From 5468e6b0242bdbe2d328bbb5b3a8b9f7fe3543dd Mon Sep 17 00:00:00 2001
From: CopasAlpha26 <copasalpha@gmail.com>
Date: Sat, 23 Nov 2024 09:38:20 +0700
Subject: [PATCH] improvements to plugin functionality

---
 plaso/data/formatters/ios_wifi.yaml           |  13 +++
 plaso/data/timeliner.yaml                     |  14 +++
 plaso/parsers/plist_plugins/__init__.py       |   1 +
 .../plist_plugins/ios_wifi_known_networks.py  |  90 ++++++++++++++++++
 test_data/com.apple.wifi.known-networks.plist | Bin 0 -> 1650 bytes
 .../plist_plugins/ios_wifi_known_networks.py  |  48 ++++++++++
 6 files changed, 166 insertions(+)
 create mode 100644 plaso/data/formatters/ios_wifi.yaml
 create mode 100644 plaso/parsers/plist_plugins/ios_wifi_known_networks.py
 create mode 100755 test_data/com.apple.wifi.known-networks.plist
 create mode 100644 tests/parsers/plist_plugins/ios_wifi_known_networks.py

diff --git a/plaso/data/formatters/ios_wifi.yaml b/plaso/data/formatters/ios_wifi.yaml
new file mode 100644
index 0000000000..2d41da8a8c
--- /dev/null
+++ b/plaso/data/formatters/ios_wifi.yaml
@@ -0,0 +1,13 @@
+type: 'conditional'
+data_type: 'ios:wifi:known_networks:knowing'
+message:
+  - 'SSID={ssid}'
+  - 'BSSID={bssid}'
+  - 'Channel={channel}'
+  - 'Added At={added_at_time_str}'
+  - 'Last Associated={last_associated_time_str}'
+short_message:
+  - 'SSID={ssid}'
+short_source: 'PLIST'
+source: 'Apple iOS WiFi Known Networks plist file'
+
diff --git a/plaso/data/timeliner.yaml b/plaso/data/timeliner.yaml
index 1681f33d74..793594c7bb 100644
--- a/plaso/data/timeliner.yaml
+++ b/plaso/data/timeliner.yaml
@@ -581,6 +581,20 @@ attribute_mappings:
   description: 'Content Modification Time'
 place_holder_event: true
 ---
+data_type: 'ios:wifi:known_networks:knowing'
+attribute_mappings:
+  - name: 'added_at'
+    description: 'Time network was added'
+  - name: 'last_associated'
+    description: 'Last associated time'
+  - name: 'ssid'
+    description: 'SSID of the network'
+  - name: 'bssid'
+    description: 'BSSID of the network'
+  - name: 'channel'
+    description: 'Channel of the network'
+place_holder_event: true
+---
 data_type: 'ipod:device:entry'
 attribute_mappings:
 - name: 'last_connected_time'
diff --git a/plaso/parsers/plist_plugins/__init__.py b/plaso/parsers/plist_plugins/__init__.py
index a3292555b6..f0a0f5ee12 100644
--- a/plaso/parsers/plist_plugins/__init__.py
+++ b/plaso/parsers/plist_plugins/__init__.py
@@ -8,6 +8,7 @@
 from plaso.parsers.plist_plugins import install_history
 from plaso.parsers.plist_plugins import ios_carplay
 from plaso.parsers.plist_plugins import ios_identityservices
+from plaso.parsers.plist_plugins import ios_wifi_known_networks
 from plaso.parsers.plist_plugins import ipod
 from plaso.parsers.plist_plugins import launchd
 from plaso.parsers.plist_plugins import macos_background_items
diff --git a/plaso/parsers/plist_plugins/ios_wifi_known_networks.py b/plaso/parsers/plist_plugins/ios_wifi_known_networks.py
new file mode 100644
index 0000000000..46e9657eac
--- /dev/null
+++ b/plaso/parsers/plist_plugins/ios_wifi_known_networks.py
@@ -0,0 +1,90 @@
+# -*- coding: utf-8 -*-
+"""Plist parser plugin for Apple iOS WiFi Known Networks plist files.
+
+The plist contains information about WiFi networks the device has connected to.
+"""
+
+from dfdatetime import posix_time as dfdatetime_posix_time
+from plaso.containers import events
+from plaso.parsers import plist
+from plaso.parsers.plist_plugins import interface
+
+
+class IOSWiFiKnownNetworksEventData(events.EventData):
+    """Apple iOS WiFi Known Networks event data.
+
+    Attributes:
+        ssid (str): SSID of the WiFi network.
+        added_at (dfdatetime.DateTimeValues): date the network was added.
+        last_associated (dfdatetime.DateTimeValues): date the network was last associated.
+        bssid (str): BSSID of the WiFi network.
+        channel (int): Channel used by the WiFi network.
+    """
+
+    DATA_TYPE = 'ios:wifi:known_networks:knowing'
+
+    def __init__(self):
+        """Initializes event data."""
+        super(IOSWiFiKnownNetworksEventData, self).__init__(data_type=self.DATA_TYPE)
+        self.ssid = None
+        self.added_at = None
+        self.last_associated = None
+        self.bssid = None
+        self.channel = None
+
+
+class IOSWiFiKnownNetworksPlistPlugin(interface.PlistPlugin):
+    """Plist parser plugin for Apple iOS WiFi Known Networks plist files."""
+
+    NAME = 'ios_wifi_known_networks'
+    DATA_FORMAT = 'Apple iOS WiFi Known Networks plist file'
+
+    PLIST_PATH_FILTERS = frozenset([
+        interface.PlistPathFilter('com.apple.wifi.known-networks.plist')])
+
+    PLIST_KEYS = frozenset([])
+
+
+    def _ParsePlist(self, parser_mediator, match=None, top_level=None, **unused_kwargs):
+        print(f"Top-level keys in plist: {list(top_level.keys())}")
+        """Extract WiFi known network entries.
+
+        Args:
+            parser_mediator (ParserMediator): mediates interactions between parsers
+                and other components, such as storage and dfVFS.
+            match (Optional[dict[str: object]]): keys extracted from PLIST_KEYS.
+            top_level (Optional[dict[str: object]]): entire plist file.
+        """
+        for ssid_key, ssid_data in top_level.items():
+            added_at = ssid_data.get('AddedAt')
+            bssid_list = ssid_data.get('BSSList', [])
+
+
+            for bssid_data in bssid_list:
+                event_data = IOSWiFiKnownNetworksEventData()
+                event_data.ssid = ssid_key
+
+                if added_at:
+                    added_at_obj = dfdatetime_posix_time.PosixTime(
+                        timestamp=added_at.timestamp())
+                    event_data.added_at = added_at_obj
+                    event_data.added_at_time_str = added_at_obj.CopyToDateTimeString()
+
+                event_data.bssid = bssid_data.get('BSSID')
+                event_data.channel = bssid_data.get('Channel')
+
+
+                last_associated = bssid_data.get('LastAssociatedAt')
+                if last_associated:
+                    last_associated_obj = dfdatetime_posix_time.PosixTime(
+                        timestamp=last_associated.timestamp())
+                    event_data.last_associated = last_associated_obj
+                    event_data.last_associated_time_str = last_associated_obj.CopyToDateTimeString()
+
+                print(f"Debug Event: SSID={event_data.ssid}, Added At={event_data.added_at_time_str}, Last Associated={event_data.last_associated_time_str}")
+
+                parser_mediator.ProduceEventData(event_data)
+
+
+
+plist.PlistParser.RegisterPlugin(IOSWiFiKnownNetworksPlistPlugin)
diff --git a/test_data/com.apple.wifi.known-networks.plist b/test_data/com.apple.wifi.known-networks.plist
new file mode 100755
index 0000000000000000000000000000000000000000..37218a0f653c70f40450163c5ddfb35cf1f5b0a6
GIT binary patch
literal 1650
zcmbtTT}&KR6uxus-MT;}ccHBUt*!#CRG_e1c40KpfnEOGKbc)tD(vmBb9Xysnc40P
z;QFF9@dr&bF@33NYy4~LgGL{G(PAY*TN4x0Xw?K78)J<RrZJ{ye5i3|XHhA>^}bBz
zobP<!ch0$YGM`g)qod;j2PxS;r(~3Nl^JtdVX9r%6}deu83ygwa;&(Fuw&CL&Wg&a
z&9_!pliDp?w~6sYaWt&WDr$CgP?2S(ruwA3q0F*aLCYvPmKxR+mC3!ugw6_r5f{aw
zKvFP)vS6erjf!HPrA^H=rIe60uvpX$HZ2&GY!held97eDS!C&%f?^co#XQrKy`mU0
zZI31LvScO&!|A->s$LV1*bO+n!qV!Y)icFQ!~b?sj$L&x-*$UleZ%%0ciic|>+Z&;
z=AGe4H1_bwc)9z8E@c@dwNt7#r<!tQrGP1yFn@;v6Mch1BoYkK{*W*rQsV9n3VqQC
zjg3TmgLEj;AEmM22rXf0Xh@7xQeQR}%?zmqD=^&{)TWten4HNn+rE5(&DwLIq%o=V
zE9IJ)r0eEZ<gg}N^O6ijQ!O(|Ax6W|K#&qwK#{VlrW;CH@7497I@>4+ePc_PP64m*
zX(g;*Jf1aCK8g2uc&~@=>E<(gc{$_4<n*q#&aV3&=o|Q|?w*$2)vc6liN*ygj*0PL
z*zQFPM$8V}H-^hiM<byzYC~LpA20d&y`4Ps^Zqp7BReZB+IEX}qq?2+l#+gFU8T=w
zC4K(xn>6%K$DK0oWxV9IY40y-c6<1}U3`~03qL>U<-MJD^1=Tz)Whs#pp^9a)(^6j
z92^?HNw<Es-cX0Lf^g(DbA_8<zIWxvI{N}I4*W(S!B+I$7v@tf6Umt1amQFe*HkI@
z_UMGfl<B-a^L4WBk+FS`hR4VI4oIrXa{W0et0&7p=9>#ix*_PgmR9VCL@LcKZCIhH
z<MdrVyzo|uuQ^5cTd4Kx>S3hG^5Z^o<l<QyH<^|<;(R{RVd0Mc<ZAfF_Ls>Xuy8ka
zPO41Yrp2nxv+vk^2d8o-Zo|sRQH!tn+vmxM&8LPn6SrYO7RsFA4<Q?MC|me1s(d><
z7OG~~M@>)LnoSYIikMR#Z?Pk@bB|edYwu|7R*_Z<H`n&ZGuO%m%K_j7RbV#|z#xc%
z6qp7D@Hm(U$G`_*0h|Np!RO!$unbnf74R$glOx;?&dc?11KdIGS?(q7748%6Jh#GK
z;jTgm9k3d1g{?3O(@=&C=HQd?FnkKm!{hJ-d=;LA3-B_$23O(l@H%p#8dQtwQ9Ig$
zI*=bdghD8c;%ExJh+ao;pf}M;bQ-;nK165G$LJioh`vWZqg8Yr6I_FL;yt(<hj0WZ
z@qTRJS^NZk4j;oO@G1NrUc#T@FY$Ny7rcu9a@05)98HckhtDzW2ssj<bRcJc&3@M%
GN9u1t`tKS5

literal 0
HcmV?d00001

diff --git a/tests/parsers/plist_plugins/ios_wifi_known_networks.py b/tests/parsers/plist_plugins/ios_wifi_known_networks.py
new file mode 100644
index 0000000000..05d4a12e1d
--- /dev/null
+++ b/tests/parsers/plist_plugins/ios_wifi_known_networks.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""Tests for the Apple iOS WiFi Known Networks plist plugin."""
+
+import unittest
+
+from plaso.parsers.plist_plugins import ios_wifi_known_networks
+
+from tests.parsers.plist_plugins import test_lib
+
+
+class IOSWiFiKnownNetworksPlistPluginTest(test_lib.PlistPluginTestCase):
+    """Tests for the Apple iOS WiFi Known Networks plist plugin."""
+
+    def testProcess(self):
+        """Tests the Process function."""
+        plist_name = 'com.apple.wifi.known-networks.plist'
+
+        plugin = ios_wifi_known_networks.IOSWiFiKnownNetworksPlistPlugin()
+        storage_writer = self._ParsePlistFileWithPlugin(
+            plugin, [plist_name], plist_name)
+
+        number_of_event_data = storage_writer.GetNumberOfAttributeContainers(
+            'event_data')
+        self.assertEqual(number_of_event_data, 9)
+
+        number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
+            'extraction_warning')
+        self.assertEqual(number_of_warnings, 0)
+
+        number_of_recovery_warnings = storage_writer.GetNumberOfAttributeContainers(
+            'recovery_warning')
+        self.assertEqual(number_of_recovery_warnings, 0)
+
+        expected_event_values = {
+            'ssid': 'wifi.network.ssid.Matt_Foley',
+            'bssid': '76:a7:41:e7:7c:9d',
+            'data_type': 'ios:wifi:known_networks:knowing',
+            'channel': 1,
+            'added_at': '2023-04-15T13:53:47+00:00',
+            'last_associated': '2023-05-14T01:15:45+00:00'}
+
+        event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0)
+        self.CheckEventData(event_data, expected_event_values)
+
+
+if __name__ == '__main__':
+    unittest.main()