mvt/mvt/common/module.py

# Mobile Verification Toolkit (MVT)
# Copyright (c) 2021-2023 The MVT Authors.
# Use of this software is governed by the MVT License 1.1 that can be found at
#   https://license.mvt.re/1.1/

import csv
import logging
import os
import re
from typing import Any, Dict, List, Optional, Union

import simplejson as json

from .utils import exec_or_profile


class DatabaseNotFoundError(Exception):
    pass


class DatabaseCorruptedError(Exception):
    pass


class InsufficientPrivileges(Exception):
    pass


class MVTModule:
    """This class provides a base for all extraction modules."""

    enabled = True
    slug: Optional[str] = None

    def __init__(
        self,
        file_path: Optional[str] = None,
        target_path: Optional[str] = None,
        results_path: Optional[str] = None,
        module_options: Optional[Dict[str, Any]] = None,
        log: logging.Logger = logging.getLogger(__name__),
        results: Union[List[Dict[str, Any]], Dict[str, Any], None] = None,
    ) -> None:
        """Initialize module.

        :param file_path: Path to the module's database file, if there is any
        :type file_path: str
        :param target_path: Path to the target folder (backup or filesystem
                            dump)
        :type file_path: str
        :param results_path: Folder where results will be stored
        :type results_path: str
        :param fast_mode: Flag to enable or disable slow modules
        :type fast_mode: bool
        :param log: Handle to logger
        :param results: Provided list of results entries
        :type results: list
        """
        self.file_path = file_path
        self.target_path = target_path
        self.results_path = results_path
        self.module_options = module_options if module_options else {}
        self.log = log
        self.indicators = None
        self.results = results if results else []
        self.detected: List[Dict[str, Any]] = []
        self.timeline: List[Dict[str, str]] = []
        self.timeline_detected: List[Dict[str, str]] = []

    @classmethod
    def from_json(cls, json_path: str, log: logging.Logger):
        with open(json_path, "r", encoding="utf-8") as handle:
            results = json.load(handle)
            if log:
                log.info('Loaded %d results from "%s"', len(results), json_path)
            return cls(results=results, log=log)

    def get_slug(self) -> str:
        """Use the module's class name to retrieve a slug"""
        if self.slug:
            return self.slug

        sub = re.sub("(.)([A-Z][a-z]+)", r"\1_\2", self.__class__.__name__)
        return re.sub("([a-z0-9])([A-Z])", r"\1_\2", sub).lower()

    def check_indicators(self) -> None:
        """Check the results of this module against a provided list of
        indicators.


        """
        raise NotImplementedError

    def save_to_json(self) -> None:
        """Save the collected results to a json file."""
        if not self.results_path:
            return

        name = self.get_slug()

        if self.results:
            results_file_name = f"{name}.json"
            results_json_path = os.path.join(self.results_path, results_file_name)
            with open(results_json_path, "w", encoding="utf-8") as handle:
                try:
                    json.dump(self.results, handle, indent=4, default=str)
                except Exception as exc:
                    self.log.error(
                        "Unable to store results of module %s to file %s: %s",
                        self.__class__.__name__,
                        results_file_name,
                        exc,
                    )

        if self.detected:
            detected_file_name = f"{name}_detected.json"
            detected_json_path = os.path.join(self.results_path, detected_file_name)
            with open(detected_json_path, "w", encoding="utf-8") as handle:
                json.dump(self.detected, handle, indent=4, default=str)

    def serialize(self, record: dict) -> Union[dict, list, None]:
        raise NotImplementedError

    @staticmethod
    def _deduplicate_timeline(timeline: list) -> list:
        """Serialize entry as JSON to deduplicate repeated entries

        :param timeline: List of entries from timeline to deduplicate

        """
        timeline_set = set()
        for record in timeline:
            timeline_set.add(json.dumps(record, sort_keys=True))
        return [json.loads(record) for record in timeline_set]

    def to_timeline(self) -> None:
        """Convert results into a timeline."""
        for result in self.results:
            record = self.serialize(result)
            if record:
                if isinstance(record, list):
                    self.timeline.extend(record)
                else:
                    self.timeline.append(record)

        for detected in self.detected:
            record = self.serialize(detected)
            if record:
                if isinstance(record, list):
                    self.timeline_detected.extend(record)
                else:
                    self.timeline_detected.append(record)

        # De-duplicate timeline entries.
        self.timeline = self._deduplicate_timeline(self.timeline)
        self.timeline_detected = self._deduplicate_timeline(self.timeline_detected)

    def run(self) -> None:
        """Run the main module procedure."""
        raise NotImplementedError


def run_module(module: MVTModule) -> None:
    module.log.info("Running module %s...", module.__class__.__name__)

    try:
        exec_or_profile("module.run()", globals(), locals())
    except NotImplementedError:
        module.log.exception(
            "The run() procedure of module %s was not implemented yet!",
            module.__class__.__name__,
        )
    except InsufficientPrivileges as exc:
        module.log.info(
            "Insufficient privileges for module %s: %s", module.__class__.__name__, exc
        )
    except DatabaseNotFoundError as exc:
        module.log.info(
            "There might be no data to extract by module %s: %s",
            module.__class__.__name__,
            exc,
        )
    except DatabaseCorruptedError as exc:
        module.log.error(
            "The %s module database seems to be corrupted: %s",
            module.__class__.__name__,
            exc,
        )
    except Exception as exc:
        module.log.exception(
            "Error in running extraction from module %s: %s",
            module.__class__.__name__,
            exc,
        )
    else:
        try:
            exec_or_profile("module.check_indicators()", globals(), locals())
        except NotImplementedError:
            module.log.info(
                "The %s module does not support checking for indicators",
                module.__class__.__name__,
            )
        except Exception as exc:
            module.log.exception(
                "Error when checking indicators from module %s: %s",
                module.__class__.__name__,
                exc,
            )

        else:
            if module.indicators and not module.detected:
                module.log.info(
                    "The %s module produced no detections!", module.__class__.__name__
                )

        try:
            module.to_timeline()
        except NotImplementedError:
            pass
        except Exception as exc:
            module.log.exception(
                "Error when serializing data from module %s: %s",
                module.__class__.__name__,
                exc,
            )

        module.save_to_json()


def save_timeline(timeline: list, timeline_path: str) -> None:
    """Save the timeline in a csv file.

    :param timeline: List of records to order and store
    :param timeline_path: Path to the csv file to store the timeline to

    """
    with open(timeline_path, "a+", encoding="utf-8") as handle:
        csvoutput = csv.writer(
            handle, delimiter=",", quotechar='"', quoting=csv.QUOTE_ALL, escapechar="\\"
        )
        csvoutput.writerow(["UTC Timestamp", "Plugin", "Event", "Description"])

        for event in sorted(
            timeline, key=lambda x: x["timestamp"] if x["timestamp"] is not None else ""
        ):
            csvoutput.writerow(
                [
                    event.get("timestamp"),
                    event.get("module"),
                    event.get("event"),
                    event.get("data"),
                ]
            )
First commit 2021-07-16 06:05:01 +00:00			`# Mobile Verification Toolkit (MVT)`
Updated copyright notice 2023-09-09 15:55:27 +00:00			`# Copyright (c) 2021-2023 The MVT Authors.`
More explicit copyright and licensing notes 2021-08-01 19:11:08 +00:00			`# Use of this software is governed by the MVT License 1.1 that can be found at`
			`# https://license.mvt.re/1.1/`
First commit 2021-07-16 06:05:01 +00:00
			`import csv`
Starting to add type hints 2022-06-17 20:30:46 +00:00			`import logging`
Sorted imports 2021-07-30 09:40:09 +00:00			`import os`
			`import re`
Improves typing 2023-03-24 18:02:02 +00:00			`from typing import Any, Dict, List, Optional, Union`
Sorted imports 2021-07-30 09:40:09 +00:00
First commit 2021-07-16 06:05:01 +00:00			`import simplejson as json`

Add optional profiling for MVT modules 2023-06-29 11:22:43 +00:00			`from .utils import exec_or_profile`

Sorted imports 2021-07-30 09:40:09 +00:00
Automatically recover malformed sqlite3 databases (closes: #25 #37) 2021-07-25 09:47:05 +00:00			`class DatabaseNotFoundError(Exception):`
			`pass`

Standardized code with flake8 2021-11-19 14:27:51 +00:00
Automatically recover malformed sqlite3 databases (closes: #25 #37) 2021-07-25 09:47:05 +00:00			`class DatabaseCorruptedError(Exception):`
			`pass`

Standardized code with flake8 2021-11-19 14:27:51 +00:00
Catching check if root exception more grafully (closes: #5) 2021-08-05 06:49:34 +00:00			`class InsufficientPrivileges(Exception):`
			`pass`

Standardized code with flake8 2021-11-19 14:27:51 +00:00
Started linting the code 2022-08-12 14:20:16 +00:00			`class MVTModule:`
Pyment to reST 2021-10-12 16:06:58 +00:00			`"""This class provides a base for all extraction modules."""`
First commit 2021-07-16 06:05:01 +00:00
			`enabled = True`
Improves typing 2023-03-24 18:02:02 +00:00			`slug: Optional[str] = None`
First commit 2021-07-16 06:05:01 +00:00
Improved type hints and code style enforcement 2022-08-16 11:39:55 +00:00			`def __init__(`
			`self,`
Changed default for Optional[str] 2022-08-17 13:52:17 +00:00			`file_path: Optional[str] = None,`
			`target_path: Optional[str] = None,`
			`results_path: Optional[str] = None,`
Move --fast flag from being a top-level MVT module parameter to an option in a new module_options parameter 2023-07-17 16:29:43 +00:00			`module_options: Optional[Dict[str, Any]] = None,`
Improved type hints and code style enforcement 2022-08-16 11:39:55 +00:00			`log: logging.Logger = logging.getLogger(__name__),`
Linted code using isort + autoflake + black, fixed wrong use of Optional[bool] 2023-06-01 21:40:26 +00:00			`results: Union[List[Dict[str, Any]], Dict[str, Any], None] = None,`
Improved type hints and code style enforcement 2022-08-16 11:39:55 +00:00			`) -> None:`
First commit 2021-07-16 06:05:01 +00:00			`"""Initialize module.`
More docstrings 2021-09-10 18:09:37 +00:00
Standardizing reST docstrings 2021-09-10 13:18:13 +00:00			`:param file_path: Path to the module's database file, if there is any`
More docstrings 2021-09-10 18:09:37 +00:00			`:type file_path: str`
Trying to enforce line lengths at 80/100 2022-08-12 17:14:05 +00:00			`:param target_path: Path to the target folder (backup or filesystem`
			`dump)`
More docstrings 2021-09-10 18:09:37 +00:00			`:type file_path: str`
First commit to refactor of command definitions 2022-06-15 15:41:19 +00:00			`:param results_path: Folder where results will be stored`
			`:type results_path: str`
First commit 2021-07-16 06:05:01 +00:00			`:param fast_mode: Flag to enable or disable slow modules`
More docstrings 2021-09-10 18:09:37 +00:00			`:type fast_mode: bool`
First commit 2021-07-16 06:05:01 +00:00			`:param log: Handle to logger`
			`:param results: Provided list of results entries`
More docstrings 2021-09-10 18:09:37 +00:00			`:type results: list`
First commit 2021-07-16 06:05:01 +00:00			`"""`
			`self.file_path = file_path`
First commit to refactor of command definitions 2022-06-15 15:41:19 +00:00			`self.target_path = target_path`
			`self.results_path = results_path`
Move --fast flag from being a top-level MVT module parameter to an option in a new module_options parameter 2023-07-17 16:29:43 +00:00			`self.module_options = module_options if module_options else {}`
First commit 2021-07-16 06:05:01 +00:00			`self.log = log`
			`self.indicators = None`
Fix use of global list instance as self.results variable 2022-01-18 14:53:05 +00:00			`self.results = results if results else []`
Improves typing 2023-03-24 18:02:02 +00:00			`self.detected: List[Dict[str, Any]] = []`
			`self.timeline: List[Dict[str, str]] = []`
			`self.timeline_detected: List[Dict[str, str]] = []`
First commit 2021-07-16 06:05:01 +00:00
			`@classmethod`
Improves typing 2023-03-24 18:02:02 +00:00			`def from_json(cls, json_path: str, log: logging.Logger):`
Set utf-8 as an encoding for open() Not every system uses 'utf-8' as a default encoding for opening files in Python. Before you say that there must be a way to set default encoding in one line, no, there is not. At least, I didn't found a way to do this. 2022-01-29 11:18:18 +00:00			`with open(json_path, "r", encoding="utf-8") as handle:`
First commit 2021-07-16 06:05:01 +00:00			`results = json.load(handle)`
			`if log:`
Linted code using isort + autoflake + black, fixed wrong use of Optional[bool] 2023-06-01 21:40:26 +00:00			`log.info('Loaded %d results from "%s"', len(results), json_path)`
First commit 2021-07-16 06:05:01 +00:00			`return cls(results=results, log=log)`

Adding more type hints 2022-06-22 14:53:29 +00:00			`def get_slug(self) -> str:`
Pyment to reST 2021-10-12 16:06:58 +00:00			`"""Use the module's class name to retrieve a slug"""`
First commit 2021-07-16 06:05:01 +00:00			`if self.slug:`
			`return self.slug`

			`sub = re.sub("(.)([A-Z][a-z]+)", r"\1_\2", self.__class__.__name__)`
			`return re.sub("([a-z0-9])([A-Z])", r"\1_\2", sub).lower()`

Starting to add type hints 2022-06-17 20:30:46 +00:00			`def check_indicators(self) -> None:`
Fixes typos 2021-07-22 21:21:31 +00:00			`"""Check the results of this module against a provided list of`
Standardizing reST docstrings 2021-09-10 13:18:13 +00:00			`indicators.`
Pyment to reST 2021-10-12 16:06:58 +00:00

Standardizing reST docstrings 2021-09-10 13:18:13 +00:00			`"""`
First commit 2021-07-16 06:05:01 +00:00			`raise NotImplementedError`

Starting to add type hints 2022-06-17 20:30:46 +00:00			`def save_to_json(self) -> None:`
Pyment to reST 2021-10-12 16:06:58 +00:00			`"""Save the collected results to a json file."""`
First commit to refactor of command definitions 2022-06-15 15:41:19 +00:00			`if not self.results_path:`
First commit 2021-07-16 06:05:01 +00:00			`return`

			`name = self.get_slug()`

			`if self.results:`
			`results_file_name = f"{name}.json"`
Linted code using isort + autoflake + black, fixed wrong use of Optional[bool] 2023-06-01 21:40:26 +00:00			`results_json_path = os.path.join(self.results_path, results_file_name)`
Small code clean-ups 2022-01-29 14:13:35 +00:00			`with open(results_json_path, "w", encoding="utf-8") as handle:`
Fix WhatsApp thumb image 2021-07-25 12:13:10 +00:00			`try:`
Added modules to extract details on configuration profiles from backup 2021-08-15 16:53:02 +00:00			`json.dump(self.results, handle, indent=4, default=str)`
Continuing enforcement of line length and simplifying date conversions 2022-08-13 00:14:24 +00:00			`except Exception as exc:`
Linted code using isort + autoflake + black, fixed wrong use of Optional[bool] 2023-06-01 21:40:26 +00:00			`self.log.error(`
			`"Unable to store results of module %s to file %s: %s",`
			`self.__class__.__name__,`
			`results_file_name,`
			`exc,`
			`)`
First commit 2021-07-16 06:05:01 +00:00
			`if self.detected:`
			`detected_file_name = f"{name}_detected.json"`
Linted code using isort + autoflake + black, fixed wrong use of Optional[bool] 2023-06-01 21:40:26 +00:00			`detected_json_path = os.path.join(self.results_path, detected_file_name)`
Small code clean-ups 2022-01-29 14:13:35 +00:00			`with open(detected_json_path, "w", encoding="utf-8") as handle:`
Added modules to extract details on configuration profiles from backup 2021-08-15 16:53:02 +00:00			`json.dump(self.detected, handle, indent=4, default=str)`
First commit 2021-07-16 06:05:01 +00:00
Improves typing 2023-03-24 18:02:02 +00:00			`def serialize(self, record: dict) -> Union[dict, list, None]:`
First commit 2021-07-16 06:05:01 +00:00			`raise NotImplementedError`

Cleaning up some classes 2021-08-28 10:33:27 +00:00			`@staticmethod`
Starting to add type hints 2022-06-17 20:30:46 +00:00			`def _deduplicate_timeline(timeline: list) -> list:`
Standardizing reST docstrings 2021-09-10 13:18:13 +00:00			`"""Serialize entry as JSON to deduplicate repeated entries`

			`:param timeline: List of entries from timeline to deduplicate`
Pyment to reST 2021-10-12 16:06:58 +00:00
Standardizing reST docstrings 2021-09-10 13:18:13 +00:00			`"""`
Cleaning up some classes 2021-08-28 10:33:27 +00:00			`timeline_set = set()`
			`for record in timeline:`
			`timeline_set.add(json.dumps(record, sort_keys=True))`
			`return [json.loads(record) for record in timeline_set]`

Starting to add type hints 2022-06-17 20:30:46 +00:00			`def to_timeline(self) -> None:`
Standardizing reST docstrings 2021-09-10 13:18:13 +00:00			`"""Convert results into a timeline."""`
First commit 2021-07-16 06:05:01 +00:00			`for result in self.results:`
			`record = self.serialize(result)`
Fixes issue with Manifest format 2021-07-26 23:23:22 +00:00			`if record:`
Started linting the code 2022-08-12 14:20:16 +00:00			`if isinstance(record, list):`
Fixes issue with Manifest format 2021-07-26 23:23:22 +00:00			`self.timeline.extend(record)`
			`else:`
			`self.timeline.append(record)`
First commit 2021-07-16 06:05:01 +00:00
			`for detected in self.detected:`
			`record = self.serialize(detected)`
Fixes issue with Manifest format 2021-07-26 23:23:22 +00:00			`if record:`
Started linting the code 2022-08-12 14:20:16 +00:00			`if isinstance(record, list):`
Fixes issue with Manifest format 2021-07-26 23:23:22 +00:00			`self.timeline_detected.extend(record)`
			`else:`
			`self.timeline_detected.append(record)`
First commit 2021-07-16 06:05:01 +00:00
Added module to parse WebKit ResourceLoadStatistics observations.db (ref: #133) 2021-07-29 11:46:58 +00:00			`# De-duplicate timeline entries.`
Cleaning up some classes 2021-08-28 10:33:27 +00:00			`self.timeline = self._deduplicate_timeline(self.timeline)`
Linted code using isort + autoflake + black, fixed wrong use of Optional[bool] 2023-06-01 21:40:26 +00:00			`self.timeline_detected = self._deduplicate_timeline(self.timeline_detected)`
First commit 2021-07-16 06:05:01 +00:00
Starting to add type hints 2022-06-17 20:30:46 +00:00			`def run(self) -> None:`
Pyment to reST 2021-10-12 16:06:58 +00:00			`"""Run the main module procedure."""`
First commit 2021-07-16 06:05:01 +00:00			`raise NotImplementedError`


Improves typing 2023-03-24 18:02:02 +00:00			`def run_module(module: MVTModule) -> None:`
First commit 2021-07-16 06:05:01 +00:00			`module.log.info("Running module %s...", module.__class__.__name__)`

			`try:`
Add optional profiling for MVT modules 2023-06-29 11:22:43 +00:00			`exec_or_profile("module.run()", globals(), locals())`
First commit 2021-07-16 06:05:01 +00:00			`except NotImplementedError:`
Linted code using isort + autoflake + black, fixed wrong use of Optional[bool] 2023-06-01 21:40:26 +00:00			`module.log.exception(`
			`"The run() procedure of module %s was not implemented yet!",`
			`module.__class__.__name__,`
			`)`
Continuing enforcement of line length and simplifying date conversions 2022-08-13 00:14:24 +00:00			`except InsufficientPrivileges as exc:`
Linted code using isort + autoflake + black, fixed wrong use of Optional[bool] 2023-06-01 21:40:26 +00:00			`module.log.info(`
			`"Insufficient privileges for module %s: %s", module.__class__.__name__, exc`
			`)`
Continuing enforcement of line length and simplifying date conversions 2022-08-13 00:14:24 +00:00			`except DatabaseNotFoundError as exc:`
Linted code using isort + autoflake + black, fixed wrong use of Optional[bool] 2023-06-01 21:40:26 +00:00			`module.log.info(`
			`"There might be no data to extract by module %s: %s",`
			`module.__class__.__name__,`
			`exc,`
			`)`
Continuing enforcement of line length and simplifying date conversions 2022-08-13 00:14:24 +00:00			`except DatabaseCorruptedError as exc:`
Linted code using isort + autoflake + black, fixed wrong use of Optional[bool] 2023-06-01 21:40:26 +00:00			`module.log.error(`
			`"The %s module database seems to be corrupted: %s",`
			`module.__class__.__name__,`
			`exc,`
			`)`
Continuing enforcement of line length and simplifying date conversions 2022-08-13 00:14:24 +00:00			`except Exception as exc:`
Linted code using isort + autoflake + black, fixed wrong use of Optional[bool] 2023-06-01 21:40:26 +00:00			`module.log.exception(`
			`"Error in running extraction from module %s: %s",`
			`module.__class__.__name__,`
			`exc,`
			`)`
First commit 2021-07-16 06:05:01 +00:00			`else:`
			`try:`
Add optional profiling for MVT modules 2023-06-29 11:22:43 +00:00			`exec_or_profile("module.check_indicators()", globals(), locals())`
First commit 2021-07-16 06:05:01 +00:00			`except NotImplementedError:`
Linted code using isort + autoflake + black, fixed wrong use of Optional[bool] 2023-06-01 21:40:26 +00:00			`module.log.info(`
			`"The %s module does not support checking for indicators",`
			`module.__class__.__name__,`
			`)`
Improves module handling 2023-04-07 10:25:01 +00:00			`except Exception as exc:`
Linted code using isort + autoflake + black, fixed wrong use of Optional[bool] 2023-06-01 21:40:26 +00:00			`module.log.exception(`
			`"Error when checking indicators from module %s: %s",`
			`module.__class__.__name__,`
			`exc,`
			`)`
Improves module handling 2023-04-07 10:25:01 +00:00
Improved logging around detection results 2021-08-12 10:56:12 +00:00			`else:`
			`if module.indicators and not module.detected:`
Linted code using isort + autoflake + black, fixed wrong use of Optional[bool] 2023-06-01 21:40:26 +00:00			`module.log.info(`
			`"The %s module produced no detections!", module.__class__.__name__`
			`)`
First commit 2021-07-16 06:05:01 +00:00
			`try:`
			`module.to_timeline()`
			`except NotImplementedError:`
			`pass`
Fixes a bug in WhatsApp iOS module 2023-04-13 07:26:52 +00:00			`except Exception as exc:`
Linted code using isort + autoflake + black, fixed wrong use of Optional[bool] 2023-06-01 21:40:26 +00:00			`module.log.exception(`
			`"Error when serializing data from module %s: %s",`
			`module.__class__.__name__,`
			`exc,`
			`)`
First commit 2021-07-16 06:05:01 +00:00
			`module.save_to_json()`


Adding more type hints 2022-06-22 14:53:29 +00:00			`def save_timeline(timeline: list, timeline_path: str) -> None:`
First commit 2021-07-16 06:05:01 +00:00			`"""Save the timeline in a csv file.`
Standardizing reST docstrings 2021-09-10 13:18:13 +00:00
			`:param timeline: List of records to order and store`
			`:param timeline_path: Path to the csv file to store the timeline to`
Pyment to reST 2021-10-12 16:06:58 +00:00
First commit 2021-07-16 06:05:01 +00:00			`"""`
Small code clean-ups 2022-01-29 14:13:35 +00:00			`with open(timeline_path, "a+", encoding="utf-8") as handle:`
Linted code using isort + autoflake + black, fixed wrong use of Optional[bool] 2023-06-01 21:40:26 +00:00			`csvoutput = csv.writer(`
			`handle, delimiter=",", quotechar='"', quoting=csv.QUOTE_ALL, escapechar="\\"`
			`)`
First commit 2021-07-16 06:05:01 +00:00			`csvoutput.writerow(["UTC Timestamp", "Plugin", "Event", "Description"])`
Trying to enforce line lengths at 80/100 2022-08-12 17:14:05 +00:00
Linted code using isort + autoflake + black, fixed wrong use of Optional[bool] 2023-06-01 21:40:26 +00:00			`for event in sorted(`
			`timeline, key=lambda x: x["timestamp"] if x["timestamp"] is not None else ""`
			`):`
			`csvoutput.writerow(`
			`[`
			`event.get("timestamp"),`
			`event.get("module"),`
			`event.get("event"),`
			`event.get("data"),`
			`]`
			`)`