mirror of https://github.com/mvt-project/mvt.git
120 lines
4.1 KiB
Python
120 lines
4.1 KiB
Python
|
# Mobile Verification Toolkit (MVT)
|
||
|
# Copyright (c) 2021 The MVT Project Authors.
|
||
|
# Use of this software is governed by the MVT License 1.1 that can be found at
|
||
|
# https://license.mvt.re/1.1/
|
||
|
|
||
|
import plistlib
|
||
|
import sqlite3
|
||
|
|
||
|
from mvt.common.utils import convert_mactime_to_unix, convert_timestamp_to_iso
|
||
|
|
||
|
from ..base import IOSExtraction
|
||
|
|
||
|
ANALYTICS_DB_PATH = [
|
||
|
"private/var/Keychains/Analytics/*.db",
|
||
|
]
|
||
|
|
||
|
class Analytics(IOSExtraction):
|
||
|
"""This module extracts information from the private/var/Keychains/Analytics/*.db files."""
|
||
|
|
||
|
def __init__(self, file_path=None, base_folder=None, output_folder=None,
|
||
|
fast_mode=False, log=None, results=[]):
|
||
|
super().__init__(file_path=file_path, base_folder=base_folder,
|
||
|
output_folder=output_folder, fast_mode=fast_mode,
|
||
|
log=log, results=results)
|
||
|
|
||
|
def serialize(self, record):
|
||
|
return {
|
||
|
"timestamp": record["timestamp"],
|
||
|
"module": self.__class__.__name__,
|
||
|
"event": record["artifact"],
|
||
|
"data": f"{record}",
|
||
|
}
|
||
|
|
||
|
def check_indicators(self):
|
||
|
if not self.indicators:
|
||
|
return
|
||
|
|
||
|
for result in self.results:
|
||
|
for ioc in self.indicators.ioc_processes:
|
||
|
for key in result.keys():
|
||
|
if ioc == result[key]:
|
||
|
self.log.warning("Found mention of a malicious process \"%s\" in %s file at %s",
|
||
|
ioc, result["artifact"], result["timestamp"])
|
||
|
self.detected.append(result)
|
||
|
break
|
||
|
for ioc in self.indicators.ioc_domains:
|
||
|
for key in result.keys():
|
||
|
if ioc in str(result[key]):
|
||
|
self.log.warning("Found mention of a malicious domain \"%s\" in %s file at %s",
|
||
|
ioc, result["artifact"], result["timestamp"])
|
||
|
self.detected.append(result)
|
||
|
break
|
||
|
|
||
|
def _extract_analytics_data(self):
|
||
|
artifact = self.file_path.split("/")[-1]
|
||
|
|
||
|
conn = sqlite3.connect(self.file_path)
|
||
|
cur = conn.cursor()
|
||
|
|
||
|
try:
|
||
|
cur.execute("""
|
||
|
SELECT
|
||
|
timestamp,
|
||
|
data
|
||
|
FROM hard_failures
|
||
|
UNION
|
||
|
SELECT
|
||
|
timestamp,
|
||
|
data
|
||
|
FROM soft_failures
|
||
|
UNION
|
||
|
SELECT
|
||
|
timestamp,
|
||
|
data
|
||
|
FROM all_events;
|
||
|
""")
|
||
|
except sqlite3.OperationalError:
|
||
|
cur.execute("""
|
||
|
SELECT
|
||
|
timestamp,
|
||
|
data
|
||
|
FROM hard_failures
|
||
|
UNION
|
||
|
SELECT
|
||
|
timestamp,
|
||
|
data
|
||
|
FROM soft_failures;
|
||
|
""")
|
||
|
|
||
|
|
||
|
for row in cur:
|
||
|
if row[0] and row[1]:
|
||
|
timestamp = convert_timestamp_to_iso(convert_mactime_to_unix(row[0], False))
|
||
|
data = plistlib.loads(row[1])
|
||
|
data["timestamp"] = timestamp
|
||
|
elif row[0]:
|
||
|
timestamp = convert_timestamp_to_iso(convert_mactime_to_unix(row[0], False))
|
||
|
data = {}
|
||
|
data["timestamp"] = timestamp
|
||
|
elif row[1]:
|
||
|
timestamp = ""
|
||
|
data = plistlib.loads(row[1])
|
||
|
data["timestamp"] = timestamp
|
||
|
data["artifact"] = artifact
|
||
|
|
||
|
self.results.append(data)
|
||
|
|
||
|
self.results = sorted(self.results, key=lambda entry: entry["timestamp"])
|
||
|
|
||
|
cur.close()
|
||
|
conn.close()
|
||
|
|
||
|
self.log.info("Extracted information on %d analytics data from %s", len(self.results), artifact)
|
||
|
|
||
|
def run(self):
|
||
|
for file_path in self._get_fs_files_from_patterns(ANALYTICS_DB_PATH):
|
||
|
self.file_path = file_path
|
||
|
self.log.info("Found Analytics database file at path: %s", file_path)
|
||
|
self._extract_analytics_data()
|