mirror of https://github.com/mvt-project/mvt.git
92 lines
3.0 KiB
Python
92 lines
3.0 KiB
Python
# Mobile Verification Toolkit (MVT)
|
|
# Copyright (c) 2021 The MVT Project Authors.
|
|
# Use of this software is governed by the MVT License 1.1 that can be found at
|
|
# https://license.mvt.re/1.1/
|
|
|
|
import sqlite3
|
|
from datetime import datetime
|
|
|
|
from mvt.common.utils import convert_timestamp_to_iso
|
|
|
|
from ..base import IOSExtraction
|
|
|
|
TCC_BACKUP_IDS = [
|
|
"64d0019cb3d46bfc8cce545a8ba54b93e7ea9347",
|
|
]
|
|
TCC_ROOT_PATHS = [
|
|
"private/var/mobile/Library/TCC/TCC.db",
|
|
]
|
|
|
|
AUTH_VALUES = {
|
|
0: "denied",
|
|
1: "unknown",
|
|
2: "allowed",
|
|
3: "limited",
|
|
}
|
|
AUTH_REASONS = {
|
|
1: "error",
|
|
2: "user_consent",
|
|
3: "user_set",
|
|
4: "system_set",
|
|
5: "service_policy",
|
|
6: "mdm_policy",
|
|
7: "override_policy",
|
|
8: "missing_usage_string",
|
|
9: "prompt_timeout",
|
|
10: "preflight_unknown",
|
|
11: "entitled",
|
|
12: "app_type_policy",
|
|
}
|
|
|
|
|
|
class TCC(IOSExtraction):
|
|
"""This module extracts records from the TCC.db SQLite database."""
|
|
|
|
def __init__(self, file_path=None, base_folder=None, output_folder=None,
|
|
fast_mode=False, log=None, results=[]):
|
|
super().__init__(file_path=file_path, base_folder=base_folder,
|
|
output_folder=output_folder, fast_mode=fast_mode,
|
|
log=log, results=results)
|
|
|
|
def process_db(self, file_path):
|
|
conn = sqlite3.connect(file_path)
|
|
cur = conn.cursor()
|
|
cur.execute("""SELECT
|
|
service, client, client_type, auth_value, auth_reason, last_modified
|
|
FROM access;""")
|
|
|
|
for row in cur:
|
|
service = row[0]
|
|
client = row[1]
|
|
client_type = row[2]
|
|
client_type_desc = "bundle_id" if client_type == 0 else "absolute_path"
|
|
auth_value = row[3]
|
|
auth_value_desc = AUTH_VALUES.get(auth_value, "")
|
|
auth_reason = row[4]
|
|
auth_reason_desc = AUTH_REASONS.get(auth_reason, "unknown")
|
|
last_modified = convert_timestamp_to_iso(datetime.utcfromtimestamp((row[5])))
|
|
|
|
if service in ["kTCCServiceMicrophone", "kTCCServiceCamera"]:
|
|
device = "microphone" if service == "kTCCServiceMicrophone" else "camera"
|
|
self.log.info("Found client \"%s\" with access %s to %s on %s by %s",
|
|
client, auth_value_desc, device, last_modified, auth_reason_desc)
|
|
|
|
self.results.append({
|
|
"service": service,
|
|
"client": client,
|
|
"client_type": client_type_desc,
|
|
"auth_value": auth_value_desc,
|
|
"auth_reason_desc": auth_reason_desc,
|
|
"last_modified": last_modified,
|
|
})
|
|
|
|
cur.close()
|
|
conn.close()
|
|
|
|
def run(self):
|
|
self._find_ios_database(backup_ids=TCC_BACKUP_IDS, root_paths=TCC_ROOT_PATHS)
|
|
self.log.info("Found TCC database at path: %s", self.file_path)
|
|
self.process_db(self.file_path)
|
|
|
|
self.log.info("Extracted a total of %d TCC items", len(self.results))
|