Update BeReal.py by djangofaiola · Pull Request #1139 · abrignoni/iLEAPP · GitHub
Open · wants to merge 4 commits into main

Conversation

djangofaiola
Contributor

Added support for Hackemist SDWebImage Cache, EntitiesStore.sqlite, Cache.db
Fixed minor bugs

@Johann-PLW
Collaborator

Thank you for updating these two modules.
For BeReal module:
I noticed that all records were doubled for Accounts and Friends artifacts. Do they come from a different source file or is it a little bug? Do you have time to have a look?

For Waze module:
We can push the update as it is.
However, I think we can replace the actual output of track_gps_quality with "all" to add kml export as there are latitude and longitude data with a timestamp.
In a near future, we could also split the coordinates column of Favorite locations, Recent locations, Searched locations and Session info artifacts in two separate latitude and longitude columns to add a kml export.

Thank you very much for your contribution.

@djangofaiola
Contributor Author

For BeReal module:
Double/triple records are present in almost all artefacts. Different source files: Cache.db, EntitiesStore.sqlite and various json.
The "Source file name" column contains the list of files.
Can you help me understand why in the html report the column ‘Source file name’ even though I have formatted the cell with <br> does not display the line break? Where am I going wrong?

For Waze module:
I forgot to put the output to “kml” in the update. I replaced the output of track_gps_quality with “all”.
I have already split the coordinate columns into two columns latitude and longitude in the favorite places, recent places, searched places and sessions info artifacts, but I forgot to include the "kml" output.
For the "session info" artifact I have two coordinates with column names other than "Latitude" and "Longitude" and I did not add the output to "kml".
Done!

Thank you all.

@Johann-PLW
Collaborator
Johann-PLW commented May 8, 2025

Hi @djangofaiola,

If you're inserting HTML tags for better rendering in the HTML report, you need to create the html_columns key in the __artifact_v2__ block and specify the column names.

This was documented in the artifact_info_block.md file on the repo in admin/docs but an update last week accidentally removed this part:

  • html_columns: The name of the columns that contain HTML code to render it properly in the HTML report. This key is used to populate the optional argument html_no_escape in the report.write_artifact_data_table() function.

You have an example in splitwiseGroups and splitwiseNotifications artifacts from splitwise.py module.

Thank you very much.
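The html_columns mechanism Johann-PLW describes above has a side the examiner cares about: once a column is declared as HTML it is rendered unescaped, so every other column must still be escaped, and even the HTML column should be assembled from individually escaped file names with only the `<br>` separators trusted. The following is an added example, not iLEAPP's own report writer; the function names render_rows and join_sources and the sample rows are assumptions constructed to show the per-column escaping and what happens when evidence-derived text (a username pulled from a database) contains markup.

```python
import html
from typing import Iterable, Sequence

def join_sources(files: Iterable[str]) -> str:
    """Build a multi-line 'Source file name' cell: escape each file name
    first, then join with <br>. Only the <br> tags are trusted markup."""
    return "<br>".join(html.escape(str(f), quote=True) for f in files)

def render_rows(headers: Sequence[str], rows: Iterable[Sequence[object]],
                html_no_escape: Sequence[str] = ()) -> str:
    """Render rows as HTML table rows. Columns listed in html_no_escape
    (the html_columns idea) are emitted verbatim; every other column is
    HTML-escaped before it reaches the report."""
    raw_cols = {i for i, h in enumerate(headers) if h in html_no_escape}
    out = []
    for row in rows:
        cells = []
        for i, value in enumerate(row):
            text = "" if value is None else str(value)
            if i not in raw_cols:
                text = html.escape(text, quote=True)
            cells.append(f"<td>{text}</td>")
        out.append("<tr>" + "".join(cells) + "</tr>")
    return "\n".join(out)

HEADERS = ("Username", "Source file name")

# Constructed sample rows (assumption). The second username is evidence-
# derived text that contains markup; it must stay inert in the report.
ROWS = [
    ("alice", join_sources(["Cache.db", "EntitiesStore.sqlite"])),
    ("<img src=x onerror=alert(1)>", join_sources(["Cache.db"])),
]

def report_table() -> str:
    """Only 'Source file name' is rendered raw; 'Username' is escaped."""
    return render_rows(HEADERS, ROWS, html_no_escape=("Source file name",))

if __name__ == "__main__":
    print(report_table())
```

The design choice is that the raw column never receives untrusted text directly: join_sources escapes each file name and then adds the line breaks, so a file name containing `<` still shows up as literal text rather than as a tag.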

@JamesHabben
Collaborator

@Johann-PLW did we update the html output engine to take a list of source files? That would be a way better option than injecting formatting tags into the html.

@djangofaiola
Contributor Author

Hi @Johann-PLW ,
Of course, I put the column names in the 'html_columns' key.
My data is formatted in HTML, but the HTML report is missing the tags!
It might be a small bug, or I could be doing something wrong.
I would appreciate it if you could take a look at my code.
Thanks!

@djangofaiola
Contributor Author

@JamesHabben ,
Having the ability to input a list of source files is useful for most situations. In some cases, it might become too long.
In the analysis of BeReal's 'Cache.db', each record could refer to an external file in the fsCachedData subfolder, and the list could become very lengthy.

@djangofaiola
Contributor Author

@Johann-PLW , @JamesHabben Thank you for the great work done

@JamesHabben
Collaborator

@djangofaiola I think I misunderstood then. In other modules where the source files can be a long list and unique for each record, we have gone to adding a source_file column to the table. The artifact level source file value can point to the database where the module is extracting information, and then the record level source file value can point to its specific file path(s) that were interpreted or extracted.

We also have a new media manager library that we are moving modules over to when working with media type files. This will help our new LAVA viewer to enrich these for better examiner review. I forget the module that @Johann-PLW started with though , maybe WhatsApp?

If you are curious, look at the check_in_media function. We are still working on developer documentation for this.

@JamesHabben
Collaborator
JamesHabben commented Jun 13, 2025

Take a look at an example of what I am describing in my last comment. There is a Source File column added on the end of the records to show the plist file where this wifi info came from. Many modules do this in case they are extracting data from multiple files in different paths or names.

import plistlib
# artifact_processor and convert_plist_date_to_timezone_offset are iLEAPP helpers
# from scripts.ilapfuncs; _decode_ssid is the module's own SSID helper.
from scripts.ilapfuncs import artifact_processor, convert_plist_date_to_timezone_offset

@artifact_processor
def appleWifiBSSList(files_found, report_folder, seeker, wrap_text, timezone_offset):
    data_list = []
    for file_found in files_found:
        file_found = str(file_found)
        with open(file_found, 'rb') as f:
            deserialized = plistlib.load(f)
        # Newer known-networks plist: one entry per network, each with a BSSList
        if 'com.apple.wifi.known-networks.plist' in file_found:
            for network_key, known_network in deserialized.items():
                ssid = _decode_ssid(known_network.get('SSID', b''))
                bss_list = known_network.get('BSSList', [])
                for bss in bss_list:
                    channel_flags = bss.get('ChannelFlags', '')
                    channel = bss.get('Channel', '')
                    last_associated_at = convert_plist_date_to_timezone_offset(bss.get('LastAssociatedAt', ''), timezone_offset)
                    bssid = bss.get('BSSID', '')
                    location_accuracy = bss.get('LocationAccuracy', '')
                    location_timestamp = convert_plist_date_to_timezone_offset(bss.get('LocationTimestamp', ''), timezone_offset)
                    location_latitude = bss.get('LocationLatitude', '')
                    location_longitude = bss.get('LocationLongitude', '')
                    data_list.append([
                        ssid, bssid, channel_flags, channel, last_associated_at,
                        location_accuracy, location_timestamp, location_latitude, location_longitude,
                        file_found
                    ])
        # Older plist layout: 'List of known networks' with a different key set
        if 'List of known networks' in deserialized:
            for known_network in deserialized['List of known networks']:
                ssid = known_network.get('SSID_STR', '')
                bss_list = known_network.get('networkKnownBSSListKey', [])
                for bss in bss_list:
                    channel = bss.get('CHANNEL', '')
                    last_roamed = convert_plist_date_to_timezone_offset(bss.get('lastRoamed', ''), timezone_offset)
                    bssid = bss.get('BSSID', '')
                    channel_flags = bss.get('CHANNEL_FLAGS', '')
                    data_list.append([
                        ssid, bssid, channel_flags, channel, last_roamed,
                        '', '', '', '',
                        file_found
                    ])
    data_headers = (
        'SSID', 'BSSID', 'Channel Flags', 'Channel', ('Last Associated/Roamed At', 'datetime'),
        'Location Accuracy', ('Location Timestamp', 'datetime'), 'Location Latitude', 'Location Longitude',
        'Source File'
    )
    # Record-level source is the last column of each row; the artifact-level
    # source is the joined list of every plist that was read.
    return data_headers, data_list, ','.join(files_found)

It ends up in the output like this (screenshot of the report table, with the Source File column at the end, in the original comment).

@JamesHabben
Collaborator

In the analysis of BeReal's 'Cache.db', each record could refer to an external file in the fsCachedData subfolder, and the list could become very lengthy.

So if I am following along properly, you would put the path of the central database file in the overall artifact output source path value, then for each of the records that you parse you would make a column indicating the path to each of the files in subfolders.
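The pattern JamesHabben describes (artifact-level source set to the central database, a record-level column holding the specific cached file) is shown below as an added example with constructed input; it is not iLEAPP code, and the layout `<cache dir>/Cache.db` plus `<cache dir>/fsCachedData/<key>`, the function names and the sample records are assumptions. Because the key that selects the file is itself read from the evidence database, the example also checks that the resolved path stays inside fsCachedData instead of trusting the key.

```python
import posixpath
from typing import List, Optional, Sequence, Tuple

def resolve_cached_file(cache_dir: str, cache_key: str) -> Optional[str]:
    """Map a cache key read from the database to its file under
    <cache_dir>/fsCachedData. Returns None when the key would point
    outside that folder (absolute path, '..' components, empty key)."""
    base = posixpath.normpath(posixpath.join(cache_dir, "fsCachedData"))
    candidate = posixpath.normpath(posixpath.join(base, cache_key))
    if not candidate.startswith(base + "/"):
        return None
    return candidate

HEADERS = ("Request URL", "Source File")

def build_rows(db_path: str, records: Sequence[Tuple[str, str]]
               ) -> Tuple[Tuple[str, ...], List[List[str]], str]:
    """Per-record source path in the last column; the artifact-level
    source returned alongside is the database every row came from."""
    cache_dir = posixpath.dirname(db_path)
    rows: List[List[str]] = []
    for url, key in records:
        target = resolve_cached_file(cache_dir, key)
        if target is None:
            # Keep the row, but say plainly that the key was not followed.
            target = f"{db_path} (unresolved key {key!r})"
        rows.append([url, target])
    return HEADERS, rows, db_path

# Constructed sample (assumption): two ordinary keys and one malformed key
# of the kind a containment check must reject.
CACHE_DB = "/evidence/Library/Caches/Cache.db"
RECORDS = [
    ("https://example.invalid/media/1", "A1B2C3D4"),
    ("https://example.invalid/media/2", "E5F6A7B8"),
    ("https://example.invalid/media/3", "../../Preferences/settings.plist"),
]

def demo() -> Tuple[Tuple[str, ...], List[List[str]], str]:
    return build_rows(CACHE_DB, RECORDS)

if __name__ == "__main__":
    headers, rows, source = demo()
    print("artifact-level source:", source)
    print(headers)
    for row in rows:
        print(row)
```

Rows whose key does not resolve are kept rather than dropped, so the examiner still sees the request and can tell from the Source File cell that the referenced cache file was not opened.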

@JamesHabben
Collaborator

Also @djangofaiola, some new documentation about the media management api is up. Open to feedback and questions.

https://github.com/abrignoni/iLEAPP/wiki/Artifact-Module-API#check_in_media
