2021-07-16 06:05:01 +00:00
|
|
|
# Mobile Verification Toolkit (MVT)
|
2021-08-01 19:11:08 +00:00
|
|
|
# Copyright (c) 2021 The MVT Project Authors.
|
|
|
|
|
# Use of this software is governed by the MVT License 1.1 that can be found at
|
|
|
|
|
# https://license.mvt.re/1.1/
|
2021-07-16 06:05:01 +00:00
|
|
|
|
2021-08-16 08:50:35 +00:00
|
|
|
import sqlite3
|
|
|
|
|
|
2021-08-15 11:14:18 +00:00
|
|
|
from ..net_base import NetBase
|
2021-07-16 06:05:01 +00:00
|
|
|
|
|
|
|
|
NETUSAGE_ROOT_PATHS = [
|
|
|
|
|
"private/var/networkd/netusage.sqlite",
|
|
|
|
|
"private/var/networkd/db/netusage.sqlite"
|
|
|
|
|
]
|
|
|
|
|
|
2021-11-19 14:27:51 +00:00
|
|
|
|
2021-07-16 06:05:01 +00:00
|
|
|
class Netusage(NetBase):
|
|
|
|
|
"""This class extracts data from netusage.sqlite and attempts to identify
|
2021-09-10 13:18:13 +00:00
|
|
|
any suspicious processes if running on a full filesystem dump.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
"""
|
2021-07-16 06:05:01 +00:00
|
|
|
|
|
|
|
|
def __init__(self, file_path=None, base_folder=None, output_folder=None,
|
|
|
|
|
fast_mode=False, log=None, results=[]):
|
|
|
|
|
super().__init__(file_path=file_path, base_folder=base_folder,
|
|
|
|
|
output_folder=output_folder, fast_mode=fast_mode,
|
|
|
|
|
log=log, results=results)
|
|
|
|
|
|
|
|
|
|
def run(self):
|
2021-08-16 08:50:35 +00:00
|
|
|
for netusage_path in self._get_fs_files_from_patterns(NETUSAGE_ROOT_PATHS):
|
|
|
|
|
self.file_path = netusage_path
|
|
|
|
|
self.log.info("Found NetUsage database at path: %s", self.file_path)
|
|
|
|
|
try:
|
|
|
|
|
self._extract_net_data()
|
|
|
|
|
except sqlite3.OperationalError as e:
|
|
|
|
|
self.log.info("Skipping this NetUsage database because it seems empty or malformed: %s", e)
|
|
|
|
|
continue
|
2021-07-16 06:05:01 +00:00
|
|
|
|
|
|
|
|
self._find_suspicious_processes()
|
