Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create parser and parser plugins for Apple Biome files (aka: SEBG files) #4812

Open
rick-slin opened this issue Feb 23, 2024 · 10 comments · May be fixed by #4878
Open

Create parser and parser plugins for Apple Biome files (aka: SEBG files) #4812

rick-slin opened this issue Feb 23, 2024 · 10 comments · May be fixed by #4878
Labels
enhancement New or improved functionality parsers Issues related to parsers and parser plug-ins

Comments

@rick-slin
Copy link
Contributor

Describe the problem:

On MacOS and iOS devices, some of the artifacts that could be found in the KnowledgeC database have migrated under the biome folders (/private/var/db/biome and /private/var/mobile/Library/Biome). iLEAP supports those files and I'd like to bring support for these files in Plaso. The format consists of protobuffs stored in a binary file.

@rick-slin
Copy link
Contributor Author

A python parser is already [available] (https://github.com/cclgroupltd/ccl-segb) but not as a module that can be installed. I'm not sure what would be the best way to integrate that code into plaso. Also it uses the MIT licence. I don't know if this is ok.

@joachimmetz
Copy link
Member

MIT license is fine also see https://github.com/log2timeline/l2tdocs/blob/main/process/Dependencies.md

However it needs to be an installable Python module otherwise we cannot use it as a dependency. If the format is straight forward it can likely be easily re-implemented.

@joachimmetz joachimmetz added enhancement New or improved functionality parsers Issues related to parsers and parser plug-ins labels Feb 23, 2024
@joachimmetz
Copy link
Member

Given the size of the Python code it likely can be easily implemented with dtFabric (famous last words) if you have test files that can be shared (are not someones else their copyright) that would be a good start.

@rick-slin
Copy link
Contributor Author

I got samples from Magnet's CTF

@joachimmetz
Copy link
Member

What the license/copyright of those? Likely can't use them as CI test files.

@rick-slin
Copy link
Contributor Author

Right. I'll generate some with a test device.

@rick-slin
Copy link
Contributor Author

I'll get started using dtFabric. Thanks for the input.

@joachimmetz
Copy link
Member

protobufs use varints which might be more tricky with dtfabric but this might give you some inspiration https://github.com/libyal/dtformats/blob/main/dtformats/leveldb.py

@rick-slin
Copy link
Contributor Author

Could I use dtfrabric to get the protobufs and then use [this] ( https://pypi.org/project/bbpb/) to parse the protobufs themselves?

@joachimmetz
Copy link
Member

or https://pypi.org/project/protobuf/

@rick-slin rick-slin linked a pull request Apr 18, 2024 that will close this issue
3 tasks
@github-project-automation github-project-automation bot moved this to In progress in Format support Aug 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New or improved functionality parsers Issues related to parsers and parser plug-ins
Projects
Status: In progress
Development

Successfully merging a pull request may close this issue.

2 participants