Merge branch 'master' of https://github.com/ydkhatri/mac_apt

plugins/applist.py

@@ -88,7 +88,7 @@ def Plugin_Start(mac_info):
                 if deserialized_plist:
                     parse_appList_plist(deserialized_plist, apps, user_name, source_path)
             else:
-                log.error('Could not open file {}'.format(path))
+                log.error('Could not open file {}'.format(source_path))
 
     if len(apps) > 0:
         PrintAll(apps, mac_info.output_params, '')

plugins/domains.py

@@ -80,7 +80,7 @@ def Plugin_Start_Standalone(input_files_list, output_params):
         success, plist, error = CommonFunctions.ReadPlist(input_path)
         if success:
             ProcessActiveDirectoryPlist(input_path, plist)
-            WriteList('domain details', 'Domain_ActiveDirectory', ad_details, ad_info, mac_info.output_params, input_path)
+            WriteList('domain details', 'Domain_ActiveDirectory', ad_details, ad_info, output_params, input_path)
         else:
             log.error("Failed to read plist " + input_path + " Error was: " + error)
 

plugins/helpers/aff4_helper.py

@@ -43,7 +43,7 @@ def get_sha1_hash(self):
 
         while data:
             hasher.update(data)
-            data = img.read(unit)
+            data = self.read(unit)
             if data:
                 pos += len(data)
                 print(f'Read {pos/(1024*1024)} MB, {pos} bytes')

plugins/helpers/apfs.py

@@ -141,7 +141,7 @@ class ObjType(Enum):
         integrity_meta = 0x1e
         fext_tree = 0x1f
 
-    class ItemType(Enum):
+    class ItemType(Enum): # Not used in DrecHashedRecord as there it is used a flag, which can sometimes be combined
         unknown = 0
         fifo_named_pipe = 1
         character_special_file = 2
@@ -566,7 +566,7 @@ def __init__(self, _io, _parent=None, _root=None):
             self._root = _root if _root else self
             self.node_id = self._io.read_u8le()
             self.date_added = self._io.read_s8le()
-            self.type_item = self._root.ItemType(self._io.read_u2le() & 0xF) #DREC_TYPE_MASK = 0x000f
+            self.type_item = self._io.read_u2le() & 0xF #DREC_TYPE_MASK = 0x000f
             self.xfields = {}
             if _parent.header.data_length > 18:  # extended fields exist!
                 xf_num_exts = self._io.read_u2le()
@@ -938,15 +938,6 @@ def __init__(self, _io, _parent=None, _root=None):
             self.length = self._io.read_u2le()
 
 
-    class XfName(KaitaiStruct):
-        __slots__ = ['_io', '_parent', '_root', 'name']
-        def __init__(self, _io, _parent=None, _root=None):
-            self._io = _io
-            self._parent = _parent
-            self._root = _root if _root else self
-            self.xf_name = (KaitaiStream.bytes_terminate(self._io.read_bytes(name_len), 0, False)).decode("UTF-8", "backslashreplace")
-
-
     class DStream(KaitaiStruct):
         __slots__ = ['_io', '_parent', '_root', 'size', 'alloced_size', 'default_crypto_id', 'total_bytes_written', 'total_bytes_read']
         def __init__(self, _io, _parent=None, _root=None):

plugins/helpers/apfs_reader.py

@@ -636,7 +636,7 @@ def read_entries_for_block(self, block_num, block, no_blk_hdr_force_subtype_fs_t
                     self.num_records_read_batch += 1
                     self.num_records_read_total += 1
                     rec = entry.data
-                    self.dir_records.append([oid, xid, rec.node_id, entry.key.obj_id, rec.date_added, rec.type_item.value, entry.key.content.name, '', None])
+                    self.dir_records.append([oid, xid, rec.node_id, entry.key.obj_id, rec.date_added, rec.type_item, entry.key.content.name, '', None])
                 elif entry_type == self.inode_type: #container.apfs.EntryType.inode.value:
                     self.num_records_read_batch += 1
                     self.num_records_read_total += 1
@@ -1186,9 +1186,7 @@ def GetFileMetadataByPath(self, path):
         return self.GetFileMetadata(where_clause)
 
     def GetFilePathFromCnid(self, cnid):
-        apfs_file_meta = self.GetApfsFileMeta(path)
-        if not apfs_file_meta:
-            apfs_file_meta = self.GetFileMetadataByCnid(cnid)
+        apfs_file_meta = self.GetFileMetadataByCnid(cnid)
         return apfs_file_meta.path
 
     def GetFileMetadata(self, where_clause):

plugins/helpers/common.py

@@ -50,7 +50,9 @@ def ReadMacAbsoluteTime(mac_abs_time): # Mac Absolute time is time epoch beginni
             try:
                 if isinstance(mac_abs_time, str):
                     mac_abs_time = float(mac_abs_time)
-                if mac_abs_time > 0xFFFFFFFF: # more than 32 bits, this should be nano-second resolution timestamp (seen only in HighSierra)
+                if mac_abs_time in (-63114076800, -63114076800000000000) : # MS & Python considers -63113904000 as 01-01-0001, Apple considers -63114076800
+                    return datetime.datetime(1,1,1)
+                if abs(mac_abs_time) > 0xFFFFFFFF: # more than 32 bits, this should be nano-second resolution timestamp (seen only in HighSierra)
                     return datetime.datetime(2001, 1, 1) + datetime.timedelta(seconds=mac_abs_time/1000000000.)
                 return datetime.datetime(2001, 1, 1) + datetime.timedelta(seconds=mac_abs_time)
             except (ValueError, OverflowError, TypeError) as ex:

plugins/helpers/darwin_path_generator.py

@@ -23,6 +23,7 @@
 #                under /var/folders/
 #
 
+import struct
 
 def GetDarwinPath(uuid, uid):
     '''Returns DARWIN_USER_FOLDER path constructed from UUID and UID for 

plugins/helpers/hfs_alt.py

@@ -321,7 +321,7 @@ def getXattrsByPath(self, path):
 
     def getXattrByPath(self, path, name):
         file_id = self.getCnidForPath(path)
-        return self.getXattr(fileID, name)
+        return self.getXattr(file_id, name)
 
     '''	Compression type in Xattr as per apple:
         Source: https://opensource.apple.com/source/copyfile/copyfile-138/copyfile.c.auto.html

plugins/helpers/spotlight_parser.py

@@ -363,7 +363,7 @@ def ParseItem(self, properties, categories, indexes_1, indexes_2):
                                         if len(all_translations) > 2:
                                             log.warning('Encountered more than one control sequence in single translation'
                                                         'string.')
-                                            log.debug('Found this list: {}', other)
+                                            #log.debug('Found this list: {}', other)
                                         value = all_translations[0].decode('utf8', 'backslashreplace')
                                         break # only get first, rest are language variants!
                         elif prop_type & 0x2 == 0x2: #== 0x4A: # ContentTypeTree ItemUserTags

plugins/installhistory.py

@@ -61,7 +61,7 @@ def ReadInstallHistoryPlist(plist, history):
 
 def ParseInstallHistoryFile(input_file):
     history = []
-    success, plist, error = CommonFunctions.ReadPlist(input_path)
+    success, plist, error = CommonFunctions.ReadPlist(input_file)
     if success:
         ReadInstallHistoryPlist(plist, history)
     else:

plugins/netusage.py

@@ -23,7 +23,8 @@
 
 __Plugin_Modes = "MACOS,ARTIFACTONLY,IOS"
 __Plugin_ArtifactOnly_Usage = 'Provide one or more netusage sqlite databases as input to process. This is '\
-                            'located at /private/var/networkd/netusage.sqlite'
+                            'located at /private/var/networkd/netusage.sqlite (<= macOS 10.15)'\
+                            'or /private/var/networkd/db/netusage.sqlite (>= macOS 11)'
 
 log = logging.getLogger('MAIN.' + __Plugin_Name) # Do not rename or remove this ! This is the logger object
 
@@ -96,7 +97,7 @@ def ReadNetUsageDb(db, netusage_items, source):
                 "p.ztimestamp as last_seen_date, "\
                 " lu.ztimestamp as usage_since, "\
                 "lu.zwifiin, lu.zwifiout,lu.zwiredin,lu.zwiredout,lu.zwwanin,lu.zwwanout  "\
-                "FROM zliveusage lu LEFT JOIN zprocess p ON p.z_pk = lu.zhasprocess  "\
+                "FROM zprocess p LEFT JOIN zliveusage lu ON p.z_pk = lu.zhasprocess  "\
                 "LEFT JOIN z_primarykey pk ON p.z_ent = pk.z_ent  "\
                 "ORDER BY process_name"
         db.row_factory = sqlite3.Row
@@ -148,8 +149,19 @@ def ProcessDbFromPath(mac_info, netusage_items, source_path):
 def Plugin_Start(mac_info):
     '''Main Entry point function for plugin'''
     netusage_items = []
-    netusage_path  = '/private/var/networkd/netusage.sqlite'
-
+    netusage_base_path  = '/private/var/networkd'
+    netusage_db_name = 'netusage.sqlite'
+
+    version_info = mac_info.GetVersionDictionary()
+    if version_info['major'] == 10:
+        netusage_path = os.path.join(netusage_base_path, netusage_db_name)
+    elif version_info['major'] == 11:
+        netusage_path = os.path.join(netusage_base_path, 'db', netusage_db_name)
+    else:
+        log.error('Cannot determine OS version.')
+        return
+
+    log.info('OS version: {}.{}.{}'.format(version_info['major'], version_info['minor'], version_info['micro']))
     ProcessDbFromPath(mac_info, netusage_items, netusage_path)
 
     if len(netusage_items) > 0:
@@ -161,6 +173,7 @@ def Plugin_Start_Standalone(input_files_list, output_params):
     log.info("Module Started as standalone")
     for input_path in input_files_list:
         log.debug("Input file passed was: " + input_path)
+        netusage_items = []
         db = OpenDb(input_path)
         if db != None:
             ReadNetUsageDb(db, netusage_items, input_path)

plugins/networking.py

@@ -7,7 +7,6 @@
    
 '''
 
-import binascii
 import logging
 import os
 import re

plugins/spotlightshortcuts.py

@@ -7,10 +7,7 @@
    
 '''
 
-import os
-import sys
 import logging
-import struct
 
 from plugins.helpers.common import CommonFunctions
 from plugins.helpers.macinfo import *
@@ -38,7 +35,7 @@ def PrintAll(shortcut_items, output_params, source_path):
     WriteList("spotlight shortcut information", "SpotlightShortcuts", shortcut_items, shortcut_info, output_params, source_path)
 
 def ParseShortcutFile(input_file, shortcuts):
-    success, plist, error = CommonFunctions.ReadPlist(input_path)
+    success, plist, error = CommonFunctions.ReadPlist(input_file)
     if success:
         ReadShortcutPlist(plist, shortcuts, input_file)
     else:

plugins/sudo_lastrun.py

@@ -100,7 +100,7 @@ def Plugin_Start_Standalone(input_files_list, output_params):
     for input_path in input_files_list:
         log.debug("Input file passed was: " + input_path)
         ## Process the input file here ##
-        f = open(file_path)
+        f = open(input_path)
         if f:
             ProcessTsFile(f, os.path.basename(input_path), input_path, os.path.getsize(input_path), sudo_logs)
             f.close()

plugins/term_sessions.py

@@ -8,7 +8,6 @@
 '''
 
 
-import os
 import binascii
 import logging
 from plugins.helpers.macinfo import *

plugins/users.py

@@ -7,7 +7,6 @@
    
 '''
 
-import os
 import logging
 from plugins.helpers.macinfo import *
 from plugins.helpers.writer import *

plugins/utmpx.py

@@ -14,7 +14,6 @@
 '''
 
 import os
-import sys
 import time
 from construct import *