From d1f4212df5d83c565bb696854057aa292e36ec72 Mon Sep 17 00:00:00 2001 From: stuartjash Date: Fri, 1 Apr 2022 08:20:30 -0700 Subject: [PATCH 01/10] username updates and cleanup --- artifacts/ShellHistoryAndProfiles.swift | 22 +++++++++++------- artifacts/TCC.swift | 7 +++++- filesystem/browsers/Brave.swift | 12 ++++++---- filesystem/browsers/Chrome.swift | 30 ++++++++++++++++--------- filesystem/browsers/Firefox.swift | 12 ++++++---- filesystem/browsers/Opera.swift | 6 +++-- filesystem/browsers/Safari.swift | 12 ++++++---- 7 files changed, 68 insertions(+), 33 deletions(-) diff --git a/artifacts/ShellHistoryAndProfiles.swift b/artifacts/ShellHistoryAndProfiles.swift index 9d86c9a..7cd59ca 100644 --- a/artifacts/ShellHistoryAndProfiles.swift +++ b/artifacts/ShellHistoryAndProfiles.swift 
@@ -26,24 +26,30 @@ class BashProfiles: ArtifactsModule { let globalFiles = ["/etc/profile", "/etc/zshenv", "/etc/zprofile", "/etc/zshrc", "/etc/zlogin", "/etc/zlogout"] // for each user, copy the shell historys and profiles - if let users = self.users { - for user in users { - for filename in userFiles { - let path = URL(fileURLWithPath: "\(user.homedir)/\(filename)") + let users = getUsersOnSystem() + for user in users { + for filename in userFiles { + let path = URL(fileURLWithPath: "\(user.homedir)/\(filename)") + if (filemanager.fileExists(atPath: path.path)) { let newFileName = "\(user.username)_\(filename)" self.copyFileToCase(fileToCopy: path, toLocation: self.profilesDir, newFileName: newFileName) - } + } else { continue } + } } + // Copy all the global files for file in globalFiles { let fileUrl = URL(fileURLWithPath: file) - let filename = fileUrl.lastPathComponent - let newFileName = "etc_\(filename)" - self.copyFileToCase(fileToCopy: fileUrl, toLocation: self.profilesDir, newFileName: newFileName) + if (filemanager.fileExists(atPath: fileUrl.path)) { + let filename = fileUrl.lastPathComponent + let newFileName = "etc_\(filename)" + self.copyFileToCase(fileToCopy: fileUrl, toLocation: self.profilesDir, newFileName: newFileName) + } else { continue } } + self.log("Finished collecting shell history and profile information...") } } diff --git a/artifacts/TCC.swift b/artifacts/TCC.swift index eadbe55..6c36c4c 100644 --- a/artifacts/TCC.swift +++ b/artifacts/TCC.swift 
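Review bot: The `else { continue }` added after each new `if (filemanager.fileExists(atPath: ...))` block is a no-op, because the `if` is the last statement of its loop body and control falls through to the next iteration anyway; dropping both `else` clauses leaves behaviour unchanged and reads cleaner. A missing profile file is now skipped silently, so a short `self.log("Skipping missing \(path.path)")` in place of the `else` would let the case log distinguish "file absent" from "copy failed". The `userFiles` declaration and the start of the enclosing method lie above the hunk.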
@@ -16,7 +16,12 @@ class TCC: ArtifactsModule { } func getTCC() { - let fileURL = try! filemanager.url(for: .applicationSupportDirectory, in: .userDomainMask, appropriateFor: nil, create: false).appendingPathComponent("com.apple.TCC/TCC.db") + let username = getUsersOnSystem() + let local_name = username[0].username + + let fileURL = URL(fileURLWithPath: "/Users/\(local_name)/Library/Application Support/com.apple.TCC/TCC.db") +// let fileURL = try! filemanager.url(for: .applicationSupportDirectory, in: .userDomainMask, appropriateFor: nil, create: false).appendingPathComponent("com.apple.TCC/TCC.db") + self.copyFileToCase(fileToCopy: fileURL, toLocation: tccDir) let capturedTCC = self.createNewCaseFile(dirUrl: self.moduleDirRoot, filename: "tccItems.txt") diff --git a/filesystem/browsers/Brave.swift b/filesystem/browsers/Brave.swift index 37634fb..18be18f 100644 --- a/filesystem/browsers/Brave.swift +++ b/filesystem/browsers/Brave.swift @@ -18,8 +18,10 @@ class Brave: BrowserModule { } func getContents() { - let username = NSUserName() - let path = "/Users/\(username)/Library/Application Support/BraveSoftware/Brave-Browser/Default" + let username = getUsersOnSystem() + let local_name = username[0].username + + let path = "/Users/\(local_name)/Library/Application Support/BraveSoftware/Brave-Browser/Default" let files = filemanager.filesInDirRecursive(path: path) for file in files { @@ -60,8 +62,10 @@ class Brave: BrowserModule { } func dumpCookies() { - let username = NSUserName() - let file = URL(fileURLWithPath: "/Users/\(username)/Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies") + let username = getUsersOnSystem() + let local_name = username[0].username + + let file = URL(fileURLWithPath: "/Users/\(local_name)/Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies") self.addTextToFile(atUrl: self.writeFile, text: "----- Brave Cookies: -----\n") 
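Review bot: `username[0].username` traps if `getUsersOnSystem()` returns an empty array, and on a multi-user host it silently picks whichever account is listed first, so the TCC database is collected for an arbitrary user rather than every user. The `User` value already carries `homedir`, so the path should come from it instead of hard-coding `/Users/`, and the collection should iterate, e.g. `for user in getUsersOnSystem() { let fileURL = URL(fileURLWithPath: "\(user.homedir)/Library/Application Support/com.apple.TCC/TCC.db") ... }`. The removed `try!` line was the previous crash path; the new index is a new one. The same `username[0]` / `/Users/\(local_name)` pattern is repeated in every Brave, Chrome, Firefox, Opera and Safari hunk of this patch and should be fixed the same way. The rest of `getTCC()` is outside the hunk.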
diff --git a/filesystem/browsers/Chrome.swift b/filesystem/browsers/Chrome.swift index d3c193b..ed5c81b 100644 --- a/filesystem/browsers/Chrome.swift +++ b/filesystem/browsers/Chrome.swift @@ -18,8 +18,10 @@ class Chrome: BrowserModule { } func gatherHistory() { - let username = NSUserName() - let file = URL(fileURLWithPath: "/Users/\(username)/Library/Application Support/Google/Chrome/Default/History") + let username = getUsersOnSystem() + let local_name = username[0].username + + let file = URL(fileURLWithPath: "/Users/\(local_name)/Library/Application Support/Google/Chrome/Default/History") self.addTextToFile(atUrl: self.writeFile, text: "\n----- Chrome History: -----\n") @@ -52,8 +54,10 @@ class Chrome: BrowserModule { } func dumpDownloads() { - let username = NSUserName() - let file = URL(fileURLWithPath: "/Users/\(username)/Library/Application Support/Google/Chrome/Default/History") + let username = getUsersOnSystem() + let local_name = username[0].username + + let file = URL(fileURLWithPath: "/Users/\(local_name)/Library/Application Support/Google/Chrome/Default/History") self.addTextToFile(atUrl: self.writeFile, text: "----- Chrome Downloads: -----\n") @@ -105,8 +109,10 @@ class Chrome: BrowserModule { // TODO - this needs to be tuned more func captureExtensions() { - let username = NSUserName() - let exdir = "/Users/\(username)/Library/Application Support/Google/Chrome/Default/Extensions" + let username = getUsersOnSystem() + let local_name = username[0].username + + let exdir = "/Users/\(local_name)/Library/Application Support/Google/Chrome/Default/Extensions" let _ = filemanager.filesInDirRecursive(path: exdir) // // for file in files { 
@@ -115,8 +121,10 @@ class Chrome: BrowserModule { } func dumpPreferences() { - let username = NSUserName() - let file = URL(fileURLWithPath: "/Users/\(username)/Library/Application Support/Google/Chrome/Default/Preferences") + let username = getUsersOnSystem() + let local_name = username[0].username + + let file = URL(fileURLWithPath: "/Users/\(local_name)/Library/Application Support/Google/Chrome/Default/Preferences") do { let data = try Data(contentsOf: file, options: .mappedIfSafe) @@ -128,8 +136,10 @@ class Chrome: BrowserModule { } func dumpCookies() { - let username = NSUserName() - let file = URL(fileURLWithPath: "/Users/\(username)/Library/Application Support/Google/Chrome/Default/Cookies") + let username = getUsersOnSystem() + let local_name = username[0].username + + let file = URL(fileURLWithPath: "/Users/\(local_name)/Library/Application Support/Google/Chrome/Default/Cookies") self.addTextToFile(atUrl: self.writeFile, text: "----- Chrome Cookies: -----\n") diff --git a/filesystem/browsers/Firefox.swift b/filesystem/browsers/Firefox.swift index d564787..ccce83f 100644 --- a/filesystem/browsers/Firefox.swift +++ b/filesystem/browsers/Firefox.swift @@ -19,8 +19,10 @@ class Firefox: BrowserModule { } func getContent() { - let username = NSUserName() - let profiles = "/Users/\(username)/Library/Application Support/Firefox/Profiles" + let username = getUsersOnSystem() + let local_name = username[0].username + + let profiles = "/Users/\(local_name)/Library/Application Support/Firefox/Profiles" let files = filemanager.filesInDirRecursive(path: profiles) for file in files { 
@@ -104,8 +106,10 @@ class Firefox: BrowserModule { } func dumpCookies(file: URL) { - let username = NSUserName() - let file = URL(fileURLWithPath: "/Users/\(username)/Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies") + let username = getUsersOnSystem() + let local_name = username[0].username + + let file = URL(fileURLWithPath: "/Users/\(local_name)/Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies") self.addTextToFile(atUrl: self.writeFile, text: "----- Brave Cookies: -----\n") diff --git a/filesystem/browsers/Opera.swift b/filesystem/browsers/Opera.swift index 6032e6a..e21d2da 100644 --- a/filesystem/browsers/Opera.swift +++ b/filesystem/browsers/Opera.swift @@ -18,8 +18,10 @@ class Opera: BrowserModule { } func gatherHistory() { - let username = NSUserName() - let file = URL(fileURLWithPath: "/Users/\(username)/Library/Application Support/Opera/com.operasoftware.Opera/History") + let username = getUsersOnSystem() + let local_name = username[0].username + + let file = URL(fileURLWithPath: "/Users/\(local_name)/Library/Application Support/Opera/com.operasoftware.Opera/History") self.addTextToFile(atUrl: self.writeFile, text: "----- Opera History: -----\n") diff --git a/filesystem/browsers/Safari.swift b/filesystem/browsers/Safari.swift index bab96ab..ce8e5f0 100644 --- a/filesystem/browsers/Safari.swift +++ b/filesystem/browsers/Safari.swift @@ -18,8 +18,10 @@ class Safari: BrowserModule { } func getHistory() { - let username = NSUserName() - let file = URL(fileURLWithPath: "/Users/\(username)/Library/Safari/History") + let username = getUsersOnSystem() + let local_name = username[0].username + + let file = URL(fileURLWithPath: "/Users/\(local_name)/Library/Safari/History") self.addTextToFile(atUrl: self.writeFile, text: "\n----- Safari History -----\n") 
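Review bot: `dumpCookies(file:)` in Firefox.swift still shadows its `file` parameter with a freshly built Brave path (`.../BraveSoftware/Brave-Browser/Default/Cookies`) and labels the output `----- Brave Cookies: -----`, so the Firefox cookie file the caller passes in is never read; this looks like a copy from Brave.swift that the username rewrite carried along. The new lines should either drop the local `let file = ...` and use the parameter, or build a Firefox-specific path, and the header string should name Firefox. The remainder of the method is outside the hunk.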
@@ -52,8 +54,10 @@ class Safari: BrowserModule { } func dumpImportantPlists() { - let username = NSUserName() - let files: [URL] = [URL(fileURLWithPath: "/Users/\(username)/Library/Safari/Bookmarks.plist"), URL(fileURLWithPath: "/Users/\(username)/Library/Safari/Downloads.plist"), URL(fileURLWithPath: "/Users/\(username)/Library/Safari/UserNotificationPermissions.plist"), URL(fileURLWithPath: "/Users/\(username)/Library/Safari/LastSession.plist")] + let username = getUsersOnSystem() + let local_name = username[0].username + + let files: [URL] = [URL(fileURLWithPath: "/Users/\(local_name)/Library/Safari/Bookmarks.plist"), URL(fileURLWithPath: "/Users/\(local_name)/Library/Safari/Downloads.plist"), URL(fileURLWithPath: "/Users/\(local_name)/Library/Safari/UserNotificationPermissions.plist"), URL(fileURLWithPath: "/Users/\(local_name)/Library/Safari/LastSession.plist")] for file in files { let plistDict = Aftermath.getPlistAsDict(atUrl: file) From a2c9c233ab6e1d1b07b907d8f402cad1a8eb0c06 Mon Sep 17 00:00:00 2001 From: stuartjash Date: Fri, 1 Apr 2022 08:22:21 -0700 Subject: [PATCH 02/10] removed commented out code --- artifacts/TCC.swift | 1 - 1 file changed, 1 deletion(-) diff --git a/artifacts/TCC.swift b/artifacts/TCC.swift index 6c36c4c..58d6a08 100644 --- a/artifacts/TCC.swift +++ b/artifacts/TCC.swift @@ -20,7 +20,6 @@ class TCC: ArtifactsModule { let local_name = username[0].username let fileURL = URL(fileURLWithPath: "/Users/\(local_name)/Library/Application Support/com.apple.TCC/TCC.db") -// let fileURL = try! filemanager.url(for: .applicationSupportDirectory, in: .userDomainMask, appropriateFor: nil, create: false).appendingPathComponent("com.apple.TCC/TCC.db") self.copyFileToCase(fileToCopy: fileURL, toLocation: tccDir) From 26787ca71ea497ab05b945c1af00e6bcdcd6fe4e Mon Sep 17 00:00:00 2001 
From: stuartjash Date: Wed, 6 Apr 2022 11:29:28 -0700 Subject: [PATCH 03/10] added cron jobs
--- persistence/Cron.swift | 33 +++++++++++++++++++++++++++++ persistence/PersistenceModule.swift | 4 ++++ 2 files changed, 37 insertions(+) create mode 100644 persistence/Cron.swift
diff --git a/persistence/Cron.swift b/persistence/Cron.swift new file mode 100644
index 0000000..7d97148
--- /dev/null
+++ b/persistence/Cron.swift
@@ -0,0 +1,33 @@
+//
+// Cron.swift
+// aftermath
+//
+//
+import Foundation
+
+
+class Cron: PersistenceModule {
+
+ let saveToRawDir: URL
+
+ init(saveToRawDir: URL) {
+ self.saveToRawDir = saveToRawDir
+ }
+
+ func captureCronJobs(urlLocations: [URL], toLocation: URL) {
+ for url in urlLocations {
+ // copy the files to the persistence directory
+ self.copyFileToCase(fileToCopy: url, toLocation: toLocation)
+
+ }
+ }
+
+ override func run() {
+ let cronRawDir = self.createNewDir(dir: self.saveToRawDir, dirname: "cron_dump")
+
+ let cronjobsPath = "/usr/lib/cron/tabs/"
+ let cronjobs = filemanager.filesInDirRecursive(path: cronjobsPath)
+
+ captureCronJobs(urlLocations: cronjobs, toLocation: cronRawDir)
+ }
+}
diff --git a/persistence/PersistenceModule.swift b/persistence/PersistenceModule.swift
index 37ab304..fae8822 100644
--- a/persistence/PersistenceModule.swift
+++ b/persistence/PersistenceModule.swift
@@ -26,5 +26,9 @@ class PersistenceModule: AftermathModule, AMProto {
 self.log("Collecting login hooks...")
 let hooks = LoginHooks(saveToRawDir: persistenceRawDir)
 hooks.run()
+
+ self.log("Collecting cron jobs...")
+ let cron = Cron(saveToRawDir: persistenceRawDir)
+ cron.run()
 }
 }
From b68a43ef58a424b2f4d8537a431cfcf7c7d94d12 Mon Sep 17 00:00:00 2001
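Review bot: `run()` gives no indication when `filesInDirRecursive(path: cronjobsPath)` returns nothing, which is presumably also what happens when `/usr/lib/cron/tabs/` cannot be read by the running user (worth confirming against how `filesInDirRecursive` reports errors), so an empty `cron_dump` directory is indistinguishable from a host with no crontabs. A single line before the copy loop, `self.log("Found \(cronjobs.count) crontab file(s) under \(cronjobsPath)")`, makes the collection auditable from the case log. `captureCronJobs` also copies the files without logging which ones it copied, so a per-file `self.log` there would help when reviewing the raw tree later.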
From: stuartjash Date: Wed, 6 Apr 2022 14:47:18 -0700 Subject: [PATCH 04/10] added overrides and fixed crontabs --- persistence/Cron.swift | 15 +++++++++--- persistence/Overrides.swift | 36 +++++++++++++++++++++++++++++ persistence/PersistenceModule.swift | 4 ++++ 3 files changed, 52 insertions(+), 3 deletions(-) create mode 100644 persistence/Overrides.swift diff --git a/persistence/Cron.swift b/persistence/Cron.swift index 7d97148..8effd41 100644 --- a/persistence/Cron.swift +++ b/persistence/Cron.swift @@ -14,10 +14,17 @@ class Cron: PersistenceModule { self.saveToRawDir = saveToRawDir } - func captureCronJobs(urlLocations: [URL], toLocation: URL) { + func captureCronJobs(urlLocations: [URL], rawLoc: URL, captured: URL) { for url in urlLocations { // copy the files to the persistence directory - self.copyFileToCase(fileToCopy: url, toLocation: toLocation) + do { + self.copyFileToCase(fileToCopy: url, toLocation: rawLoc) + self.addTextToFile(atUrl: captured, text: "/n ----- \(url) -----/n") + let contents = try String(contentsOf: url) + self.addTextToFile(atUrl: captured, text: contents) + } catch { + self.log("Unable to copy crontabs file") + } } } @@ -25,9 +32,11 @@ class Cron: PersistenceModule { override func run() { let cronRawDir = self.createNewDir(dir: self.saveToRawDir, dirname: "cron_dump") + let capturedCronJobs = self.createNewCaseFile(dirUrl: moduleDirRoot, filename: "crontabs.txt") + let cronjobsPath = "/usr/lib/cron/tabs/" let cronjobs = filemanager.filesInDirRecursive(path: cronjobsPath) - captureCronJobs(urlLocations: cronjobs, toLocation: cronRawDir) + captureCronJobs(urlLocations: cronjobs, rawLoc: cronRawDir, captured: capturedCronJobs) } } diff --git a/persistence/Overrides.swift b/persistence/Overrides.swift new file mode 100644 index 0000000..487102b --- /dev/null +++ b/persistence/Overrides.swift 
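Review bot: The separator written to the crontabs case file uses `/n` instead of `\n` (`"/n ----- \(url) -----/n"`), so every crontab is glued onto the previous one with a literal `/n` in the text; it should be `"\n----- \(url) -----\n"`, matching the form used in Overrides.swift. The `catch` message `"Unable to copy crontabs file"` is also misleading: `copyFileToCase` is called without `try` and has already run, and only `String(contentsOf: url)` can throw here, so the log should name the read and the path, e.g. `self.log("Unable to read crontab \(url.path): \(error)")`. The second hunk in this file only threads the new `captured` argument through and needs no change.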
@@ -0,0 +1,36 @@
+//
+// Overrides.swift
+// aftermath
+//
+// Created by Stuart Ashenbrenner on 4/6/22.
+//
+
+import Foundation
+
+class Overrides: PersistenceModule {
+
+ let saveToRawDir: URL
+
+ init(saveToRawDir: URL) {
+ self.saveToRawDir = saveToRawDir
+ }
+
+ func collectOverrides(urlLocations: [URL], capturedFile: URL) {
+ for url in urlLocations {
+ let plistDict = Aftermath.getPlistAsDict(atUrl: url)
+
+ self.copyFileToCase(fileToCopy: url, toLocation: self.saveToRawDir)
+ self.addTextToFile(atUrl: capturedFile, text: "\n----- \(url) -----\n")
+ self.addTextToFile(atUrl: capturedFile, text: plistDict.description)
+ }
+ }
+
+ override func run() {
+ let capturedOverridesFile = self.createNewCaseFile(dirUrl: moduleDirRoot, filename: "overrides.txt")
+
+ let overrides = filemanager.filesInDirRecursive(path: "/var/db/launchd.db/com.apple.launchd/")
+
+ collectOverrides(urlLocations: overrides, capturedFile: capturedOverridesFile)
+
+ }
+}
diff --git a/persistence/PersistenceModule.swift b/persistence/PersistenceModule.swift
index fae8822..52323e1 100644
--- a/persistence/PersistenceModule.swift
+++ b/persistence/PersistenceModule.swift
@@ -30,5 +30,9 @@ class PersistenceModule: AftermathModule, AMProto {
 self.log("Collecting cron jobs...")
 let cron = Cron(saveToRawDir: persistenceRawDir)
 cron.run()
+
+ self.log("Collecting overrides...")
+ let overrides = Overrides(saveToRawDir: persistenceRawDir)
+ overrides.run()
 }
 }
From 7b86f47f94f2760fe9e5f8826d58e352056d6ff7 Mon Sep 17 00:00:00 2001
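Review bot: `collectOverrides` copies each file straight into `self.saveToRawDir` under its original name, whereas `Cron.run()` first creates a dedicated `cron_dump` subdirectory; a matching `let overridesRawDir = self.createNewDir(dir: self.saveToRawDir, dirname: "overrides_dump")` passed to `copyFileToCase` keeps the raw tree consistent and avoids name collisions with other collectors writing into the same directory. `run()` is also silent when `filesInDirRecursive(path: "/var/db/launchd.db/com.apple.launchd/")` returns nothing, so on a host where that directory is absent the overrides section of the case is simply empty with no log line saying why; a count log like the one suggested for Cron would cover it. `Aftermath.getPlistAsDict(atUrl:)` is called before the existence of a readable plist is known — if it returns an empty dictionary on failure that is fine, but worth a one-line comment stating so.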
From: stuartjash Date: Mon, 11 Apr 2022 11:25:56 -0700 Subject: [PATCH 05/10] fixed usernames and handled errors --- aftermath.xcodeproj/project.pbxproj | 12 ++ aftermath/Module.swift | 38 +++- artifacts/ShellHistoryAndProfiles.swift | 3 +- artifacts/TCC.swift | 103 +++++----- filesystem/browsers/Brave.swift | 139 +++++++------ filesystem/browsers/Chrome.swift | 252 ++++++++++++------------ filesystem/browsers/Firefox.swift | 115 ++++++----- filesystem/browsers/Opera.swift | 61 +++--- filesystem/browsers/Safari.swift | 74 +++---- persistence/PersistenceModule.swift | 4 + persistence/SystemExtensions.swift | 33 ++++ 11 files changed, 461 insertions(+), 373 deletions(-) create mode 100644 persistence/SystemExtensions.swift diff --git a/aftermath.xcodeproj/project.pbxproj b/aftermath.xcodeproj/project.pbxproj index 89a2075..952e27f 100644 --- a/aftermath.xcodeproj/project.pbxproj +++ b/aftermath.xcodeproj/project.pbxproj 
@@ -16,6 +16,9 @@ A076742C27555FC100ED7066 /* PersistenceModule.swift in Sources */ = {isa = PBXBuildFile; fileRef = A076742B27555FC100ED7066 /* PersistenceModule.swift */; }; A076742F2755798F00ED7066 /* ArtifactsModule.swift in Sources */ = {isa = PBXBuildFile; fileRef = A076742E2755798F00ED7066 /* ArtifactsModule.swift */; }; A0879957275AD2DC00E885BC /* SystemConfig.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0879956275AD2DC00E885BC /* SystemConfig.swift */; }; + A0D6D54327F76C58002BB3C8 /* Cron.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0D6D54227F76C58002BB3C8 /* Cron.swift */; }; + A0D6D54727FE147D002BB3C8 /* Overrides.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0D6D54627FE147D002BB3C8 /* Overrides.swift */; }; + A0D6D54927FE52C1002BB3C8 /* SystemExtensions.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0D6D54827FE52C1002BB3C8 /* SystemExtensions.swift */; }; A0E1E3E4275EC3D2008D0DC6 /* Swap.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0E1E3E3275EC3D2008D0DC6 /* Swap.swift */; }; A0E1E3E6275EC433008D0DC6 /* MemoryModule.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0E1E3E5275EC433008D0DC6 /* MemoryModule.swift */; }; A0E1E3E9275EC736008D0DC6 /* BrowserModule.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0E1E3E8275EC736008D0DC6 /* BrowserModule.swift */; }; 
@@ -57,6 +60,9 @@ A076742B27555FC100ED7066 /* PersistenceModule.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = PersistenceModule.swift; sourceTree = ""; }; A076742E2755798F00ED7066 /* ArtifactsModule.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ArtifactsModule.swift; sourceTree = ""; }; A0879956275AD2DC00E885BC /* SystemConfig.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = SystemConfig.swift; sourceTree = ""; }; + A0D6D54227F76C58002BB3C8 /* Cron.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Cron.swift; sourceTree = ""; }; + A0D6D54627FE147D002BB3C8 /* Overrides.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Overrides.swift; sourceTree = ""; }; + A0D6D54827FE52C1002BB3C8 /* SystemExtensions.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SystemExtensions.swift; sourceTree = ""; }; A0E1E3E3275EC3D2008D0DC6 /* Swap.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Swap.swift; sourceTree = ""; }; A0E1E3E5275EC433008D0DC6 /* MemoryModule.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MemoryModule.swift; sourceTree = ""; }; A0E1E3E8275EC736008D0DC6 /* BrowserModule.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = BrowserModule.swift; sourceTree = ""; }; @@ -123,6 +129,9 @@ A076742B27555FC100ED7066 /* PersistenceModule.swift */, A3745357275730870074B65C /* LaunchItems.swift */, A3745359275735B40074B65C /* LoginHooks.swift */, + A0D6D54227F76C58002BB3C8 /* Cron.swift */, + A0D6D54627FE147D002BB3C8 /* Overrides.swift */, + A0D6D54827FE52C1002BB3C8 /* SystemExtensions.swift */, ); path = persistence; sourceTree = ""; 
@@ -294,7 +303,10 @@ A0759135275985170006766F /* TCC.swift in Sources */, A0E1E3F6275ED2E4008D0DC6 /* NetworkModule.swift in Sources */, A076742C27555FC100ED7066 /* PersistenceModule.swift in Sources */, + A0D6D54727FE147D002BB3C8 /* Overrides.swift in Sources */, A0E1E3E4275EC3D2008D0DC6 /* Swap.swift in Sources */, + A0D6D54927FE52C1002BB3C8 /* SystemExtensions.swift in Sources */, + A0D6D54327F76C58002BB3C8 /* Cron.swift in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; diff --git a/aftermath/Module.swift b/aftermath/Module.swift index 9746148..b353368 100644 --- a/aftermath/Module.swift +++ b/aftermath/Module.swift @@ -6,6 +6,7 @@ // import Foundation +import CoreData struct User { let username: String @@ -45,13 +46,39 @@ class AftermathModule { if !filename.hasPrefix("_") { let username = file.deletingPathExtension().lastPathComponent if let homedir = NSHomeDirectoryForUser(username) { - let user = User(username:username, homedir: homedir) - users.append(user) + let user = User(username:username, homedir: homedir) + users.append(user) + } } } } - } + return users + } + + func getBasicUsersOnSystem() -> [User] { + var users = [User]() + // Check Permissions + if (activeUser != "root") { + self.log("Aftermath being run in non-root mode...") + if let homedir = NSHomeDirectoryForUser(activeUser) { + let user = User(username:activeUser, homedir: homedir) + users.append(user) + } + } else { + let userPlists = filemanager.filesInDir(path: "/var/db/dslocal/nodes/Default/users/") + for file in userPlists { + let filename = file.lastPathComponent + if !filename.hasPrefix("_") { + let username = file.deletingPathExtension().lastPathComponent + if let homedir = NSHomeDirectoryForUser(username) { + let user = User(username:username, homedir: homedir) + if SystemUsers.allCases.contains(where: {$0.rawValue == user.username}) { continue } + users.append(user) + } + } + } + } return users } 
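Review bot: `import CoreData` is added to Module.swift but nothing in the visible hunks of this file references a CoreData type; unless code outside the diff needs it, the import should be dropped rather than linking an extra framework into the collector for no reason.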
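Review bot: `getBasicUsersOnSystem()` appears to duplicate the whole body of `getUsersOnSystem()` (whose top is above the hunk) and differs only in the `SystemUsers` filter, so any future fix to the dslocal enumeration or the non-root fallback has to be made twice; expressing it as a filter over the existing method removes the copy: `func getBasicUsersOnSystem() -> [User] { getUsersOnSystem().filter { user in !SystemUsers.allCases.contains { $0.rawValue == user.username } } }`. The filter covers only `nobody` and `daemon`, so `root` still passes through when `NSHomeDirectoryForUser("root")` resolves and the browser collectors will then probe its home — probably harmless, but it should be a deliberate choice noted in a comment. The non-root branch depends on `activeUser`, which is declared outside the hunk.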
@@ -153,4 +180,9 @@ class AftermathModule { addTextToFile(atUrl: CaseFiles.logFile, text: entry) } } + + enum SystemUsers: String, CaseIterable { + case nobody = "nobody" + case daemon = "daemon" + } } diff --git a/artifacts/ShellHistoryAndProfiles.swift b/artifacts/ShellHistoryAndProfiles.swift index 7cd59ca..7722745 100644 --- a/artifacts/ShellHistoryAndProfiles.swift +++ b/artifacts/ShellHistoryAndProfiles.swift @@ -26,8 +26,7 @@ class BashProfiles: ArtifactsModule { let globalFiles = ["/etc/profile", "/etc/zshenv", "/etc/zprofile", "/etc/zshrc", "/etc/zlogin", "/etc/zlogout"] // for each user, copy the shell historys and profiles - let users = getUsersOnSystem() - for user in users { + for user in getUsersOnSystem() { for filename in userFiles { let path = URL(fileURLWithPath: "\(user.homedir)/\(filename)") if (filemanager.fileExists(atPath: path.path)) { diff --git a/artifacts/TCC.swift b/artifacts/TCC.swift index 58d6a08..e7af849 100644 --- a/artifacts/TCC.swift +++ b/artifacts/TCC.swift 
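Review bot: `SystemUsers` declares raw values identical to its case names, so `enum SystemUsers: String, CaseIterable { case nobody, daemon }` is equivalent and shorter. Since this list is the only thing separating service accounts from interactive users in `getBasicUsersOnSystem()`, it deserves a comment explaining the selection, e.g. `// Non-underscore-prefixed service accounts to exclude from per-user collection; "_"-prefixed accounts are already skipped by the enumeration`, so the next maintainer knows why only these two appear.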
@@ -16,69 +16,78 @@ class TCC: ArtifactsModule { } func getTCC() { - let username = getUsersOnSystem() - let local_name = username[0].username - - let fileURL = URL(fileURLWithPath: "/Users/\(local_name)/Library/Application Support/com.apple.TCC/TCC.db") - - self.copyFileToCase(fileToCopy: fileURL, toLocation: tccDir) let capturedTCC = self.createNewCaseFile(dirUrl: self.moduleDirRoot, filename: "tccItems.txt") - var db : OpaquePointer? - if sqlite3_open(fileURL.path, &db) == SQLITE_OK { - var queryStatement: OpaquePointer? = nil - let queryString = "select client, auth_value, auth_reason, service from access" + for user in getBasicUsersOnSystem() { + + var fileURL: URL + if filemanager.fileExists(atPath: "\(user.homedir)/Library/Application Support/com.apple.TCC/TCC.db") { + fileURL = URL(fileURLWithPath: "\(user.homedir)/Library/Application Support/com.apple.TCC/TCC.db") + } else { continue } + + + self.copyFileToCase(fileToCopy: fileURL, toLocation: tccDir, newFileName: "tcc_\(user.username)") + + + var db : OpaquePointer? - if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { - var client: String = "" - var authValue: String = "" - var authReason: String = "" - var service: String = "" + if sqlite3_open(fileURL.path, &db) == SQLITE_OK { + var queryStatement: OpaquePointer? = nil + let queryString = "select client, auth_value, auth_reason, service from access" - while sqlite3_step(queryStatement) == SQLITE_ROW { - let col1 = sqlite3_column_text(queryStatement, 0) - if col1 != nil{ - client = String(cString: col1!) - } + if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { + var client: String = "" + var authValue: String = "" + var authReason: String = "" + var service: String = "" - let col2 = sqlite3_column_text(queryStatement, 1) - if col2 != nil { - authValue = String(cString: col2!) 
- for item in TCCAuthValue.allCases { - if authValue == String(item.rawValue) { - authValue = String(describing: item) + while sqlite3_step(queryStatement) == SQLITE_ROW { + let col1 = sqlite3_column_text(queryStatement, 0) + if col1 != nil{ + client = String(cString: col1!) + } + + let col2 = sqlite3_column_text(queryStatement, 1) + if col2 != nil { + authValue = String(cString: col2!) + for item in TCCAuthValue.allCases { + if authValue == String(item.rawValue) { + authValue = String(describing: item) + } } } - } - - let col3 = sqlite3_column_text(queryStatement, 2) - if col3 != nil { - authReason = String(cString: col3!) - for item in TCCAuthReason.allCases { - if authReason == String(item.rawValue) { - authReason = String(describing: item) + + let col3 = sqlite3_column_text(queryStatement, 2) + if col3 != nil { + authReason = String(cString: col3!) + for item in TCCAuthReason.allCases { + if authReason == String(item.rawValue) { + authReason = String(describing: item) + } } } - } - - let col4 = sqlite3_column_text(queryStatement, 3) - if col4 != nil { - service = String(cString: col4!) - for item in TCCService.allCases { - if service == String(item.rawValue) { - service = String(describing: item) + + let col4 = sqlite3_column_text(queryStatement, 3) + if col4 != nil { + service = String(cString: col4!) 
+ for item in TCCService.allCases { + if service == String(item.rawValue) { + service = String(describing: item) + } } } + + self.addTextToFile(atUrl: capturedTCC, text: "TCC Data for \(user.username)") + self.addTextToFile(atUrl: capturedTCC, text: "Name: \(client)\nRequested Service: \(service)\nAuth Value: \(authValue)\nAuth Reason: \(authReason)\n") } - - self.addTextToFile(atUrl: capturedTCC, text: "Name: \(client)\nRequested Service: \(service)\nAuth Value: \(authValue)\nAuth Reason: \(authReason)\n") } + self.log("Finished capturing TCC data for \(user.username)") + } else { + self.log("An error occurred when attempting to query the TCC database for user \(user.username)...") } - self.log("Finished capturing TCC data") - } else { - self.log("An error occurred when attempting to query the TCC database...") } + self.log("Finished querying TCC") } override func run() { diff --git a/filesystem/browsers/Brave.swift b/filesystem/browsers/Brave.swift index 18be18f..fa11716 100644 --- a/filesystem/browsers/Brave.swift +++ b/filesystem/browsers/Brave.swift @@ -18,15 +18,14 @@ class Brave: BrowserModule { } func getContents() { - let username = getUsersOnSystem() - let local_name = username[0].username - - let path = "/Users/\(local_name)/Library/Application Support/BraveSoftware/Brave-Browser/Default" - let files = filemanager.filesInDirRecursive(path: path) - - for file in files { - if file.lastPathComponent == "" { - dumpHistory(file: file) + for user in getBasicUsersOnSystem() { + let path = "\(user.homedir)/Library/Application Support/BraveSoftware/Brave-Browser/Default" + let files = filemanager.filesInDirRecursive(path: path) + + for file in files { + if file.lastPathComponent == "" { + dumpHistory(file: file) + } } } } 
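Review bot: The new header `self.addTextToFile(atUrl: capturedTCC, text: "TCC Data for \(user.username)")` sits inside the `while sqlite3_step` loop, so it is written before every row, and it has no trailing newline, so it runs straight into the following `Name:` field; move it above `sqlite3_open` and write it as `"\n----- TCC Data for \(user.username) -----\n"`. Neither the statement nor the database is ever released — there is no `sqlite3_finalize(queryStatement)` / `sqlite3_close(db)` — which was already true before but now leaks once per user. The query is also run against the live `TCC.db` in the user's home rather than the copy just written by `copyFileToCase`; querying the copy would keep the collector from touching the original and make the text output reproducible from the raw tree. The `var fileURL: URL` plus `if/else { continue }` can be a single `guard filemanager.fileExists(atPath: ...) else { continue }` followed by a `let`.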
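Review bot: `if file.lastPathComponent == ""` compares against the empty string, so `dumpHistory(file:)` is never called for any real file and the per-user loop added here collects nothing; the intended match is presumably the Chromium history database name, which this hunk does not show — check what the caller expects (Chrome.swift builds `Default/History`, so `if file.lastPathComponent == "History"` is the likely fix). The condition predates this commit but the re-indented new side keeps it unchanged.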
@@ -34,84 +33,82 @@ class Brave: BrowserModule { func dumpHistory(file: URL) { self.addTextToFile(atUrl: self.writeFile, text: "\n----- Brave History -----\n") - var db: OpaquePointer? - if sqlite3_open(file.path, &db) == SQLITE_OK { - var queryStatement: OpaquePointer? = nil - let queryString = "select datetime(vi.visit_time/1000000, 'unixepoch') as dt, urls.url FROM visits vi INNER join urls on vi.id = urls.id;" - - if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { - var dateTime: String = "" - var url: String = "" + var db: OpaquePointer? + if sqlite3_open(file.path, &db) == SQLITE_OK { + var queryStatement: OpaquePointer? = nil + let queryString = "select datetime(vi.visit_time/1000000, 'unixepoch') as dt, urls.url FROM visits vi INNER join urls on vi.id = urls.id;" - while sqlite3_step(queryStatement) == SQLITE_ROW { - let col1 = sqlite3_column_text(queryStatement, 0) - if col1 != nil { - dateTime = String(cString: col1!) - } + if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { + var dateTime: String = "" + var url: String = "" - let col2 = sqlite3_column_text(queryStatement, 1) - if col2 != nil { - url = String(cString: col2!) + while sqlite3_step(queryStatement) == SQLITE_ROW { + let col1 = sqlite3_column_text(queryStatement, 0) + if col1 != nil { + dateTime = String(cString: col1!) + } + + let col2 = sqlite3_column_text(queryStatement, 1) + if col2 != nil { + url = String(cString: col2!) 
+ } + + self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nURL: \(url)\n") } - - self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nURL: \(url)\n") } } - } self.addTextToFile(atUrl: self.writeFile, text: "----- End of Brave History -----\n") } func dumpCookies() { - let username = getUsersOnSystem() - let local_name = username[0].username - - let file = URL(fileURLWithPath: "/Users/\(local_name)/Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies") - self.addTextToFile(atUrl: self.writeFile, text: "----- Brave Cookies: -----\n") - var db: OpaquePointer? - if sqlite3_open(file.path, &db) == SQLITE_OK { - var queryStatement: OpaquePointer? = nil - let queryString = "select datetime(creation_utc/1000000-11644473600, 'unixepoch'), name, host_key, path, datetime(expires_utc/1000000-11644473600, 'unixepoch') from cookies;" - - if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { - var dateTime: String = "" - var name: String = "" - var hostKey: String = "" - var path: String = "" - var expireTime: String = "" - - while sqlite3_step(queryStatement) == SQLITE_ROW { - let col1 = sqlite3_column_text(queryStatement, 0) - if col1 != nil { - dateTime = String(cString: col1!) - } - - let col2 = sqlite3_column_text(queryStatement, 1) - if col2 != nil { - name = String(cString: col2!) - } - - let col3 = sqlite3_column_text(queryStatement, 2) - if col3 != nil { - hostKey = String(cString: col1!) - } - - let col4 = sqlite3_column_text(queryStatement, 3) - if col4 != nil { - path = String(cString: col2!) - } + for user in getBasicUsersOnSystem() { + let file = URL(fileURLWithPath: "\(user.homedir)/Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies") + + var db: OpaquePointer? + if sqlite3_open(file.path, &db) == SQLITE_OK { + var queryStatement: OpaquePointer? 
= nil + let queryString = "select datetime(creation_utc/1000000-11644473600, 'unixepoch'), name, host_key, path, datetime(expires_utc/1000000-11644473600, 'unixepoch') from cookies;" + + if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { + var dateTime: String = "" + var name: String = "" + var hostKey: String = "" + var path: String = "" + var expireTime: String = "" - let col5 = sqlite3_column_text(queryStatement, 4) - if col5 != nil { - expireTime = String(cString: col1!) + while sqlite3_step(queryStatement) == SQLITE_ROW { + let col1 = sqlite3_column_text(queryStatement, 0) + if col1 != nil { + dateTime = String(cString: col1!) + } + + let col2 = sqlite3_column_text(queryStatement, 1) + if col2 != nil { + name = String(cString: col2!) + } + + let col3 = sqlite3_column_text(queryStatement, 2) + if col3 != nil { + hostKey = String(cString: col1!) + } + + let col4 = sqlite3_column_text(queryStatement, 3) + if col4 != nil { + path = String(cString: col2!) + } + + let col5 = sqlite3_column_text(queryStatement, 4) + if col5 != nil { + expireTime = String(cString: col1!) + } + + self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nName: \(name)\nHostKey: \(hostKey)\nPath:\(path)\nExpireTime: \(expireTime)\n\n") } - - self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nName: \(name)\nHostKey: \(hostKey)\nPath:\(path)\nExpireTime: \(expireTime)\n\n") } } } - self.addTextToFile(atUrl: self.writeFile, text: "\n----- End of Brave Cookies -----\n") } diff --git a/filesystem/browsers/Chrome.swift b/filesystem/browsers/Chrome.swift index ed5c81b..f7d6c98 100644 --- a/filesystem/browsers/Chrome.swift +++ b/filesystem/browsers/Chrome.swift 
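Review bot: In `dumpCookies()` the third, fourth and fifth columns are read from the wrong result pointers — `hostKey = String(cString: col1!)`, `path = String(cString: col2!)` and `expireTime = String(cString: col1!)` — so `HostKey` and `ExpireTime` repeat the creation time and `Path` repeats the cookie name; they should be `hostKey = String(cString: col3!)`, `path = String(cString: col4!)` and `expireTime = String(cString: col5!)`. The same `col1`/`col2` slip is visible on the removed side of Chrome.swift's `dumpDownloads()` for `targetPath` and `dangerType`, so its new side (cut off at the end of this page) should be checked too. `dumpHistory()` joins on `vi.id = urls.id` and omits the `-11644473600` epoch adjustment, whereas the cookies query here and Chrome's history query (`u.id = v.url`) both apply it — the join and the timestamp base should be verified against the schema, since a mismatch pairs visits with unrelated URLs and shifts every date. Neither method calls `sqlite3_finalize` / `sqlite3_close`, so each user iteration leaks a handle.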
@@ -18,88 +18,87 @@ class Chrome: BrowserModule { } func gatherHistory() { - let username = getUsersOnSystem() - let local_name = username[0].username - - let file = URL(fileURLWithPath: "/Users/\(local_name)/Library/Application Support/Google/Chrome/Default/History") - - self.addTextToFile(atUrl: self.writeFile, text: "\n----- Chrome History: -----\n") - - var db: OpaquePointer? - if sqlite3_open(file.path, &db) == SQLITE_OK { - var queryStatement: OpaquePointer? = nil - let queryString = "SELECT datetime(((v.visit_time/1000000)-11644473600), 'unixepoch'), u.url FROM visits v INNER JOIN urls u ON u.id = v.url;" - - if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { - var dateTime: String = "" - var url: String = "" - - while sqlite3_step(queryStatement) == SQLITE_ROW { - let col1 = sqlite3_column_text(queryStatement, 0) - if col1 != nil { - dateTime = String(cString: col1!) - } + for user in getBasicUsersOnSystem() { + + let file = URL(fileURLWithPath: "\(user.homedir)/Library/Application Support/Google/Chrome/Default/History") + + self.addTextToFile(atUrl: self.writeFile, text: "\n----- Chrome History: -----\n") + + var db: OpaquePointer? + if sqlite3_open(file.path, &db) == SQLITE_OK { + var queryStatement: OpaquePointer? = nil + let queryString = "SELECT datetime(((v.visit_time/1000000)-11644473600), 'unixepoch'), u.url FROM visits v INNER JOIN urls u ON u.id = v.url;" + + if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { + var dateTime: String = "" + var url: String = "" - let col2 = sqlite3_column_text(queryStatement, 1) - if col2 != nil { - url = String(cString: col2!) + while sqlite3_step(queryStatement) == SQLITE_ROW { + let col1 = sqlite3_column_text(queryStatement, 0) + if col1 != nil { + dateTime = String(cString: col1!) + } + + let col2 = sqlite3_column_text(queryStatement, 1) + if col2 != nil { + url = String(cString: col2!) 
+ } + + self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nURL: \(url)\n\n") } - - self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nURL: \(url)\n\n") } } } - self.addTextToFile(atUrl: self.writeFile, text: "----- End of Chrome History -----\n") } func dumpDownloads() { - let username = getUsersOnSystem() - let local_name = username[0].username - - let file = URL(fileURLWithPath: "/Users/\(local_name)/Library/Application Support/Google/Chrome/Default/History") - self.addTextToFile(atUrl: self.writeFile, text: "----- Chrome Downloads: -----\n") - var db: OpaquePointer? - if sqlite3_open(file.path, &db) == SQLITE_OK { - var queryStatement: OpaquePointer? = nil - let queryString = "SELECT datetime(d.start_time/1000000-11644473600, 'unixepoch'), dc.url, d.target_path, d.danger_type, d.opened FROM downloads d INNER JOIN downloads_url_chains dc ON dc.id = d.id;" + for user in getBasicUsersOnSystem() { - if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { - var dateTime: String = "" - var url: String = "" - var targetPath: String = "" - var dangerType: String = "" - var opened: String = "" - - while sqlite3_step(queryStatement) == SQLITE_ROW { - let col1 = sqlite3_column_text(queryStatement, 0) - if col1 != nil { - dateTime = String(cString: col1!) - } - - let col2 = sqlite3_column_text(queryStatement, 1) - if col2 != nil { - url = String(cString: col2!) - } - - let col3 = sqlite3_column_text(queryStatement, 2) - if col3 != nil { - targetPath = String(cString: col1!) - } - - let col4 = sqlite3_column_text(queryStatement, 3) - if col4 != nil { - dangerType = String(cString: col2!) - } + let file = URL(fileURLWithPath: "\(user.homedir)/Library/Application Support/Google/Chrome/Default/History") + + var db: OpaquePointer? + if sqlite3_open(file.path, &db) == SQLITE_OK { + var queryStatement: OpaquePointer? 
= nil + let queryString = "SELECT datetime(d.start_time/1000000-11644473600, 'unixepoch'), dc.url, d.target_path, d.danger_type, d.opened FROM downloads d INNER JOIN downloads_url_chains dc ON dc.id = d.id;" + + if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { + var dateTime: String = "" + var url: String = "" + var targetPath: String = "" + var dangerType: String = "" + var opened: String = "" - let col5 = sqlite3_column_text(queryStatement, 4) - if col5 != nil { - opened = String(cString: col1!) + while sqlite3_step(queryStatement) == SQLITE_ROW { + let col1 = sqlite3_column_text(queryStatement, 0) + if col1 != nil { + dateTime = String(cString: col1!) + } + + let col2 = sqlite3_column_text(queryStatement, 1) + if col2 != nil { + url = String(cString: col2!) + } + + let col3 = sqlite3_column_text(queryStatement, 2) + if col3 != nil { + targetPath = String(cString: col1!) + } + + let col4 = sqlite3_column_text(queryStatement, 3) + if col4 != nil { + dangerType = String(cString: col2!) + } + + let col5 = sqlite3_column_text(queryStatement, 4) + if col5 != nil { + opened = String(cString: col1!) + } + + self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nURL: \(url)\nTargetPath: \(targetPath)\nDangerType:\(dangerType)\nOpened: \(opened)\n\n") } - - self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nURL: \(url)\nTargetPath: \(targetPath)\nDangerType:\(dangerType)\nOpened: \(opened)\n\n") } } } 
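Review bot: Neither `gatherHistory` nor `dumpDownloads` ever calls `sqlite3_finalize`/`sqlite3_close` after the `sqlite3_open` that now sits inside the per-user loop, so every user iteration leaks a prepared statement and a database handle, and the default open flags are read-write-plus-create, which a collector should not use against a live profile. Open read-only and release on every exit path: `if sqlite3_open_v2(file.path, &db, SQLITE_OPEN_READONLY, nil) == SQLITE_OK { defer { sqlite3_close(db) }` and, after a successful prepare, `defer { sqlite3_finalize(queryStatement) }`. In `gatherHistory` the `----- Chrome History: -----` banner moved inside the loop while the closing banner stayed outside, so multi-user output now has several openers and one closer; hoisting the header, or including `user.username` in it, keeps the report parseable. A running browser may also hold a lock on `History`, in which case a failed open silently yields an empty section; logging it, as `dumpPreferences` already does for its failure, would make that visible to the analyst.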
@@ -109,83 +108,82 @@ class Chrome: BrowserModule { // TODO - this needs to be tuned more func captureExtensions() { - let username = getUsersOnSystem() - let local_name = username[0].username + for user in getBasicUsersOnSystem() { - let exdir = "/Users/\(local_name)/Library/Application Support/Google/Chrome/Default/Extensions" - let _ = filemanager.filesInDirRecursive(path: exdir) + let exdir = "\(user.homedir)/Library/Application Support/Google/Chrome/Default/Extensions" + let _ = filemanager.filesInDirRecursive(path: exdir) // // for file in files { // self.caseHandler.copyFileToCase(fileToCopy: file, toLocation: self.chromeDir) // } + } } func dumpPreferences() { - let username = getUsersOnSystem() - let local_name = username[0].username - - let file = URL(fileURLWithPath: "/Users/\(local_name)/Library/Application Support/Google/Chrome/Default/Preferences") - - do { - let data = try Data(contentsOf: file, options: .mappedIfSafe) - if let json = try JSONSerialization.jsonObject(with: data, options: .mutableLeaves) as? [String: Any] { - self.addTextToFile(atUrl: writeFile, text: "\nChrome Preferences -----\n\(String(describing: json))\n ----- End of Chrome Preferences -----\n") - } + for user in getBasicUsersOnSystem() { - } catch { self.log("Unable to capture Chrome Preferenes") } + let file = URL(fileURLWithPath: "\(user.homedir)/Library/Application Support/Google/Chrome/Default/Preferences") + + do { + let data = try Data(contentsOf: file, options: .mappedIfSafe) + if let json = try JSONSerialization.jsonObject(with: data, options: .mutableLeaves) as? 
[String: Any] { + self.addTextToFile(atUrl: writeFile, text: "\nChrome Preferences -----\n\(String(describing: json))\n ----- End of Chrome Preferences -----\n") + } + + } catch { self.log("Unable to capture Chrome Preferenes") } + } } func dumpCookies() { - let username = getUsersOnSystem() - let local_name = username[0].username - - let file = URL(fileURLWithPath: "/Users/\(local_name)/Library/Application Support/Google/Chrome/Default/Cookies") - self.addTextToFile(atUrl: self.writeFile, text: "----- Chrome Cookies: -----\n") - - var db: OpaquePointer? - if sqlite3_open(file.path, &db) == SQLITE_OK { - var queryStatement: OpaquePointer? = nil - let queryString = "select datetime(creation_utc/100000 -11644473600, 'unixepoch'), name, host_key, path, datetime(expires_utc/100000-11644473600, 'unixepoch') from cookies;" - - if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { - var dateTime: String = "" - var name: String = "" - var hostKey: String = "" - var path: String = "" - var expireTime: String = "" - - while sqlite3_step(queryStatement) == SQLITE_ROW { - let col1 = sqlite3_column_text(queryStatement, 0) - if col1 != nil { - dateTime = String(cString: col1!) - } - - let col2 = sqlite3_column_text(queryStatement, 1) - if col2 != nil { - name = String(cString: col2!) - } - - let col3 = sqlite3_column_text(queryStatement, 2) - if col3 != nil { - hostKey = String(cString: col1!) - } - - let col4 = sqlite3_column_text(queryStatement, 3) - if col4 != nil { - path = String(cString: col2!) - } + + for user in getBasicUsersOnSystem() { + + let file = URL(fileURLWithPath: "\(user.homedir)/Library/Application Support/Google/Chrome/Default/Cookies") + + var db: OpaquePointer? + if sqlite3_open(file.path, &db) == SQLITE_OK { + var queryStatement: OpaquePointer? 
= nil + let queryString = "select datetime(creation_utc/100000 -11644473600, 'unixepoch'), name, host_key, path, datetime(expires_utc/100000-11644473600, 'unixepoch') from cookies;" + + if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { + var dateTime: String = "" + var name: String = "" + var hostKey: String = "" + var path: String = "" + var expireTime: String = "" - let col5 = sqlite3_column_text(queryStatement, 4) - if col5 != nil { - expireTime = String(cString: col1!) + while sqlite3_step(queryStatement) == SQLITE_ROW { + let col1 = sqlite3_column_text(queryStatement, 0) + if col1 != nil { + dateTime = String(cString: col1!) + } + + let col2 = sqlite3_column_text(queryStatement, 1) + if col2 != nil { + name = String(cString: col2!) + } + + let col3 = sqlite3_column_text(queryStatement, 2) + if col3 != nil { + hostKey = String(cString: col1!) + } + + let col4 = sqlite3_column_text(queryStatement, 3) + if col4 != nil { + path = String(cString: col2!) + } + + let col5 = sqlite3_column_text(queryStatement, 4) + if col5 != nil { + expireTime = String(cString: col1!) + } + + self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nName: \(name)\nHostKey: \(hostKey)\nPath:\(path)\nExpireTime: \(expireTime)\n\n") } - - self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nName: \(name)\nHostKey: \(hostKey)\nPath:\(path)\nExpireTime: \(expireTime)\n\n") } } } - self.addTextToFile(atUrl: self.writeFile, text: "\n----- End of Chrome Cookies -----\n") } diff --git a/filesystem/browsers/Firefox.swift b/filesystem/browsers/Firefox.swift index ccce83f..1fde316 100644 --- a/filesystem/browsers/Firefox.swift +++ b/filesystem/browsers/Firefox.swift 
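Review bot: The Chrome cookie query in `dumpCookies` divides `creation_utc` and `expires_utc` by `100000`, while the identical Brave query in this same commit uses `1000000`; Chromium stores these as microseconds since 1601, so the Chrome cookie timestamps come out roughly an order of magnitude off. Change both terms to `datetime(creation_utc/1000000-11644473600, 'unixepoch')` and `datetime(expires_utc/1000000-11644473600, 'unixepoch')`. As in the other Chrome functions, the `sqlite3_open` here has no matching `sqlite3_finalize`/`sqlite3_close` and opens read-write by default; `sqlite3_open_v2(file.path, &db, SQLITE_OPEN_READONLY, nil)` plus `defer`'d cleanup would avoid both the per-user handle leak and any lock contention with a running browser. `dumpPreferences` catches and logs its failure, but `dumpCookies` and `captureExtensions` fail silently when the profile is absent, so a user without Chrome leaves no trace in the report that the module ran.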
@@ -19,22 +19,22 @@ class Firefox: BrowserModule { } func getContent() { - let username = getUsersOnSystem() - let local_name = username[0].username + for user in getBasicUsersOnSystem() { - let profiles = "/Users/\(local_name)/Library/Application Support/Firefox/Profiles" - let files = filemanager.filesInDirRecursive(path: profiles) - - for file in files { - if file.lastPathComponent == "places.sqlite" { - dumpHistory(file: file) - dumpDownloads(file: file) - } - if file.lastPathComponent == "cookies.sqlite" { - dumpCookies(file: file) - } - if file.lastPathComponent == "extensions.json" { - dumpExtensions(file: file) + let profiles = "\(user.homedir)/Library/Application Support/Firefox/Profiles" + let files = filemanager.filesInDirRecursive(path: profiles) + + for file in files { + if file.lastPathComponent == "places.sqlite" { + dumpHistory(file: file) + dumpDownloads(file: file) + } + if file.lastPathComponent == "cookies.sqlite" { + dumpCookies(file: file) + } + if file.lastPathComponent == "extensions.json" { + dumpExtensions(file: file) + } } } } 
@@ -106,56 +106,55 @@ class Firefox: BrowserModule { } func dumpCookies(file: URL) { - let username = getUsersOnSystem() - let local_name = username[0].username - - let file = URL(fileURLWithPath: "/Users/\(local_name)/Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies") - self.addTextToFile(atUrl: self.writeFile, text: "----- Brave Cookies: -----\n") + + for user in getBasicUsersOnSystem() { - var db: OpaquePointer? - if sqlite3_open(file.path, &db) == SQLITE_OK { - var queryStatement: OpaquePointer? = nil - let queryString = "select datetime(creation_utc/1000000-11644473600, 'unixepoch'), name, host_key, path, datetime(expires_utc/1000000-11644473600, 'unixepoch') from cookies;" - - if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { - var dateTime: String = "" - var name: String = "" - var hostKey: String = "" - var path: String = "" - var expireTime: String = "" - - while sqlite3_step(queryStatement) == SQLITE_ROW { - let col1 = sqlite3_column_text(queryStatement, 0) - if col1 != nil { - dateTime = String(cString: col1!) - } - - let col2 = sqlite3_column_text(queryStatement, 1) - if col2 != nil { - name = String(cString: col2!) - } - - let col3 = sqlite3_column_text(queryStatement, 2) - if col3 != nil { - hostKey = String(cString: col1!) - } - - let col4 = sqlite3_column_text(queryStatement, 3) - if col4 != nil { - path = String(cString: col2!) - } + let file = URL(fileURLWithPath: "\(user.homedir)/Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies") + + var db: OpaquePointer? + if sqlite3_open(file.path, &db) == SQLITE_OK { + var queryStatement: OpaquePointer? 
= nil + let queryString = "select datetime(creation_utc/1000000-11644473600, 'unixepoch'), name, host_key, path, datetime(expires_utc/1000000-11644473600, 'unixepoch') from cookies;" + + if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { + var dateTime: String = "" + var name: String = "" + var hostKey: String = "" + var path: String = "" + var expireTime: String = "" - let col5 = sqlite3_column_text(queryStatement, 4) - if col5 != nil { - expireTime = String(cString: col1!) + while sqlite3_step(queryStatement) == SQLITE_ROW { + let col1 = sqlite3_column_text(queryStatement, 0) + if col1 != nil { + dateTime = String(cString: col1!) + } + + let col2 = sqlite3_column_text(queryStatement, 1) + if col2 != nil { + name = String(cString: col2!) + } + + let col3 = sqlite3_column_text(queryStatement, 2) + if col3 != nil { + hostKey = String(cString: col1!) + } + + let col4 = sqlite3_column_text(queryStatement, 3) + if col4 != nil { + path = String(cString: col2!) + } + + let col5 = sqlite3_column_text(queryStatement, 4) + if col5 != nil { + expireTime = String(cString: col1!) + } + + self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nName: \(name)\nHostKey: \(hostKey)\nPath:\(path)\nExpireTime: \(expireTime)\n\n") } - - self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nName: \(name)\nHostKey: \(hostKey)\nPath:\(path)\nExpireTime: \(expireTime)\n\n") } } } - self.addTextToFile(atUrl: self.writeFile, text: "\n----- End of Brave Cookies -----\n") } diff --git a/filesystem/browsers/Opera.swift b/filesystem/browsers/Opera.swift index e21d2da..380c361 100644 --- a/filesystem/browsers/Opera.swift +++ b/filesystem/browsers/Opera.swift 
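Review bot: The new `for user in getBasicUsersOnSystem()` loop in `Firefox.dumpCookies(file:)` declares a local `let file` that shadows the `file` parameter, so the `cookies.sqlite` that `getContent` passes in is ignored and the function reads Brave's Chromium `Cookies` database instead (the closing banner still says `End of Brave Cookies`). That misattributes another browser's cookies to Firefox in the report and records nothing for Firefox itself. Firefox keeps cookies in the `moz_cookies` table (`host`, `name`, `path`, `creationTime` in microseconds, `expiry` in seconds), so the function should drop the user loop, open the passed `file` read-only, and query that table; verify the column names against a current profile. A `defer`'d `sqlite3_finalize`/`sqlite3_close` would also fix the handle leak the loop currently multiplies per user.
```swift
func dumpCookies(file: URL) {
    self.addTextToFile(atUrl: self.writeFile, text: "----- Firefox Cookies: -----\n")

    var db: OpaquePointer?
    guard sqlite3_open_v2(file.path, &db, SQLITE_OPEN_READONLY, nil) == SQLITE_OK else { return }
    defer { sqlite3_close(db) }

    var queryStatement: OpaquePointer? = nil
    // Firefox schema: creationTime is microseconds since the Unix epoch, expiry is seconds — confirm against target profile
    let queryString = "SELECT datetime(creationTime/1000000, 'unixepoch'), name, host, path, datetime(expiry, 'unixepoch') FROM moz_cookies;"

    if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK {
        defer { sqlite3_finalize(queryStatement) }
        // … unchanged: per-row column reads and addTextToFile …
    }
    self.addTextToFile(atUrl: self.writeFile, text: "\n----- End of Firefox Cookies -----\n")
}
```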
@@ -18,45 +18,44 @@ class Opera: BrowserModule { } func gatherHistory() { - let username = getUsersOnSystem() - let local_name = username[0].username - - let file = URL(fileURLWithPath: "/Users/\(local_name)/Library/Application Support/Opera/com.operasoftware.Opera/History") - self.addTextToFile(atUrl: self.writeFile, text: "----- Opera History: -----\n") - var db: OpaquePointer? - if sqlite3_open(file.path, &db) == SQLITE_OK { - var queryStatement: OpaquePointer? = nil - let queryString = "SELECT start_time, current_path FROM downloads;" - - if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { - var dateTime: String = "" - var currentPath: String = "" - var url: String = "" - - while sqlite3_step(queryStatement) == SQLITE_ROW { - let col1 = sqlite3_column_text(queryStatement, 0) - if col1 != nil { - dateTime = String(cString: col1!) - } + for user in getBasicUsersOnSystem() { + let file = URL(fileURLWithPath: "\(user.homedir)/Library/Application Support/Opera/com.operasoftware.Opera/History") + + var db: OpaquePointer? + if sqlite3_open(file.path, &db) == SQLITE_OK { + var queryStatement: OpaquePointer? = nil + let queryString = "SELECT start_time, current_path FROM downloads;" + + if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { + var dateTime: String = "" + var currentPath: String = "" + var url: String = "" - let col2 = sqlite3_column_text(queryStatement, 1) - if col2 != nil { - currentPath = String(cString: col2!) + while sqlite3_step(queryStatement) == SQLITE_ROW { + let col1 = sqlite3_column_text(queryStatement, 0) + if col1 != nil { + dateTime = String(cString: col1!) + } + + let col2 = sqlite3_column_text(queryStatement, 1) + if col2 != nil { + currentPath = String(cString: col2!) + } + + let col3 = sqlite3_column_text(queryStatement, 2) + if col3 != nil { + url = String(cString: col3!) 
+ } + + self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nURL: \(url)\nContent: \(currentPath)\n") } - - let col3 = sqlite3_column_text(queryStatement, 2) - if col3 != nil { - url = String(cString: col3!) - } - - self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nURL: \(url)\nContent: \(currentPath)\n") } } } - self.addTextToFile(atUrl: self.writeFile, text: "----- End of Opera Downloads -----") + } override func run() { diff --git a/filesystem/browsers/Safari.swift b/filesystem/browsers/Safari.swift index ce8e5f0..86a40fb 100644 --- a/filesystem/browsers/Safari.swift +++ b/filesystem/browsers/Safari.swift 
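Review bot: `Opera.gatherHistory` selects only `start_time, current_path` but the loop then reads column index 2 for `url`, so `url` is never populated (SQLite documents an out-of-range column index as undefined), and `start_time` is written raw rather than converted like the Chrome and Brave timestamps in this commit. Opera's `History` file is Chromium-derived, so the downloads query used for Chrome here should carry over: `let queryString = "SELECT datetime(d.start_time/1000000-11644473600, 'unixepoch'), d.current_path, dc.url FROM downloads d INNER JOIN downloads_url_chains dc ON dc.id = d.id;"` — verify against an Opera profile. The function is named `gatherHistory` yet dumps downloads, and this hunk removes both the `Opera History` header and the `End of Opera Downloads` footer, so the section is now unlabeled in the report; a header such as `----- Opera Downloads (\(user.username)) -----` inside the loop would restore it. The `sqlite3_open` here also needs a matching `sqlite3_finalize`/`sqlite3_close`, ideally with `SQLITE_OPEN_READONLY`.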
@@ -18,57 +18,63 @@ class Safari: BrowserModule { } func getHistory() { - let username = getUsersOnSystem() - let local_name = username[0].username - let file = URL(fileURLWithPath: "/Users/\(local_name)/Library/Safari/History") - - self.addTextToFile(atUrl: self.writeFile, text: "\n----- Safari History -----\n") - - var db: OpaquePointer? - if sqlite3_open(file.path, &db) == SQLITE_OK { - var queryStatement: OpaquePointer? = nil - let queryString = "SELECT h.visit_time, i.url FROM history_visits h INNER JOIN history_items i ON h.history_item = i.id;" + for user in getBasicUsersOnSystem() { + var file: URL + if filemanager.fileExists(atPath: "\(user.homedir)/Library/Safari/History") { + file = URL(fileURLWithPath: "\(user.homedir)/Library/Safari/History") } else { continue } + - if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { - var dateTime: String = "" - var url: String = "" + + self.addTextToFile(atUrl: self.writeFile, text: "\n----- Safari History -----\n") + + var db: OpaquePointer? + if sqlite3_open(file.path, &db) == SQLITE_OK { + var queryStatement: OpaquePointer? = nil + let queryString = "SELECT h.visit_time, i.url FROM history_visits h INNER JOIN history_items i ON h.history_item = i.id;" - while sqlite3_step(queryStatement) == SQLITE_ROW { - let col1 = sqlite3_column_text(queryStatement, 0) - if col1 != nil { - dateTime = String(cString: col1!) - } + if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK { + var dateTime: String = "" + var url: String = "" - let col2 = sqlite3_column_text(queryStatement, 1) - if col2 != nil { - url = String(cString: col2!) + while sqlite3_step(queryStatement) == SQLITE_ROW { + let col1 = sqlite3_column_text(queryStatement, 0) + if col1 != nil { + dateTime = String(cString: col1!) + } + + let col2 = sqlite3_column_text(queryStatement, 1) + if col2 != nil { + url = String(cString: col2!) 
+ } + + self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nURL: \(url)\n") } - - self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nURL: \(url)\n") } } + + self.addTextToFile(atUrl: self.writeFile, text: "----- End of Safari History -----\n") } - - self.addTextToFile(atUrl: self.writeFile, text: "----- End of Safari History -----\n") } func dumpImportantPlists() { - let username = getUsersOnSystem() - let local_name = username[0].username + for user in getBasicUsersOnSystem() { - let files: [URL] = [URL(fileURLWithPath: "/Users/\(local_name)/Library/Safari/Bookmarks.plist"), URL(fileURLWithPath: "/Users/\(local_name)/Library/Safari/Downloads.plist"), URL(fileURLWithPath: "/Users/\(local_name)/Library/Safari/UserNotificationPermissions.plist"), URL(fileURLWithPath: "/Users/\(local_name)/Library/Safari/LastSession.plist")] - - for file in files { - let plistDict = Aftermath.getPlistAsDict(atUrl: file) - self.addTextToFile(atUrl: self.writeFile, text: "\nFile Name:\n----- \(file) -----\n\n\(plistDict.description)\n----- End of \(file) -----\n") + let files: [URL] = [URL(fileURLWithPath: "\(user.homedir)/Library/Safari/Bookmarks.plist"), URL(fileURLWithPath: "\(user.homedir)/Library/Safari/Downloads.plist"), URL(fileURLWithPath: "\(user.homedir)/Library/Safari/UserNotificationPermissions.plist"), URL(fileURLWithPath: "\(user.homedir)/Library/Safari/LastSession.plist")] - self.copyFileToCase(fileToCopy: file, toLocation: self.safariDir) + for file in files { + if filemanager.fileExists(atPath: file.absoluteString) { + let plistDict = Aftermath.getPlistAsDict(atUrl: file) + self.addTextToFile(atUrl: self.writeFile, text: "\nFile Name:\n----- \(file) -----\n\n\(plistDict.description)\n----- End of \(file) -----\n") + + self.copyFileToCase(fileToCopy: file, toLocation: self.safariDir) + } else { continue } + } } } override func run() { - self.log("Collecting safari browser information...") + self.log("Collecting Safari browser 
information...") getHistory() dumpImportantPlists() } diff --git a/persistence/PersistenceModule.swift b/persistence/PersistenceModule.swift index 52323e1..ea3b9bb 100644 --- a/persistence/PersistenceModule.swift +++ b/persistence/PersistenceModule.swift @@ -34,5 +34,9 @@ class PersistenceModule: AftermathModule, AMProto { self.log("Collecting overrides...") let overrides = Overrides(saveToRawDir: persistenceRawDir) overrides.run() + + self.log("Writing system extension urls...") + let systemExtensions = SystemExtensions(saveToRawDir: persistenceRawDir) + systemExtensions.run() } } diff --git a/persistence/SystemExtensions.swift b/persistence/SystemExtensions.swift new file mode 100644 index 0000000..02d0c4a --- /dev/null +++ b/persistence/SystemExtensions.swift @@ -0,0 +1,33 @@ +// +// SystemExtensions.swift +// aftermath +// +// Created by Stuart Ashenbrenner on 4/6/22. +// + +import Foundation + +class SystemExtensions: PersistenceModule { + + let saveToRawDir: URL + + init(saveToRawDir: URL) { + self.saveToRawDir = saveToRawDir + } + + func captureSysExtensions(urlLocations: [URL], rawLoc: URL) { + let capturedSystemExtensions = self.createNewCaseFile(dirUrl: self.moduleDirRoot, filename: "systemExtensions.txt") + self.addTextToFile(atUrl: capturedSystemExtensions, text: "System Extension URLs\n-----\n\n") + for url in urlLocations { + self.addTextToFile(atUrl: capturedSystemExtensions, text: "\(url.absoluteString)\n") + } + } + + override func run() { + let sysExtensionsRaw = self.createNewDir(dir: self.saveToRawDir, dirname: "systemExtensions_dump") + + let sysExtensions = filemanager.filesInDirRecursive(path: "/Library/SystemExtensions/") + + captureSysExtensions(urlLocations: sysExtensions, rawLoc: sysExtensionsRaw) + } +} From 30c69473452f49b916732cd65c1b8749466eaea8 Mon Sep 17 00:00:00 2001 
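Review bot: In `dumpImportantPlists` the new guard `filemanager.fileExists(atPath: file.absoluteString)` can never be true: `absoluteString` of a file URL is `file:///Users/...`, not a POSIX path, so no Safari plist is ever dumped or copied. Use `file.path`, as `getHistory` in the same hunk already does. `getHistory` reads `\(user.homedir)/Library/Safari/History`, whereas current macOS keeps the history store in `History.db`, and `visit_time` in `history_visits` is stored as seconds since 2001-01-01 rather than Unix time, so both the path and the un-converted timestamp need checking on a live system (`datetime(h.visit_time + 978307200, 'unixepoch')` would match the other browsers' output). The `var file: URL; if fileExists { file = … } else { continue }` pattern reads more simply as `guard filemanager.fileExists(atPath: historyPath) else { continue }` followed by `let file = URL(fileURLWithPath: historyPath)`, and, as elsewhere in this patch, the opened database is never finalized or closed.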
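Review bot: `captureSysExtensions(urlLocations:rawLoc:)` in the new `SystemExtensions` module never uses its `rawLoc` parameter, so the `systemExtensions_dump` directory created in `run()` stays empty and only URL strings under `/Library/SystemExtensions/` are recorded. For a persistence artifact the content matters as much as the listing — that tree presumably holds the extension bundles and the `db.plist` that tracks activation state (confirm on a target system) — so each entry should also be preserved with `self.copyFileToCase(fileToCopy: url, toLocation: rawLoc)` inside the loop, as the Safari module does for its plists. The file has no doc comment; a header such as `/// Records (and should preserve) the contents of /Library/SystemExtensions, where macOS keeps installed system extensions and their activation database.` would state the intent. Writing `url.path` rather than `url.absoluteString` would also keep the report free of `file://` prefixes.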
From: stuartjash Date: Mon, 11 Apr 2022 12:57:30 -0700 Subject: [PATCH 06/10] updated basic users function --- aftermath/Module.swift | 30 +++++++----------------------- 1 file changed, 7 insertions(+), 23 deletions(-) diff --git a/aftermath/Module.swift b/aftermath/Module.swift index b353368..7cca706 100644 --- a/aftermath/Module.swift +++ b/aftermath/Module.swift @@ -56,30 +56,14 @@ class AftermathModule { } func getBasicUsersOnSystem() -> [User] { - var users = [User]() - - // Check Permissions - if (activeUser != "root") { - self.log("Aftermath being run in non-root mode...") - if let homedir = NSHomeDirectoryForUser(activeUser) { - let user = User(username:activeUser, homedir: homedir) - users.append(user) + var basicUsers = [User]() + if let users = self.users { + for user in users { + if SystemUsers.allCases.contains(where: {$0.rawValue == user.username}) { continue } + basicUsers.append(user) } - } else { - let userPlists = filemanager.filesInDir(path: "/var/db/dslocal/nodes/Default/users/") - for file in userPlists { - let filename = file.lastPathComponent - if !filename.hasPrefix("_") { - let username = file.deletingPathExtension().lastPathComponent - if let homedir = NSHomeDirectoryForUser(username) { - let user = User(username:username, homedir: homedir) - if SystemUsers.allCases.contains(where: {$0.rawValue == user.username}) { continue } - users.append(user) - } - } - } - } - return users + } + return basicUsers } func createNewDirInRoot(dirName: String) -> URL { From ede03e21c7ae1dd3c7f49275d461d23d360b0aeb Mon Sep 17 00:00:00 2001 From: stuartjash Date: Mon, 11 Apr 2022 13:41:09 -0700 Subject: [PATCH 07/10] update per comments --- artifacts/ShellHistoryAndProfiles.swift | 4 ++-- filesystem/browsers/Safari.swift | 2 +- persistence/LoginHooks.swift | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/artifacts/ShellHistoryAndProfiles.swift b/artifacts/ShellHistoryAndProfiles.swift index 7722745..854bf79 100644 
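Review bot: The rewrite of `getBasicUsersOnSystem()` drops the previous non-root branch (which fell back to `activeUser`) and the `_`-prefixed account filter, and instead trusts `self.users`, whose construction is outside this hunk. If `self.users` is still derived from `/var/db/dslocal/nodes/Default/users/` — readable only by root — a non-root run now yields an empty list and every per-user module collects nothing, whereas the old code still covered the invoking user; please confirm how `self.users` is populated and that `SystemUsers` covers the underscore service accounts the old loop skipped. The loop reads more directly as `return users.filter { user in !SystemUsers.allCases.contains { $0.rawValue == user.username } }`. A doc comment would help callers: `/// Users whose home directories should be searched for per-user artifacts: every known user except the built-in accounts listed in SystemUsers.`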
--- a/artifacts/ShellHistoryAndProfiles.swift +++ b/artifacts/ShellHistoryAndProfiles.swift @@ -32,7 +32,7 @@ class BashProfiles: ArtifactsModule { if (filemanager.fileExists(atPath: path.path)) { let newFileName = "\(user.username)_\(filename)" self.copyFileToCase(fileToCopy: path, toLocation: self.profilesDir, newFileName: newFileName) - } else { continue } + } } } @@ -45,7 +45,7 @@ class BashProfiles: ArtifactsModule { let filename = fileUrl.lastPathComponent let newFileName = "etc_\(filename)" self.copyFileToCase(fileToCopy: fileUrl, toLocation: self.profilesDir, newFileName: newFileName) - } else { continue } + } } diff --git a/filesystem/browsers/Safari.swift b/filesystem/browsers/Safari.swift index 86a40fb..8d0dbd2 100644 --- a/filesystem/browsers/Safari.swift +++ b/filesystem/browsers/Safari.swift @@ -68,7 +68,7 @@ class Safari: BrowserModule { self.addTextToFile(atUrl: self.writeFile, text: "\nFile Name:\n----- \(file) -----\n\n\(plistDict.description)\n----- End of \(file) -----\n") self.copyFileToCase(fileToCopy: file, toLocation: self.safariDir) - } else { continue } + } } } } diff --git a/persistence/LoginHooks.swift b/persistence/LoginHooks.swift index c31660b..fdeb884 100644 --- a/persistence/LoginHooks.swift +++ b/persistence/LoginHooks.swift @@ -27,7 +27,7 @@ class LoginHooks: PersistenceModule { } else { parsedHooks = hook } - } else { continue } + } } return parsedHooks From b7a6ba5134958710d8a6dbf81c564e53f79728c6 Mon Sep 17 00:00:00 2001 From: stuartjash Date: Mon, 11 Apr 2022 13:51:41 -0700 Subject: [PATCH 08/10] removed unused import --- aftermath/Module.swift | 1 - 1 file changed, 1 deletion(-) diff --git a/aftermath/Module.swift b/aftermath/Module.swift index 7cca706..e3dcdf3 100644 --- a/aftermath/Module.swift +++ b/aftermath/Module.swift @@ -6,7 +6,6 @@ // import Foundation -import CoreData struct User { let username: String From 4aac70072a42bb7596898273005f987795d89c4a Mon Sep 17 00:00:00 2001 
From: stuartjash Date: Mon, 11 Apr 2022 17:03:06 -0700 Subject: [PATCH 09/10] update sql --- artifacts/TCC.swift | 46 +++++++++++++++---------------- filesystem/browsers/Brave.swift | 28 +++++-------------- filesystem/browsers/Chrome.swift | 22 ++++----------- filesystem/browsers/Firefox.swift | 20 ++++---------- filesystem/browsers/Opera.swift | 12 ++------ filesystem/browsers/Safari.swift | 8 ++---- 6 files changed, 46 insertions(+), 90 deletions(-) diff --git a/artifacts/TCC.swift b/artifacts/TCC.swift index e7af849..eb9e98c 100644 --- a/artifacts/TCC.swift +++ b/artifacts/TCC.swift @@ -20,19 +20,20 @@ class TCC: ArtifactsModule { let capturedTCC = self.createNewCaseFile(dirUrl: self.moduleDirRoot, filename: "tccItems.txt") for user in getBasicUsersOnSystem() { - - var fileURL: URL - if filemanager.fileExists(atPath: "\(user.homedir)/Library/Application Support/com.apple.TCC/TCC.db") { - fileURL = URL(fileURLWithPath: "\(user.homedir)/Library/Application Support/com.apple.TCC/TCC.db") + + let tcc_path = URL(fileURLWithPath:"\(user.homedir)/Library/Application Support/com.apple.TCC/TCC.db") + + if filemanager.fileExists(atPath: tcc_path.relativePath) { + // use else-statement to break loop if the file does not exist } else { continue } - self.copyFileToCase(fileToCopy: fileURL, toLocation: tccDir, newFileName: "tcc_\(user.username)") + self.copyFileToCase(fileToCopy: tcc_path, toLocation: tccDir, newFileName: "tcc_\(user.username)") var db : OpaquePointer? - if sqlite3_open(fileURL.path, &db) == SQLITE_OK { + if sqlite3_open(tcc_path.path, &db) == SQLITE_OK { var queryStatement: OpaquePointer? = nil let queryString = "select client, auth_value, auth_reason, service from access" 
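Review bot: The new existence check in `TCC` is an empty `if` whose body is a comment, with the real action in `else { continue }`, and the comment says "break" while the code continues. `guard filemanager.fileExists(atPath: tcc_path.path) else { continue }` states the intent directly (`path` rather than `relativePath`, matching the `sqlite3_open(tcc_path.path, …)` two lines later). Copying `TCC.db` into the case first is good, but the query still runs against the live database with default read-write flags; querying the copy, or at least `sqlite3_open_v2(tcc_path.path, &db, SQLITE_OPEN_READONLY, nil)` with `sqlite3_close` at the end of each iteration, avoids touching the original and stops the per-user handle leak. Reading a user's `TCC.db` normally requires the collector itself to have Full Disk Access, so a failed open here is worth logging rather than silently skipping.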
@@ -43,14 +44,13 @@ class TCC: ArtifactsModule { var service: String = "" while sqlite3_step(queryStatement) == SQLITE_ROW { + let col1 = sqlite3_column_text(queryStatement, 0) - if col1 != nil{ - client = String(cString: col1!) - } + if let col1 = col1 { client = String(cString: col1) } let col2 = sqlite3_column_text(queryStatement, 1) - if col2 != nil { - authValue = String(cString: col2!) + if let col2 = col2 { + authValue = String(cString: col2) for item in TCCAuthValue.allCases { if authValue == String(item.rawValue) { authValue = String(describing: item) @@ -59,24 +59,24 @@ class TCC: ArtifactsModule { } let col3 = sqlite3_column_text(queryStatement, 2) - if col3 != nil { - authReason = String(cString: col3!) - for item in TCCAuthReason.allCases { - if authReason == String(item.rawValue) { - authReason = String(describing: item) + if let col3 = col3 { + authReason = String(cString: col3) + for item in TCCAuthReason.allCases { + if authReason == String(item.rawValue) { + authReason = String(describing: item) + } } } - } let col4 = sqlite3_column_text(queryStatement, 3) - if col4 != nil { - service = String(cString: col4!) - for item in TCCService.allCases { - if service == String(item.rawValue) { - service = String(describing: item) + if let col4 = col4 { + service = String(cString: col4) + for item in TCCService.allCases { + if service == String(item.rawValue) { + service = String(describing: item) + } } } - } self.addTextToFile(atUrl: capturedTCC, text: "TCC Data for \(user.username)") self.addTextToFile(atUrl: capturedTCC, text: "Name: \(client)\nRequested Service: \(service)\nAuth Value: \(authValue)\nAuth Reason: \(authReason)\n") diff --git a/filesystem/browsers/Brave.swift b/filesystem/browsers/Brave.swift index fa11716..2a3a36a 100644 --- a/filesystem/browsers/Brave.swift +++ b/filesystem/browsers/Brave.swift 
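Review bot: `client`, `authValue`, `authReason` and `service` are declared once before the `while` loop (outside this hunk) and only reassigned when the column is non-NULL, so a row with a NULL `client` or `service` is reported with the previous row's value — a misattribution that matters in a TCC grant listing. Reset them at the top of each iteration, or bind per row with `let client = sqlite3_column_text(queryStatement, 0).map { String(cString: $0) } ?? ""`, which also removes the `if let col1 = col1` shadowing. The per-row `addTextToFile(..., text: "TCC Data for \(user.username)")` has no trailing newline, so each record reads `TCC Data for aliceName: …`; write that label once before the loop with a `\n`, or append `\n` here. Unknown `auth_value`/`service` codes fall through as raw strings, which is acceptable, but a one-line comment saying so would save the next reader from chasing it. The enclosing `run()` begins and ends outside this hunk.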
@@ -44,14 +44,10 @@ class Brave: BrowserModule { while sqlite3_step(queryStatement) == SQLITE_ROW { let col1 = sqlite3_column_text(queryStatement, 0) - if col1 != nil { - dateTime = String(cString: col1!) - } + if let col1 = col1 { dateTime = String(cString: col1) } let col2 = sqlite3_column_text(queryStatement, 1) - if col2 != nil { - url = String(cString: col2!) - } + if let col2 = col2 { url = String(cString: col2) } self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nURL: \(url)\n") } @@ -80,29 +76,19 @@ class Brave: BrowserModule { while sqlite3_step(queryStatement) == SQLITE_ROW { let col1 = sqlite3_column_text(queryStatement, 0) - if col1 != nil { - dateTime = String(cString: col1!) - } + if let col1 = col1 { dateTime = String(cString: col1) } let col2 = sqlite3_column_text(queryStatement, 1) - if col2 != nil { - name = String(cString: col2!) - } + if let col2 = col2 { name = String(cString: col2) } let col3 = sqlite3_column_text(queryStatement, 2) - if col3 != nil { - hostKey = String(cString: col1!) - } + if let col3 = col3 { hostKey = String(cString: col3) } let col4 = sqlite3_column_text(queryStatement, 3) - if col4 != nil { - path = String(cString: col2!) - } + if let col4 = col4 { path = String(cString: col4) } let col5 = sqlite3_column_text(queryStatement, 4) - if col5 != nil { - expireTime = String(cString: col1!) - } + if let col5 = col5 { expireTime = String(cString: col5) } self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nName: \(name)\nHostKey: \(hostKey)\nPath:\(path)\nExpireTime: \(expireTime)\n\n") } diff --git a/filesystem/browsers/Chrome.swift b/filesystem/browsers/Chrome.swift index f7d6c98..d1f4a65 100644 --- a/filesystem/browsers/Chrome.swift +++ b/filesystem/browsers/Chrome.swift 
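Review bot: The `if let colN = colN { … }` rewrite in both Brave loops fixes the copy-paste reads of `col1`/`col2`, but `dateTime`, `name`, `hostKey`, `path` and `expireTime` are still declared once above the `while` (outside this hunk) and only written when a column is non-NULL, so a NULL cell silently inherits the previous row's value and the report pairs fields from different cookies. Binding per row removes both the carry-over and the shadowing, and the outer `var` declarations become unnecessary. The same rewrite applies to the history loop in the first hunk.
```swift
while sqlite3_step(queryStatement) == SQLITE_ROW {
    // Bind each column per row so a NULL cell yields "" rather than the previous row's value
    func column(_ index: Int32) -> String {
        sqlite3_column_text(queryStatement, index).map { String(cString: $0) } ?? ""
    }
    let dateTime   = column(0)
    let name       = column(1)
    let hostKey    = column(2)
    let path       = column(3)
    let expireTime = column(4)

    // … unchanged: addTextToFile record write …
}
```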
@@ -73,29 +73,19 @@ class Chrome: BrowserModule {
 while sqlite3_step(queryStatement) == SQLITE_ROW {
 let col1 = sqlite3_column_text(queryStatement, 0)
- if col1 != nil {
- dateTime = String(cString: col1!)
- }
+ if let col1 = col1 { dateTime = String(cString: col1) }
 let col2 = sqlite3_column_text(queryStatement, 1)
- if col2 != nil {
- url = String(cString: col2!)
- }
-
+ if let col2 = col2 { url = String(cString: col2) }
+
 let col3 = sqlite3_column_text(queryStatement, 2)
- if col3 != nil {
- targetPath = String(cString: col1!)
- }
+ if let col3 = col3 { targetPath = String(cString: col3) }
 let col4 = sqlite3_column_text(queryStatement, 3)
- if col4 != nil {
- dangerType = String(cString: col2!)
- }
+ if let col4 = col4 { dangerType = String(cString: col4) }
 let col5 = sqlite3_column_text(queryStatement, 4)
- if col5 != nil {
- opened = String(cString: col1!)
- }
+ if let col5 = col5 { opened = String(cString: col5) }
 self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nURL: \(url)\nTargetPath: \(targetPath)\nDangerType:\(dangerType)\nOpened: \(opened)\n\n")
 }
diff --git a/filesystem/browsers/Firefox.swift b/filesystem/browsers/Firefox.swift
index 1fde316..913c040 100644
--- a/filesystem/browsers/Firefox.swift
+++ b/filesystem/browsers/Firefox.swift
@@ -126,29 +126,19 @@ class Firefox: BrowserModule {
 while sqlite3_step(queryStatement) == SQLITE_ROW {
 let col1 = sqlite3_column_text(queryStatement, 0)
- if col1 != nil {
- dateTime = String(cString: col1!)
- }
+ if let col1 = col1 { dateTime = String(cString: col1) }
 let col2 = sqlite3_column_text(queryStatement, 1)
- if col2 != nil {
- name = String(cString: col2!)
- }
+ if let col2 = col2 { name = String(cString: col2) }
 let col3 = sqlite3_column_text(queryStatement, 2)
- if col3 != nil {
- hostKey = String(cString: col1!)
- }
+ if let col3 = col3 { hostKey = String(cString: col3) }
 let col4 = sqlite3_column_text(queryStatement, 3)
- if col4 != nil {
- path = String(cString: col2!)
- }
+ if let col4 = col4 { path = String(cString: col4) }
 let col5 = sqlite3_column_text(queryStatement, 4)
- if col5 != nil {
- expireTime = String(cString: col1!)
- }
+ if let col5 = col5 { expireTime = String(cString: col5) }
 self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nName: \(name)\nHostKey: \(hostKey)\nPath:\(path)\nExpireTime: \(expireTime)\n\n")
 }
diff --git a/filesystem/browsers/Opera.swift b/filesystem/browsers/Opera.swift
index 380c361..b2924e5 100644
--- a/filesystem/browsers/Opera.swift
+++ b/filesystem/browsers/Opera.swift
@@ -35,19 +35,13 @@ class Opera: BrowserModule {
 while sqlite3_step(queryStatement) == SQLITE_ROW {
 let col1 = sqlite3_column_text(queryStatement, 0)
- if col1 != nil {
- dateTime = String(cString: col1!)
- }
+ if let col1 = col1 { dateTime = String(cString: col1) }
 let col2 = sqlite3_column_text(queryStatement, 1)
- if col2 != nil {
- currentPath = String(cString: col2!)
- }
+ if let col2 = col2 { currentPath = String(cString: col2) }
 let col3 = sqlite3_column_text(queryStatement, 2)
- if col3 != nil {
- url = String(cString: col3!)
- }
+ if let col3 = col3 { url = String(cString: col3) }
 self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nURL: \(url)\nContent: \(currentPath)\n")
 }
diff --git a/filesystem/browsers/Safari.swift b/filesystem/browsers/Safari.swift
index 8d0dbd2..ccf1dfa 100644
--- a/filesystem/browsers/Safari.swift
+++ b/filesystem/browsers/Safari.swift
@@ -39,14 +39,10 @@ class Safari: BrowserModule {
 while sqlite3_step(queryStatement) == SQLITE_ROW {
 let col1 = sqlite3_column_text(queryStatement, 0)
- if col1 != nil {
- dateTime = String(cString: col1!)
- }
+ if let col1 = col1 { dateTime = String(cString: col1) }
 let col2 = sqlite3_column_text(queryStatement, 1)
- if col2 != nil {
- url = String(cString: col2!)
- }
+ if let col2 = col2 { url = String(cString: col2) }
 self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nURL: \(url)\n")
 }
From e4a5ed267a87b3d7f1d0a4b63e2c1e76ab5ecbe8 Mon Sep 17 00:00:00 2001
From: stuartjash
Date: Tue, 12 Apr 2022 08:58:52 -0700
Subject: [PATCH 10/10] fixec if
---
 artifacts/TCC.swift | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/artifacts/TCC.swift b/artifacts/TCC.swift
index eb9e98c..8f210ce 100644
--- a/artifacts/TCC.swift
+++ b/artifacts/TCC.swift
@@ -23,9 +23,7 @@ class TCC: ArtifactsModule {
 let tcc_path = URL(fileURLWithPath:"\(user.homedir)/Library/Application Support/com.apple.TCC/TCC.db")
- if filemanager.fileExists(atPath: tcc_path.relativePath) {
- // use else-statement to break loop if the file does not exist
- } else { continue }
+ if !filemanager.fileExists(atPath: tcc_path.relativePath) { continue }
 self.copyFileToCase(fileToCopy: tcc_path, toLocation: tccDir, newFileName: "tcc_\(user.username)")