abrignoni · abrignoni · Jan 10, 2023 · Jan 10, 2023
diff --git a/scripts/artifacts/FacebookMessenger.py b/scripts/artifacts/FacebookMessenger.py
@@ -118,13 +118,13 @@ def get_FacebookMessenger(files_found, report_folder, seeker, wrap_text):
             report.write_artifact_data_table(data_headers, data_list, file_found)
             report.end_artifact_report()
 
-            tsvname = f'Facebook Messenger{typeof}-- Chats{usernum}'
+            tsvname = f'Facebook Messenger{typeof}- Chats{usernum}'
             tsv(report_folder, data_headers, data_list, tsvname, source_file)
 
-            tlactivity = f'Facebook Messenger{typeof}-- Chats{usernum}'
+            tlactivity = f'Facebook Messenger{typeof}- Chats{usernum}'
             timeline(report_folder, tlactivity, data_list, data_headers)
         else:
-            logfunc(f'No Facebook{typeof} - Chats data available{usernum}')
+            logfunc(f'No Facebook{typeof}- Chats data available{usernum}')
 
         cursor.execute('''
         select
@@ -199,8 +199,6 @@ def get_FacebookMessenger(files_found, report_folder, seeker, wrap_text):
             tsvname = f'Facebook{typeof}- Contacts{usernum}'
             tsv(report_folder, data_headers, data_list, tsvname, source_file)
 
-            tlactivity = f'Facebook{typeof}- Contacts{usernum}'
-            timeline(report_folder, tlactivity, data_list, data_headers)
         else:
             logfunc(f'No Facebook{typeof}- Contacts data available{usernum}')
 

diff --git a/scripts/artifacts/FilesByGoogle_FilesMaster.py b/scripts/artifacts/FilesByGoogle_FilesMaster.py
@@ -15,14 +15,14 @@ def get_FilesByGoogle_FilesMaster(files_found, report_folder, seeker, wrap_text)
         cursor = db.cursor()
         cursor.execute('''
         select
-            root_path,
-            root_relative_file_path,
-            file_name,
-            size,
             case file_date_modified_ms
                 when 0 then ''
                 else datetime(file_date_modified_ms/1000,'unixepoch')
             end as file_date_modified_ms,
+            root_path,
+            root_relative_file_path,
+            file_name,
+            size,
             mime_type,
             case media_type
                 when 0 then 'App/Data'
@@ -47,7 +47,7 @@ def get_FilesByGoogle_FilesMaster(files_found, report_folder, seeker, wrap_text)
             report = ArtifactHtmlReport('Files by Google - Files Master')
             report.start_artifact_report(report_folder, 'Files by Google - Files Master')
             report.add_script()
-            data_headers = ('Root Path','Root Relative Path','File Name','Size','Date Modified','Mime Type','Media Type','URI','Hidden','Title','Parent Folder') # Don't remove the comma, that is required to make this a tuple as there is only 1 element
+            data_headers = ('Date Modified','Root Path','Root Relative Path','File Name','Size','Mime Type','Media Type','URI','Hidden','Title','Parent Folder') # Don't remove the comma, that is required to make this a tuple as there is only 1 element
             data_list = []
             for row in all_rows:
                 data_list.append((row[0],row[1],row[2],row[3],row[4],row[5],row[6],row[7],row[8],row[9],row[10]))

diff --git a/scripts/artifacts/WhatsApp.py b/scripts/artifacts/WhatsApp.py
@@ -312,7 +312,6 @@ def get_WhatsApp(files_found, report_folder, seeker, wrap_text):
             ELSE "" 
             END AS "Sending Party JID",
             CASE
-
             WHEN message.from_me=0 THEN "Incoming"
             WHEN message.from_me=1 THEN "Outgoing"
             END AS "Message Direction",
@@ -380,9 +379,6 @@ def get_WhatsApp(files_found, report_folder, seeker, wrap_text):
         else:
             logfunc('No WhatsApp - Group Messages found')
 
-
-
-
         try:
             cursor.execute('''
             SELECT
@@ -455,8 +451,6 @@ def get_WhatsApp(files_found, report_folder, seeker, wrap_text):
                     tsvname = "WhatsApp - User Profile"
                     tsv(report_folder, data_headers, data_list,tsvname)
 
-                    tlactivity = "WhatsApp - User Profile"
-                    timeline(report_folder, tlactivity, data_list, data_headers)
                 else:
                     logfunc("No WhatsApp - Profile data found")
 

diff --git a/scripts/artifacts/airGuard.py b/scripts/artifacts/airGuard.py
@@ -35,7 +35,11 @@ def get_airGuard(files_found, report_folder, seeker, wrap_text):
         data_headers_kml = ('Timestamp','Time (Local)','Device MAC Address','Latitude','Longitude','Signal Strength (RSSI)','First Time Device Seen','Last Time User Notified') 
         data_list = []
         for row in all_rows:
-            data_list.append((row[0],row[1],row[2],row[3],row[4],row[5],row[6],row[7]))
+            last_time_dev_seen = str(row[0]).replace("T", " ")
+            time_local = str(row[1]).replace("T", " ")
+            first_time_dev_seen = str(row[6]).replace("T", " ")
+            last_time_user_notified = str(row[7]).replace("T", " ")
+            data_list.append((last_time_dev_seen,time_local,row[2],row[3],row[4],row[5],first_time_dev_seen,last_time_user_notified))
 
         report.write_artifact_data_table(data_headers, data_list, file_found)
         report.end_artifact_report()

diff --git a/scripts/artifacts/bumble.py b/scripts/artifacts/bumble.py
@@ -550,8 +550,6 @@ def get_bumble(files_found, report_folder, seeker, wrap_text):
             tsvname = f'Bumble - User Settings'
             tsv(report_folder, data_headers, data_list, tsvname)
 
-            tlactivity = f'Bumble - User Settings'
-            timeline(report_folder, tlactivity, data_list, data_headers)
         else:
             logfunc('No Bumble - User Settings data available')
 

diff --git a/scripts/artifacts/clipBoard.py b/scripts/artifacts/clipBoard.py
@@ -44,22 +44,22 @@ def get_clipBoard(files_found, report_folder, seeker, wrap_text):
                         path = file_found
                         modtime = os.path.getmtime(file_found)
                         modtime = time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(modtime))
-                        data_list.append((thumb, modtime, path))
+                        data_list.append((modtime, thumb, path))
                 else:
                     #print('Outside of Matching')
                     path = file_found
                     textdata = triage_text(file_found)
                     modtime = os.path.getmtime(file_found)
                     modtime = time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(modtime))
-                    data_list.append((textdata, modtime, path))
+                    data_list.append((modtime, textdata, path))
 
 
 
     if len(data_list) > 0:
         report = ArtifactHtmlReport('Clipboard Data')
         report.start_artifact_report(report_folder, f'Clipboard Data')
         report.add_script()
-        data_headers = ('Data', 'Modified Time', 'Path')
+        data_headers = ('Modified Time', 'Data', 'Path')
         report.write_artifact_data_table(data_headers, data_list, file_found, html_escape=False)
         report.end_artifact_report()
 

diff --git a/scripts/artifacts/contacts.py b/scripts/artifacts/contacts.py
@@ -65,9 +65,6 @@ def get_contacts(files_found, report_folder, seeker, wrap_text):
 
             tsvname = f'Contacts'
             tsv(report_folder, data_headers, data_list, tsvname, source_file)
-
-            tlactivity = f'Contaccts'
-            timeline(report_folder, tlactivity, data_list, data_headers)
 
         else:
             logfunc('No Contacts found')

diff --git a/scripts/artifacts/gboard.py b/scripts/artifacts/gboard.py
@@ -100,10 +100,10 @@ def read_trainingcache2(file_found, report_folder, seeker):
         report.start_artifact_report(report_folder, f'{file_name}', description)
         report.add_script()
 
-        data_headers = ('Id','Text','App','Input Name','Input ID','Event Timestamp')
+        data_headers = ('Event Timestamp','ID','Text','App','Input Name','Input ID')
         data_list = []
         for ke in keyboard_events:
-            data_list.append((ke.id, ke.text, ke.app, ke.textbox_name, ke.textbox_id, ke.event_date))
+            data_list.append((ke.event_date, ke.id, ke.text, ke.app, ke.textbox_name, ke.textbox_id))
 
         report.write_artifact_data_table(data_headers, data_list, file_found)
         report.end_artifact_report()
@@ -187,10 +187,10 @@ def read_trainingcachev2(file_found, report_folder, seeker):
         report.start_artifact_report(report_folder, f'{file_name}', description)
         report.add_script()
 
-        data_headers = ('Id','Text','App','Input Name','Input ID','Event Timestamp')
+        data_headers = ('Event Timestamp','ID','Text','App','Input Name','Input ID')
         data_list = []
         for ke in keyboard_events:
-            data_list.append((ke.id, ke.text, ke.app, ke.textbox_name, ke.textbox_id, ke.event_date))
+            data_list.append((ke.event_date, ke.id, ke.text, ke.app, ke.textbox_name, ke.textbox_id))
 
         report.write_artifact_data_table(data_headers, data_list, file_found)
         report.end_artifact_report()
@@ -217,9 +217,9 @@ def read_trainingcachev3_sessions(file_found, report_folder, seeker):
     # Sessions
     sql = """
         SELECT
-            session._session_id AS Session,
             datetime(session._session_id / 1000, 'unixepoch') AS Start,
             datetime(session._timestamp_ / 1000, 'unixepoch') AS Finish,
+            session._session_id AS Session,
             session.package_name AS Application 
         FROM 
             session
@@ -228,7 +228,7 @@ def read_trainingcachev3_sessions(file_found, report_folder, seeker):
     results = cursor.fetchall()
 
     if results:
-        data_headers = ("Session ID", "Start", "Finish", "Application")
+        data_headers = ("Start", "Finish", "Session ID", "Application")
         data_list = results
 
         description = "GBoard Sessions"
@@ -239,6 +239,8 @@ def read_trainingcachev3_sessions(file_found, report_folder, seeker):
         report.end_artifact_report()
 
         tsv(report_folder, data_headers, data_list, title)
+
+        timeline(report_folder, title, data_list, data_headers)
 
     # Close
     conn.close()

diff --git a/scripts/artifacts/googleCalendar.py b/scripts/artifacts/googleCalendar.py
@@ -86,7 +86,10 @@ def get_calendar(files_found, report_folder, seeker, wrap_text):
     cursor = db.cursor()
     cursor.execute('''
     select
-    datetime(cal_sync8/1000,'unixepoch') as "Last Synced Timestamp",
+    case
+		when cal_sync8 is NULL then ''
+		else datetime(cal_sync8/1000,'unixepoch')
+	end,
     name,
     calendar_displayName,
     account_name,

diff --git a/scripts/artifacts/mewe.py b/scripts/artifacts/mewe.py
@@ -31,7 +31,6 @@
     JOIN CHAT_THREAD ON threadId = CHAT_THREAD.id
 '''
 
-
 def _perform_query(cursor, query):
     try:
         cursor.execute(query)

diff --git a/scripts/artifacts/snapchat.py b/scripts/artifacts/snapchat.py
@@ -11,9 +11,9 @@
 # Last actions taken in the application and who did them
 FEED_QUERY = '''
     SELECT
+        DATETIME(lastInteractionTimestamp/1000, 'unixepoch', 'localtime'),
         key,
         displayInteractionType,
-        DATETIME(lastInteractionTimestamp/1000, 'unixepoch', 'localtime'),
         DATETIME(lastReadTimestamp/1000, 'unixepoch', 'localtime'),
         lastReader,
         DATETIME(lastWriteTimestamp/1000, 'unixepoch', 'localtime'),
@@ -171,7 +171,7 @@ def _parse_feeds(feeds_count, rows, report_folder, db_file_name):
     logfunc(f'{feeds_count} feeds found')
 
     data_headers = (
-        'Key', 'Display Interaction Type', 'Last Interaction Timestamp',
+        'Last Interaction Timestamp','Key', 'Display Interaction Type',
         'Last Read Timestamp', 'Last Reader', 'Last Write Timestamp',
         'Last Writer', 'Last Write Type'
     )

diff --git a/scripts/artifacts/swellbeing.py b/scripts/artifacts/swellbeing.py
@@ -39,14 +39,13 @@ def get_swellbeing(files_found, report_folder, seeker, wrap_text):
         END as eventTypeDescription
         FROM usageEvents
         INNER JOIN foundPackages ON usageEvents.pkgId=foundPackages.pkgId
-
         ''')
 
         all_rows = cursor.fetchall()
         usageentries = len(all_rows)
         if usageentries > 0:
-            report = ArtifactHtmlReport('Samsung Wellbeing events')
-            report.start_artifact_report(report_folder, 'Events')
+            report = ArtifactHtmlReport('Samsung Digital Wellbeing - Events')
+            report.start_artifact_report(report_folder, 'Samsung Digital Wellbeing - Events')
             report.add_script()
             data_headers = ('Timestamp','Event ID','Package Name','Event Type','Event Type Description')
             data_list = []
@@ -56,19 +55,19 @@ def get_swellbeing(files_found, report_folder, seeker, wrap_text):
             report.write_artifact_data_table(data_headers, data_list, file_found)
             report.end_artifact_report()
 
-            tsvname = f'samsung wellbeing - events'
+            tsvname = f'Samsung Digital Wellbeing - Events'
             tsv(report_folder, data_headers, data_list, tsvname)
 
-            tlactivity = f'Samsung Wellbeing - Events'
+            tlactivity = f'Samsung Digital Wellbeing - Events'
             timeline(report_folder, tlactivity, data_list, data_headers)
         else:
-            logfunc('No Samsung Wellbeing event data available')
+            logfunc('No Samsung Digital Wellbeing - Events data available')
 
         db.close()
 
 __artifacts__ = {
         "swellbeing": (
-                "Wellbeing",
+                "Digital Wellbeing",
                 ('*/com.samsung.android.forest/databases/dwbCommon.db*'),
                 get_swellbeing)
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -31,7 +31,6 @@ @@
         JOIN CHAT_THREAD ON threadId = CHAT_THREAD.id
     '''
     def _perform_query(cursor, query):
         try:
             cursor.execute(query)
@@ Expand Down @@