diff --git a/scripts/artifacts/FacebookMessenger.py b/scripts/artifacts/FacebookMessenger.py index 925dc820..1f792be0 100755 --- a/scripts/artifacts/FacebookMessenger.py +++ b/scripts/artifacts/FacebookMessenger.py @@ -6,6 +6,8 @@ def get_FacebookMessenger(files_found, report_folder, seeker, wrap_text): + slash = '\\' if is_platform_windows() else '/' + #logfunc(str(files_found)) for file_found in files_found: file_found = str(file_found) @@ -18,7 +20,7 @@ def get_FacebookMessenger(files_found, report_folder, seeker, wrap_text): if 'user' in file_found: - usernum = file_found.split("/") + usernum = file_found.split(slash) usernum = '_'+str(usernum[-4]) else: usernum = '' diff --git a/scripts/artifacts/googleCallScreen.py b/scripts/artifacts/googleCallScreen.py index 92974a0e..b0ee53ed 100755 --- a/scripts/artifacts/googleCallScreen.py +++ b/scripts/artifacts/googleCallScreen.py @@ -11,6 +11,9 @@ def get_googleCallScreen(files_found, report_folder, seeker, wrap_text): + is_windows = is_platform_windows() + slash = '\\' if is_windows else '/' + for file_found in files_found: file_found = str(file_found) if not file_found.endswith('callscreen_transcripts'): @@ -45,6 +48,11 @@ def get_googleCallScreen(files_found, report_folder, seeker, wrap_text): 'name': '', 'type': 'message'}} + if report_folder[-1] == slash: + folder_name = os.path.basename(report_folder[:-1]) + else: + folder_name = os.path.basename(report_folder) + if usageentries > 0: for row in all_rows: @@ -65,15 +73,9 @@ def get_googleCallScreen(files_found, report_folder, seeker, wrap_text): conversation += convo_timestamp + convo_transcript for match in files_found: - if recording_filename in match: + if str(recording_filename) in match: shutil.copy2(match, report_folder) - audio_file_path = os.path.abspath(match) - audio_clip = ''' - - '''.format(audio_file_path) + audio_clip = f'' data_list.append((lm_ts,recording_path,conversation,audio_clip)) 
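Review bot: `usernum = file_found.split(slash)` ties the split to the host platform, which is fragile if the seeker ever yields paths with the other separator (a forward-slash path on a Windows run would no longer split), and `usernum[-4]` still raises IndexError on a path with fewer than four components. `os.path.normpath(file_found).split(os.sep)` — or `pathlib.Path(file_found).parts` — gives a host-independent split without the `is_platform_windows()` branch; the same pattern is introduced in the `@@ -12,13 +15,15 @@` hunk of installedappsGass.py and the `slash` definition in googleCallScreen.py. The commented-out `#logfunc(str(files_found))` debug line should be dropped rather than committed. get_FacebookMessenger continues outside the hunk.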
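Review bot: `if report_folder[-1] == slash:` raises IndexError on an empty `report_folder` and hand-rolls what `os.path.normpath` already does (it strips a trailing separator), so the four added lines collapse to `folder_name = os.path.basename(os.path.normpath(report_folder))`. `folder_name` has no visible use in this hunk; presumably it feeds the `audio_clip` f-string in the last hunk, whose content is not rendered on this page, so that cannot be confirmed here. get_googleCallScreen continues outside the hunk.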
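Review bot: `if str(recording_filename) in match:` is a substring test against the whole path, so a recording name that is contained in another file's name (constructed example: `1.wav` inside `11.wav`) also matches and the wrong file is copied and embedded; if `recording_filename` holds the full basename, `if os.path.basename(match) == str(recording_filename):` is the exact check. The content of the new `audio_clip = f'…'` line is not rendered on this page; if it interpolates `folder_name` or the recording name into markup, those values presumably originate in the transcript database of the examined device and land in an HTML report, so they should pass through `html.escape(…, quote=True)` before being embedded. get_googleCallScreen continues outside the hunk.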
diff --git a/scripts/artifacts/googleChat.py b/scripts/artifacts/googleChat.py
index 52b65d58..0db15be4 100755
--- a/scripts/artifacts/googleChat.py
+++ b/scripts/artifacts/googleChat.py
@@ -15,130 +15,132 @@ def get_googleChat(files_found, report_folder, seeker, wrap_text): for file_found in files_found: - file_found = str(file_found) - if not file_found.endswith('dynamite.db'): + file_found = str(file_found) + if file_found.endswith('dynamite.db'): + break + else: continue # Skip all other files - db = open_sqlite_db_readonly(file_found) - cursor = db.cursor() - cursor.execute(''' - SELECT - datetime(topic_messages.create_time/1000000,'unixepoch') AS "Message Time (UTC)", - Groups.name AS "Group Name", - users.name AS "Sender", - topic_messages.text_body AS "Message", - topic_messages.annotation AS "Message Attachment" - FROM - topic_messages - JOIN Groups on Groups.group_id=topic_messages.group_id - JOIN users ON users.user_id=topic_messages.creator_id - ORDER BY "Timestamp (UTC)" ASC - ''') + db = open_sqlite_db_readonly(file_found) + cursor = db.cursor() + cursor.execute(''' + SELECT + datetime(topic_messages.create_time/1000000,'unixepoch') AS "Message Time (UTC)", + Groups.name AS "Group Name", + users.name AS "Sender", + topic_messages.text_body AS "Message", + topic_messages.annotation AS "Message Attachment" + FROM + topic_messages + JOIN Groups on Groups.group_id=topic_messages.group_id + JOIN users ON users.user_id=topic_messages.creator_id + ORDER BY "Timestamp (UTC)" ASC + ''') - all_rows = cursor.fetchall() - usageentries = len(all_rows) - data_list = [] - if usageentries > 0: - for x in all_rows: - values = blackboxprotobuf.decode_message(x[4]) - if x[4] == b'': - data_list.append((x[0], x[1], x[2], x[3], '', '', '', '','','','','')) - else: - #images section - try: - item11 = (values[0]['1']['10'].get('3').decode('utf-8')) - item12 = (values[0]['1']['10'].get('4').decode('utf-8')) - item13 = (values[0]['1']['10']['5']['1']) - item14 = (values[0]['1']['10']['5']['2']) - data_list.append((x[0], x[1], x[2], x[3], '', '', '', '', item11, item12, item13, item14)) - continue - except: - pass - #meeting plain section - try: - item8 = 
(values[0]['1']['12']['1']['1'].decode('utf-8')) - item9 = (values[0]['1']['12']['1']['3'].decode('utf-8')) - item10 = (values[0]['1']['12']['1']['2'].decode('utf-8')) - data_list.append((x[0], x[1], x[2], x[3], item9, item10, '', '','','','','')) - continue - except: - pass - - #meeting with sender name - try: - item4 = (values[0]['1'][0]['12']['1']['1'].decode('utf-8')) - item5 = (values[0]['1'][0]['12']['1']['3'].decode('utf-8')) - item6 = (values[0]['1'][0]['12']['1']['6']['16']['1'].decode('utf-8')) - item7 = (values[0]['1'][0]['12']['1']['6']['16']['2'].decode('utf-8')) - data_list.append((x[0], x[1], x[2], x[3], item5, item6, item7, '','','','','')) - continue - except: - pass - - try: - item1 = (values[0]['1'][0]['12']['1']['1'].decode('utf-8')) - item2 = (values[0]['1'][0]['12']['1']['3'].decode('utf-8')) - item3 = (values[0]['1'][0]['12']['1']['2'].decode('utf-8')) - data_list.append((x[0], x[1], x[2], x[3], item2, item3, '','','','','','')) - except: - pass + all_rows = cursor.fetchall() + usageentries = len(all_rows) + data_list = [] + if usageentries > 0: + for x in all_rows: + values = blackboxprotobuf.decode_message(x[4]) + if x[4] == b'': + data_list.append((x[0], x[1], x[2], x[3], '', '', '', '','','','','')) + else: + #images section + try: + item11 = (values[0]['1']['10'].get('3').decode('utf-8')) + item12 = (values[0]['1']['10'].get('4').decode('utf-8')) + item13 = (values[0]['1']['10']['5']['1']) + item14 = (values[0]['1']['10']['5']['2']) + data_list.append((x[0], x[1], x[2], x[3], '', '', '', '', item11, item12, item13, item14)) + continue + except: + pass + #meeting plain section + try: + item8 = (values[0]['1']['12']['1']['1'].decode('utf-8')) + item9 = (values[0]['1']['12']['1']['3'].decode('utf-8')) + item10 = (values[0]['1']['12']['1']['2'].decode('utf-8')) + data_list.append((x[0], x[1], x[2], x[3], item9, item10, '', '','','','','')) + continue + except: + pass - if usageentries > 0: - report = ArtifactHtmlReport('Google Chat 
Messages') - report.start_artifact_report(report_folder, 'Chat Messages') - report.add_script() - data_headers = ('Message Timestamp (UTC)','Group Name','Sender','Message','Meeting Code', 'Meeting URL','Meeting Sender','Meeting Sender Profile Pic URL','Filename','File Type','Width','Height') + #meeting with sender name + try: + item4 = (values[0]['1'][0]['12']['1']['1'].decode('utf-8')) + item5 = (values[0]['1'][0]['12']['1']['3'].decode('utf-8')) + item6 = (values[0]['1'][0]['12']['1']['6']['16']['1'].decode('utf-8')) + item7 = (values[0]['1'][0]['12']['1']['6']['16']['2'].decode('utf-8')) + data_list.append((x[0], x[1], x[2], x[3], item5, item6, item7, '','','','','')) + continue + except: + pass + + try: + item1 = (values[0]['1'][0]['12']['1']['1'].decode('utf-8')) + item2 = (values[0]['1'][0]['12']['1']['3'].decode('utf-8')) + item3 = (values[0]['1'][0]['12']['1']['2'].decode('utf-8')) + data_list.append((x[0], x[1], x[2], x[3], item2, item3, '','','','','','')) + except: + pass + + if usageentries > 0: + report = ArtifactHtmlReport('Google Chat Messages') + report.start_artifact_report(report_folder, 'Chat Messages') + report.add_script() + data_headers = ('Message Timestamp (UTC)','Group Name','Sender','Message','Meeting Code', 'Meeting URL','Meeting Sender','Meeting Sender Profile Pic URL','Filename','File Type','Width','Height') - report.write_artifact_data_table(data_headers, data_list, file_found) - report.end_artifact_report() - - tsvname = f'Google Chat Messages' - tsv(report_folder, data_headers, data_list, tsvname) - - tlactivity = f'Google Chat Messages' - timeline(report_folder, tlactivity, data_list, data_headers) - else: - logfunc('No Google Chat Messages data available') + report.write_artifact_data_table(data_headers, data_list, file_found) + report.end_artifact_report() + + tsvname = f'Google Chat Messages' + tsv(report_folder, data_headers, data_list, tsvname) + + tlactivity = f'Google Chat Messages' + timeline(report_folder, tlactivity, 
data_list, data_headers) + else: + logfunc('No Google Chat Messages data available') - cursor.execute(''' - SELECT - datetime(Groups.create_time/1000000,'unixepoch') AS "Group Created Time (UTC)", - Groups.name AS "Group Name", - users.name AS "Group Creator", - datetime(Groups.last_view_time/1000000,'unixepoch') AS "Time Group Last Viewed (UTC)" - FROM - Groups - JOIN users ON users.user_id=Groups.creator_id - ORDER BY "Group Created Time (UTC)" ASC - ''') + cursor.execute(''' + SELECT + datetime(Groups.create_time/1000000,'unixepoch') AS "Group Created Time (UTC)", + Groups.name AS "Group Name", + users.name AS "Group Creator", + datetime(Groups.last_view_time/1000000,'unixepoch') AS "Time Group Last Viewed (UTC)" + FROM + Groups + JOIN users ON users.user_id=Groups.creator_id + ORDER BY "Group Created Time (UTC)" ASC + ''') - all_rows = cursor.fetchall() - usageentries = len(all_rows) - if usageentries > 0: - report = ArtifactHtmlReport('Google Chat Group Information') - report.start_artifact_report(report_folder, 'Group Information') - report.add_script() - data_headers = ('Group Created Time (UTC)','Group Name','Group Creator','Time Group Last Viewed (UTC)') - data_list = [] - for row in all_rows: - data_list.append((row[0],row[1],row[2],row[3])) + all_rows = cursor.fetchall() + usageentries = len(all_rows) + if usageentries > 0: + report = ArtifactHtmlReport('Google Chat Group Information') + report.start_artifact_report(report_folder, 'Group Information') + report.add_script() + data_headers = ('Group Created Time (UTC)','Group Name','Group Creator','Time Group Last Viewed (UTC)') + data_list = [] + for row in all_rows: + data_list.append((row[0],row[1],row[2],row[3])) - report.write_artifact_data_table(data_headers, data_list, file_found) - report.end_artifact_report() - - tsvname = f'Google Chat Group Information' - tsv(report_folder, data_headers, data_list, tsvname) + report.write_artifact_data_table(data_headers, data_list, file_found) + 
report.end_artifact_report() + + tsvname = f'Google Chat Group Information' + tsv(report_folder, data_headers, data_list, tsvname) + + tlactivity = f'Google Chat Group Information' + timeline(report_folder, tlactivity, data_list, data_headers) + else: + logfunc('No Google Chat Group Information data available') - tlactivity = f'Google Chat Group Information' - timeline(report_folder, tlactivity, data_list, data_headers) - else: - logfunc('No Google Chat Group Information data available') - - db.close() + db.close() __artifacts__ = { "GoogleChat": ( "Google Chat", - ('*/com.google.android.gm/databases/user_accounts/*/dynamite*.db','*/com.google.android.apps.dynamite/databases/dynamite*.db'), + ('*/com.google.android.gm/databases/user_accounts/*/dynamite.db*','*/com.google.android.apps.dynamite/databases/dynamite.db*'), get_googleChat) } \ No newline at end of file diff --git a/scripts/artifacts/imo.py b/scripts/artifacts/imo.py index 3a0e1ccc..0bba5e1b 100755 --- a/scripts/artifacts/imo.py +++ b/scripts/artifacts/imo.py @@ -76,6 +76,7 @@ def get_imo(files_found, report_folder, seeker, wrap_text): for row in all_rows: from_id = '' to_id = '' + attachmentPath = '' if row[4] == "Incoming": from_id = row[0] else: diff --git a/scripts/artifacts/installedappsGass.py b/scripts/artifacts/installedappsGass.py index efba7567..f884a5d5 100755 --- a/scripts/artifacts/installedappsGass.py +++ b/scripts/artifacts/installedappsGass.py @@ -1,9 +1,12 @@ import sqlite3 from scripts.artifact_report import ArtifactHtmlReport -from scripts.ilapfuncs import logfunc, tsv, open_sqlite_db_readonly +from scripts.ilapfuncs import logfunc, tsv, is_platform_windows, open_sqlite_db_readonly def get_installedappsGass(files_found, report_folder, seeker, wrap_text): + + slash = '\\' if is_platform_windows() else '/' + for file_found in files_found: file_found = str(file_found) if file_found.endswith('.db'): 
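Review bot: After the rewritten loop, `break` is the only path on which `file_found` names the database, so when no entry ends with `dynamite.db` the code below opens whichever path was iterated last (with the new `dynamite.db*` pattern that can be a `-wal`/`-shm` sidecar), and with an empty `files_found` the name is unbound at `db = open_sqlite_db_readonly(file_found)`. Dropping the inner `else: continue` (the loop continues anyway) and adding a loop-`else` clause handles both: `else:` / `logfunc('No Google Chat Messages data available')` / `return`. The same loop shape is introduced in wellbeing.py (`@@ -7,7 +7,10 @@`). The `__artifacts__` change at the end of the hunk is fine on its own.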
@@ -12,13 +15,15 @@ def get_installedappsGass(files_found, report_folder, seeker, wrap_text):
 cursor = db.cursor()
 cursor.execute('''
 SELECT
- distinct(package_name)
+ distinct(package_name),
+ version_code,
+ digest_sha256
 FROM
 app_info
 ''')
 if 'user' in file_found:
- usernum = file_found.split("/")
+ usernum = file_found.split(slash)
 usernum = '_'+str(usernum[-4])
 else:
 usernum = ''
@@ -29,10 +34,10 @@ def get_installedappsGass(files_found, report_folder, seeker, wrap_text):
 report = ArtifactHtmlReport('Installed Apps')
 report.start_artifact_report(report_folder, f'Installed Apps (GMS){usernum}')
 report.add_script()
- data_headers = ('Bundle ID',) # Don't remove the comma, that is required to make this a tuple as there is only 1 element
+ data_headers = ('Bundle ID','Version Code','SHA-256 Hash') # Don't remove the comma, that is required to make this a tuple as there is only 1 element
 data_list = []
 for row in all_rows:
- data_list.append((row[0],))
+ data_list.append((row[0],row[1],row[2]))
 report.write_artifact_data_table(data_headers, data_list, file_found)
 report.end_artifact_report()
diff --git a/scripts/artifacts/smyfilescache.py b/scripts/artifacts/smyfilescache.py
index cf4d7a9c..fa4095d4 100755
--- a/scripts/artifacts/smyfilescache.py
+++ b/scripts/artifacts/smyfilescache.py
@@ -6,12 +6,8 @@ def get_smyfilescache(files_found, report_folder, seeker, text_wrap):
- platform = is_platform_windows()
- if platform:
- media_path = media_path.replace('/', '\\')
- splitter = '\\'
- else:
- splitter = '/'
+ is_windows = is_platform_windows()
+ splitter = '\\' if is_windows else '/'
 for file_found in files_found:
 file_found = str(file_found)
@@ -38,7 +34,6 @@ def get_smyfilescache(files_found, report_folder, seeker, text_wrap):
 for row in all_rows:
 thumb = media_to_html(splitter + str(row[1]) + '.jpg', files_found, report_folder)
- data_list.append((row[0], thumb, row[1], row[2], row[3], row[4]))
 if usageentries > 0:
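Review bot: The trailing comment on `data_headers = ('Bundle ID','Version Code','SHA-256 Hash')` is now stale — it explains the single-element tuple comma that this very change removes — so drop it. `digest_sha256` is presumably stored as a BLOB; if so, `row[2]` reaches the report as a bytes repr rather than the hex digest an analyst would compare against, and `row[2].hex() if isinstance(row[2], bytes) else row[2]` in the append would render it consistently — confirm the column type before relying on that. get_installedappsGass continues outside the hunk.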
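Review bot: The removed `data_list.append((row[0], thumb, row[1], row[2], row[3], row[4]))` is the only append visible in the `@@ -38,7 +34,6 @@` hunk of smyfilescache.py, so unless the loop already appends the row on a line outside the hunk, `data_list` stays empty and the `thumb` computed on the line above is discarded before the report is written. If this removes a duplicate append, a short comment on the loop saying so would spare the next reader the same check; otherwise the line needs to come back. The enclosing loop and get_smyfilescache continue outside the hunk.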
diff --git a/scripts/artifacts/wellbeing.py b/scripts/artifacts/wellbeing.py
index abc19895..42748fc6 100755
--- a/scripts/artifacts/wellbeing.py
+++ b/scripts/artifacts/wellbeing.py
@@ -7,7 +7,10 @@ def get_wellbeing(files_found, report_folder, seeker, wrap_text):
 for file_found in files_found:
 file_found = str(file_found)
- if not file_found.endswith('app_usage'):
+
+ if file_found.endswith('app_usage'):
+ break
+ else:
 continue # Skip all other files
 db = open_sqlite_db_readonly(file_found)
diff --git a/scripts/report.py b/scripts/report.py
index 32b29c9c..a5d3473a 100755
--- a/scripts/report.py
+++ b/scripts/report.py
@@ -107,7 +107,7 @@ def get_icon_name(category, artifact):
 elif artifact.find('APP EMAILS') >= 0: icon = 'at-sign'
 elif artifact.find('DOWNLOAD REQUESTS') >= 0: icon = 'download-cloud'
 elif artifact.find('LABEL DETAILS') >= 0: icon = 'mail'
- elif category == 'GOOGLE MAPS VOICE GUIDANCE': icon = 'map'
+ elif category == 'GOOGLE CALL SCREEN': icon = 'phone-incoming'
 elif category == 'GOOGLE CHAT':
 if artifact.find('GROUP INFORMATION') >= 0: icon = 'users'
 elif artifact.find('CHAT MESSAGES') >= 0: icon = 'message-circle'
@@ -119,6 +119,7 @@ def get_icon_name(category, artifact):
 elif category == 'GOOGLE FIT (GMS)': icon = 'activity'
 elif category == 'GOOGLE KEEP': icon = 'list'
 elif category == 'GBOARD KEYBOARD': icon = 'edit-3'
+ elif category == 'GOOGLE MAPS VOICE GUIDANCE': icon = 'map'
 elif category == 'GOOGLE MESSAGES': icon = 'message-circle'
 elif category == 'GOOGLE NOW & QUICKSEARCH': icon = 'search'
 elif category == 'GOOGLE PHOTOS':