diff --git a/mvt/ios/modules/mixed/safari_browserstate.py b/mvt/ios/modules/mixed/safari_browserstate.py index 38de49f..97806e1 100644 --- a/mvt/ios/modules/mixed/safari_browserstate.py +++ b/mvt/ios/modules/mixed/safari_browserstate.py @@ -62,6 +62,7 @@ class SafariBrowserState(IOSExtraction): self.detected.append(result) def _process_browser_state_db(self, db_path): + self._recover_sqlite_db_if_needed(db_path) conn = sqlite3.connect(db_path) cur = conn.cursor() @@ -92,8 +93,12 @@ class SafariBrowserState(IOSExtraction): if row[4]: # Skip a 4 byte header before the plist content. session_plist = row[4][4:] - session_data = plistlib.load(io.BytesIO(session_plist)) - session_data = keys_bytes_to_string(session_data) + session_data = {} + try: + session_data = plistlib.load(io.BytesIO(session_plist)) + session_data = keys_bytes_to_string(session_data) + except plistlib.InvalidFileException: + pass if "SessionHistoryEntries" in session_data.get("SessionHistory", {}): for session_entry in session_data["SessionHistory"].get("SessionHistoryEntries"): @@ -114,7 +119,6 @@ class SafariBrowserState(IOSExtraction): }) def run(self): - if self.is_backup: for backup_file in self._get_backup_files_from_manifest(relative_path=SAFARI_BROWSER_STATE_BACKUP_RELPATH): self.file_path = self._get_backup_file_from_id(backup_file["file_id"]) diff --git a/tests/artifacts/ios_backup/3a/3a47b0981ed7c10f3e2800aa66bac96a3b5db28e b/tests/artifacts/ios_backup/3a/3a47b0981ed7c10f3e2800aa66bac96a3b5db28e new file mode 100644 index 0000000..b27d5a2 Binary files /dev/null and b/tests/artifacts/ios_backup/3a/3a47b0981ed7c10f3e2800aa66bac96a3b5db28e differ diff --git a/tests/ios/test_safari_browserstate.py b/tests/ios/test_safari_browserstate.py new file mode 100644 index 0000000..a89ca55 --- /dev/null +++ b/tests/ios/test_safari_browserstate.py @@ -0,0 +1,36 @@ +# Mobile Verification Toolkit (MVT) +# Copyright (c) 2021 The MVT Project Authors. +# Use of this software is governed by the MVT License 1.1 that can be found at +# https://license.mvt.re/1.1/ + +import logging + +from mvt.common.indicators import Indicators +from mvt.common.module import run_module +from mvt.ios.modules.mixed.safari_browserstate import SafariBrowserState + +from ..utils import get_backup_folder + + +class TestSafariBrowserStateModule: + def test_parsing(self): + m = SafariBrowserState(base_folder=get_backup_folder(), log=logging, results=[]) + m.is_backup = True + run_module(m) + assert m.file_path != None + assert len(m.results) == 1 + assert len(m.timeline) == 1 + assert len(m.detected) == 0 + + def test_detection(self, indicator_file): + m = SafariBrowserState(base_folder=get_backup_folder(), log=logging, results=[]) + m.is_backup = True + ind = Indicators(log=logging) + ind.parse_stix2(indicator_file) + # Adds a file that exists in the manifest. + ind.ioc_files[0]["domains"].append("en.wikipedia.org") + m.indicators = ind + run_module(m) + assert len(m.detected) == 1 + assert len(m.results) == 1 + assert m.results[0]["tab_url"] == "https://en.wikipedia.org/wiki/NSO_Group"