source == '':
        fromFeed = ('referer' in headers.keys() and headers['referer'].startswith(
            'android-app://com.google.android.googlequicksearchbox'))
        flow.source = 'News Feed Article' if fromFeed else 'Google Chrome'
    elif agent.startswith('Crashlytics'):
        flow.source = 'Crashlytics'
        if 'authorization' in headers.keys():
            # Reads flow.requestHeaders rather than `headers` like the other
            # branches — kept as-is; presumably the same mapping. The value
            # is a bearer credential.
            results.append(Result.Result(
                flow, 'User Info: Authorization Token',
                flow.requestHeaders['authorization']))
        for header, label in (
                ('X-CRASHLYTICS-DEVICE-MODEL', 'System Info: Model'),
                ('X-CRASHLYTICS-OS-DISPLAY-VERSION', 'System Info: OS Version'),
                ('X-CRASHLYTICS-INSTALLATION-ID', 'System Info: Crashlytics ID')):
            if header in headers.keys():
                results.append(Result.Result(flow, label, headers[header]))
def checkPostURL(flow, results):
    """Tag Keeper Security POSTs and record device, account and session fields.

    Every flow handled here is attributed to 'Keeper Security'; only the
    emergency_check endpoint yields results. Labels follow the original —
    ``product`` is filed as 'Chipset' (the field name suggests a device
    product string; unverified). The session token is a credential.
    """
    flow.source = 'Keeper Security'
    if flow.url != 'https://keepersecurity.com/emergency_check':
        return
    body = flow.requestContent
    fields = (('System Info: Brand', 'mfg'),
              ('System Info: Chipset', 'product'),
              ('System Info: Model', 'model'),
              ('Keeper Security Session Token', 'session_token'),
              ('User Info: Adjust.com Ad ID', 'adjust_adid'),
              ('User Info: Keeper UID', 'uid'),
              ('User Info: Email Address', 'email'))
    for label, field in fields:
        results.append(Result.Result(
            flow, label, AppDefault.findFormEntry(body, field)))
def checkRequestHeaders(flow, headers, results):
    """Attribute Netflix client traffic and record the per-user GUID header."""
    if 'User-Agent' in headers.keys():
        if headers['User-Agent'].startswith('com.netflix.mediaclient'):
            flow.source = 'Netflix'
    guidHeader = 'x-netflix.request.client.user.guid'
    if guidHeader in headers.keys():
        results.append(Result.Result(
            flow, 'User Info: Netflix UUID', headers[guidHeader]))
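def checkDeleteURL(flow, results):
    """Record a Google Calendar event deletion.

    DELETE .../calendar/v3internal/calendars/<cal>/events/<eventId>?... tags
    the flow 'Google Calendar' and records 'Event Deletion: <eventId>'.

    Fixes: the id was cut with an unguarded ``[:find('?')]``, which dropped
    its last character when the URL carried no query string; and when the
    path had no '/events/' segment the original sliced from offset 7 and
    reported that fragment as an event id — such requests are now skipped.
    """
    if not flow.url.startswith(
            'https://www.googleapis.com/calendar/v3internal/calendars'):
        return
    flow.source = 'Google Calendar'
    marker = '/events/'
    at = flow.url.find(marker)
    if at < 0:
        # Not an event resource (e.g. the calendar itself); nothing to record.
        return
    eventId = flow.url[at + len(marker):].partition('?')[0]
    results.append(Result.Result(
        flow, 'User Action', 'Event Deletion: ' + eventId))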
def checkRequestHeaders(flow, headers, results):
    """Attribute Slack traffic by User-Agent and record its ``uuid`` header."""
    if 'User-Agent' in headers.keys():
        if headers['User-Agent'].startswith('slack') and flow.source == '':
            flow.source = 'Slack'
    if 'uuid' in headers.keys():
        results.append(Result.Result(flow, 'Slack UUID', headers['uuid']))
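def checkGetURL(flow, results):
    """Attribute Discord GETs and record the channel / guild / profile they touch.

    Hosts dl.discordapp.net, discordapp.com and gateway.discord.gg are tagged
    'Discord'. Then, by API path:
      * /api/v6/channels/<id>/messages -> 'Discord Messages Sync', channel id
      * /api/v6/channels/<id>/pins     -> 'Discord Pins Lookup', channel id
      * /api/v6/users/<id>/profile     -> 'View Discord User Profile',
                                          username#discriminator from the response
      * /api/v6/guilds/<id>/.../search -> 'Discord Channel Search', guild id

    Fixes: ids were cut with ``[:s.find(x)]``, which drops the final character
    when ``x`` is absent; ``partition`` is used instead. NOTE(review): the
    username extraction was garbled in the source reviewed here (its slice
    bounds were unreadable); it is reconstructed to mirror the discriminator
    extraction — the value starts two characters past the key, i.e. the
    response is assumed to read ``"username": "<name>"`` — and should be
    checked against a real capture.
    """
    url = flow.url
    if (url.startswith('https://dl.discordapp.net')
            or url.startswith('https://discordapp.com')
            or url.startswith('https://gateway.discord.gg')):
        flow.source = 'Discord'

    api = 'https://discordapp.com/api/v6/'
    if url.startswith(api + 'channels'):
        channelId = url[url.find('channels/') + len('channels/'):]
        if 'messages' in url:
            flow.source = 'Discord Messages Sync'
            results.append(Result.Result(
                flow, 'Discord Channel', channelId.partition('/messages')[0]))
        elif 'pins' in url:
            flow.source = 'Discord Pins Lookup'
            results.append(Result.Result(
                flow, 'Discord Channel', channelId.partition('/pins')[0]))
    elif url.startswith(api + 'users') and 'profile' in url:
        body = flow.responseContent
        username = _discordJsonString(body, '"username":')
        discriminator = _discordJsonString(body, '"discriminator":')
        results.append(Result.Result(
            flow, 'User Action: View Discord User Profile',
            username + '#' + discriminator))
    elif url.startswith(api + 'guilds') and 'search' in url:
        flow.source = 'Discord Channel Search'
        guildId = url[url.find('guilds/') + len('guilds/'):]
        results.append(Result.Result(
            flow, 'Discord Channel', guildId.partition('/messages')[0]))


def _discordJsonString(body, key):
    """Return the quoted value following ``key`` in a Discord JSON body.

    Matches the original offsets: the value starts two characters after the
    key (``": "``) and ends at the next double quote. Returns '' when the key
    is absent instead of slicing from an arbitrary position.
    """
    at = body.find(key)
    if at < 0:
        return ''
    return body[at + len(key) + 2:].partition('"')[0]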
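def checkDeleteURL(flow, results):
    """Record a Hulu watch-history deletion.

    Every flow handled here is tagged 'Hulu'. A DELETE to
    .../users/self/profiles/self/viewed_entities/<id>?... records
    'User Action: Delete Watch History' with the entity id.

    Fixes: the id was cut with an unguarded ``[:find('?')]``, dropping its
    last character when the URL had no query string; a request to the bare
    collection (no '/<id>') used to be reported from offset 15 of the URL
    and is now skipped.
    """
    flow.source = 'Hulu'
    if not flow.url.startswith(
            'https://home.hulu.com/v1/users/self/profiles/self/viewed_entities'):
        return
    marker = 'viewed_entities/'
    at = flow.url.find(marker)
    if at < 0:
        return
    entityId = flow.url[at + len(marker):].partition('?')[0]
    results.append(Result.Result(
        flow, 'User Action: Delete Watch History', entityId))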
def checkDeleteURL(flow, results):
    """Record a LinkedIn conversation deletion by the id in the URL.

    The id is the path segment after 'conversations/'. It is cut at the
    first '/' when one precedes the '?', else at the '?'. Note the original
    quirk: with a '/' but no '?', ``find('?')`` is -1 so neither cut applies
    and the remainder of the path is kept — preserved here.
    """
    if not flow.url.startswith(
            'https://www.linkedin.com/voyager/api/messaging/conversations'):
        return
    tail = flow.url[flow.url.find('conversations/') + len('conversations/'):]
    slash = tail.find('/')
    query = tail.find('?')
    if slash > -1 and slash < query:
        tail = tail[:slash]
    elif query > -1:
        tail = tail[:query]
    results.append(Result.Result(
        flow, 'User Action: Delete LinkedIn Conversation', tail))
def checkPutURL(flow, results):
    """Record a Hulu 'save' action from the v2 saves endpoint.

    The label is built from the JSON ``entity_type`` and the value is the
    ``entity_id``. Each slice starts two characters past its key, so the
    body is assumed to read ``"entity_type": "<type>"``. If a key is missing
    find() returns -1 and the slice starts from an arbitrary offset —
    original behaviour, unchanged.
    """
    flow.source = 'Hulu'
    if not flow.url.startswith(
            'https://home.hulu.com/v2/users/self/profiles/self/saves'):
        return
    body = flow.requestContent

    def quoted(key):
        rest = body[body.find(key) + len(key) + 2:]
        return rest[:rest.find('"')]

    entityType = quoted('"entity_type":')
    entityId = quoted('"entity_id":')
    results.append(Result.Result(
        flow, 'User Action: Saved ' + entityType, entityId))
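def searchFlow(flow, results, items):
    """Raw-data sweep: flag any known value from ``items`` found in the flow.

    ``items`` maps a literal string (e.g. a known identifier) to a label.
    Each key present anywhere in ``flow.all`` is recorded once as
    '<label> (RAWDATASEARCH)' with the key as the value, unless a result
    with that exact value already exists for the flow — the sweep is a
    catch-all for identifiers the per-app checks did not extract.

    Fixes: the original slid through ``content`` one character at a time,
    re-slicing the string each step (O(n^2) copies) and re-scanning the
    growing ``infos`` list per key; it also stopped one character early, so
    a single-character key at the very end of the data never matched. Hits
    are still recorded in order of first occurrence (ties in ``items``
    order), so result ordering is unchanged.
    """
    seen = {result.info for result in results}
    content = flow.all

    hits = []
    for order, (key, label) in enumerate(items.items()):
        if key in seen:
            continue
        at = content.find(key)
        if at > -1:
            hits.append((at, order, key, label))

    for _at, _order, key, label in sorted(hits):
        results.append(Result.Result(flow, label + ' (RAWDATASEARCH)', key))
        seen.add(key)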
def checkPostURL(flow, results):
    """Tag Netflix POSTs and record launch, telemetry, session and browsing data.

    Every flow handled here is attributed to 'Netflix'. Endpoints:
      * android-appboot.netflix.com/appboot -> 'Netflix opened'
      * .../ichnaea/log                     -> event_type and advdevtag_id
                                               (JSON, sliced at key + 2 chars,
                                               i.e. assumes ``": "``)
      * .../aui/pathEvaluator               -> secureNetflixId, netflixId,
                                               flwssn — all session credentials
      * .../android (other)                 -> the ``path`` form entry unless
                                               it is a logBillboardActivity
    """
    flow.source = 'Netflix'
    url = flow.url
    body = flow.requestContent
    cloud = 'https://android.prod.cloud.netflix.com/'

    def record(label, value):
        results.append(Result.Result(flow, label, value))

    def quoted(key):
        # Same offsets as the original: find() may be -1 if the key is absent.
        rest = body[body.find(key) + len(key) + 2:]
        return rest[:rest.find('"')]

    if url.startswith('https://android-appboot.netflix.com/appboot'):
        record('User Action: App Launch', 'Netflix opened')
    elif url.startswith(cloud + 'ichnaea/log'):
        record('Netflix Event', quoted('"event_type":'))
        record('Ad ID', quoted('"advdevtag_id":'))
    elif url.startswith(cloud + 'aui/pathEvaluator'):
        for label, field in (('Secure Netflix ID', 'secureNetflixId'),
                             ('Netflix ID', 'netflixId'),
                             ('Netflix FLWSSN', 'flwssn')):
            record(label, AppDefault.findFormEntry(body, field))
    elif url.startswith(cloud + 'android'):
        if 'path:' in body:
            path = AppDefault.findFormEntry(body, 'path')
            if '"logBillboardActivity"' not in path:
                record('Netflix Browsing Path', path)
def checkRequestHeadersDefault(flow, headers, results):
    """App-agnostic request-header extraction applied to every flow.

    User-Agent, Cookie, x-dfe-device-id and x-dfe-device-config-token are
    recorded only if the flow has no result of that label yet
    (``checkFlowResults``); x-ad-id, Authorization, x-device-boot-count and
    x-device-id are recorded unconditionally.

    Cookie and Authorization values are live credentials; anything that
    stores these results must protect them accordingly.
    """
    guarded = (('User-Agent', 'System Info: User-Agent'),
               ('Cookie', 'System Info: Cookie'),
               ('x-dfe-device-id', 'System Info: Device ID'),
               ('x-dfe-device-config-token', 'System Info: Config Token'))
    for header, label in guarded:
        if header in headers.keys() and checkFlowResults(label, results) == False:
            results.append(Result.Result(flow, label, headers[header]))

    unguarded = (('x-ad-id', 'User Info: Ad ID'),
                 ('Authorization', 'Authorization'),
                 ('x-device-boot-count', 'System Info: Boot Count'),
                 ('x-device-id', 'System Info: Device ID'))
    for header, label in unguarded:
        if header in headers.keys():
            results.append(Result.Result(flow, label, headers[header]))
def checkResponseHeaders(flow, headers, results):
    """Attribute Google Photos image responses and record thumbnail views.

    An image response whose request came from com.google.android.apps.photos
    is tagged 'Google Photos'. If it was served from ap2.googleusercontent.com
    or lh3.googleusercontent.com/a and its 'Size' entry is one of the known
    thumbnail dimensions, the flow becomes 'Google Photos Thumbnail' and
    'Image Viewed: <filename>' is recorded from Content-Disposition.
    """
    if ('Content-Type' not in headers.keys()
            or not headers['Content-Type'].startswith('image')):
        return
    reqHeaders = flow.requestHeaders
    if ('User-Agent' not in reqHeaders.keys()
            or not reqHeaders['User-Agent'].startswith('com.google.android.apps.photos')):
        return
    flow.source = 'Google Photos'

    fromPhotosHost = (flow.url.startswith('https://ap2.googleusercontent.com')
                      or flow.url.startswith('https://lh3.googleusercontent.com/a'))
    if not fromPhotosHost:
        return

    thumbnailSizes = ('246 x 328 px', '38 x 50 px', '50 x 38 px',
                      '28 x 50 px', '328 x 328 px')
    size = AppDefault.findFormEntry(flow.responseContent, 'Size').strip()
    if size not in thumbnailSizes:
        return

    flow.source = 'Google Photos Thumbnail'
    # The slice begins 10 chars after 'filename=' (9 chars), i.e. it skips the
    # opening quote of `filename="<name>"`. A response without a
    # Content-Disposition header raises KeyError here, as in the original.
    disposition = flow.responseHeaders['content-disposition']
    picName = disposition[disposition.find('filename=') + 10:]
    picName = picName[:picName.find('"')]
    results.append(Result.Result(flow, 'User Action', 'Image Viewed: ' + picName))