flamusdiu/xleapp

xLEAPP

Note

This is an alpha application. I am having trouble getting a testing suite to test the main app object. So, I have been trying to solve this problem. Please use official packages for real DFIR work. If you want to help, please find me on https://azuleonyx.bio.link

Code style: black pre-commit

Development build. Please be cautious using it on real cases.

Framework for Logs, Events, And Plists Parser (LEAPP)

This framework is a complete rewrite of the excellent tool iLEAPP. Details of iLEAPP can be found in this blog post.

xLEAPP is the framework created to merge several tools together. More information about the rewrite is given in my talk (YouTube) at Black Hills Info Security's Wild West Hackin' Fest (WWHF): Deadwood in 2021.

Features

  • Provides a centralized and modular framework
  • Provides a simplified way to write plugins (artifacts) for each different supported platform.
  • Parses iOS, macOS, Android, Chromebook, warranty returns, and Windows artifacts depending on the plugins installed.
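The "Plists" in the framework's name refers to Apple property lists, which carry many of the iOS and macOS artifacts a plugin reads. The following is an added illustration of that parsing task; it is not xleapp's code and does not use xleapp's plugin API. It builds a small binary plist in memory (a constructed sample, so it runs offline), walks every key, and converts Apple "Cocoa" timestamps (seconds since 2001-01-01 UTC) and native plist dates into ISO-8601 strings, which is the normalisation step an examiner needs before correlating artifacts across sources.

```python
# Added example (not xleapp code): extract and normalise timestamps from a
# plist artifact the way a LEAPP-style plugin would.
import plistlib
from datetime import datetime, timedelta, timezone

# Apple's NSDate epoch: 2001-01-01T00:00:00Z
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed sample plist (binary format), standing in for a file read
# from an extraction. plistlib requires naive datetimes when writing;
# by convention they are UTC.
SAMPLE_PLIST = plistlib.dumps(
    {
        "LastBackupDate": datetime(2021, 10, 6, 14, 30, 0),  # native plist date
        "LastSeen": 655309800.0,             # Cocoa timestamp as float
        "DeviceName": "Example iPhone",      # not a timestamp, must be skipped
        "Nested": {"Created": 655000000},    # Cocoa timestamp as int, nested
    },
    fmt=plistlib.FMT_BINARY,
)


def cocoa_to_iso(seconds):
    """Convert a Cocoa timestamp (seconds since 2001-01-01 UTC) to ISO-8601."""
    return (COCOA_EPOCH + timedelta(seconds=seconds)).isoformat()


def walk(obj, path=""):
    """Yield (path, leaf_value) for every leaf in a nested plist structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, obj


def extract_timestamps(plist_bytes, key_hints=("Date", "Seen", "Created", "Time")):
    """Return {path: iso_string} for leaves whose key name suggests a timestamp.

    Native plist dates are returned by plistlib as naive UTC datetimes;
    numeric leaves are treated as Cocoa timestamps. Booleans are excluded
    because bool is a subclass of int in Python.
    """
    data = plistlib.loads(plist_bytes)
    found = {}
    for path, value in walk(data):
        key = path.rsplit("/", 1)[-1]
        if not any(hint in key for hint in key_hints):
            continue
        if isinstance(value, datetime):
            found[path] = value.replace(tzinfo=timezone.utc).isoformat()
        elif isinstance(value, (int, float)) and not isinstance(value, bool):
            found[path] = cocoa_to_iso(value)
    return found


if __name__ == "__main__":
    for path, iso in extract_timestamps(SAMPLE_PLIST).items():
        print(f"{path}: {iso}")
```

The key-name heuristic is deliberately simple; a real plugin knows the exact keys of the artifact it targets and should match them explicitly rather than by substring.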

Other Documentation

Pre-requisites

This project requires you to have Python >= 3.9

Plugins

Notice: Extensions have been merged into a single repo. Please ensure you are using a post-v0.2.1 version.

Here is a list of plugins that need to be completed. Plugin packages suffixed with "non-free" use licenses that may not conform with the MIT license and are separated out.

Installation

Windows

  • Python

    PS> py -3 -m pip install xleapp
    PS> py -3 -m pip install xleapp-<plugin>
  • PIPX

    PS> py -3 -m pip install pipx
    PS> pipx install xleapp
    PS> pipx inject xleapp xleapp-<plugin>

Linux

  • Python

    $ python3 -m pip install xleapp
    $ python3 -m pip install xleapp-<plugin>
  • PIPX

    $ python3 -m pip install pipx
    $ pipx install xleapp
    $ pipx inject xleapp xleapp-<plugin>

Installation from Github and Development Information

VS Code configuration files

There are several configuration files that I have been using for VS Code.

Compile to executable

NOTE: This may not work at this time with this alpha version.

Compiling to an executable lets you run the tool on a system without Python installed.

To create xleapp.exe, run:

pyinstaller --onefile xleapp.spec

To create xleappGUI.exe, run:

pyinstaller --onefile --noconsole xleappGUI.spec

Usage

CLI

$ xleapp -h
usage: xleapp [-h] [-I] [-R] [-A] [-C] [-V] [-o OUTPUT_FOLDER] [-i INPUT_PATH]
       [--artifacts [ARTIFACTS ...]] [-p] [-l] [--gui] [--version]

xLEAPP: Logs, Events, and Plists Parser.

optional arguments:
  -h, --help            show this help message and exit
  -I                    parse ios artifacts
  -R                    parse Warrant Returns / User Generated Archives artifacts
  -A                    parse android artifacts
  -C                    parse Chromebook artifacts
  -V                    parse vehicle artifacts
  -o OUTPUT_FOLDER, --output_folder OUTPUT_FOLDER
                        Output folder path
  -i INPUT_PATH, --input_path INPUT_PATH
                        Path to input file/folder
  --artifact [ARTIFACT ...]
                        Filtered list of artifacts to run. Allowed: core, <check artifact list in
                        documentation>
  -p, --artifact_paths  Text file list of artifact paths
  -l, --artifact_table  Text file with table of artifacts
  --gui                 Runs xLEAPP into graphical mode
  --version             show program's version number and exit

GUI

This needs work and may not work properly!

$ xleapp --gui

Help

$ xleapp.py --help

The GUI will open in another window.

Acknowledgements

This tool is the result of a collaborative effort of many people in the DFIR community.

This product includes software developed by Sarah Edwards (Station X Labs, LLC, @iamevltwin, mac4n6.com) and other contributors as part of APOLLO (Apple Pattern of Life Lazy Output'er).