diff --git a/mvt/ios/cli.py b/mvt/ios/cli.py
index 166168b..daa30d9 100644
--- a/mvt/ios/cli.py
+++ b/mvt/ios/cli.py
@@ -15,7 +15,9 @@ from mvt.common.module import run_module, save_timeline
 from mvt.common.options import MutuallyExclusiveOption
 from .decrypt import DecryptBackup
-from .modules.fs import BACKUP_MODULES, FS_MODULES
+from .modules.backup import BACKUP_MODULES
+from .modules.fs import FS_MODULES
+from .modules.mixed import MIXED_MODULES
 # Setup logging using Rich.
 LOG_FORMAT = "[%(name)s] %(message)s"
@@ -129,7 +131,7 @@ def extract_key(password, backup_path, key_file):
 def check_backup(ctx, iocs, output, fast, backup_path, list_modules, module):
 if list_modules:
 log.info("Following is the list of available check-backup modules:")
-for backup_module in BACKUP_MODULES:
+for backup_module in BACKUP_MODULES + MIXED_MODULES:
 log.info(" - %s", backup_module.__name__)
 return
@@ -154,7 +156,7 @@ def check_backup(ctx, iocs, output, fast, backup_path, list_modules, module):
 timeline = []
 timeline_detected = []
-for backup_module in BACKUP_MODULES:
+for backup_module in BACKUP_MODULES + MIXED_MODULES:
 if module and backup_module.__name__ != module:
 continue
@@ -191,7 +193,7 @@ def check_backup(ctx, iocs, output, fast, backup_path, list_modules, module):
 def check_fs(ctx, iocs, output, fast, dump_path, list_modules, module):
 if list_modules:
 log.info("Following is the list of available check-fs modules:")
-for fs_module in FS_MODULES:
+for fs_module in FS_MODULES + MIXED_MODULES:
 log.info(" - %s", fs_module.__name__)
 return
@@ -216,7 +218,7 @@ def check_fs(ctx, iocs, output, fast, dump_path, list_modules, module):
 timeline = []
 timeline_detected = []
-for fs_module in FS_MODULES:
+for fs_module in FS_MODULES + MIXED_MODULES:
 if module and fs_module.__name__ != module:
 continue
diff --git a/mvt/ios/modules/backup/__init__.py b/mvt/ios/modules/backup/__init__.py
new file mode 100644
index 0000000..882d782
--- /dev/null
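Review bot: In check_backup's execution loop (`for backup_module in BACKUP_MODULES + MIXED_MODULES:` followed by `if module and backup_module.__name__ != module: continue`), a `module` argument that matches no class name skips every module, and nothing visible in the hunk reports that nothing ran; the check_fs loop in the last cli.py hunk has the same shape. This commit makes that case more likely because DeviceInfo is renamed to BackupInfo, so an invocation that still names DeviceInfo would select nothing, and in a forensic check an empty run is easy to misread as a clean result. Consider rejecting unknown names before the loop, e.g. `if module and module not in [m.__name__ for m in BACKUP_MODULES + MIXED_MODULES]:` followed by `log.critical("Unknown module: %s", module)` and `return`. The loop body continues outside the hunk, so such a check may already exist there.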
+++ b/mvt/ios/modules/backup/__init__.py
@@ -0,0 +1,9 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021 The MVT Project Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+# https://license.mvt.re/1.1/
+
+from .backup_info import BackupInfo
+from .manifest import Manifest
+
+BACKUP_MODULES = [BackupInfo, Manifest,]
diff --git a/mvt/ios/modules/fs/device_info.py b/mvt/ios/modules/backup/backup_info.py
similarity index 96%
rename from mvt/ios/modules/fs/device_info.py
rename to mvt/ios/modules/backup/backup_info.py
index 583839b..33012c8 100644
--- a/mvt/ios/modules/fs/device_info.py
+++ b/mvt/ios/modules/backup/backup_info.py
@@ -8,10 +8,10 @@ import plistlib
 from mvt.common.module import DatabaseNotFoundError
-from .base import IOSExtraction
+from ..base import IOSExtraction
-class DeviceInfo(IOSExtraction):
+class BackupInfo(IOSExtraction):
 """This module extracts information about the device."""
 def __init__(self, file_path=None, base_folder=None, output_folder=None,
diff --git a/mvt/ios/modules/fs/manifest.py b/mvt/ios/modules/backup/manifest.py
similarity index 99%
rename from mvt/ios/modules/fs/manifest.py
rename to mvt/ios/modules/backup/manifest.py
index 7514e97..3e0f640 100644
--- a/mvt/ios/modules/fs/manifest.py
+++ b/mvt/ios/modules/backup/manifest.py
@@ -12,7 +12,7 @@ import sqlite3
 from mvt.common.module import DatabaseNotFoundError
 from mvt.common.utils import convert_timestamp_to_iso
-from .base import IOSExtraction
+from ..base import IOSExtraction
 class Manifest(IOSExtraction):
diff --git a/mvt/ios/modules/fs/base.py b/mvt/ios/modules/base.py
similarity index 100%
rename from mvt/ios/modules/fs/base.py
rename to mvt/ios/modules/base.py
diff --git a/mvt/ios/modules/fs/__init__.py b/mvt/ios/modules/fs/__init__.py
index b5b74da..9a54b51 100644
--- a/mvt/ios/modules/fs/__init__.py
+++ b/mvt/ios/modules/fs/__init__.py
@@ -4,43 +4,13 @@ # https://license.mvt.re/1.1/
 from .cache_files import CacheFiles
-from .calls import Calls
-from .chrome_favicon import ChromeFavicon
-from .chrome_history import ChromeHistory
-from .contacts import Contacts
-from .device_info import DeviceInfo
 from .filesystem import Filesystem
-from .firefox_favicon import FirefoxFavicon
-from .firefox_history import FirefoxHistory
-from .idstatuscache import IDStatusCache
-from .interactionc import InteractionC
-from .locationd import LocationdClients
-from .manifest import Manifest
-from .net_datausage import Datausage
 from .net_netusage import Netusage
-from .safari_browserstate import SafariBrowserState
 from .safari_favicon import SafariFavicon
-from .safari_history import SafariHistory
-from .sms import SMS
-from .sms_attachments import SMSAttachments
 from .version_history import IOSVersionHistory
 from .webkit_indexeddb import WebkitIndexedDB
 from .webkit_localstorage import WebkitLocalStorage
-from .webkit_resource_load_statistics import WebkitResourceLoadStatistics
 from .webkit_safariviewservice import WebkitSafariViewService
-from .webkit_session_resource_log import WebkitSessionResourceLog
-from .whatsapp import Whatsapp
-BACKUP_MODULES = [SafariBrowserState, SafariHistory, Datausage, SMS, SMSAttachments,
- ChromeHistory, ChromeFavicon, WebkitSessionResourceLog,
- WebkitResourceLoadStatistics, Calls, IDStatusCache, LocationdClients,
- InteractionC, FirefoxHistory, FirefoxFavicon, Contacts, Manifest, Whatsapp,
- DeviceInfo]
-
-FS_MODULES = [IOSVersionHistory, SafariHistory, SafariFavicon, SafariBrowserState,
- WebkitIndexedDB, WebkitLocalStorage, WebkitSafariViewService,
- WebkitResourceLoadStatistics, WebkitSessionResourceLog,
- Datausage, Netusage, ChromeHistory,
- ChromeFavicon, Calls, IDStatusCache, SMS, SMSAttachments,
- LocationdClients, InteractionC, FirefoxHistory, FirefoxFavicon,
- Contacts, CacheFiles, Whatsapp, Filesystem]
+FS_MODULES = [CacheFiles, Filesystem, Netusage, SafariFavicon, IOSVersionHistory,
+ WebkitIndexedDB, WebkitLocalStorage, WebkitSafariViewService,]
diff --git a/mvt/ios/modules/fs/cache_files.py b/mvt/ios/modules/fs/cache_files.py
index 80fd166..8156bc1 100644
--- a/mvt/ios/modules/fs/cache_files.py
+++ b/mvt/ios/modules/fs/cache_files.py
@@ -6,7 +6,7 @@ import os
 import sqlite3
-from .base import IOSExtraction
+from ..base import IOSExtraction
 class CacheFiles(IOSExtraction):
diff --git a/mvt/ios/modules/fs/filesystem.py b/mvt/ios/modules/fs/filesystem.py
index 692ee58..af333d0 100644
--- a/mvt/ios/modules/fs/filesystem.py
+++ b/mvt/ios/modules/fs/filesystem.py
@@ -8,7 +8,7 @@ import os
 from mvt.common.utils import convert_timestamp_to_iso
-from .base import IOSExtraction
+from ..base import IOSExtraction
 class Filesystem(IOSExtraction):
diff --git a/mvt/ios/modules/fs/net_netusage.py b/mvt/ios/modules/fs/net_netusage.py
index 72bd55f..9ad648a 100644
--- a/mvt/ios/modules/fs/net_netusage.py
+++ b/mvt/ios/modules/fs/net_netusage.py
@@ -3,7 +3,7 @@ # Use of this software is governed by the MVT License 1.1 that can be found at
 # https://license.mvt.re/1.1/
-from .net_base import NetBase
+from ..net_base import NetBase
 NETUSAGE_ROOT_PATHS = [ "private/var/networkd/netusage.sqlite",
diff --git a/mvt/ios/modules/fs/safari_favicon.py b/mvt/ios/modules/fs/safari_favicon.py
index 0a931ef..cdf4b4b 100644
--- a/mvt/ios/modules/fs/safari_favicon.py
+++ b/mvt/ios/modules/fs/safari_favicon.py
@@ -7,7 +7,7 @@ import sqlite3
 from mvt.common.utils import convert_mactime_to_unix, convert_timestamp_to_iso
-from .base import IOSExtraction
+from ..base import IOSExtraction
 SAFARI_FAVICON_ROOT_PATHS = [ "private/var/mobile/Library/Image Cache/Favicons/Favicons.db",
diff --git a/mvt/ios/modules/fs/version_history.py b/mvt/ios/modules/fs/version_history.py
index 1b091de..564ff64 100644
--- a/mvt/ios/modules/fs/version_history.py
+++ b/mvt/ios/modules/fs/version_history.py
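Review bot: `BACKUP_MODULES` and the classes moved out of this package (for example `SMS`, `Manifest`, `DeviceInfo`) are no longer importable from `mvt.ios.modules.fs` after the `fs/__init__.py` hunk, and only cli.py's import is updated in this diff. Any other importer of the old names, if one exists, would fail at import time, so it is worth searching for `modules.fs import` before merging. The new list also changes run order (Filesystem was last in the old `FS_MODULES` and is now second); a one-line comment above the list, such as `# Modules that only apply to a full filesystem dump; shared ones live in ..mixed.`, would record the intent.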
@@ -8,7 +8,7 @@ import json
 from mvt.common.utils import convert_timestamp_to_iso
-from .base import IOSExtraction
+from ..base import IOSExtraction
 IOS_ANALYTICS_JOURNAL_PATHS = [ "private/var/db/analyticsd/Analytics-Journal-*.ips",
diff --git a/mvt/ios/modules/fs/webkit_base.py b/mvt/ios/modules/fs/webkit_base.py
index 75979b3..c18a2f5 100644
--- a/mvt/ios/modules/fs/webkit_base.py
+++ b/mvt/ios/modules/fs/webkit_base.py
@@ -8,7 +8,7 @@ import os
 from mvt.common.utils import convert_timestamp_to_iso
-from .base import IOSExtraction
+from ..base import IOSExtraction
 class WebkitBase(IOSExtraction):
diff --git a/mvt/ios/modules/mixed/__init__.py b/mvt/ios/modules/mixed/__init__.py
new file mode 100644
index 0000000..c35bf26
--- /dev/null
+++ b/mvt/ios/modules/mixed/__init__.py
@@ -0,0 +1,27 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021 The MVT Project Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+# https://license.mvt.re/1.1/
+
+from .calls import Calls
+from .chrome_favicon import ChromeFavicon
+from .chrome_history import ChromeHistory
+from .contacts import Contacts
+from .firefox_favicon import FirefoxFavicon
+from .firefox_history import FirefoxHistory
+from .idstatuscache import IDStatusCache
+from .interactionc import InteractionC
+from .locationd import LocationdClients
+from .net_datausage import Datausage
+from .safari_browserstate import SafariBrowserState
+from .safari_history import SafariHistory
+from .sms import SMS
+from .sms_attachments import SMSAttachments
+from .webkit_resource_load_statistics import WebkitResourceLoadStatistics
+from .webkit_session_resource_log import WebkitSessionResourceLog
+from .whatsapp import Whatsapp
+
+MIXED_MODULES = [Calls, ChromeFavicon, ChromeHistory, Contacts, FirefoxFavicon,
+ FirefoxHistory, IDStatusCache, InteractionC, LocationdClients,
+ Datausage, SafariBrowserState, SafariHistory, SMS, SMSAttachments,
+ WebkitResourceLoadStatistics, WebkitSessionResourceLog, Whatsapp,]
diff --git a/mvt/ios/modules/fs/calls.py b/mvt/ios/modules/mixed/calls.py
similarity index 98%
rename from mvt/ios/modules/fs/calls.py
rename to mvt/ios/modules/mixed/calls.py
index 45c91ea..0a6ae3b 100644
--- a/mvt/ios/modules/fs/calls.py
+++ b/mvt/ios/modules/mixed/calls.py
@@ -7,7 +7,7 @@ import sqlite3
 from mvt.common.utils import convert_mactime_to_unix, convert_timestamp_to_iso
-from .base import IOSExtraction
+from ..base import IOSExtraction
 CALLS_BACKUP_IDS = [ "5a4935c78a5255723f707230a451d79c540d2741",
diff --git a/mvt/ios/modules/fs/chrome_favicon.py b/mvt/ios/modules/mixed/chrome_favicon.py
similarity index 98%
rename from mvt/ios/modules/fs/chrome_favicon.py
rename to mvt/ios/modules/mixed/chrome_favicon.py
index 7b6014b..643aa1d 100644
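Review bot: The new `mixed/__init__.py` does not say what "mixed" means, so a reader has to open cli.py to learn that `MIXED_MODULES` is appended to both `BACKUP_MODULES` and `FS_MODULES`. I would add a comment above the list: `# Modules that run for both check-backup and check-fs; cli.py appends this list to BACKUP_MODULES and FS_MODULES.` As a style point, the closing `Whatsapp,]` would read better as `Whatsapp]`, since a trailing comma is normally used only when the bracket sits on its own line; the same applies to `Manifest,]` in `backup/__init__.py`.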
--- a/mvt/ios/modules/fs/chrome_favicon.py
+++ b/mvt/ios/modules/mixed/chrome_favicon.py
@@ -8,7 +8,7 @@ import sqlite3
 from mvt.common.utils import (convert_chrometime_to_unix, convert_timestamp_to_iso)
-from .base import IOSExtraction
+from ..base import IOSExtraction
 CHROME_FAVICON_BACKUP_IDS = [ "55680ab883d0fdcffd94f959b1632e5fbbb18c5b"
diff --git a/mvt/ios/modules/fs/chrome_history.py b/mvt/ios/modules/mixed/chrome_history.py
similarity index 98%
rename from mvt/ios/modules/fs/chrome_history.py
rename to mvt/ios/modules/mixed/chrome_history.py
index e0573a5..59b99b8 100644
--- a/mvt/ios/modules/fs/chrome_history.py
+++ b/mvt/ios/modules/mixed/chrome_history.py
@@ -8,7 +8,7 @@ import sqlite3
 from mvt.common.utils import (convert_chrometime_to_unix, convert_timestamp_to_iso)
-from .base import IOSExtraction
+from ..base import IOSExtraction
 CHROME_HISTORY_BACKUP_IDS = [ "faf971ce92c3ac508c018dce1bef2a8b8e9838f1",
diff --git a/mvt/ios/modules/fs/contacts.py b/mvt/ios/modules/mixed/contacts.py
similarity index 98%
rename from mvt/ios/modules/fs/contacts.py
rename to mvt/ios/modules/mixed/contacts.py
index cea082d..c640b73 100644
--- a/mvt/ios/modules/fs/contacts.py
+++ b/mvt/ios/modules/mixed/contacts.py
@@ -5,7 +5,7 @@ import sqlite3
-from .base import IOSExtraction
+from ..base import IOSExtraction
 CONTACTS_BACKUP_IDS = [ "31bb7ba8914766d4ba40d6dfb6113c8b614be442",
diff --git a/mvt/ios/modules/fs/firefox_favicon.py b/mvt/ios/modules/mixed/firefox_favicon.py
similarity index 98%
rename from mvt/ios/modules/fs/firefox_favicon.py
rename to mvt/ios/modules/mixed/firefox_favicon.py
index a41764d..6aeee9b 100644
--- a/mvt/ios/modules/fs/firefox_favicon.py
+++ b/mvt/ios/modules/mixed/firefox_favicon.py
@@ -8,7 +8,7 @@ from datetime import datetime
 from mvt.common.utils import convert_timestamp_to_iso
-from .base import IOSExtraction
+from ..base import IOSExtraction
 FIREFOX_HISTORY_BACKUP_IDS = [ "2e57c396a35b0d1bcbc624725002d98bd61d142b",
diff --git a/mvt/ios/modules/fs/firefox_history.py b/mvt/ios/modules/mixed/firefox_history.py
similarity index 98%
rename from mvt/ios/modules/fs/firefox_history.py
rename to mvt/ios/modules/mixed/firefox_history.py
index 0825fba..afa814c 100644
--- a/mvt/ios/modules/fs/firefox_history.py
+++ b/mvt/ios/modules/mixed/firefox_history.py
@@ -8,7 +8,7 @@ from datetime import datetime
 from mvt.common.utils import convert_timestamp_to_iso
-from .base import IOSExtraction
+from ..base import IOSExtraction
 FIREFOX_HISTORY_BACKUP_IDS = [ "2e57c396a35b0d1bcbc624725002d98bd61d142b",
diff --git a/mvt/ios/modules/fs/idstatuscache.py b/mvt/ios/modules/mixed/idstatuscache.py
similarity index 99%
rename from mvt/ios/modules/fs/idstatuscache.py
rename to mvt/ios/modules/mixed/idstatuscache.py
index 752f59e..6f6acf0 100644
--- a/mvt/ios/modules/fs/idstatuscache.py
+++ b/mvt/ios/modules/mixed/idstatuscache.py
@@ -8,7 +8,7 @@ import plistlib
 from mvt.common.utils import convert_mactime_to_unix, convert_timestamp_to_iso
-from .base import IOSExtraction
+from ..base import IOSExtraction
 IDSTATUSCACHE_BACKUP_IDS = [ "6b97989189901ceaa4e5be9b7f05fb584120e27b",
diff --git a/mvt/ios/modules/fs/interactionc.py b/mvt/ios/modules/mixed/interactionc.py
similarity index 99%
rename from mvt/ios/modules/fs/interactionc.py
rename to mvt/ios/modules/mixed/interactionc.py
index 8523431..e0b479e 100644
--- a/mvt/ios/modules/fs/interactionc.py
+++ b/mvt/ios/modules/mixed/interactionc.py
@@ -7,7 +7,7 @@ import sqlite3
 from mvt.common.utils import convert_mactime_to_unix, convert_timestamp_to_iso
-from .base import IOSExtraction
+from ..base import IOSExtraction
 INTERACTIONC_BACKUP_IDS = [ "1f5a521220a3ad80ebfdc196978df8e7a2e49dee",
diff --git a/mvt/ios/modules/fs/locationd.py b/mvt/ios/modules/mixed/locationd.py
similarity index 98%
rename from mvt/ios/modules/fs/locationd.py
rename to mvt/ios/modules/mixed/locationd.py
index 5ca80f7..bdd8c84 100644
--- a/mvt/ios/modules/fs/locationd.py
+++ b/mvt/ios/modules/mixed/locationd.py
@@ -7,7 +7,7 @@ import plistlib
 from mvt.common.utils import convert_mactime_to_unix, convert_timestamp_to_iso
-from .base import IOSExtraction
+from ..base import IOSExtraction
 LOCATIOND_BACKUP_IDS = [ "a690d7769cce8904ca2b67320b107c8fe5f79412",
diff --git a/mvt/ios/modules/fs/net_datausage.py b/mvt/ios/modules/mixed/net_datausage.py
similarity index 97%
rename from mvt/ios/modules/fs/net_datausage.py
rename to mvt/ios/modules/mixed/net_datausage.py
index 633bffc..b8ba13f 100644
--- a/mvt/ios/modules/fs/net_datausage.py
+++ b/mvt/ios/modules/mixed/net_datausage.py
@@ -3,7 +3,7 @@ # Use of this software is governed by the MVT License 1.1 that can be found at
 # https://license.mvt.re/1.1/
-from .net_base import NetBase
+from ..net_base import NetBase
 DATAUSAGE_BACKUP_IDS = [ "0d609c54856a9bb2d56729df1d68f2958a88426b",
diff --git a/mvt/ios/modules/fs/safari_browserstate.py b/mvt/ios/modules/mixed/safari_browserstate.py
similarity index 99%
rename from mvt/ios/modules/fs/safari_browserstate.py
rename to mvt/ios/modules/mixed/safari_browserstate.py
index 2555d0c..c15cef8 100644
--- a/mvt/ios/modules/fs/safari_browserstate.py
+++ b/mvt/ios/modules/mixed/safari_browserstate.py
@@ -10,7 +10,7 @@ import sqlite3
 from mvt.common.utils import (convert_mactime_to_unix, convert_timestamp_to_iso, keys_bytes_to_string)
-from .base import IOSExtraction
+from ..base import IOSExtraction
 SAFARI_BROWSER_STATE_BACKUP_IDS = [ "3a47b0981ed7c10f3e2800aa66bac96a3b5db28e",
diff --git a/mvt/ios/modules/fs/safari_history.py b/mvt/ios/modules/mixed/safari_history.py
similarity index 99%
rename from mvt/ios/modules/fs/safari_history.py
rename to mvt/ios/modules/mixed/safari_history.py
index 487ac5a..94acda5 100644
--- a/mvt/ios/modules/fs/safari_history.py
+++ b/mvt/ios/modules/mixed/safari_history.py
@@ -8,7 +8,7 @@ import sqlite3
 from mvt.common.url import URL
 from mvt.common.utils import convert_mactime_to_unix, convert_timestamp_to_iso
-from .base import IOSExtraction
+from ..base import IOSExtraction
 SAFARI_HISTORY_BACKUP_IDS = [ "e74113c185fd8297e140cfcf9c99436c5cc06b57",
diff --git a/mvt/ios/modules/fs/sms.py b/mvt/ios/modules/mixed/sms.py
similarity index 99%
rename from mvt/ios/modules/fs/sms.py
rename to mvt/ios/modules/mixed/sms.py
index 313f57d..49f4a4c 100644
--- a/mvt/ios/modules/fs/sms.py
+++ b/mvt/ios/modules/mixed/sms.py
@@ -9,7 +9,7 @@ from base64 import b64encode
 from mvt.common.utils import (check_for_links, convert_mactime_to_unix, convert_timestamp_to_iso)
-from .base import IOSExtraction
+from ..base import IOSExtraction
 SMS_BACKUP_IDS = [ "3d0d7e5fb2ce288813306e4d4636395e047a3d28",
diff --git a/mvt/ios/modules/fs/sms_attachments.py b/mvt/ios/modules/mixed/sms_attachments.py
similarity index 99%
rename from mvt/ios/modules/fs/sms_attachments.py
rename to mvt/ios/modules/mixed/sms_attachments.py
index a38d263..ceba220 100644
--- a/mvt/ios/modules/fs/sms_attachments.py
+++ b/mvt/ios/modules/mixed/sms_attachments.py
@@ -8,7 +8,7 @@ from base64 import b64encode
 from mvt.common.utils import convert_mactime_to_unix, convert_timestamp_to_iso
-from .base import IOSExtraction
+from ..base import IOSExtraction
 SMS_BACKUP_IDS = [ "3d0d7e5fb2ce288813306e4d4636395e047a3d28",
diff --git a/mvt/ios/modules/fs/webkit_resource_load_statistics.py b/mvt/ios/modules/mixed/webkit_resource_load_statistics.py
similarity index 99%
rename from mvt/ios/modules/fs/webkit_resource_load_statistics.py
rename to mvt/ios/modules/mixed/webkit_resource_load_statistics.py
index ea23b70..36187ac 100644
--- a/mvt/ios/modules/fs/webkit_resource_load_statistics.py
+++ b/mvt/ios/modules/mixed/webkit_resource_load_statistics.py
@@ -9,7 +9,7 @@ import sqlite3
 from mvt.common.utils import convert_timestamp_to_iso
-from .base import IOSExtraction
+from ..base import IOSExtraction
 WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH = "Library/WebKit/WebsiteData/ResourceLoadStatistics/observations.db"
 WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS = [
diff --git a/mvt/ios/modules/fs/webkit_session_resource_log.py b/mvt/ios/modules/mixed/webkit_session_resource_log.py
similarity index 99%
rename from mvt/ios/modules/fs/webkit_session_resource_log.py
rename to mvt/ios/modules/mixed/webkit_session_resource_log.py
index 9f05abe..5bcc50a 100644
--- a/mvt/ios/modules/fs/webkit_session_resource_log.py
+++ b/mvt/ios/modules/mixed/webkit_session_resource_log.py
@@ -9,7 +9,7 @@ import plistlib
 from mvt.common.utils import convert_timestamp_to_iso
-from .base import IOSExtraction
+from ..base import IOSExtraction
 WEBKIT_SESSION_RESOURCE_LOG_BACKUP_IDS = [ "a500ee38053454a02e990957be8a251935e28d3f",
diff --git a/mvt/ios/modules/fs/whatsapp.py b/mvt/ios/modules/mixed/whatsapp.py
similarity index 98%
rename from mvt/ios/modules/fs/whatsapp.py
rename to mvt/ios/modules/mixed/whatsapp.py
index 8e973df..abfebb1 100644
--- a/mvt/ios/modules/fs/whatsapp.py
+++ b/mvt/ios/modules/mixed/whatsapp.py
@@ -9,7 +9,7 @@ import sqlite3
 from mvt.common.utils import (check_for_links, convert_mactime_to_unix, convert_timestamp_to_iso)
-from .base import IOSExtraction
+from ..base import IOSExtraction
 log = logging.getLogger(__name__)
diff --git a/mvt/ios/modules/fs/net_base.py b/mvt/ios/modules/net_base.py
similarity index 100%
rename from mvt/ios/modules/fs/net_base.py
rename to mvt/ios/modules/net_base.py