diff --git a/plaso/data/formatters/ios.yaml b/plaso/data/formatters/ios.yaml
index bd3c3b005c..f059ac0e90 100644
--- a/plaso/data/formatters/ios.yaml
+++ b/plaso/data/formatters/ios.yaml
@@ -233,3 +233,17 @@ short_message:
 - 'Message: {text}'
 short_source: 'Twitter iOS'
 source: 'Twitter iOS Status'
+---
+#ios_siminfo
+type: 'conditional'
+data_type: 'ios:sim:info'
+message:
+ - 'SIM MDN: {mdn}'
+ - 'SIM Type: {sim_type}'
+ - 'CB Ver: {cb_ver}'
+ - 'Label ID: {label_id}'
+short_message:
+ - 'SIM MDN: {mdn}'
+short_source: 'IOS'
+source: 'iOS SIM Info'
+---
\ No newline at end of file
diff --git a/plaso/data/timeliner.yaml b/plaso/data/timeliner.yaml
index 1681f33d74..f75a83c7a5 100644
--- a/plaso/data/timeliner.yaml
+++ b/plaso/data/timeliner.yaml
@@ -1795,3 +1795,19 @@ attribute_mappings:
 - name: 'recorded_time'
 description: 'Recorded Time'
 place_holder_event: true
+---
+#Configuration for data type
+data_type: 'ios:sim:info'
+attribute_mappings:
+ - name: 'mdn'
+ description: 'Nomor Ponsel SIM'
+ - name: 'sim_type'
+ description: 'Jenis SIM (misalnya, SIM atau USIM)'
+ - name: 'cb_ver'
+ description: 'Versi CB SIM'
+ - name: 'label_id'
+ description: 'ID label untuk SIM'
+ - name: 'timestamp'
+ description: 'Timestamp SIM'
+place_holder_event: true
+---
\ No newline at end of file
diff --git a/plaso/parsers/plist_plugins/__init__.py b/plaso/parsers/plist_plugins/__init__.py
index a3292555b6..7eef8b75a9 100644
--- a/plaso/parsers/plist_plugins/__init__.py
+++ b/plaso/parsers/plist_plugins/__init__.py
@@ -21,3 +21,6 @@
 from plaso.parsers.plist_plugins import spotlight_searched_terms
 from plaso.parsers.plist_plugins import spotlight_volume
 from plaso.parsers.plist_plugins import time_machine
+
+# Impor parser yang baru dibuat
+from plaso.parsers.plist_plugins import ios_siminfo
diff --git a/plaso/parsers/plist_plugins/ios_siminfo.py b/plaso/parsers/plist_plugins/ios_siminfo.py
new file mode 100644
index 0000000000..bd846f5857
--- /dev/null
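Review bot: The added formatter block in `plaso/data/formatters/ios.yaml` ends with a bare `---` and no newline at end of file, so the YAML stream now closes on an empty document. A loader that expects every document to be a formatter definition is likely to reject it or yield a null entry. Drop the final `---` and end the file on `source: 'iOS SIM Info'` followed by a newline. The same trailing `---` without a final newline is added at the end of the `plaso/data/timeliner.yaml` hunk. The `message` list also omits `eap_aka`, which the new event data class sets, so that value presumably never reaches formatted output.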
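Review bot: `attribute_mappings` for `ios:sim:info` lists `mdn`, `sim_type`, `cb_ver` and `label_id`, but judging by the neighbouring entry (`recorded_time` / 'Recorded Time') this section names the attributes that hold date-time values. The test in this commit expects plain strings in those four, and only `timestamp` is assigned a dfdatetime object. Mapping non-temporal strings as event times risks malformed or missing timeline entries, so the list should be reduced to the single `- name: 'timestamp'` entry. Its description should say in English what `ts` records, which the commit does not state; the other descriptions here are Indonesian while the context entry is English.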
+++ b/plaso/parsers/plist_plugins/ios_siminfo.py 
@@ -0,0 +1,74 @@
+import logging
+from plaso.containers import events
+from plaso.parsers.plist_plugins import interface
+from plaso.parsers.plist import PlistParser
+from dfdatetime import posix_time as dfdatetime_posix_time
+
+# Setup logging
+logging.basicConfig(level=logging.DEBUG)
+
+
+class IOSSIMInfoEventData(events.EventData):
+ """Event data untuk iOS SIM Info."""
+ DATA_TYPE = 'ios:sim:info'
+
+ def __init__(self):
+ """Inisialisasi event data."""
+ super(IOSSIMInfoEventData, self).__init__(data_type=self.DATA_TYPE)
+ self.mdn = None
+ self.eap_aka = None
+ self.sim_type = None
+ self.cb_ver = None
+ self.label_id = None
+ self.timestamp = None
+
+
+class IOSSIMInfoPlugin(interface.PlistPlugin):
+ """Plugin untuk memproses iOS SIM Info plist."""
+ NAME = 'ios_siminfo'
+ DATA_FORMAT = 'iOS SIM Info plist file'
+
+ PLIST_PATH_FILTERS = frozenset([
+ interface.PlistPathFilter('com.apple.commcenter.data.plist')
+ ])
+ PLIST_KEYS = frozenset(['PersonalWallet'])
+
+ def _ParsePlist(self, parser_mediator, match=None, **unused_kwargs):
+ """Memproses file plist."""
+ personal_wallet = match.get('PersonalWallet', {})
+
+ if not personal_wallet:
+ logging.warning('PersonalWallet kosong atau tidak ditemukan di match.')
+ return
+
+ for sim_id, sim_data in personal_wallet.items():
+ info = sim_data.get('info', {})
+ if not info:
+ logging.warning(f'Tidak ada info untuk SIM ID: {sim_id}')
+ continue
+
+ event_data = IOSSIMInfoEventData()
+ event_data.mdn = info.get('mdn')
+ event_data.eap_aka = info.get('eap_aka')
+ event_data.sim_type = info.get('type')
+ event_data.cb_ver = info.get('cb_ver')
+ event_data.label_id = info.get('label-id')
+ event_data.timestamp = dfdatetime_posix_time.PosixTime(
+ timestamp=info.get('ts', 0)
+ )
+
+ # Debugging untuk memastikan data diproduksi
+ logging.debug(
+ f'Memproduksi event data: MDN={event_data.mdn}, '
+ f'SIM Type={event_data.sim_type}, CB Ver={event_data.cb_ver}'
+ )
+
+ # Pastikan data penting ada sebelum menghasilkan event
+ if event_data.mdn:
+ parser_mediator.ProduceEventData(event_data)
+ else:
+ logging.warning(f'MDN tidak ditemukan untuk SIM ID: {sim_id}')
+
+
+# Registrasi plugin
+PlistParser.RegisterPlugin(IOSSIMInfoPlugin)
diff --git a/test_data/com.apple.commcenter.data.plist b/test_data/com.apple.commcenter.data.plist
new file mode 100644
index 0000000000..df593ebe14
Binary files /dev/null and b/test_data/com.apple.commcenter.data.plist differ
diff --git a/tests/parsers/plist_plugins/ios_siminfo.py b/tests/parsers/plist_plugins/ios_siminfo.py
new file mode 100644
index 0000000000..f605acd051
--- /dev/null
+++ b/tests/parsers/plist_plugins/ios_siminfo.py
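Review bot: `_ParsePlist` in `plaso/parsers/plist_plugins/ios_siminfo.py` dereferences plist values without checking their type: `sim_data.get('info', {})` and the `info.get(...)` calls raise AttributeError when an entry under `PersonalWallet` is not a dictionary, and the plist comes from a device image that may be damaged or tampered with. `info.get('ts', 0)` also turns a missing timestamp into 1970-01-01, which puts a fabricated time into the timeline; `timestamp` should stay None when `ts` is absent. The module-level `logging.basicConfig(level=logging.DEBUG)` can switch the root logger to DEBUG for the whole process, depending on import order, and the `logging.debug` call then writes each subscriber number (MDN) to the log. Both should be removed, with parse problems reported through `parser_mediator.ProduceExtractionWarning` as sketched below; the 2-space indentation is assumed because the hunk's own indentation is not recoverable here.

```python
  def _ParsePlist(self, parser_mediator, match=None, **unused_kwargs):
    personal_wallet = match.get('PersonalWallet', {})
    if not isinstance(personal_wallet, dict):
      parser_mediator.ProduceExtractionWarning(
          'PersonalWallet is not a dictionary')
      return

    for sim_id, sim_data in personal_wallet.items():
      info = sim_data.get('info') if isinstance(sim_data, dict) else None
      if not isinstance(info, dict):
        parser_mediator.ProduceExtractionWarning(
            f'missing info dictionary for SIM: {sim_id!s}')
        continue

      # … unchanged: event_data creation and mdn/eap_aka/type/cb_ver/label-id assignments …

      timestamp = info.get('ts')
      if isinstance(timestamp, int):
        event_data.timestamp = dfdatetime_posix_time.PosixTime(
            timestamp=timestamp)

      # … unchanged: ProduceEventData when mdn is set (logging.debug call dropped) …
```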
@@ -0,0 +1,43 @@
+import unittest
+from plaso.parsers.plist_plugins import ios_siminfo
+from tests.parsers.plist_plugins import test_lib
+
+
+class IOSSIMInfoPluginTest(test_lib.PlistPluginTestCase):
+ """Test untuk plugin iOS SIM Info."""
+
+ def testProcess(self):
+ """Menguji proses parsing plist menggunakan plugin iOS SIM Info."""
+ # Nama file plist yang akan diuji
+ plist_name = 'com.apple.commcenter.data.plist'
+
+ # Membuat instance dari plugin
+ plugin = ios_siminfo.IOSSIMInfoPlugin()
+
+ # Memproses file plist dengan plugin
+ storage_writer = self._ParsePlistFileWithPlugin(plugin, [plist_name], plist_name)
+
+ # Mengambil jumlah event_data yang diproses
+ number_of_event_data = storage_writer.GetNumberOfAttributeContainers('event_data')
+
+ # Memastikan jumlah event_data yang diproses sesuai
+ self.assertEqual(number_of_event_data, 1)
+
+ # Mengambil daftar event_data
+ events = list(storage_writer.GetAttributeContainers('event_data'))
+
+ # Memastikan bahwa data di event pertama sesuai dengan yang diharapkan
+ event = events[0]
+ self.assertEqual(event.mdn, '+19195794674')
+ self.assertEqual(event.eap_aka, True)
+ self.assertEqual(event.sim_type, 'sim')
+ self.assertEqual(event.cb_ver, '49.0')
+ self.assertEqual(event.label_id, 'E8B6082D-F391-46CB-9780-0AF46534D89F')
+ self.assertEqual(event.timestamp.timestamp, 1684326382)
+
+ # Memastikan timestamp diubah ke format yang benar
+ self.assertEqual(event.timestamp.CopyToDateTimeString(), '2023-05-17 12:26:22')
+
+
+if __name__ == '__main__':
+ unittest.main()
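Review bot: `testProcess` covers only the happy path and never asserts that parsing produced no warnings, so a regression that drops or mis-parses a wallet entry while still emitting one event would pass. Add `self.assertEqual(storage_writer.GetNumberOfAttributeContainers('extraction_warning'), 0)` after the event count check, plus a case for an entry that lacks `ts` or `mdn`. If `test_data/com.apple.commcenter.data.plist` was taken from a real device, the MDN and label ID asserted here are subscriber identifiers and should be replaced with synthetic values before the fixture is committed.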