Skip to content

Maite modules batch 2 #1301

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Maite modules batch 2 #1301

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
afa6aad
Refactor artifact functions to use context parameter
Maite2003 Oct 8, 2025
3015ff9
Fix timestamp handling in AMDSQLiteDB_UsageEvents
Maite2003 Oct 8, 2025
6c16241
Merge branch 'main' into maite-modules-batch-2
Maite2003 Oct 16, 2025
654c4e9
fix data headers in appConduit
Maite2003 Oct 16, 2025
a4e41ce
Add plist validity check in appGrouplisting
Maite2003 Oct 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 15 additions & 11 deletions scripts/artifacts/AMDSQLiteDB.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,8 @@
"name": "App Usage Events (AMDSQLiteDB)",
"description": "Apple App Store application foreground events",
"author": "@stark4n6",
"date": "2025-07-21",
"creation_date": "2025-07-21",
"last_update_date": "2025-10-08",
"requirements": "none",
"category": "App Usage",
"notes": "",
Expand All @@ -18,7 +19,8 @@
"name": "Device Storage Capacity",
"description": "Shows storage capacity size over time",
"author": "@stark4n6",
"date": "2025-07-21",
"creation_date": "2025-07-21",
"last_update_date": "2025-10-08",
"requirements": "none",
"category": "Device Information",
"notes": "",
Expand All @@ -33,8 +35,7 @@
import urllib.request
import json

from scripts.artifact_report import ArtifactHtmlReport
from scripts.ilapfuncs import artifact_processor, get_file_path, get_sqlite_db_records, attach_sqlite_db_readonly, logfunc
from scripts.ilapfuncs import artifact_processor, get_file_path, get_sqlite_db_records, attach_sqlite_db_readonly, logfunc, convert_unix_ts_to_utc

def get_data_from_itunes(lookup_value, lookup_type):
response_json_data = None
Expand Down Expand Up @@ -78,18 +79,18 @@ def results_for_id(item_record, data_dictionary):
return app_name, bundle_name

@artifact_processor
def AMDSQLiteDB_UsageEvents(files_found, report_folder, seeker, wrap_text, timezone_offset):
def AMDSQLiteDB_UsageEvents(context):
data_list = []
my_data_store = {}

files_found = context.get_files_found()
source_path = get_file_path(files_found, "AMDSQLite.db.0")

storeUserDB = get_file_path(files_found, "storeUser.db")
attach_query = attach_sqlite_db_readonly(storeUserDB, 'storeUser')

query = '''
select
datetime(AMDAppStoreUsageEvents.time/1000,'unixepoch') as "Timestamp",
AMDAppStoreUsageEvents.time,
case AMDAppStoreUsageEvents.type
when "0" then "Install/Update"
when "1" then "Uninstall"
Expand All @@ -110,27 +111,30 @@ def AMDSQLiteDB_UsageEvents(files_found, report_folder, seeker, wrap_text, timez
db_records = get_sqlite_db_records(source_path, query, attach_query)
for record in db_records:
app_name, bundle_name = results_for_id(record[3], process_ids(record[3], my_data_store, 'adamId'))
data_list.append((record[0], record[1], app_name, record[2], record[3], record[4], record[5], record[6], record[7]))
time = convert_unix_ts_to_utc(record[0])
data_list.append((time, record[1], app_name, record[2], record[3], record[4], record[5], record[6], record[7]))

data_headers = (('Timestamp', 'datetime'),'App Action','App Name','Bundle ID','AdamID','App Version','Foreground Duration (Secs)','Apple ID','User ID')
return data_headers, data_list, source_path

@artifact_processor
def AMDSQLiteDB_StorageCapacity(files_found, report_folder, seeker, wrap_text, timezone_offset):
def AMDSQLiteDB_StorageCapacity(context):
data_list = []
files_found = context.get_files_found()
source_path = get_file_path(files_found, "AMDSQLite.db.0")

query = '''
select
datetime(time/1000,'unixepoch'),
time,
availableDeviceCapacityGB,
totalDeviceCapacityGB
from DeviceStorageUsage
'''

db_records = get_sqlite_db_records(source_path, query)
for record in db_records:
data_list.append((record[0], record[1], record[2]))
time = convert_unix_ts_to_utc(record[0])
data_list.append((time, record[1], record[2]))

data_headers = (('Timestamp', 'datetime'),'Available Capacity (GB)','Total Capacity (GB)')
return data_headers, data_list, source_path
5 changes: 3 additions & 2 deletions scripts/artifacts/airdropId.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
"description": "Extract Airdrop ID",
"author": "@AlexisBrignoni",
"creation_date": "2023-10-03",
"last_update_date": "2025-01-28",
"last_update_date": "2025-10-08",
"requirements": "none",
"category": "Identifiers",
"notes": "",
Expand All @@ -17,7 +17,8 @@
from scripts.ilapfuncs import artifact_processor, get_file_path, get_plist_file_content, device_info

@artifact_processor
def airdropId(files_found, report_folder, seeker, wrap_text, timezone_offset):
def airdropId(context):
files_found = context.get_files_found()
source_path = get_file_path(files_found, "com.apple.sharingd.plist")

pl = get_plist_file_content(source_path)
Expand Down
10 changes: 6 additions & 4 deletions scripts/artifacts/allTrails.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
"description": "Extract trail details from AllTrails App",
"author": "@stark4n6",
"creation_date": "2022-04-28",
"last_update_date": "2024-12-17",
"last_update_date": "2025-10-08",
"requirements": "none",
"category": "Health & Fitness",
"notes": "",
Expand All @@ -17,7 +17,7 @@
"description": "Extract user info from AllTrails App",
"author": "@stark4n6",
"creation_date": "2022-04-28",
"last_update_date": "2024-12-17",
"last_update_date": "2025-10-08",
"requirements": "none",
"category": "Health & Fitness",
"notes": "",
Expand All @@ -30,7 +30,8 @@
from scripts.ilapfuncs import artifact_processor, get_file_path, get_sqlite_db_records, convert_cocoa_core_data_ts_to_utc

@artifact_processor
def allTrailsTrailDetails(files_found, report_folder, seeker, wrap_text, timezone_offset):
def allTrailsTrailDetails(context):
files_found = context.get_files_found()
source_path = get_file_path(files_found, "AllTrails.sqlite")
data_list = []

Expand Down Expand Up @@ -87,7 +88,8 @@ def allTrailsTrailDetails(files_found, report_folder, seeker, wrap_text, timezon


@artifact_processor
def allTrailsUserInfo(files_found, report_folder, seeker, wrap_text, timezone_offset):
def allTrailsUserInfo(context):
files_found = context.get_files_found()
source_path = get_file_path(files_found, "AllTrails.sqlite")
data_list = []

Expand Down
4 changes: 2 additions & 2 deletions scripts/artifacts/appConduit.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
i.e. Apple Watch',
'author': '@ydkhatri',
'creation_date': '2020-08-05',
'last_update_date': '2025-09-29',
"last_update_date": "2025-10-08",
'requirements': 'none',
'category': 'App Conduit',
'notes': '',
Expand Down Expand Up @@ -108,6 +108,6 @@ def app_conduit(context):
data_headers = (('Timestamp', 'datetime'), 'Device interaction',
'Device ID', 'Pairing ID', 'Device Type', 'Device Model',
'OS Build', 'OS Version', 'Log File Name')
source_path = ', '.join(source_paths)
source_path = 'see Log File Name for more info'

return data_headers, data_list, source_path
9 changes: 6 additions & 3 deletions scripts/artifacts/appGrouplisting.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
"description": "List can included once installed but not present apps. Each file is named .com.apple.mobile_container_manager.metadata.plist",
"author": "@AlexisBrignoni",
"creation_date": "2020-09-22",
"last_update_date": "2024-12-20",
"last_update_date": "2025-10-08",
"requirements": "none",
"category": "Installed Apps",
"notes": "",
Expand All @@ -20,12 +20,15 @@
from scripts.ilapfuncs import artifact_processor, get_plist_file_content

@artifact_processor
def appGrouplisting(files_found, report_folder, seeker, wrap_text, timezone_offset):
def appGrouplisting(context):
source_path = 'Path column in the report'
data_list = []

for file_found in files_found:
for file_found in context.get_files_found():
plist = get_plist_file_content(file_found)
# Check if plist is a valid parseable object
if not plist or not isinstance(plist, dict):
continue
bundleid = plist['MCMMetadataIdentifier']

p = pathlib.Path(file_found)
Expand Down
Loading