diff --git a/mvt/common/module.py b/mvt/common/module.py
index 9f0873c..e6ca60c 100644
--- a/mvt/common/module.py
+++ b/mvt/common/module.py
@@ -66,13 +66,6 @@ class MVTModule(object):
 sub = re.sub("(.)([A-Z][a-z]+)", r"\1_\2", self.__class__.__name__)
 return re.sub("([a-z0-9])([A-Z])", r"\1_\2", sub).lower()
- def _find_paths(self, root_paths):
- for root_path in root_paths:
- for found_path in glob.glob(os.path.join(self.base_folder, root_path)):
- if not os.path.exists(found_path):
- continue
- yield found_path
-
 def load_indicators(self, file_path):
 self.indicators = Indicators(file_path, self.log)
diff --git a/mvt/ios/modules/backup/configuration_profiles.py b/mvt/ios/modules/backup/configuration_profiles.py
index a2c608e..785b6c1 100644
--- a/mvt/ios/modules/backup/configuration_profiles.py
+++ b/mvt/ios/modules/backup/configuration_profiles.py
@@ -22,7 +22,7 @@ class ConfigurationProfiles(IOSExtraction):
 log=log, results=results)
 def run(self):
- for conf_file in self._get_files_from_manifest(domain=CONF_PROFILES_DOMAIN):
+ for conf_file in self._get_backup_files_from_manifest(domain=CONF_PROFILES_DOMAIN):
 conf_file_path = self._get_backup_file_from_id(conf_file["file_id"])
 if not conf_file_path:
 continue
diff --git a/mvt/ios/modules/backup/profile_events.py b/mvt/ios/modules/backup/profile_events.py
index 31cacfd..1dbea76 100644
--- a/mvt/ios/modules/backup/profile_events.py
+++ b/mvt/ios/modules/backup/profile_events.py
@@ -32,7 +32,7 @@ class ProfileEvents(IOSExtraction):
 }
 def run(self):
- for events_file in self._get_files_from_manifest(relative_path=CONF_PROFILES_EVENTS_RELPATH):
+ for events_file in self._get_backup_files_from_manifest(relative_path=CONF_PROFILES_EVENTS_RELPATH):
 events_file_path = self._get_backup_file_from_id(events_file["file_id"])
 if not events_file_path:
 continue
diff --git a/mvt/ios/modules/base.py b/mvt/ios/modules/base.py
index f925f4f..729baf8 100644
--- a/mvt/ios/modules/base.py
+++ b/mvt/ios/modules/base.py
@@ -68,7 +68,7 @@ class IOSExtraction(MVTModule):
 self.log.info("Database at path %s recovered successfully!", file_path)
- def _get_files_from_manifest(self, relative_path=None, domain=None):
+ def _get_backup_files_from_manifest(self, relative_path=None, domain=None):
 """Locate files from Manifest.db.
 :param relative_path: Relative path to use as filter from Manifest.db.
 :param domain: Domain to use as filter from Manifest.db.
@@ -107,6 +107,14 @@ class IOSExtraction(MVTModule):
 return None
+ def _find_fs_files_from_pattern(self, root_paths):
+ for root_path in root_paths:
+ for found_path in glob.glob(os.path.join(self.base_folder, root_path)):
+ if not os.path.exists(found_path):
+ continue
+
+ yield found_path
+
 def _find_ios_database(self, backup_ids=None, root_paths=[]):
 """Try to locate the module's database file from either an iTunes backup or a full filesystem dump.
diff --git a/mvt/ios/modules/fs/version_history.py b/mvt/ios/modules/fs/version_history.py
index 564ff64..a15448a 100644
--- a/mvt/ios/modules/fs/version_history.py
+++ b/mvt/ios/modules/fs/version_history.py
@@ -32,7 +32,7 @@ class IOSVersionHistory(IOSExtraction):
 }
 def run(self):
- for found_path in self._find_paths(IOS_ANALYTICS_JOURNAL_PATHS):
+ for found_path in self._find_fs_files_from_pattern(IOS_ANALYTICS_JOURNAL_PATHS):
 with open(found_path, "r") as analytics_log:
 log_line = json.loads(analytics_log.readline().strip())
diff --git a/mvt/ios/modules/fs/webkit_base.py b/mvt/ios/modules/fs/webkit_base.py
index 58f59e5..fcdc087 100644
--- a/mvt/ios/modules/fs/webkit_base.py
+++ b/mvt/ios/modules/fs/webkit_base.py
@@ -23,7 +23,7 @@ class WebkitBase(IOSExtraction):
 self.detected.append(item)
 def _process_webkit_folder(self, root_paths):
- for found_path in self._find_paths(root_paths):
+ for found_path in self._find_fs_files_from_pattern(root_paths):
 key = os.path.relpath(found_path, self.base_folder)
 for name in os.listdir(found_path):
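Review bot: The new `_find_fs_files_from_pattern` in mvt/ios/modules/base.py yields whatever `glob.glob()` matches under `self.base_folder` without checking that the resolved path still lies inside the dump, and the callers visible in this diff then `open()` or `os.listdir()` the result. A filesystem dump taken from a device under investigation is untrusted input, so a symlink inside it could make a module read host files outside the evidence folder; a containment check before the `yield`, such as `if not os.path.realpath(found_path).startswith(os.path.realpath(self.base_folder) + os.sep): continue`, would close that. The method also lacks a docstring, for example `"""Yield existing paths under base_folder that match each glob pattern in root_paths."""`. base.py's imports are not shown in this diff, so it is worth confirming that `glob` is imported there now that the helper has moved out of mvt/common/module.py.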
diff --git a/mvt/ios/modules/mixed/webkit_resource_load_statistics.py b/mvt/ios/modules/mixed/webkit_resource_load_statistics.py
index 8e685e5..3b2f3eb 100644
--- a/mvt/ios/modules/mixed/webkit_resource_load_statistics.py
+++ b/mvt/ios/modules/mixed/webkit_resource_load_statistics.py
@@ -76,12 +76,12 @@ class WebkitResourceLoadStatistics(IOSExtraction):
 def run(self):
 if self.is_backup:
 try:
- for backup_file in self._get_files_from_manifest(relative_path=WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH):
+ for backup_file in self._get_backup_files_from_manifest(relative_path=WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH):
 db_path = os.path.join(self.base_folder, backup_file["file_id"][0:2], backup_file["file_id"])
 key = f"{backup_file['domain']}/{WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH}"
 self._process_observations_db(db_path=db_path, key=key)
 except Exception as e:
 self.log.info("Unable to search for WebKit observations.db: %s", e)
 elif self.is_fs_dump:
- for db_path in self._find_paths(WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS):
+ for db_path in self._find_fs_files_from_pattern(WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS):
 self._process_observations_db(db_path=db_path, key=os.path.relpath(db_path, self.base_folder))
diff --git a/mvt/ios/modules/mixed/webkit_session_resource_log.py b/mvt/ios/modules/mixed/webkit_session_resource_log.py
index c9ce8ed..93df003 100644
--- a/mvt/ios/modules/mixed/webkit_session_resource_log.py
+++ b/mvt/ios/modules/mixed/webkit_session_resource_log.py
@@ -14,7 +14,6 @@ from ..base import IOSExtraction
 WEBKIT_SESSION_RESOURCE_LOG_BACKUP_IDS = [
 "a500ee38053454a02e990957be8a251935e28d3f",
 ]
-
 WEBKIT_SESSION_RESOURCE_LOG_ROOT_PATHS = [
 "private/var/mobile/Containers/Data/Application/*/SystemData/com.apple.SafariViewService/Library/WebKit/WebsiteData/full_browsing_session_resourceLog.plist",
 "private/var/mobile/Containers/Data/Application/*/Library/WebKit/WebsiteData/ResourceLoadStatistics/full_browsing_session_resourceLog.plist",
@@ -32,6 +31,8 @@ class WebkitSessionResourceLog(IOSExtraction):
 output_folder=output_folder, fast_mode=fast_mode, log=log, results=results)
+ self.results = {}
+
 def _extract_browsing_stats(self, file_path):
 items = []
@@ -110,32 +111,13 @@ class WebkitSessionResourceLog(IOSExtraction):
 self.log.warning("Found HTTP redirect between suspicious domains: %s", redirect_path)
- def _find_paths(self, root_paths):
- results = {}
- for root_path in root_paths:
- for found_path in glob.glob(os.path.join(self.base_folder, root_path)):
- if not os.path.exists(found_path):
- continue
-
- key = os.path.relpath(found_path, self.base_folder)
- if key not in results:
- results[key] = []
-
- return results
-
 def run(self):
- self.results = {}
-
- try:
+ if self.is_backup:
 self._find_ios_database(backup_ids=WEBKIT_SESSION_RESOURCE_LOG_BACKUP_IDS)
- except FileNotFoundError:
- pass
- else:
- if self.file_path:
- self.results[self.file_path] = self._extract_browsing_stats(self.file_path)
- return
+ self.results[self.file_path] = self._extract_browsing_stats(self.file_path)
+ return
- self.results = self._find_paths(root_paths=WEBKIT_SESSION_RESOURCE_LOG_ROOT_PATHS)
- for log_file in self.results.keys():
+ for log_file in self._find_fs_files_from_pattern(WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS):
 self.log.info("Found Safari browsing session resource log at path: %s", log_file)
- self.results[log_file] = self._extract_browsing_stats(os.path.join(self.base_folder, log_file))
+ key = os.path.relpath(log_file, self.base_folder)
+ self.results[key] = self._extract_browsing_stats(log_file)
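Review bot: The added `self.results = {}` in the `-32,6 +31,8` hunk runs right after the `super().__init__(..., results=results)` call, so any `results` a caller passes to the constructor is replaced with an empty dict. If modules are re-instantiated with previously extracted results to check them against indicators (the base class is not visible here, so this is inferred from the `results` parameter), this module would silently check nothing and report no detections. Keeping the caller's value avoids that: `self.results = {} if not results else results`. `__init__` begins above the hunk.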
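Review bot: In `run()` the filesystem branch now globs `WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS`, whereas this file defines `WEBKIT_SESSION_RESOURCE_LOG_ROOT_PATHS` and the removed code used it. Nothing in this diff imports the other name into the module, so on a filesystem dump this either raises NameError or, if the name is in scope, searches for the wrong files and the session resource log is never parsed. The loop should read `for log_file in self._find_fs_files_from_pattern(WEBKIT_SESSION_RESOURCE_LOG_ROOT_PATHS):`. The backup branch also drops the old `except FileNotFoundError` and `if self.file_path:` guards; how `_find_ios_database` signals a miss is not visible here, but keeping `if self.file_path:` around the `self.results[self.file_path] = ...` assignment would stop a backup that lacks this file from aborting the module.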