abrignoni · abrignoni · Oct 12, 2023 · Oct 12, 2023
diff --git a/scripts/artifacts/Cast.py b/scripts/artifacts/Cast.py
@@ -1,3 +1,18 @@
+__artifacts_v2__ = {
+    "Cast": {
+        "name": "Cast",
+        "description": "Parses Cast device information",
+        "author": "@deagler4n6",
+        "version": "0.0.2",
+        "date": "2021-01-11",
+        "requirements": "none",
+        "category": "Cast",
+        "notes": "2023-10-12 - Updated by @KevinPagano3",
+        "paths": ('*/com.google.android.gms/databases/cast.db*'),
+        "function": "get_Cast"
+    }
+}
+
 import sqlite3
 import textwrap
 
@@ -6,50 +21,59 @@
 
 def get_Cast(files_found, report_folder, seeker, wrap_text, time_offset):
 
-    file_found = str(files_found[0])
-    db = open_sqlite_db_readonly(file_found)
-    cursor = db.cursor()
-    cursor.execute('''
-    SELECT
-        case last_published_timestamp_millis
-            when 0 then ''
-            else datetime(last_published_timestamp_millis/1000, 'unixepoch')
-        end as "Last Published Timestamp",
-        device_id,
-        capabilities,
-        device_version,
-        friendly_name,
-        model_name,
-        receiver_metrics_id,
-        service_instance_name,
-        service_address,
-        service_port,
-        supported_criteria,
-        rcn_enabled_status,
-        hotspot_bssid,
-        cloud_devcie_id,
-        case last_discovered_timestamp_millis
-            when 0 then ''
-            else datetime(last_discovered_timestamp_millis/1000, 'unixepoch')
-        end as "Last Discovered Timestamp",
-        case last_discovered_by_ble_timestamp_millis
-            when 0 then ''
-            else datetime(last_discovered_by_ble_timestamp_millis/1000, 'unixepoch')
-        end as "Last Discovered By BLE Timestamp"
-    from DeviceInfo
-    ''')
+    data_list = []
+
+    for file_found in files_found:
+        file_found = str(file_found)
+
+        if file_found.endswith('cast.db'):
+            db = open_sqlite_db_readonly(file_found)
+            cursor = db.cursor()
+            cursor.execute('''
+            SELECT
+            case last_published_timestamp_millis
+                when 0 then ''
+                else datetime(last_published_timestamp_millis/1000, 'unixepoch')
+            end as "Last Published Timestamp",
+            device_id,
+            capabilities,
+            device_version,
+            friendly_name,
+            model_name,
+            receiver_metrics_id,
+            service_instance_name,
+            service_address,
+            service_port,
+            supported_criteria,
+            rcn_enabled_status,
+            hotspot_bssid,
+            cloud_devcie_id,
+            case last_discovered_timestamp_millis
+                when 0 then ''
+                else datetime(last_discovered_timestamp_millis/1000, 'unixepoch')
+            end as "Last Discovered Timestamp",
+            case last_discovered_by_ble_timestamp_millis
+                when 0 then ''
+                else datetime(last_discovered_by_ble_timestamp_millis/1000, 'unixepoch')
+            end as "Last Discovered By BLE Timestamp"
+            from DeviceInfo
+            ''')
 
-    all_rows = cursor.fetchall()
-    usageentries = len(all_rows)
-    if usageentries > 0:
+            all_rows = cursor.fetchall()
+            usageentries = len(all_rows)
+            if usageentries > 0:
+                for row in all_rows:
+                    data_list.append((row[0],row[1],row[2],row[3],row[4],row[5],row[6],row[7],row[8],row[9],row[10],row[11],row[12],row[13],row[14],row[15],file_found))
+            db.close()
+        else:
+            continue # Skip all other files
+
+    if data_list:
         report = ArtifactHtmlReport('Cast')
         report.start_artifact_report(report_folder, 'Cast')
         report.add_script()
-        data_headers = ('Last Published Timestamp','Device ID (SSDP UDN)','Capabilities','Device Version','Device Friendly Name','Device Model Name','Receiver Metrics ID','Service Instance Name','Device IP Address','Device Port','Supported Criteria','RCN Enabled Status','Hotspot BSSID','Cloud Device ID','Last Discovered Timestamp','Last Discovered By BLE Timestamp') 
-        data_list = []
-        for row in all_rows:
-            data_list.append((row[0],row[1],row[2],row[3],row[4],row[5],row[6],row[7],row[8],row[9],row[10],row[11],row[12],row[13],row[14],row[15]))
-
+        data_headers = ('Last Published Timestamp','Device ID (SSDP UDN)','Capabilities','Device Version','Device Friendly Name','Device Model Name','Receiver Metrics ID','Service Instance Name','Device IP Address','Device Port','Supported Criteria','RCN Enabled Status','Hotspot BSSID','Cloud Device ID','Last Discovered Timestamp','Last Discovered By BLE Timestamp','Source') 
+
         report.write_artifact_data_table(data_headers, data_list, file_found)
         report.end_artifact_report()
 
@@ -59,13 +83,4 @@ def get_Cast(files_found, report_folder, seeker, wrap_text, time_offset):
         tlactivity = f'Cast'
         timeline(report_folder, tlactivity, data_list, data_headers)
     else:
-        logfunc('No Cast data available')
-
-    db.close()
-
-__artifacts__ = {
-        "Cast": (
-                "Cast",
-                ('*/com.google.android.gms/databases/cast.db'),
-                get_Cast)
-}
+        logfunc('No Cast data available')
diff --git a/scripts/artifacts/SimpleStorage_applaunch.py b/scripts/artifacts/SimpleStorage_applaunch.py
@@ -1,8 +1,17 @@
-# Module Description: Parses SimpleStorage for application launch
-# Author: @KevinPagano3 (Twitter) / stark4n6@infosec.exchange (Mastodon)
-# Date: 2022-12-13
-# Artifact version: 0.0.1
-# Much thanks to Josh Hickman (@josh_hickman1) for the research, testing and query
+__artifacts_v2__ = {
+    "SimpleStorage_applaunch": {
+        "name": "SimpleStorage",
+        "description": "Parses SimpleStorage for application launch",
+        "author": "@KevinPagano3",
+        "version": "0.0.1",
+        "date": "2022-12-13",
+        "requirements": "none",
+        "category": "Android System Intelligence",
+        "notes": "Much thanks to Josh Hickman (@josh_hickman1) for the research, testing and query",
+        "paths": ('*/com.google.android.as/databases/SimpleStorage*',),
+        "function": "get_SimpleStorage_applaunch"
+    }
+}
 
 import os
 import sqlite3
@@ -14,63 +23,59 @@
 
 def get_SimpleStorage_applaunch(files_found, report_folder, seeker, wrap_text, time_offset):
 
+    data_list = []
+
     for file_found in files_found:
         file_name = str(file_found)
 
-        if not os.path.basename(file_name) == 'SimpleStorage': # skip -journal and other files
-            continue
+        if file_name.endswith('SimpleStorage'): # skip -journal and other files
 
-        db = open_sqlite_db_readonly(file_name)
-
-        cursor = db.cursor()
-        cursor.execute('''
-        SELECT DISTINCT
-        datetime(EchoAppLaunchMetricsEvents.timestampMillis/1000,'unixepoch') AS "Time App Launched",
-        EchoAppLaunchMetricsEvents.packageName AS "App",
-        CASE
-        WHEN EchoAppLaunchMetricsEvents.launchLocationId=1 THEN "Home Screen"
-        WHEN EchoAppLaunchMetricsEvents.launchLocationId=2 THEN "Suggested Apps (Home Screen)"
-        WHEN EchoAppLaunchMetricsEvents.launchLocationId=4 THEN "App Drawer"
-        WHEN EchoAppLaunchMetricsEvents.launchLocationId=7 THEN "Suggested Apps (App Drawer)"
-        WHEN EchoAppLaunchMetricsEvents.launchLocationId=8 THEN "Search (Top of App Drawer/GSB)"
-        WHEN EchoAppLaunchMetricsEvents.launchLocationId=12 THEN "Recent Apps/Multi-Tasking Menu"
-        WHEN EchoAppLaunchMetricsEvents.launchLocationId=1000 THEN "Notification"
-        ELSE EchoAppLaunchMetricsEvents.launchLocationId
-        END AS "Launched From"
-        FROM EchoAppLaunchMetricsEvents
-        ''')
+            db = open_sqlite_db_readonly(file_name)
+            cursor = db.cursor()
+            cursor.execute('''
+            SELECT DISTINCT
+            datetime(EchoAppLaunchMetricsEvents.timestampMillis/1000,'unixepoch') AS "Time App Launched",
+            EchoAppLaunchMetricsEvents.packageName AS "App",
+            CASE
+            WHEN EchoAppLaunchMetricsEvents.launchLocationId=1 THEN "Home Screen"
+            WHEN EchoAppLaunchMetricsEvents.launchLocationId=2 THEN "Suggested Apps (Home Screen)"
+            WHEN EchoAppLaunchMetricsEvents.launchLocationId=4 THEN "App Drawer"
+            WHEN EchoAppLaunchMetricsEvents.launchLocationId=7 THEN "Suggested Apps (App Drawer)"
+            WHEN EchoAppLaunchMetricsEvents.launchLocationId=8 THEN "Search (Top of App Drawer/GSB)"
+            WHEN EchoAppLaunchMetricsEvents.launchLocationId=12 THEN "Recent Apps/Multi-Tasking Menu"
+            WHEN EchoAppLaunchMetricsEvents.launchLocationId=1000 THEN "Notification"
+            ELSE EchoAppLaunchMetricsEvents.launchLocationId
+            END AS "Launched From"
+            FROM EchoAppLaunchMetricsEvents
+            ''')
 
-        all_rows = cursor.fetchall()
-        usageentries = len(all_rows)
-        if usageentries > 0:
-            description = ''
-            report = ArtifactHtmlReport('SimpleStorage - App Launch')
-            report.start_artifact_report(report_folder, 'SimpleStorage - App Launch')
-            report.add_script()
-            data_headers = ('App Launched Timestamp','App Name','Launched From')
-            data_list = []
-            data_list_stripped = []
-            for row in all_rows:
-
-                data_list.append((row[0],row[1],row[2]))
-
-            report.write_artifact_data_table(data_headers, data_list, file_found)
-            report.end_artifact_report()
-
-            tsvname = f'SimpleStorage - App Launch'
-            tsv(report_folder, data_headers, data_list, tsvname)
-
-            tlactivity = f'SimpleStorage - App Launch'
-            timeline(report_folder, tlactivity, data_list, data_headers)
-
+            all_rows = cursor.fetchall()
+            usageentries = len(all_rows)
+            if usageentries > 0:
+                for row in all_rows:
+                    data_list.append((row[0],row[1],row[2], file_found))
+            db.close()
+
         else:
-            logfunc('SimpleStorage - App Launch data available') 
+            continue # Skip all other files
+
+    if data_list:
+        description = ''
+        report = ArtifactHtmlReport('SimpleStorage - App Launch')
+        report.start_artifact_report(report_folder, 'SimpleStorage - App Launch')
+        report.add_script()
+        data_headers = ('App Launched Timestamp','App Name','Launched From', 'Source')
+
+        report.write_artifact_data_table(data_headers, data_list, file_found)
+        report.end_artifact_report()
+
+        tsvname = f'SimpleStorage - App Launch'
+        tsv(report_folder, data_headers, data_list, tsvname)
+
+        tlactivity = f'SimpleStorage - App Launch'
+        timeline(report_folder, tlactivity, data_list, data_headers)
+
+    else:
+        logfunc('SimpleStorage - App Launch data available')
 
-        db.close()
 
-__artifacts__ = {
-        "SimpleStorage_applaunch": (
-                "Android System Intelligence",
-                ('*/com.google.android.as/databases/SimpleStorage*'),
-                get_SimpleStorage_applaunch)
-}
diff --git a/scripts/artifacts/Turbo_AppUsage.py b/scripts/artifacts/Turbo_AppUsage.py
@@ -1,3 +1,18 @@
+__artifacts_v2__ = {
+    "Turbo_AppUsage": {
+        "name": "Turbo_AppUsage",
+        "description": "Parses application usage via Device Health Services",
+        "author": "@KevinPagano3",
+        "version": "0.0.1",
+        "date": "2021-06-29",
+        "requirements": "none",
+        "category": "Device Health Services",
+        "notes": "",
+        "paths": ('*/com.google.android.apps.turbo/shared_prefs/app_usage_stats.xml'),
+        "function": "get_Turbo_AppUsage"
+    }
+}
+
 import datetime
 import struct
 import xml.etree.ElementTree as ET
@@ -33,7 +48,7 @@ def get_Turbo_AppUsage(files_found, report_folder, seeker, wrap_text, time_offse
         report = ArtifactHtmlReport('Turbo - Application Usage')
         report.start_artifact_report(report_folder, f'Turbo - Application Usage')
         report.add_script()
-        data_headers = ('App Launch Timestamp','App Name','File Path')
+        data_headers = ('App Launch Timestamp','App Name','Source')
         report.write_artifact_data_table(data_headers, data_list, file_found)
         report.end_artifact_report()
 
@@ -45,9 +60,3 @@ def get_Turbo_AppUsage(files_found, report_folder, seeker, wrap_text, time_offse
     else:
         logfunc(f'No Turbo - Application Usage data available')
 
-__artifacts__ = {
-        "Turbo_AppUsage": (
-                "Device Health Services",
-                ('*/com.google.android.apps.turbo/shared_prefs/app_usage_stats.xml'),
-                get_Turbo_AppUsage)
-}