class SyncAccounts(IMiscSource):
version = []
catalog_id = Catalog.CATALOG_DEVINFO
title = Label("Accounts", "accounts")
relative_directories = ["system", "sync"]
knownfiles = {
"accounts.xml":
KnownFile(
ParserType.TYPE_XML, {
Label("Sync Accounts", "sync_accounts"): [
KnownFieldXML(
FieldType.TYPE_ARRAY,
"./authority",
"sync_accounts",
contents=[
KnownFieldXML(FieldType.TYPE_STR,
".",
"account_id",
"Id",
read_type=ReadTypeXML.READ_ATTR,
attr="id"),
KnownFieldXML(FieldType.TYPE_STR,
".",
"account_name",
"Account",
read_type=ReadTypeXML.READ_ATTR,
attr="account"),
KnownFieldXML(FieldType.TYPE_STR,
".",
"owning_user",
"Owning User",
read_type=ReadTypeXML.READ_ATTR,
attr="user"),
KnownFieldXML(FieldType.TYPE_STR,
".", "account_type"
"Account Type",
read_type=ReadTypeXML.READ_ATTR,
attr="type"),
KnownFieldXML(FieldType.TYPE_STR,
".",
"authority",
"Authority",
read_type=ReadTypeXML.READ_ATTR,
attr="authority"),
KnownFieldXML(FieldType.TYPE_STR,
".",
"enabled",
"Enabled",
read_type=ReadTypeXML.READ_ATTR,
attr="enabled"),
KnownFieldXML(FieldType.TYPE_STR,
".",
"sync_enabled",
"Sync Enabled",
read_type=ReadTypeXML.READ_ATTR,
attr="syncable"),
])
]
})
}
class UserAccounts(IMiscSource):
version = [18, 19, 20, 21]
catalog_id = Catalog.CATALOG_DEVINFO
title = Label("Accounts", "accounts")
relative_directories = ["system", "users", re.compile("^\d+$")]
knownfiles = {
"accounts.db":
KnownFile(
ParserType.TYPE_SQLITE3, {
Label("Accounts", "accounts"): [
KnownFieldSQL(
FieldType.TYPE_ARRAY,
"""
SELECT *
FROM accounts
""",
contents=[
KnownFieldSQL(FieldType.TYPE_STR, None,
"Account ID", "_id"),
KnownFieldSQL(FieldType.TYPE_STR, None, "Name",
"name"),
KnownFieldSQL(FieldType.TYPE_STR, None, "Type",
"type"),
KnownFieldSQL(FieldType.TYPE_STR, None,
"Password (Hash)", "password"),
]),
],
})
}
class ContactsAccounts(IMiscSource):
version = []
catalog_id = Catalog.CATALOG_DEVINFO
title = Label("Accounts", "accounts")
relative_directories = ["data", "com.android.providers", "databases"]
knownfiles = {
"contacts2.db":
KnownFile(
ParserType.TYPE_SQLITE3, {
Label("Contacts Accounts", "contacts_accounts"): [
KnownFieldSQL(FieldType.TYPE_ARRAY,
"""
SELECT *
FROM accounts
""",
contents=[
KnownFieldSQL(FieldType.TYPE_STR, None,
"Account ID", "_id"),
KnownFieldSQL(FieldType.TYPE_STR, None,
"Name", "account_name"),
KnownFieldSQL(FieldType.TYPE_STR, None,
"Type", "account_type"),
]),
],
})
}
class UserAccountsOld(IMiscSource):
version = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15]
catalog_id = Catalog.CATALOG_DEVINFO
title = Label("Accounts", "accounts")
relative_directories = ["system"]
knownfiles = {
"accounts.db":
KnownFile(
ParserType.TYPE_SQLITE3, {
Label("Accounts", "accounts"): [
KnownFieldSQL(
FieldType.TYPE_ARRAY,
"""
SELECT *
FROM accounts
""",
contents=[
KnownFieldSQL(FieldType.TYPE_STR, None,
"Account ID", "_id"),
KnownFieldSQL(FieldType.TYPE_STR, None, "Name",
"name"),
KnownFieldSQL(FieldType.TYPE_STR, None, "Type",
"type"),
KnownFieldSQL(FieldType.TYPE_STR, None,
"Password (Hash)", "password"),
]),
],
})
}
class UsageStats(IMiscSource):
version = []
catalog_id = Catalog.CATALOG_LOGS
title = Label("Usage Stats", "usage_stats")
relative_directories = ["system", "usagestats"]
knownfiles = {
"usage-history.xml":
KnownFile(
ParserType.TYPE_XML, {
Label("Usage Stats", "usage_stats"): [
KnownFieldXML(
FieldType.TYPE_ARRAY,
"./pkg/comp",
"usage_stats",
contents=[
KnownFieldXML(FieldType.TYPE_STR,
".",
"activity_name",
"Activity",
read_type=ReadTypeXML.READ_ATTR,
attr="name"),
KnownFieldXML(FieldType.TYPE_DATE,
".",
"last_run",
"Last Run Time",
read_type=ReadTypeXML.READ_ATTR,
attr="lrt",
converter=ConvertUtils.JsToUnix)
])
]
})
}
class SmsMms(IMiscSource):
version = []
catalog_id = Catalog.CATALOG_COMMS
title = Label("Telephony", "telephony")
relative_directories = [
"data", "com.android.providers.telephony", "databases"
]
knownfiles = {
"mmssms.db":
KnownFile(
ParserType.TYPE_SQLITE3, {
Label("SMS Messages", "sms_messages"): [
KnownFieldSQL(
FieldType.TYPE_ARRAY,
"""SELECT * FROM sms""",
contents=[
KnownFieldSQL(FieldType.TYPE_STR, None,
"Message ID", "_id"),
KnownFieldSQL(FieldType.TYPE_STR,
None,
"Status",
"status",
converter=SMS_TP_Status2text),
KnownFieldSQL(FieldType.TYPE_STR,
None,
"Type",
"type",
converter=lambda val: "Outgoing"
if val == 2 else "Incoming"),
KnownFieldSQL(FieldType.TYPE_DATE,
None,
"Date Send",
"date_sent",
converter=sendDateParse),
KnownFieldSQL(FieldType.TYPE_DATE,
None,
"Local Date",
"date",
converter=ConvertUtils.JsToUnix),
KnownFieldSQL(FieldType.TYPE_STR, None, "From/To",
"address"),
KnownFieldSQL(FieldType.TYPE_STR,
None,
"Seen",
"seen",
converter=lambda val: "Yes"
if val == 1 else "No"),
KnownFieldSQL(FieldType.TYPE_STR, None, "Message",
"body"),
]),
],
})
}
class LockSettings(IMiscSource):
version = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17]
catalog_id = Catalog.CATALOG_DEVINFO
title = Label("Screen Lock", "screen_lock")
relative_directories = [
"data", "com.android.providers.settings", "databases"
]
knownfiles = {
"settings.db":
KnownFile(
ParserType.TYPE_SQLITE3, {
Label("Lock Settings", "lock_settings"): [
KnownFieldSQL(
FieldType.TYPE_STR,
"""
SELECT value FROM
secure
WHERE name = 'lock_screen_owner_info'
""",
"Owner Info",
"lock_screen_owner_info",
),
KnownFieldSQL(
FieldType.TYPE_STR,
"""
SELECT value FROM
secure
WHERE name = 'lockscreen.password_salt'
""",
"Password Salt",
"password_salt",
),
KnownFieldSQL(FieldType.TYPE_STR,
"""
SELECT value FROM
locksettings
WHERE name = 'lockscreen.password_type'
""",
"Password Quality",
"lockscreen.password_type",
converter=password_type_tostr),
]
})
}
class Calls(IMiscSource):
version = []
catalog_id = Catalog.CATALOG_COMMS
title = Label("Telephony", "telephony")
relative_directories = [
"data", "com.android.providers.contacts", "databases"
]
knownfiles = {
"contacts2.db":
KnownFile(
ParserType.TYPE_SQLITE3, {
Label("Calls", "calls"): [
KnownFieldSQL(
FieldType.TYPE_ARRAY,
"""SELECT * FROM calls""",
contents=[
KnownFieldSQL(FieldType.TYPE_DATE,
None,
"Date",
"date",
converter=ConvertUtils.JsToUnix),
KnownFieldSQL(FieldType.TYPE_INT,
None,
"Type",
"type",
converter=callTypeToStr),
KnownFieldSQL(FieldType.TYPE_STR, None, "Number",
"number"),
KnownFieldSQL(FieldType.TYPE_STR, None, "Contact",
"name"),
KnownFieldSQL(FieldType.TYPE_STR, None,
"Duration (seconds)", "duration"),
KnownFieldSQL(FieldType.TYPE_STR, None,
"Number Geolocation",
"geocoded_location"),
])
]
})
}
def begin(self):
ok = False
self.pq.put("[FacebookContacts]: Scanning contacts")
store = self.extract_store
catalog = store.get_misccatalog(Catalog.CATALOG_COMMS)
section_label = Label("Internet Chats", "internet_chats")
threadsdb = store.query_appstore(
"com.facebook.orca/databases/threads_db2")
if threadsdb != None:
ok = self._gensubsection(
catalog, section_label,
Label("Facebook Messenger Chats", "facebook_messenger_chats"),
threadsdb)
threadsdb = store.query_appstore(
"com.facebook.katana/databases/threads_db2")
if threadsdb != None:
ok = self._gensubsection(
catalog, section_label,
Label("Facebook App Chats", "facebook_app_chats"), threadsdb)
return ok
class Bluetooth(IMiscSource):
version = []
catalog_id = Catalog.CATALOG_NETWORKING
title = Label("Bluetooth Information", "bluetooth_info")
relative_directories = ["misc", "bluedroid"]
knownfiles = {
"bt_config.xml":
KnownFile(
ParserType.TYPE_XML, {
Label("Device Info", "device_info"): [
KnownFieldXML(
FieldType.TYPE_STR,
"*[@Tag='Local']/*[@Tag='Adapter']/*[@Tag='Address']",
"device_hardware_address", "Device Hardware Address"),
],
Label("Paired Devices", "paired_devices"): [
KnownFieldXML(
FieldType.TYPE_CONTAINER,
"*[@Tag='Remote']",
"paired_devices",
contents=[
KnownFieldXML(FieldType.TYPE_STR,
".",
"device_hardware_address",
"Device Hardware Address",
read_type=ReadTypeXML.READ_ATTR,
attr="Tag"),
KnownFieldXML(FieldType.TYPE_DATE,
"./*[@Tag='Timestamp']", "pair_date",
"Pair Date"),
KnownFieldXML(FieldType.TYPE_STR,
"./*[@Tag='Name']", "device_name",
"Device Name")
])
]
})
}
def begin(self):
self.selfprint("Scanning contacts")
store = self.extract_store
contactsdb = store.query_appstore(
"com.linkedin.android/databases/linkedin.db")
if contactsdb == None:
self.selfprint("Error: Could not locate database file")
return False
if contactsdb.ftype != ExtractStore.TYPE_MULTI:
self.selfprint("Error: Contacts db not a database")
return False
contacts = contactsdb.get_multicontent("connections")
if contacts == None:
self.selfprint("Error: Could not locate connections table")
return False
if contacts.ctype != ExtractStore.TYPE_TABLE:
self.selfprint("Error: connections table not a table")
return False
contact_items = []
for contact in contacts.content:
contact_info = [
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Name",
contact["display_name"],
item_name="name"),
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Headline",
contact["headline"],
item_name="headline"),
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"LinkedIn Member ID",
contact["member_id"],
item_name="member_id"),
]
contact_items.append(
ExtractStore.MiscItem(ExtractStore.TYPE_MULTI,
item_contents=contact_info,
item_name="contact"))
if len(contact_items) != 0:
catalog = store.get_misccatalog(Catalog.CATALOG_COMMS)
section = catalog.get_section_by_internalname("contacts")
if section == None:
section = catalog.get_section(Label("Contacts", "contacts"),
True)
section.add_subsection(
ExtractStore.MiscSubSection(
Label("LinkedIn Connections", "linkedin_connections"),
contact_items))
self.selfprint("Retrieving Messages")
messages = contactsdb.get_multicontent("messages")
if messages == None or len(messages.content) == 0:
self.selfprint("None or empty LinkedIn Messages")
message_items = []
for message in messages.content:
message_info = [
ExtractStore.MiscItem(ExtractStore.TYPE_DATE,
"Date",
message["timestamp"],
item_name="date"),
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"From",
message["from_display_name"],
item_name="from"),
ExtractStore.MiscItem(ExtractStore.TYPE_DATE,
"Subject",
message["subject"],
item_name="subject"),
ExtractStore.MiscItem(ExtractStore.TYPE_DATE,
"Partial Message",
message["body"],
item_name="partial_message"),
]
message_items.append(
ExtractStore.MiscItem(ExtractStore.TYPE_MULTI,
item_contents=message_info,
item_name="message"))
if len(message_items) != 0:
self.selfprint("Populating LinkedIn Messages section")
catalog = store.get_misccatalog(Catalog.CATALOG_COMMS)
section = catalog.get_section(
Label("Internet Chats", "internet_chats"), True)
section.add_subsection(
ExtractStore.MiscSubSection(
Label("LinkedIn Messages", "linkedin_messages"),
message_items))
return True
class LockSettings(IMiscSource):
version = []
catalog_id = Catalog.CATALOG_DEVINFO
title = Label("Screen Lock", "screen_lock")
relative_directories = ["system"]
knownfiles = {
"locksettings.db":
KnownFile(
ParserType.TYPE_SQLITE3, {
Label("Lock Settings", "lock_settings"): [
KnownFieldSQL(FieldType.TYPE_STR,
"""
SELECT value FROM
locksettings
WHERE name = 'lock_screen_owner_info_enabled'
""",
"Owner Info Display",
"lock_screen_owner_info_enabled",
converter=lambda val: "Enabled"
if val == '1' else "Disabled"),
KnownFieldSQL(
FieldType.TYPE_STR,
"""
SELECT value FROM
locksettings
WHERE name = 'lock_screen_owner_info'
""",
"Owner Info",
"lock_screen_owner_info",
),
KnownFieldSQL(FieldType.TYPE_STR,
"""
SELECT value FROM
locksettings
WHERE name = 'lockscreen.disabled'
""",
"Lock Screen",
"lockscreen.disabled",
converter=lambda val: "Disabled"
if val == '1' else "Enabled"),
KnownFieldSQL(
FieldType.TYPE_STR,
"""
SELECT value FROM
locksettings
WHERE name = 'lockscreen.password_salt'
""",
"Password Salt",
"password_salt",
),
KnownFieldSQL(FieldType.TYPE_STR,
"""
SELECT value FROM
locksettings
WHERE name = 'lockscreen.password_type'
""",
"Password Quality",
"lockscreen.password_type",
converter=password_type_tostr),
]
}),
"password.key":
KnownFile(
ParserType.TYPE_REGEX, {
Label("Lock Settings", "lock_settings"): [
KnownField(FieldType.TYPE_STR, "(.*)", "password_hash",
"Password Hash")
]
}),
"gesture.key":
KnownFile(
ParserType.TYPE_BINARY, {
Label("Lock Settings", "lock_settings"): [
KnownFieldBin(BinaryClass.ASCII_STRING, BinaryRead.EOF,
"gesture_hash", "Gesture Hash",
ConvertUtils.BintoASCII)
]
}),
"device_policies.xml":
KnownFile(
ParserType.TYPE_XML, {
Label("Lock Settings", "lock_settings"): [
KnownFieldXML(FieldType.TYPE_STR,
"./active-password", "password_length"
"Password Length",
read_type=ReadTypeXML.READ_ATTR,
attr="length"),
KnownFieldXML(FieldType.TYPE_STR,
"./active-password",
"password_quality_journal",
"Password Quality (Journal)",
read_type=ReadTypeXML.READ_ATTR,
attr="quality",
converter=password_type_tostr),
KnownFieldXML(FieldType.TYPE_STR,
"./active-password",
"num_letters",
"Letter Digits #",
read_type=ReadTypeXML.READ_ATTR,
attr="letters"),
KnownFieldXML(FieldType.TYPE_STR,
"./active-password",
"num_nonletter",
"Non-letter Digits #",
read_type=ReadTypeXML.READ_ATTR,
attr="length"),
KnownFieldXML(FieldType.TYPE_STR,
"./active-password",
"num_lowercase",
"Lowercase Digits #",
read_type=ReadTypeXML.READ_ATTR,
attr="lowercase"),
KnownFieldXML(FieldType.TYPE_STR,
"./active-password",
"num_uppercase",
"Uppercase Digits #",
read_type=ReadTypeXML.READ_ATTR,
attr="uppercase"),
KnownFieldXML(FieldType.TYPE_STR,
"./active-password",
"num_numbers",
"Numeric Digits #",
read_type=ReadTypeXML.READ_ATTR,
attr="numeric"),
KnownFieldXML(FieldType.TYPE_STR,
"./active-password",
"num_symbols",
"Symbol Digits #",
read_type=ReadTypeXML.READ_ATTR,
attr="symbols"),
]
})
}
def begin(self):
self.selfprint("Scanning messages")
store = self.extract_store
ok = False
subsection_label = Label("Skype Messages", "skype_messages")
skypefiles = store.query_appstore("com.skype.raider/files")
if skypefiles == None:
self.selfprint("Error: No Skype files found")
return False
maindbs = skypefiles.find_all_files("main.db")
if maindbs == None:
self.selfprint("Error: Could not find main.db")
return False
message_items = []
for maindb in maindbs:
accnt = maindb.get_multicontent("Accounts",
ExtractStore.TYPE_TABLE)
if accnt == None:
self.selfprint("No account table found, treating as unknown")
accnt_name = "Unknown Account"
else:
accnt_name = accnt.content[0]['skypename']
messages = maindb.get_multicontent("Messages",
ExtractStore.TYPE_TABLE)
if messages == None:
self.selfprint("Messages table not found")
continue
for msg in messages.content:
if msg['chatmsg_status'] in self.SKYPE_STATUS:
status = self.SKYPE_STATUS[msg['chatmsg_status']]
else:
status = msg['chatmsg_status']
if msg['type'] in self.SKYPE_MSGTYPE:
msgtype = self.SKYPE_MSGTYPE[msg['type']]
else:
msgtype = msg['type']
msg_info = [
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Account",
accnt_name,
item_name="account"),
ExtractStore.MiscItem(ExtractStore.TYPE_DATE,
"Date",
msg['timestamp'],
item_name="date"),
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Type",
msgtype,
item_name="type"),
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Status",
status,
item_name="status"),
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"From",
u"{} ({})".format(
msg['from_dispname'],
msg['author']),
item_name="from"),
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Message",
msg["body_xml"],
item_name="message"),
]
message_items.append(
ExtractStore.MiscItem(ExtractStore.TYPE_MULTI,
item_contents=msg_info,
item_name="message"))
if len(message_items) != 0:
catalog = store.get_misccatalog(Catalog.CATALOG_COMMS)
section = catalog.get_section(
Label("Internet Chats", "internet_chats"), True)
section.add_subsection(
ExtractStore.MiscSubSection(subsection_label, message_items))
ok = True
return ok
class Contacts(IMiscSource):
version = []
catalog_id = Catalog.CATALOG_COMMS
title = Label("Contacts", "contacts")
relative_directories = [
"data", "com.android.providers.contacts", "databases"
]
knownfiles = {
"contacts2.db":
KnownFile(
ParserType.TYPE_SQLITE3, {
Label("Contacts", "contacts"): [
KnownFieldSQL(
FieldType.TYPE_ARRAY,
"""
SELECT DISTINCT
data._id AS _id,
data.raw_contact_id AS person,
data.is_primary AS isprimary,
data.data1 AS number,
data.data2 AS num_type,
data.data3 AS label,
data.data1 AS number_key,
name.data1 AS name,
raw_contacts.display_name AS display_name,
note.data1 AS notes,
view_v1_people.account_name,
view_v1_people.account_type,
raw_contacts.times_contacted AS times_contacted,
raw_contacts.last_time_contacted AS last_time_contacted,
raw_contacts.custom_ringtone AS custom_ringtone,
raw_contacts.send_to_voicemail AS send_to_voicemail,
raw_contacts.starred AS starred,
raw_contacts.deleted AS deleted,
organization._id AS primary_organization,
email._id AS primary_email,
phone._id AS primary_phone,
phone.data1 AS pnumber,
phone.data2 AS ptype,
phone.data3 AS plabel,
phone.data1 AS pnumber_key
FROM data
JOIN phone_lookup
ON ( data._id = phone_lookup.data_id )
JOIN mimetypes
ON ( mimetypes._id = data.mimetype_id )
JOIN raw_contacts
ON ( raw_contacts._id = data.raw_contact_id )
JOIN view_v1_people
ON ( raw_contacts._id = view_v1_people._id )
LEFT OUTER JOIN data name
ON ( raw_contacts._id = name.raw_contact_id
AND (
SELECT mimetype
FROM mimetypes
WHERE mimetypes._id = name.mimetype_id
) = 'vnd.android.cursor.item/name' )
LEFT OUTER JOIN data organization
ON ( raw_contacts._id = organization.raw_contact_id
AND (
SELECT mimetype
FROM mimetypes
WHERE mimetypes._id =
organization.mimetype_id
) = 'vnd.android.cursor.item/organization'
AND organization.is_primary )
LEFT OUTER JOIN data email
ON ( raw_contacts._id = email.raw_contact_id
AND
(
SELECT mimetype
FROM mimetypes
WHERE mimetypes._id =
email.mimetype_id
) = 'vnd.android.cursor.item/email_v2'
AND email.is_primary )
LEFT OUTER JOIN data note
ON ( raw_contacts._id = note.raw_contact_id
AND (
SELECT mimetype
FROM mimetypes
WHERE mimetypes._id = note.mimetype_id
) = 'vnd.android.cursor.item/note' )
LEFT OUTER JOIN data phone
ON ( raw_contacts._id = phone.raw_contact_id
AND (
SELECT mimetype
FROM mimetypes
WHERE mimetypes._id =
phone.mimetype_id
) = 'vnd.android.cursor.item/phone_v2'
AND phone.is_primary )
WHERE
mimetypes.mimetype = 'vnd.android.cursor.item/phone_v2'
""",
contents=[
KnownFieldSQL(FieldType.TYPE_STR, None,
"Person ID", "person"),
KnownFieldSQL(FieldType.TYPE_STR, None, "Name",
"name"),
KnownFieldSQL(FieldType.TYPE_STR, None, "Number",
"number"),
KnownFieldSQL(FieldType.TYPE_INT,
None,
"Type",
"num_type",
converter=phoneType2Text),
KnownFieldSQL(FieldType.TYPE_STR, None, "Label",
"label"),
KnownFieldSQL(FieldType.TYPE_STR, None,
"Times Contacted",
"times_contacted"),
KnownFieldSQL(
FieldType.TYPE_DATE,
None,
"Last Contact Date",
"last_time_contacted",
converter=ConvertUtils.JsToUnix),
KnownFieldSQL(FieldType.TYPE_STR, None, "Notes",
"notes"),
KnownFieldSQL(FieldType.TYPE_STR, None, "Account",
"account_name"),
KnownFieldSQL(FieldType.TYPE_STR, None,
"Account Type", "account_type")
])
]
})
}
class SELinuxLog(IMiscSource):
version = []
catalog_id = Catalog.CATALOG_LOGS
title = Label("SELinux Audit Log", "selinux")
relative_directories = ["misc", "audit"]
knownfiles = {
"audit.log":
KnownFile(
ParserType.TYPE_REGEX, {
Label("File System Logs", "filesyste_logs"): [
KnownField(
FieldType.TYPE_CONTAINER,
"(.*?tclass=(dir|file|ipc|fifo_file|chr_file|" +
"filesystem|lnk_file|association|fd|" +
"sock_file|unix_stream_socket|netlink_nflog_socket))\n",
"logs_container",
contents=[
KnownField(FieldType.TYPE_DATE, "msg=audit\((\d*)",
"date", "Date"),
KnownField(FieldType.TYPE_STR, "avc:\s+?(\w+)",
"action", "Action"),
KnownField(FieldType.TYPE_STR, "\{\s+?(\w+)\s+}",
"permission", "Permission"),
KnownField(FieldType.TYPE_STR, "pid=(\d+)", "pid",
"PID"),
KnownField(FieldType.TYPE_STR, "comm=\"(.*?)\"",
"command", "Command"),
KnownField(FieldType.TYPE_STR,
"name=\"(.*?)\"|group=\"(.*?)\"",
"name", "Name/Path"),
KnownField(FieldType.TYPE_STR, "dev=(\w+)\s",
"dev", "Device"),
KnownField(FieldType.TYPE_STR, "ino=(\d+)\s",
"inode", "inode"),
KnownField(FieldType.TYPE_STR, "scontext=(.*?)\s",
"source_context", "Source Context"),
KnownField(FieldType.TYPE_STR, "tcontext=(.*?)\s",
"target_context", "Target Context"),
KnownField(FieldType.TYPE_STR, "tclass=(.*)",
"target_class", "Target Class")
])
],
Label("Networking", "networking_logs"): [
KnownField(
FieldType.TYPE_CONTAINER,
"(.*?tclass=(key_socket|netif|netlink_socket|" +
"netlink_audit_socket|netlink_ip6fw_socket|" +
"netlink_kobject_uevent_socket|" +
"netlink_route_socket|" + "netlink_selinux_socket|" +
"netlink_tcpdiag_socket|netlink_xfrm_socket|" +
"node|packet|packet_socket|peer|rawip_socket|" +
"socket|tcp_socket|tun_socket|udp_socket|" +
"unix_dgram_socket))\n",
"logs_container",
contents=[
KnownField(FieldType.TYPE_DATE, "msg=audit\((\d*)",
"date", "Date"),
KnownField(FieldType.TYPE_STR, "avc:\s+?(\w+)",
"action", "Action"),
KnownField(FieldType.TYPE_STR, "\{\s+?(\w+)\s+}",
"permission", "Permission"),
KnownField(FieldType.TYPE_STR, "pid=(\d+)", "pid",
"PID"),
KnownField(FieldType.TYPE_STR, "comm=\"(.*?)\"",
"command", "Command"),
KnownField(FieldType.TYPE_STR,
"src=(\d+)|lport=(\d+)", "source",
"Source/Bind Port"),
KnownField(FieldType.TYPE_STR, "dest=(\d+)",
"dest", "Destination"),
KnownField(FieldType.TYPE_STR, "scontext=(.*?)\s",
"source_context", "Source Context"),
KnownField(FieldType.TYPE_STR, "tcontext=(.*?)\s",
"target_context", "Target Context"),
KnownField(FieldType.TYPE_STR, "tclass=(.*)",
"target_class", "Target Class")
])
],
}),
}
def begin(self):
self.selfprint("Scanning contacts")
store = self.extract_store
subsection_label = Label("Whatsapp Contacts", "whatsapp_contacts")
wadb = store.query_appstore("com.whatsapp/databases/wa.db")
if wadb == None:
self.selfprint("Error: Could not locate database file")
return False
if wadb.ftype != ExtractStore.TYPE_MULTI:
self.selfprint("Error: Contacts db not a database")
return False
contacts = wadb.get_multicontent("wa_contacts")
if contacts == None:
self.selfprint("Error: Could not locate contacts table")
return False
if contacts.ctype != ExtractStore.TYPE_TABLE:
self.selfprint("Error: contacts table not a table")
return False
contact_items = []
for contact in contacts.content:
phone_type = contact["phone_type"]
if phone_type in NUMBER_TYPES:
phone_type = NUMBER_TYPES[phone_type]
isuser = contact["is_whatsapp_user"]
if isuser == 1:
isuser = "******"
else:
isuser = "******"
contact_info = [
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Whatsapp Name",
contact["wa_name"],
item_name="wa_name"),
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Display Name",
contact["display_name"],
item_name="display_name"),
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Number",
contact["number"],
item_name="number"),
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Phone Type",
phone_type,
item_name="phone_type"),
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Whatsapp ID",
contact["jid"],
item_name="jid"),
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Whatsapp User",
isuser,
item_name="isuser"),
]
contact_items.append(
ExtractStore.MiscItem(ExtractStore.TYPE_MULTI,
item_contents=contact_info,
item_name="contact"))
if len(contact_items) != 0:
catalog = store.get_misccatalog(Catalog.CATALOG_COMMS)
section = catalog.get_section(Label("Contacts", "contacts"), True)
section.add_subsection(
ExtractStore.MiscSubSection(subsection_label, contact_items))
return True
class WiFi(IMiscSource):
version = []
catalog_id = Catalog.CATALOG_NETWORKING
title = Label("Wifi Information", "wifi_info")
relative_directories = ["misc", "wifi"]
knownfiles = {
"wpa_supplicant.conf":
KnownFile(
ParserType.TYPE_REGEX, {
Label("Device Info", "device_info"): [
KnownField(FieldType.TYPE_STR, "ctrl_interface=(.*?)\n",
"interface", "Wifi Interface"),
KnownField(FieldType.TYPE_STR, "device_name=(.*?)\n",
"dev_name"
"Device Name"),
KnownField(FieldType.TYPE_STR, "manufacturer=(.*?)\n",
"manufacturer", "Manufacturer")
],
Label("Connected Networks", "connected_networks"): [
KnownField(
FieldType.TYPE_CONTAINER,
"network=\{[\s\S.]*?\}",
"connected_networks",
"networks_container",
contents=[
KnownField(FieldType.TYPE_STR, "ssid=(.*?)\n",
"ssid", "Network SSID"),
KnownField(FieldType.TYPE_STR, "bssid=(.*?)\n",
"ap_address", "AP Address"),
KnownField(FieldType.TYPE_STR, "key_mgmt=(.*?)\n",
"security", "Security"),
KnownField(FieldType.TYPE_STR, "psk=(.*?)\n",
"password", "Password"),
KnownField(FieldType.TYPE_STR, "priority=(.*?)\n",
"priority", "Network Priority")
])
]
}),
"hostapd.conf":
KnownFile(
ParserType.TYPE_REGEX, {
Label("Wifi Tethering", "wifi_tethering"): [
KnownField(FieldType.TYPE_STR, "interface=(.*?)\n",
"tethering_interface", "Tethering Interface"),
KnownField(FieldType.TYPE_STR, "ssid=(.*?)\n",
"network_name", "Network Name"),
KnownField(FieldType.TYPE_STR, "channel=(.*?)\n",
"channel", "Channel"),
KnownField(FieldType.TYPE_STR, "wpa_psk=(.*?)\n",
"wpa_passkey", "WPA Passkey")
]
}),
"softap.conf":
KnownFile(
ParserType.TYPE_BINARY, {
Label("Wifi Tethering", "wifi_tethering"): [
KnownFieldBin(BinaryClass.ENUMERATION, BinaryRead.INTEGER,
"file_version", "File Version",
{1: "VERSION 1"}),
KnownFieldBin(BinaryClass.CONSUME, BinaryRead.SHORT,
"ssidlength", None),
KnownFieldBin(BinaryClass.UTF8, "ssidlength", "ap_name",
"AP Network Name (Software)"),
KnownFieldBin(
BinaryClass.ENUMERATION, BinaryRead.INTEGER,
"auth_type", "Security", {
0: "NONE",
1: "WPA_PSK",
2: "WPA_EAP",
3: "IEEE8021X",
4: "WPA2_PSK"
}),
KnownFieldBin(BinaryClass.CONSUME, BinaryRead.SHORT,
"passlength", None),
KnownFieldBin(BinaryClass.UTF8, "passlength", "pass",
"Password (Plain)")
]
})
}
def begin(self):
self.selfprint("Scanning messages")
store = self.extract_store
subsection_label = Label("Whatsapp Messages", "whatsapp_messages")
msgsdb = store.query_appstore("com.whatsapp/databases/msgstore.db")
if msgsdb == None:
self.selfprint("Error: Could not locate database file")
return False
if msgsdb.ftype != ExtractStore.TYPE_MULTI:
self.selfprint("Error: Messages db not a database")
return False
msgs = msgsdb.get_multicontent("messages")
if msgs == None:
self.selfprint("Error: Could not locate messages table")
return False
if msgs.ctype != ExtractStore.TYPE_TABLE:
self.selfprint("Error: messages table not a table")
return False
message_items = []
for msg in msgs.content: #XXX need to add more columns
msg_info = [
ExtractStore.MiscItem( #XXX need to convert this
ExtractStore.TYPE_STRING,
"Origin",
msg["origin"],
item_name="wa_name"),
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Send Date",
msg["send_timestamp"],
item_name="send_timestamp"),
ExtractStore.MiscItem(ExtractStore.TYPE_DATE,
"Received Date",
msg["received_timestamp"],
item_name="received_timestamp"),
ExtractStore.MiscItem( #XXX need to convert this
ExtractStore.TYPE_STRING,
"Status",
msg["status"],
item_name="status"),
ExtractStore.MiscItem( #XXX need to join Message/Raw Message
ExtractStore.TYPE_STRING,
"Message",
msg["data"],
item_name="data"),
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Raw Message",
msg["raw_data"],
item_name="raw_data"),
]
message_items.append(
ExtractStore.MiscItem(ExtractStore.TYPE_MULTI,
item_contents=msg_info,
item_name="message"))
if len(message_items) != 0:
catalog = store.get_misccatalog(Catalog.CATALOG_COMMS)
section = catalog.get_section(
Label("Internet Chats", "internet_chats"), True)
section.add_subsection(
ExtractStore.MiscSubSection(subsection_label, message_items))
return True
class Packages(IMiscSource):
version = []
catalog_id = Catalog.CATALOG_APPS
title = Label("Packages & Permissions", "packages")
relative_directories = ["system"]
knownfiles = {
"packages.xml":
KnownFile(
ParserType.TYPE_XML,
{
Label(STR_INSTALLED_APPLICATIONS, "installed_apps"):
[ #XXX add signatures as well?
KnownFieldXML(
FieldType.TYPE_ARRAY,
["./package", "./updated-package", "./shared-user"],
"applications",
contents=[
KnownFieldXML(FieldType.TYPE_STR,
".",
"name",
"Package Name",
read_type=ReadTypeXML.READ_ATTR,
attr="name"),
KnownFieldXML(FieldType.TYPE_STR,
".",
"codePath",
"APK Path",
read_type=ReadTypeXML.READ_ATTR,
attr="codePath"),
#Flags information can be found under
#/frameworks/base/core/java/android/content/pm/ApplicationInfo.java:34
KnownFieldXML(FieldType.TYPE_INT,
".",
"flags",
"Flags",
read_type=ReadTypeXML.READ_ATTR,
attr="flags"),
KnownFieldXML(FieldType.TYPE_DATE,
".",
"ft",
"First Install Time",
read_type=ReadTypeXML.READ_ATTR,
attr="ft",
converter=ConvertUtils.HexToUnix),
KnownFieldXML(FieldType.TYPE_DATE,
".",
"it",
"Install Time",
read_type=ReadTypeXML.READ_ATTR,
attr="it",
converter=ConvertUtils.HexToUnix),
KnownFieldXML(FieldType.TYPE_DATE,
".",
"ut",
"Update Time",
read_type=ReadTypeXML.READ_ATTR,
attr="ut",
converter=ConvertUtils.HexToUnix),
KnownFieldXML(
FieldType.TYPE_STR,
".",
"version",
"Version",
read_type=ReadTypeXML.READ_ATTR,
attr="version",
),
KnownFieldXML(
FieldType.TYPE_STR,
".",
"userId",
"User ID",
read_type=ReadTypeXML.READ_ATTR,
attr="userId",
),
KnownFieldXML(
FieldType.TYPE_STR,
".",
"installer",
"Installer",
read_type=ReadTypeXML.READ_ATTR,
attr="installer",
),
KnownFieldXML(
FieldType.TYPE_CONTAINER,
"./perms",
"permissions",
"Permissions",
contents=[
KnownFieldXML(
FieldType.TYPE_STR,
".",
"name",
"Permission",
read_type=ReadTypeXML.READ_ATTR,
attr="name")
])
])
],
Label(STR_AVAILABLE_PERMISSIONS, "available_permissions"): [
KnownFieldXML(FieldType.TYPE_CONTAINER,
"./permissions",
"available_permissions",
contents=[
KnownFieldXML(
FieldType.TYPE_STR,
".",
"name",
"Name",
read_type=ReadTypeXML.READ_ATTR,
attr="name"),
KnownFieldXML(
FieldType.TYPE_STR,
".",
"package",
"Package",
read_type=ReadTypeXML.READ_ATTR,
attr="package"),
KnownFieldXML(
FieldType.TYPE_STR,
".",
"protection",
"Protection",
read_type=ReadTypeXML.READ_ATTR,
attr="protection",
converter=protectionToFlags)
])
],
Label(STR_PLATFORM_VERSION, "platform_version"): [
KnownFieldXML(FieldType.TYPE_STR,
"./last-platform-version",
"platform_version",
"Platform Version",
read_type=ReadTypeXML.READ_ATTR,
attr="internal"),
]
})
}
def begin(self):
self.pq.put("[FacebookContacts]: Scanning contacts")
store = self.extract_store
contactsdb = store.query_appstore(
"com.facebook.orca/databases/contacts_db2")
if contactsdb == None:
contactsdb = store.query_appstore(
"com.facebook.katana/databases/contacts_db2")
if contactsdb == None:
self.selfprint("Error: Facebook not installed")
return False
if contactsdb.ftype != ExtractStore.TYPE_MULTI:
self.selfprint("Error: Contacts db not a database")
return False
contacts = contactsdb.get_multicontent("contacts")
if contacts == None:
self.selfprint("Error: Could not locate contacts table")
return False
if contacts.ctype != ExtractStore.TYPE_TABLE:
self.selfprint("Error: Contacts table not a table")
return False
contact_items = []
for contact in contacts.content:
contactjson = contact["data"] #column name = "data"
try:
cont_obj = json.loads(contactjson)
except:
self.selfprint("JSON Error at contact:" + contactjson)
continue
contact_info = []
name = "N/A"
if "name" in cont_obj:
name = cont_obj["name"]["displayName"]
contact_info.append(
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Name",
name,
item_name="name"))
if "phones" in cont_obj:
phones = []
for phone in cont_obj["phones"]:
txt = "Not Verified"
if phone["isVerified"]: txt = "Verified"
phones.append("{}: {} ({})".format(phone["label"],
phone["displayNumber"],
txt))
contact_numbers = ', '.join(phones)
contact_info.append(
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Phone Number(s)",
contact_numbers,
item_name="phone_numbers"))
else:
contact_info.append(
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Phone Number(s)",
"N/A",
item_name="phone_numbers"))
contact_type = "N/A"
if "contactType" in cont_obj:
contact_type = cont_obj["contactType"]
contact_info.append(
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Type",
contact_type,
item_name="type"))
fbid = "N/A"
if "profileFbid" in cont_obj:
fbid = cont_obj["profileFbid"]
contact_info.append(
ExtractStore.MiscItem(ExtractStore.TYPE_STRING,
"Profile ID",
cont_obj["profileFbid"],
item_name="fbid"))
contact_items.append(
ExtractStore.MiscItem(ExtractStore.TYPE_MULTI,
item_contents=contact_info,
item_name="contact"))
if len(contact_items) == 0: return True
catalog = store.get_misccatalog(Catalog.CATALOG_COMMS)
section = catalog.get_section_by_internalname("contacts")
if section == None:
section = catalog.get_section(Label("Contacts", "contacts"), True)
section.add_subsection(
ExtractStore.MiscSubSection(
Label("Facebook Contacts", "facebook_contacts"),
contact_items))
return True