plugins.ios package¶

An RVT2 plugin to parse iOS backups.

In order to use these plugins, you’ll need a Tika server and/or an ElasticSearch server running in the network.

Jobs¶

ios: Run all jobs.
plugins.ios.Unback: mount an iOS backup. The backup can be a zip file or a directory.

class plugins.ios.IOSModule(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

A base class for the modules for iOS.

database(path)¶

Submodules¶

plugins.ios.adv_whatsapp module¶

File for conducting a coherence analysis on WhatsApps

class plugins.ios.adv_whatsapp.AdvWhatsapps(config, section=None, local_config=None, from_module=None)¶

Bases: plugins.ios.IOSModule

Class responsible for conducting the coherence analysis on WhatsApps

adv_whatsapp()¶

blacklist(con_storage, out)¶

compare_count(items_storage, out)¶

compare_date(items_search, items_storage, out)¶: Compare dates by id between ChatStorage.sqlite and ChatSearch.sqlite. Write messages with dates differing in more than 10sec

compare_text(items_search, items_storage, out)¶: Compare text by id between ChatStorage.sqlite and ChatSearch.sqlite. Write differences

connect()¶

deleted_items(con_storage, out)¶

get_items_count(con_storage)¶

get_items_date(con_storage, con_search)¶

get_items_text(con_storage, con_search)¶

get_tables(con_storage, con_search, out)¶

last_backup(out)¶: Show last backup date. All message from this date on should be considered unmodified

read_config()¶

Read options from the configuration section.

This method should set default values for all available configuration options. The other module function will safely assume these options have correct values.

run(path)¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

plugins.ios.characterization module¶

class plugins.ios.characterization.Characterization(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

A module that parses the Manifest.plist to characterize the iPhone.

The path is an unbacked iPhone backup. See job plugins.ios.unback.Unback

Configuration:

outfile: Characterization is writen to this file.

read_config()¶

Read options from the configuration section.

This method should set default values for all available configuration options. The other module function will safely assume these options have correct values.

run(path)¶

Parameters: path (str) – The path to the directory where the backup was unbacked.
Returns: An array of a dictionary with the extracted documentation

plugins.ios.cookies module¶

class plugins.ios.cookies.Cookies(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Module to parse and yield cookies at /HomeDomain/Library/Cookies/.

This module looks for these cookie files:

‘/HomeDomain/Library/Cookies/Cookies.binarycookies’
‘/HomeDomain/Library/Cookies/com.apple.appstored.binarycookies’

parse_cookie_file(cookie_file)¶

run(path)¶

Parameters: path (str) – Path to the unbacked backup.
Yields: {"date_creation", "date_expiration", "name", "domain", "value", "cookie_path", "flags"}

plugins.ios.timeline module¶

class plugins.ios.timeline.Timeline(config, section=None, local_config=None, from_module=None)¶

Bases: plugins.ios.IOSModule

Module that parses the file Manifest.db and generates a timeline.

The run method yields an OrderedDict with the fields in TSK3 body file.

Warning

We couldn’t identify a last modification time field in the backup. Last modification time is used instead.

run(path)¶

Parameters: path (str) – The path to the directory where the backup was unbacked.
Yields: An OrderedDict with the fields in TSK3 BODY file.

plugins.ios.unback module¶

This file gets the backup from the variable path and ‘unbacks’ it in the desired extract_path

class plugins.ios.unback.Unback(config, section=None, local_config=None, from_module=None)¶

Bases: plugins.ios.IOSModule

Unback an ios backup directory into a directory.

Currently, only unencrypted backups are supported.

Configuration:

unzip_path: If needed, unzip the source to this path before unbacking.
extract_path: Extract the backup into this path.
unback_cmd: If exists, use this external command to unback. It is a Python string template that receives variables “bk_path” and “extract_path”. An external command might be useful to unback encrypted backups. For example, check https://github.com/dinosec/iphone-dataprotection/blob/master/python_scripts/backup_tool.py

read_config()¶

Read options from the configuration section.

This method should set default values for all available configuration options. The other module function will safely assume these options have correct values.

run(path)¶

Unpacks a directory

Parameters: path (str) – The path to a backup directory or zip file
Returns: An empty array, always.

plugins.ios.whatsapp module¶

class plugins.ios.whatsapp.WhatsApp(config, section=None, local_config=None, from_module=None)¶

Bases: plugins.ios.IOSModule

Parse the WhatsApp iOS database.

Configuration section:: media_outdir: Save media to this directory. It is a python format string, with a parameter message_group message_group: If set, output only messages in this message group start_date: If set, output only messages from this date end_date: If set, output only messages until this date

execute_query(chatstorage_file, cursor)¶

Creates a custom view and executes a query based on the parameters:

message_group
start_date
end_date

Returns a cursor object

filter_query(query)¶: Filter by dates and group

get_media_filename(media_location, message_type, message_group)¶: Get basename of media file related to message

parse_query(line)¶: Parse the query and yields a dictionary

read_config()¶

Read options from the configuration section.

This method should set default values for all available configuration options. The other module function will safely assume these options have correct values.

run(path)¶

Parameters: path (str) – Path to an unbacked backup

status_switcher = {0: 'system', 1: 'sent', 6: 'delivered', 7: 'deleted', 8: 'seen'}¶

type_switcher = {0: 'Text message', 1: 'Image', 2: 'Video', 3: 'Voice/Audio note', 4: 'Contact', 5: 'Location', 7: 'Url', 8: 'Document', 10: 'Key change', 11: 'Video', 14: 'Deleted', 15: 'Image'}¶

class plugins.ios.whatsapp.WhatsAppChatSessions(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Returns all the available chat identifiers in a whatsapp database.

The returned dictionary have a field mesage_group.

run(path=None)¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.