Merge pull request #323 from abrignoni/Brigs-working
Android Chrome browser cache files parser
abrignoni authored Jan 28, 2023
2 parents 0bb72f1 + 259ded5 commit 1675763
Showing 2 changed files with 101 additions and 1 deletion.
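--- a/scripts/artifacts/browserCachechrome.py
+++ b/scripts/artifacts/browserCachechrome.py
@@ -0,0 +1,97 @@
+import datetime
+import email
+import os
+import struct
+import magic
+import gzip
+import shutil
+from io import BytesIO
+
+from scripts.artifact_report import ArtifactHtmlReport
+from scripts.ilapfuncs import logfunc, tsv, is_platform_windows, media_to_html
+
+def get_browserCachechrome(files_found, report_folder, seeker, wrap_text):
+
+data_list = []
+
+for file_found in files_found:
+file_found = str(file_found)
+
+if file_found.endswith('_0'):
+
+filename = os.path.basename(file_found)
+
+modified_time = os.path.getmtime(file_found)
+utc_modified_date = datetime.datetime.utcfromtimestamp(modified_time)
+
+with open(file_found, 'rb') as file:
+data = file.read()
+ab = BytesIO(data)
+
+eofloc = data.index(b'\xD8\x41\x0D\x97\x45\x6F\xFA\xF4')
+
+header = ab.read(8)
+version = ab.read(4)
+lenghturl = ab.read(4)
+lenghturl = (struct.unpack_from("<i",lenghturl)[0])
+dismiss = ab.read(8)
+
+headerlenght = lenghturl + 8 + 4 + 4 + 8
+
+url = ab.read(lenghturl)
+url = (url.decode())
+filedata = ab.read(eofloc - headerlenght)
+
+mime = magic.from_buffer(filedata, mime=True)
+ext = (mime.split('/')[1])
+
+sfilename = filename + '.' + ext
+spath = os.path.join(report_folder,sfilename)
+
+with open(f'{spath}', 'wb') as d:
+d.write(filedata)
+
+if ext == 'x-gzip':
+try:
+with gzip.open(f'{spath}', 'rb') as f_in:
+file_content = f_in.read()
+
+mime = magic.from_buffer(file_content, mime=True)
+extin = (mime.split('/')[1])
+#logfunc(f'Gzip mime: {mime} for {spath}')
+sfilenamein = filename + '.' + extin
+spath = os.path.join(report_folder,sfilenamein)
+
+with open(f'{spath}', 'wb') as f_out:
+f_out.write(file_content)
+
+except Exception as e: logfunc(str(e))
+
+if 'video' in mime:
+spath = f'<video width="320" height="240" controls="controls"><source src="{spath}" type="video/mp4">Your browser does not support the video tag.</video>'
+elif 'image' in mime:
+spath = f'<img src="{spath}"width="300"></img>'
+else:
+spath = f'<a href="{spath}"> Link to {mime} </>'
+
+data_list.append((utc_modified_date, filename, spath, url, file_found))
+
+if len(data_list) > 0:
+note = 'Source location in extraction found in the report for each item.'
+report = ArtifactHtmlReport('Chrome Browser Cache')
+report.start_artifact_report(report_folder, f'Chrome Browser Cache')
+report.add_script()
+data_headers = ('Timestamp Modified', 'Filename', 'Cached File', 'Source URL', 'Source')
+report.write_artifact_data_table(data_headers, data_list, note, html_no_escape=['Cached File'])
+report.end_artifact_report()
+
+tsvname = f'Chrome Browser Cache'
+tsv(report_folder, data_headers, data_list, tsvname)
+
+__artifacts__ = {
+"browserCachechrome": (
+"Browser Cache",
+( '*/data/com.android.chrome/cache/Cache/*_0'),
+get_browserCachechrome)
+}
+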
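Review bot: The entry parser trusts every field of a cache file taken from the device: `data.index(...)` raises ValueError when the trailer magic is absent and `url.decode()` raises on non-UTF-8 bytes, both outside any `try`, so one truncated or crafted `_0` file stops the artifact for all remaining files. The key length is unpacked as signed `<i` and never compared with `eofloc`, so a negative or oversized value makes `ab.read()` return the rest of the file as the URL. I would bounds-check the header and skip the entry with a `logfunc` message, as in the excerpt below, which replaces the lines from `eofloc = ...` through `filedata = ...`. Separately, the body (and the unbounded `gzip` read of it) is written to the report folder with an extension taken from libmagic and linked through `html_no_escape`, so a cached `text/html` or script body becomes a clickable file in the examiner's browser; consider a size cap on the decompressed read and a neutral extension for non-media types.

```python
            with open(file_found, 'rb') as file:
                data = file.read()

            # Evidence files are untrusted input: skip an entry that does not
            # parse instead of letting one bad file abort the whole artifact.
            # 24 = 8 + 4 + 4 + 8, the fixed header the original code reads.
            eofloc = data.find(b'\xD8\x41\x0D\x97\x45\x6F\xFA\xF4')
            if eofloc < 24:
                logfunc(f'Skipping {file_found}: header or end-of-entry marker missing')
                continue

            lenghturl = struct.unpack_from('<I', data, 12)[0]
            headerlenght = 24 + lenghturl
            if headerlenght > eofloc:
                logfunc(f'Skipping {file_found}: URL length {lenghturl} exceeds entry size')
                continue

            url = data[24:headerlenght].decode('utf-8', errors='replace')
            filedata = data[headerlenght:eofloc]
            # … unchanged: magic.from_buffer, write to report_folder, gzip handling …
```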
5 changes: 4 additions & 1 deletion scripts/report.py
@@ -16,7 +16,10 @@ def get_icon_name(category, artifact):
category = category.upper()
artifact = artifact.upper()
icon = 'alert-triangle' # default (if not defined!)


if category.find('BROWSER CACHE') >= 0:
if artifact.find('CHROME BROWSER CACHE') >= 0: icon = 'chrome'
else: icon = 'globe'
if category.find('ACCOUNT') >= 0:
if artifact.find('AUTH') >= 0: icon = 'key'
else: icon = 'user'
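Review bot: The new `BROWSER CACHE` test is a standalone `if`, and the `if category.find('ACCOUNT') >= 0:` right after it still starts its own chain, so a Browser Cache category keeps being tested against every later branch, and any branch that matches would overwrite the icon just set. The rest of get_icon_name is outside the hunk, so whether a later branch can match is not visible here. Changing the next test to `elif category.find('ACCOUNT') >= 0:` would make the new block part of the same chain and remove the doubt.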