2021-07-16 06:05:01 +00:00
|
|
|
# Mobile Verification Toolkit (MVT)
|
2022-05-08 12:53:50 +00:00
|
|
|
# Copyright (c) 2021-2022 Claudio Guarnieri.
|
2021-08-01 19:11:08 +00:00
|
|
|
# Use of this software is governed by the MVT License 1.1 that can be found at
|
|
|
|
|
# https://license.mvt.re/1.1/
|
2021-07-16 06:05:01 +00:00
|
|
|
|
2022-06-17 20:30:46 +00:00
|
|
|
import logging
|
2021-07-16 06:05:01 +00:00
|
|
|
import os
|
|
|
|
|
import sqlite3
|
|
|
|
|
|
2021-08-15 11:14:18 +00:00
|
|
|
from ..base import IOSExtraction
|
2021-07-16 06:05:01 +00:00
|
|
|
|
2021-07-30 09:40:09 +00:00
|
|
|
|
2021-07-16 06:05:01 +00:00
|
|
|
class CacheFiles(IOSExtraction):
|
|
|
|
|
|
2022-06-17 20:30:46 +00:00
|
|
|
def __init__(self, file_path: str = None, target_path: str = None,
|
|
|
|
|
results_path: str = None, fast_mode: bool = False,
|
|
|
|
|
log: logging.Logger = None, results: list = []) -> None:
|
2022-06-16 13:18:50 +00:00
|
|
|
super().__init__(file_path=file_path, target_path=target_path,
|
|
|
|
|
results_path=results_path, fast_mode=fast_mode,
|
2021-07-16 06:05:01 +00:00
|
|
|
log=log, results=results)
|
|
|
|
|
|
2022-06-17 20:30:46 +00:00
|
|
|
def serialize(self, record: dict) -> None:
|
2021-07-16 06:05:01 +00:00
|
|
|
records = []
|
|
|
|
|
for item in self.results[record]:
|
|
|
|
|
records.append({
|
|
|
|
|
"timestamp": item["isodate"],
|
|
|
|
|
"module": self.__class__.__name__,
|
|
|
|
|
"event": "cache_response",
|
|
|
|
|
"data": f"{record} recorded visit to URL {item['url']}"
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
return records
|
|
|
|
|
|
2022-06-17 20:30:46 +00:00
|
|
|
def check_indicators(self) -> None:
|
2021-07-16 06:05:01 +00:00
|
|
|
if not self.indicators:
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
self.detected = {}
|
2022-01-21 15:26:58 +00:00
|
|
|
for key, values in self.results.items():
|
|
|
|
|
for value in values:
|
2022-01-23 14:01:49 +00:00
|
|
|
ioc = self.indicators.check_domain(value["url"])
|
|
|
|
|
if ioc:
|
|
|
|
|
value["matched_indicator"] = ioc
|
2021-07-16 06:05:01 +00:00
|
|
|
if key not in self.detected:
|
2022-01-21 15:26:58 +00:00
|
|
|
self.detected[key] = [value, ]
|
2021-07-16 06:05:01 +00:00
|
|
|
else:
|
2022-01-21 15:26:58 +00:00
|
|
|
self.detected[key].append(value)
|
2021-07-16 06:05:01 +00:00
|
|
|
|
|
|
|
|
def _process_cache_file(self, file_path):
|
|
|
|
|
self.log.info("Processing cache file at path: %s", file_path)
|
|
|
|
|
|
|
|
|
|
conn = sqlite3.connect(file_path)
|
|
|
|
|
cur = conn.cursor()
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
cur.execute("SELECT * FROM cfurl_cache_response;")
|
|
|
|
|
except sqlite3.OperationalError:
|
|
|
|
|
return
|
|
|
|
|
|
2022-06-16 13:18:50 +00:00
|
|
|
key_name = os.path.relpath(file_path, self.target_path)
|
2021-11-19 14:27:51 +00:00
|
|
|
if key_name not in self.results:
|
2021-07-16 06:05:01 +00:00
|
|
|
self.results[key_name] = []
|
|
|
|
|
|
|
|
|
|
for row in cur:
|
2021-08-15 17:05:15 +00:00
|
|
|
self.results[key_name].append({
|
|
|
|
|
"entry_id": row[0],
|
|
|
|
|
"version": row[1],
|
|
|
|
|
"hash_value": row[2],
|
|
|
|
|
"storage_policy": row[3],
|
|
|
|
|
"url": row[4],
|
|
|
|
|
"isodate": row[5],
|
|
|
|
|
})
|
2021-07-16 06:05:01 +00:00
|
|
|
|
2022-06-17 20:30:46 +00:00
|
|
|
def run(self) -> None:
|
2021-07-16 06:05:01 +00:00
|
|
|
self.results = {}
|
2022-06-16 13:18:50 +00:00
|
|
|
for root, dirs, files in os.walk(self.target_path):
|
2021-07-16 06:05:01 +00:00
|
|
|
for file_name in files:
|
|
|
|
|
if file_name != "Cache.db":
|
|
|
|
|
continue
|
|
|
|
|
|
|
|
|
|
file_path = os.path.join(root, file_name)
|
|
|
|
|
self._process_cache_file(file_path)
|
