Parsers for phone artifacts integrating ALeapp/iLeapp about iped HOT 16 OPEN

Next steps:

1. Test on Windows machine
2. Map aleap html fields on IPED default fields. I will implement this to be configured on ALeappConfig.txt. Any objection?
3. Detail specific ALeapp plugins resources. For example, some plugins pass a link to a existing file as an HTML field of the artifact table. This link can be parsed and also saved as such in LINKED_ITEMS metadata.

from iped.

Some logic or code for different Android artifacts could be adapted from https://github.com/sleuthkit/autopsy/tree/develop/InternalPythonModules/android as their license is Apache v2.

Currently IPED has support for python tasks, parsers not yet, but I could add if anyone from python world is interested in contributing. But a number of those artifacts could be decoded in tasks instead of parsers, basically those that will create new case items corresponding to database records (calls, contacts, calendar, sms) storing relevant info in new metadata columns. Items with small text (like sms) could also store text as metadata. Items with very large text to be indexed should be decoded by a parser implementation, except if a subitem is created to store the text by the task.

from iped.

I think that the Telegram/Videogram parser fits here.

from iped.

For sure! There is a specific ticket #177 to track the progress on the telegram parser. Thanks, @hauck-jvsh!

from iped.

Just found this iOS artifacts python parser MIT licensed https://github.com/abrignoni/iLEAPP

from iped.

https://github.com/kacos2000/Queries

from iped.

Just found this iOS artifacts python parser MIT licensed https://github.com/abrignoni/iLEAPP

And this for Android: https://github.com/abrignoni/ALEAPP

from iped.

MIT licensed: https://github.com/den4uk/andriller

from iped.

Just to warn other DEVs and avoid duplicate efforts, @patrickdalla is working on this and should share some ideas and his progress here soon for comments/suggestions.

from iped.

from iped.

I noted that, as I downloaded ALeapp scripts via git, it included git config files, and eclipse PUSH did not recognize these scripts as part of IPED, not pushing them.
Currently (locally) I am embbeding them inside "scripts/tasks/ALEAPP" folder. As the ALeapp license is MIT, I think it can stay as it is. Any objection @lfcnassif @hauck-jvsh ?

Another important note about these scripts is that, to "override" the html generation with IPED items generation code, I had to overwrite the script "scripts/artifact_report.py" with a IPED java class wrapper. So, for any future ALeapp update, we must remember to overwrite this file again.

from iped.

I could find some code that hooks Python module loading, and redirect to a java code to make this change "on-the-fly". This could be and option to avoid this ALeapp upgrade procedure. But, although worked for many python modules, for the ALeapp modules there were some exceptions thrown for which I could not identify the cause/problem, yet. Do you think it worth trying to implement this option, @lfcnassif ?

from iped.

Currently (locally) I am embbeding them inside "scripts/tasks/ALEAPP" folder. As the ALeapp license is MIT, I think it can stay as it is. Any objection @lfcnassif @hauck-jvsh ?

No problem from my side. Another possible option would be to put aleapp into iped/tools folder and reference it from the iped task.

Do you think it worth trying to implement this option, @lfcnassif ?

If it is possible to simplify the dependency upgrade process, I think it is worth to try, instead of having to maintain a dependency patch/fork...

from iped.

I decided to put ALeapp Scripts in tools. They will be downloaded by maven build, avoiding code redudancy inside IPED project tree.

from iped.

I decided to put ALeapp Scripts in tools. They will be downloaded by maven build, avoiding code redudancy inside IPED project tree.

Nice!

from iped.

I could implement the Python module load hook. So, the changes needed in ALeapp code are made by IPED when loading them. It is working and implemented in class PythonHook.
I tryed to implement PythonHook in a decoupled way from ALeapp, so it can be used by some other Python tools. Unfortunatelly JEP does not support the method call with keywords as parameters (named parameters) of java objects. So I had to make a specific method for ALeapp modification.

from iped.