Fixed WebkitSessionResourceLog module, still needs testing

2024-06-23 12:58:58 +00:00 · 2021-08-15 20:00:29 +02:00 · 2021-08-15 20:00:29 +02:00 · fdaf2fc760
commit fdaf2fc760
parent fda621672d
8 changed files with 23 additions and 40 deletions
--- a/mvt/common/module.py
+++ b/mvt/common/module.py
@ -66,13 +66,6 @@ class MVTModule(object):
        sub = re.sub("(.)([A-Z][a-z]+)", r"\1_\2", self.__class__.__name__)
        return re.sub("([a-z0-9])([A-Z])", r"\1_\2", sub).lower()

-    def _find_paths(self, root_paths):
-        for root_path in root_paths:
-            for found_path in glob.glob(os.path.join(self.base_folder, root_path)):
-                if not os.path.exists(found_path):
-                    continue
-                yield found_path
-
    def load_indicators(self, file_path):
        self.indicators = Indicators(file_path, self.log)

--- a/mvt/ios/modules/backup/configuration_profiles.py
+++ b/mvt/ios/modules/backup/configuration_profiles.py
@ -22,7 +22,7 @@ class ConfigurationProfiles(IOSExtraction):
                         log=log, results=results)

    def run(self):
-        for conf_file in self._get_files_from_manifest(domain=CONF_PROFILES_DOMAIN):
+        for conf_file in self._get_backup_files_from_manifest(domain=CONF_PROFILES_DOMAIN):
            conf_file_path = self._get_backup_file_from_id(conf_file["file_id"])
            if not conf_file_path:
                continue
--- a/mvt/ios/modules/backup/profile_events.py
+++ b/mvt/ios/modules/backup/profile_events.py
@ -32,7 +32,7 @@ class ProfileEvents(IOSExtraction):
        }

    def run(self):
-        for events_file in self._get_files_from_manifest(relative_path=CONF_PROFILES_EVENTS_RELPATH):
+        for events_file in self._get_backup_files_from_manifest(relative_path=CONF_PROFILES_EVENTS_RELPATH):
            events_file_path = self._get_backup_file_from_id(events_file["file_id"])
            if not events_file_path:
                continue
--- a/mvt/ios/modules/base.py
+++ b/mvt/ios/modules/base.py
@ -68,7 +68,7 @@ class IOSExtraction(MVTModule):

        self.log.info("Database at path %s recovered successfully!", file_path)

-    def _get_files_from_manifest(self, relative_path=None, domain=None):
+    def _get_backup_files_from_manifest(self, relative_path=None, domain=None):
        """Locate files from Manifest.db.
        :param relative_path: Relative path to use as filter from Manifest.db.
        :param domain: Domain to use as filter from Manifest.db.
@ -107,6 +107,14 @@ class IOSExtraction(MVTModule):

        return None

+    def _find_fs_files_from_pattern(self, root_paths):
+        for root_path in root_paths:
+            for found_path in glob.glob(os.path.join(self.base_folder, root_path)):
+                if not os.path.exists(found_path):
+                    continue
+
+                yield found_path
+
    def _find_ios_database(self, backup_ids=None, root_paths=[]):
        """Try to locate the module's database file from either an iTunes
        backup or a full filesystem dump.
--- a/mvt/ios/modules/fs/version_history.py
+++ b/mvt/ios/modules/fs/version_history.py
@ -32,7 +32,7 @@ class IOSVersionHistory(IOSExtraction):
        }

    def run(self):
-        for found_path in self._find_paths(IOS_ANALYTICS_JOURNAL_PATHS):
+        for found_path in self._find_fs_files_from_pattern(IOS_ANALYTICS_JOURNAL_PATHS):
            with open(found_path, "r") as analytics_log:
                log_line = json.loads(analytics_log.readline().strip())

--- a/mvt/ios/modules/fs/webkit_base.py
+++ b/mvt/ios/modules/fs/webkit_base.py
@ -23,7 +23,7 @@ class WebkitBase(IOSExtraction):
                self.detected.append(item)

    def _process_webkit_folder(self, root_paths):
-        for found_path in self._find_paths(root_paths):
+        for found_path in self._find_fs_files_from_pattern(root_paths):
            key = os.path.relpath(found_path, self.base_folder)

            for name in os.listdir(found_path):
--- a/mvt/ios/modules/mixed/webkit_resource_load_statistics.py
+++ b/mvt/ios/modules/mixed/webkit_resource_load_statistics.py
@ -76,12 +76,12 @@ class WebkitResourceLoadStatistics(IOSExtraction):
    def run(self):
        if self.is_backup:
            try:
-                for backup_file in self._get_files_from_manifest(relative_path=WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH):
+                for backup_file in self._get_backup_files_from_manifest(relative_path=WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH):
                    db_path = os.path.join(self.base_folder, backup_file["file_id"][0:2], backup_file["file_id"])
                    key = f"{backup_file['domain']}/{WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH}"
                    self._process_observations_db(db_path=db_path, key=key)
            except Exception as e:
                self.log.info("Unable to search for WebKit observations.db: %s", e)
        elif self.is_fs_dump:
-            for db_path in self._find_paths(WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS):
+            for db_path in self._find_fs_files_from_pattern(WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS):
                self._process_observations_db(db_path=db_path, key=os.path.relpath(db_path, self.base_folder))
--- a/mvt/ios/modules/mixed/webkit_session_resource_log.py
+++ b/mvt/ios/modules/mixed/webkit_session_resource_log.py
@ -14,7 +14,6 @@ from ..base import IOSExtraction
 WEBKIT_SESSION_RESOURCE_LOG_BACKUP_IDS = [
    "a500ee38053454a02e990957be8a251935e28d3f",
 ]
-
 WEBKIT_SESSION_RESOURCE_LOG_ROOT_PATHS = [
    "private/var/mobile/Containers/Data/Application/*/SystemData/com.apple.SafariViewService/Library/WebKit/WebsiteData/full_browsing_session_resourceLog.plist",
    "private/var/mobile/Containers/Data/Application/*/Library/WebKit/WebsiteData/ResourceLoadStatistics/full_browsing_session_resourceLog.plist",
@ -32,6 +31,8 @@ class WebkitSessionResourceLog(IOSExtraction):
                         output_folder=output_folder, fast_mode=fast_mode,
                         log=log, results=results)

+        self.results = {}
+
    def _extract_browsing_stats(self, file_path):
        items = []

@ -110,32 +111,13 @@ class WebkitSessionResourceLog(IOSExtraction):

                    self.log.warning("Found HTTP redirect between suspicious domains: %s", redirect_path)

-    def _find_paths(self, root_paths):
-        results = {}
-        for root_path in root_paths:
-            for found_path in glob.glob(os.path.join(self.base_folder, root_path)):
-                if not os.path.exists(found_path):
-                    continue
-
-                key = os.path.relpath(found_path, self.base_folder)
-                if key not in results:
-                    results[key] = []
-
-        return results
-
    def run(self):
-        self.results = {}
-
-        try:
+        if self.is_backup:
            self._find_ios_database(backup_ids=WEBKIT_SESSION_RESOURCE_LOG_BACKUP_IDS)
-        except FileNotFoundError:
-            pass
-        else:
-            if self.file_path:
-                self.results[self.file_path] = self._extract_browsing_stats(self.file_path)
-                return
+            self.results[self.file_path] = self._extract_browsing_stats(self.file_path)
+            return

-        self.results = self._find_paths(root_paths=WEBKIT_SESSION_RESOURCE_LOG_ROOT_PATHS)
-        for log_file in self.results.keys():
+        for log_file in self._find_fs_files_from_pattern(WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS):
            self.log.info("Found Safari browsing session resource log at path: %s", log_file)
-            self.results[log_file] = self._extract_browsing_stats(os.path.join(self.base_folder, log_file))
+            key = os.path.relpath(log_file, self.base_folder)
+            self.results[key] = self._extract_browsing_stats(log_file)