From 17365015f5edf46e1b83a49bcc4f60cee5c917b6 Mon Sep 17 00:00:00 2001
From: Greg DiCristofaro <gregd@basistech.com>
Date: Wed, 31 May 2023 21:21:14 -0400
Subject: [PATCH 1/6] updates to LeappFileProcessor

---
 .../leappanalyzers/LeappFileProcessor.java    | 29 +++++++++++--------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
index bda9eb747a..77ea2a0c2b 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
@@ -220,6 +220,10 @@ public final class LeappFileProcessor {
         loadConfigFile();
 
     }
+    
+    private static String normalizeKey(String origKey) {
+        return StringUtils.defaultString(origKey).trim().toLowerCase();
+    }
 
     @NbBundle.Messages({
         "LeappFileProcessor.error.running.Leapp=Error running Leapp, see log file.",
@@ -280,7 +284,7 @@ public final class LeappFileProcessor {
                     .filter(f -> f.toLowerCase().endsWith(".tsv")).collect(Collectors.toList());
 
             for (String tsvFile : allTsvFiles) {
-                if (tsvFiles.containsKey(FilenameUtils.getName(tsvFile.toLowerCase()))) {
+                if (tsvFiles.containsKey(normalizeKey(FilenameUtils.getName(tsvFile)))) {
                     foundTsvFiles.add(tsvFile);
                 }
             }
@@ -329,9 +333,10 @@ public final class LeappFileProcessor {
             progress.progress(Bundle.LeappFileProcessor_tsvProcessed(fileName), i);
 
             File LeappFile = new File(LeappFileName);
-            if (tsvFileAttributes.containsKey(fileName)) {
-                List<TsvColumn> attrList = tsvFileAttributes.get(fileName);
-                BlackboardArtifact.Type artifactType = tsvFileArtifacts.get(fileName);
+            String fileKey = fileName.toLowerCase().trim();
+            if (tsvFileAttributes.containsKey(normalizeKey(fileKey))) {
+                List<TsvColumn> attrList = tsvFileAttributes.get(normalizeKey(fileKey));
+                BlackboardArtifact.Type artifactType = tsvFileArtifacts.get(normalizeKey(fileKey));
 
                 try {
                     processFile(LeappFile, attrList, fileName, artifactType, dataSource);
@@ -940,8 +945,8 @@ public final class LeappFileProcessor {
             attrsToRet.add(attr);
         }
 
-        if (tsvFileArtifactComments.containsKey(fileName)) {
-            attrsToRet.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, moduleName, tsvFileArtifactComments.get(fileName)));
+        if (tsvFileArtifactComments.containsKey(normalizeKey(fileName))) {
+            attrsToRet.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, moduleName, tsvFileArtifactComments.get(normalizeKey(fileName))));
         }
 
         return attrsToRet;
@@ -1121,7 +1126,7 @@ public final class LeappFileProcessor {
 
         for (int i = 0; i < nlist.getLength(); i++) {
             NamedNodeMap nnm = nlist.item(i).getAttributes();
-            tsvFiles.put(nnm.getNamedItem("filename").getNodeValue().toLowerCase(), nnm.getNamedItem("description").getNodeValue());
+            tsvFiles.put(normalizeKey(nnm.getNamedItem("filename").getNodeValue()), nnm.getNamedItem("description").getNodeValue());
 
         }
 
@@ -1147,11 +1152,11 @@ public final class LeappFileProcessor {
                 logger.log(Level.SEVERE, String.format("No known artifact mapping found for [artifact: %s, %s]",
                         artifactName, getXmlFileIdentifier(parentName)));
             } else {
-                tsvFileArtifacts.put(parentName, foundArtifactType);
+                tsvFileArtifacts.put(normalizeKey(parentName), foundArtifactType);
             }
 
             if (!comment.toLowerCase().matches("null")) {
-                tsvFileArtifactComments.put(parentName, comment);
+                tsvFileArtifactComments.put(normalizeKey(parentName), comment);
             }
         }
 
@@ -1213,14 +1218,14 @@ public final class LeappFileProcessor {
                         columnName.trim().toLowerCase(),
                         "yes".compareToIgnoreCase(required) == 0);
 
-                if (tsvFileAttributes.containsKey(parentName)) {
-                    List<TsvColumn> attrList = tsvFileAttributes.get(parentName);
+                if (tsvFileAttributes.containsKey(normalizeKey(parentName))) {
+                    List<TsvColumn> attrList = tsvFileAttributes.get(normalizeKey(parentName));
                     attrList.add(thisCol);
                     tsvFileAttributes.replace(parentName, attrList);
                 } else {
                     List<TsvColumn> attrList = new ArrayList<>();
                     attrList.add(thisCol);
-                    tsvFileAttributes.put(parentName, attrList);
+                    tsvFileAttributes.put(normalizeKey(parentName), attrList);
                 }
             }
 

From 83c30d5640e3ef74aabf2eb21b7de80c274c3499 Mon Sep 17 00:00:00 2001
From: Greg DiCristofaro <gregd@basistech.com>
Date: Sat, 10 Jun 2023 20:33:50 -0400
Subject: [PATCH 2/6] parser flexibility

---
 .../leappanalyzers/LeappFileProcessor.java    | 25 +++++++++++++------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
index 393b90c3bb..f00607433e 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
@@ -221,6 +221,13 @@ public final class LeappFileProcessor {
 
     }
     
+    /**
+     * Generates a key trimmed and case-insensitive that can be used for a
+     * case-insensitive lookup in a map.
+     *
+     * @param origKey The original key.
+     * @return The normalized key.
+     */
     private static String normalizeKey(String origKey) {
         return StringUtils.defaultString(origKey).trim().toLowerCase();
     }
@@ -909,12 +916,13 @@ public final class LeappFileProcessor {
         if (MapUtils.isEmpty(columnIndexes) || CollectionUtils.isEmpty(lineValues)
                 || (lineValues.size() == 1 && StringUtils.isEmpty(lineValues.get(0)))) {
             return Collections.emptyList();
-        } else if (lineValues.size() != columnIndexes.size()) {
-            logger.log(Level.WARNING, String.format(
-                    "Row at line number %d in file %s has %d columns when %d were expected based on the header row.",
-                    lineNum, fileName, lineValues.size(), columnIndexes.size()));
-            return Collections.emptyList();
-        }
+        } 
+//        else if (lineValues.size() < columnIndexes.size()) {
+//            logger.log(Level.WARNING, String.format(
+//                    "Row at line number %d in file %s has %d columns when %d were expected based on the header row.",
+//                    lineNum, fileName, lineValues.size(), columnIndexes.size()));
+//            return Collections.emptyList();
+//        }
 
         List<BlackboardAttribute> attrsToRet = new ArrayList<>();
         for (TsvColumn colAttr : attrList) {
@@ -938,11 +946,12 @@ public final class LeappFileProcessor {
             String formattedValue = formatValueBasedOnAttrType(colAttr, value);
 
             BlackboardAttribute attr = getAttribute(colAttr.getAttributeType(), formattedValue, fileName);
-            if (attr == null) {
+            if (attr != null) {
+                attrsToRet.add(attr);
+            } else if (colAttr.isRequired()) {
                 logger.log(Level.WARNING, String.format("Blackboard attribute could not be parsed column %s at line %d in file %s.  Omitting row.", colAttr.getColumnName(), lineNum, fileName));
                 return Collections.emptyList();
             }
-            attrsToRet.add(attr);
         }
 
         if (tsvFileArtifactComments.containsKey(normalizeKey(fileName))) {

From c30c8aefef71d7274fd4ce9719eb9ddd1408d0ad Mon Sep 17 00:00:00 2001
From: Greg DiCristofaro <gregd@basistech.com>
Date: Sat, 10 Jun 2023 20:44:47 -0400
Subject: [PATCH 3/6] updates to xml

---
 .../aleapp-artifact-attribute-reference.xml   | 26 ++++++-
 .../ileapp-artifact-attribute-reference.xml   | 73 ++++++++++++++++++-
 2 files changed, 95 insertions(+), 4 deletions(-)

diff --git a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/aleapp-artifact-attribute-reference.xml b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/aleapp-artifact-attribute-reference.xml
index 9b2a6d9cfa..329568c765 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/aleapp-artifact-attribute-reference.xml
+++ b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/aleapp-artifact-attribute-reference.xml
@@ -36,6 +36,14 @@
             </ArtifactName>
         </FileName>
 
+        <FileName filename="accounts ce 10.tsv" description="Accounts_ce">
+            <ArtifactName artifactname="TSK_SERVICE_ACCOUNT" comment="accounts ce 0">
+                <AttributeName attributename="TSK_USER_ID" columnName="Name" required="yes" />
+                <AttributeName attributename="TSK_PROG_NAME" columnName="Type" required="yes" />
+                <AttributeName attributename="TSK_PASSWORD" columnName="Password" required="yes" />
+            </ArtifactName>
+        </FileName>
+
         <FileName filename="authtokens 0.tsv" description="Authtokens">
             <ArtifactName artifactname="TSK_SERVICE_ACCOUNT" comment="Authtokens">
                 <AttributeName attributename="null" columnName="ID" required="no" />
@@ -54,6 +62,14 @@
             </ArtifactName>
         </FileName>
 
+        <FileName filename="accounts de 10.tsv" description="Accounts_de">
+            <ArtifactName artifactname="TSK_SERVICE_ACCOUNT" comment="accounts de 0">
+                <AttributeName attributename="null" columnName="Last password entry" required="no" />
+                <AttributeName attributename="TSK_USER_ID" columnName="Name" required="yes" />
+                <AttributeName attributename="TSK_PROG_NAME" columnName="Type" required="yes" />
+            </ArtifactName>
+        </FileName>
+
         <FileName filename="Browser - Bookmarks.tsv" description="Browser Bookmarks">
             <ArtifactName artifactname="TSK_WEB_BOOKMARK" comment="Browser Bookmarks">
                 <AttributeName attributename="TSK_DATETIME_CREATED" columnName="Added Date" required="yes" />
@@ -173,7 +189,7 @@
         </ArtifactName>
     </FileName>
 
-    <FileName filename="Chrome - History.tsv" description="Chrome History">
+    <FileName filename="Chrome - Web History.tsv" description="Chrome History">
         <ArtifactName artifactname="TSK_WEB_HISTORY" comment="Chrome History">
             <AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Visit Time" required="yes"/>
             <AttributeName attributename="TSK_URL" columnName="URL" required="yes"/>
@@ -246,7 +262,7 @@
         </ArtifactName>
     </FileName>
 
-    <FileName filename="Edge - History.tsv" description="Edge History">
+    <FileName filename="Edge - Web History.tsv" description="Edge History">
         <ArtifactName artifactname="TSK_WEB_HISTORY" comment="Edge History">
             <AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Visit Time" required="yes"/>
             <AttributeName attributename="TSK_URL" columnName="URL" required="yes"/>
@@ -329,6 +345,12 @@
         </ArtifactName>
     </FileName>
     
+    <FileName filename="installed apps - GMS_0.tsv" description="Installed Apps">
+        <ArtifactName artifactname="TSK_INSTALLED_PROG" comment="Installed Apps GSM">
+            <AttributeName attributename="TSK_PROG_NAME" columnName="Bundle ID" required="yes" />
+        </ArtifactName>
+    </FileName>
+
     <FileName filename="installed apps vending.tsv" description="Installed Apps (Vending)">
         <ArtifactName artifactname="TSK_INSTALLED_PROG" comment="Installed Apps (Vending)">
             <AttributeName attributename="TSK_DATETIME" columnName="First Download" required="yes" />
diff --git a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ileapp-artifact-attribute-reference.xml b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ileapp-artifact-attribute-reference.xml
index e2091ac2aa..af4b229b31 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ileapp-artifact-attribute-reference.xml
+++ b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ileapp-artifact-attribute-reference.xml
@@ -65,6 +65,15 @@
             </ArtifactName>
         </FileName>
 
+        <FileName filename="Bluetooth Other LE.tsv" description="Bluetooth Other LE">
+            <ArtifactName artifactname="TSK_BLUETOOTH_ADAPTER" comment="Bluetooth Other">
+                <AttributeName attributename="TSK_NAME" columnName="Name" required="yes" />
+                <AttributeName attributename="TSK_MAC_ADDRESS" columnName="Address" required="yes" />
+                <AttributeName attributename="TSK_DATETIME" columnName="Last Seen Time" required="yes" />
+                <AttributeName attributename="TSK_DEVICE_ID" columnName="UUID" required="yes" />
+            </ArtifactName>
+        </FileName>
+
         <FileName filename="Bluetooth paired.tsv" description="Bluetooth Paired">
             <ArtifactName artifactname="TSK_BLUETOOTH_PAIRING" comment="Bluetooth Paired">
                 <AttributeName attributename="TSK_DEVICE_ID" columnName="UUID" required="yes" />
@@ -77,6 +86,18 @@
             </ArtifactName>
         </FileName>
 
+        <FileName filename="Bluetooth paired LE.tsv" description="Bluetooth Paired LE">
+            <ArtifactName artifactname="TSK_BLUETOOTH_PAIRING" comment="Bluetooth Paired">
+                <AttributeName attributename="TSK_DEVICE_ID" columnName="UUID" required="yes" />
+                <AttributeName attributename="TSK_DEVICE_NAME" columnName="Name" required="yes" />
+                <AttributeName attributename="null" columnName="Name Origin" required="no" />
+                <AttributeName attributename="null" columnName="Address" required="no" />
+                <AttributeName attributename="null" columnName="Resolved Address" required="no" />			
+                <AttributeName attributename="TSK_DATETIME" columnName="Last Seen Time" required="yes" />
+                <AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Connection Time" required="yes" />			
+            </ArtifactName>
+        </FileName>
+
         <FileName filename="Calendar Items.tsv" description="Calendar Items">
             <ArtifactName artifactname="TSK_CALENDAR_ENTRY" comment="Calendar Items">
                 <AttributeName attributename="TSK_DATETIME_START" columnName="Start Date" required="yes" />
@@ -712,8 +733,24 @@
                 <AttributeName attributename="null" columnName="Pairing ID" required="no" />                
             </ArtifactName>
         </FileName>   
+
+        <FileName filename="Recent WebSearches.tsv" description="Recent Web Searches">
+            <ArtifactName artifactname="TSK_WEB_SEARCH_QUERY" comment="null">
+                <AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Visit Time" required="yes" />
+                <AttributeName attributename="TSK_TEXT" columnName="Search Term" required="yes" />
+                <AttributeName attributename="null" columnName="URL" required="yes" />
+                <AttributeName attributename="null" columnName="Visit Count" required="no" />
+                <AttributeName attributename="null" columnName="Title" required="no" />
+                <AttributeName attributename="null" columnName="iCloud Sync" required="no" />			
+                <AttributeName attributename="null" columnName="Load Successful" required="no" />
+                <AttributeName attributename="null" columnName="Visit ID" required="no" />			
+                <AttributeName attributename="null" columnName="Redirect Source" required="no" />
+                <AttributeName attributename="null" columnName="Redirect Destination" required="no" />			
+                <AttributeName attributename="null" columnName="History Item ID"	 required="no" />
+            </ArtifactName>
+        </FileName>
                
-        <FileName filename="Safari Browser History.tsv" description="Safari Browser">
+        <FileName filename="Safari Browser - History.tsv" description="Safari Browser">
             <ArtifactName artifactname="TSK_WEB_HISTORY" comment="null">
                 <AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Visit Time" required="yes" />
                 <AttributeName attributename="TSK_URL" columnName="URL" required="yes" />
@@ -744,7 +781,7 @@
             </ArtifactName>
         </FileName>
 
-        <FileName filename="SMS - iMessage.tsv" description="SMS - iMessage">
+        <FileName filename="SMS &amp; iMessage - Messages.tsv" description="SMS - iMessage">
             <ArtifactName artifactname="TSK_MESSAGE" comment="SMS - iMessage">
                 <AttributeName attributename="TSK_DATETIME" columnName="Message Date" required="yes" />
                 <AttributeName attributename="null" columnName="Date Delivered" required="no" />
@@ -779,4 +816,36 @@
             </ArtifactName>
         </FileName>
 
+        <FileName filename="Wifi Known Networks.tsv" description="Wifi Known Networks">
+            <ArtifactName artifactname="TSK_WIFI_NETWORK" comment="Wifi">
+                <AttributeName attributename="TSK_SSID" columnName="SSID" required="yes" />
+                <AttributeName attributename="TSK_MAC_ADDRESS" columnName="BSSID" required="yes" />
+                <AttributeName attributename="null" columnName="Network usage" required="no" />
+                <AttributeName attributename="null" columnName="Country code" required="no" />
+                <AttributeName attributename="TSK_DEVICE_ID" columnName="Device name" required="yes" />
+                <AttributeName attributename="null" columnName="Manufacturer" required="no" />
+                <AttributeName attributename="null" columnName="Serial number" required="no" />
+                <AttributeName attributename="TSK_DEVICE_MODEL" columnName="Model name" required="no" />
+                <AttributeName attributename="TSK_DATETIME" columnName="Last joined" required="yes" />
+                <AttributeName attributename="null" columnName="Last autojoined" required="no" />
+                <AttributeName attributename="null" columnName="Enabled" required="no" />
+            </ArtifactName>
+        </FileName>
+
+        <FileName filename="Wifi Network Store Model - Networks.tsv" description="Wifi Network Store Model - Networks">
+            <ArtifactName artifactname="TSK_WIFI_NETWORK" comment="Wifi">
+                <AttributeName attributename="TSK_SSID" columnName="SSID" required="yes" />
+                <AttributeName attributename="TSK_MAC_ADDRESS" columnName="BSSID" required="yes" />
+                <AttributeName attributename="null" columnName="Network usage" required="no" />
+                <AttributeName attributename="null" columnName="Country code" required="no" />
+                <AttributeName attributename="TSK_DEVICE_ID" columnName="Device name" required="yes" />
+                <AttributeName attributename="null" columnName="Manufacturer" required="no" />
+                <AttributeName attributename="null" columnName="Serial number" required="no" />
+                <AttributeName attributename="TSK_DEVICE_MODEL" columnName="Model name" required="no" />
+                <AttributeName attributename="TSK_DATETIME" columnName="Last joined" required="yes" />
+                <AttributeName attributename="null" columnName="Last autojoined" required="no" />
+                <AttributeName attributename="null" columnName="Enabled" required="no" />
+            </ArtifactName>
+        </FileName>
+
     </iLeap_Files_To_Process>

From 0bc7606ff4ec301ec4390cc639cc1a866b83d5ae Mon Sep 17 00:00:00 2001
From: Greg DiCristofaro <gregd@basistech.com>
Date: Sun, 11 Jun 2023 15:07:06 -0400
Subject: [PATCH 4/6] updates for ileapp discrepancies

---
 .../leappanalyzers/LeappFileProcessor.java    |  21 ++--
 .../ileapp-artifact-attribute-reference.xml   | 102 ++++++++----------
 2 files changed, 54 insertions(+), 69 deletions(-)

diff --git a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
index f00607433e..3fab3e483c 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
@@ -913,19 +913,15 @@ public final class LeappFileProcessor {
     private Collection<BlackboardAttribute> processReadLine(List<String> lineValues, Map<String, Integer> columnIndexes,
             List<TsvColumn> attrList, String fileName, int lineNum) throws IngestModuleException {
 
+        // if no attributes, return an empty row
         if (MapUtils.isEmpty(columnIndexes) || CollectionUtils.isEmpty(lineValues)
                 || (lineValues.size() == 1 && StringUtils.isEmpty(lineValues.get(0)))) {
             return Collections.emptyList();
-        } 
-//        else if (lineValues.size() < columnIndexes.size()) {
-//            logger.log(Level.WARNING, String.format(
-//                    "Row at line number %d in file %s has %d columns when %d were expected based on the header row.",
-//                    lineNum, fileName, lineValues.size(), columnIndexes.size()));
-//            return Collections.emptyList();
-//        }
+        }
 
         List<BlackboardAttribute> attrsToRet = new ArrayList<>();
         for (TsvColumn colAttr : attrList) {
+            // if no matching attribute type, keep going
             if (colAttr.getAttributeType() == null) {
                 // this handles columns that are currently ignored.
                 continue;
@@ -939,8 +935,15 @@ public final class LeappFileProcessor {
 
             String value = (columnIdx >= lineValues.size() || columnIdx < 0) ? null : lineValues.get(columnIdx);
             if (value == null) {
-                logger.log(Level.WARNING, String.format("No value found for column %s at line %d in file %s.  Omitting row.", colAttr.getColumnName(), lineNum, fileName));
-                return Collections.emptyList();
+                // if column is required, return empty for this row if no value
+                if (colAttr.isRequired()) {
+                    logger.log(Level.WARNING, String.format("No value found for required column %s at line %d in file %s.  Omitting row.", colAttr.getColumnName(), lineNum, fileName));
+                    return Collections.emptyList();
+                } else {
+                    // otherwise, continue to next column
+                    logger.log(Level.WARNING, String.format("No value found for column %s at line %d in file %s.  Omitting column.", colAttr.getColumnName(), lineNum, fileName));
+                    continue;
+                }
             }
 
             String formattedValue = formatValueBasedOnAttrType(colAttr, value);
diff --git a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ileapp-artifact-attribute-reference.xml b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ileapp-artifact-attribute-reference.xml
index af4b229b31..44ad9d3d37 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ileapp-artifact-attribute-reference.xml
+++ b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ileapp-artifact-attribute-reference.xml
@@ -65,24 +65,14 @@
             </ArtifactName>
         </FileName>
 
-        <FileName filename="Bluetooth Other LE.tsv" description="Bluetooth Other LE">
-            <ArtifactName artifactname="TSK_BLUETOOTH_ADAPTER" comment="Bluetooth Other">
-                <AttributeName attributename="TSK_NAME" columnName="Name" required="yes" />
-                <AttributeName attributename="TSK_MAC_ADDRESS" columnName="Address" required="yes" />
-                <AttributeName attributename="TSK_DATETIME" columnName="Last Seen Time" required="yes" />
-                <AttributeName attributename="TSK_DEVICE_ID" columnName="UUID" required="yes" />
-            </ArtifactName>
-        </FileName>
-
         <FileName filename="Bluetooth paired.tsv" description="Bluetooth Paired">
             <ArtifactName artifactname="TSK_BLUETOOTH_PAIRING" comment="Bluetooth Paired">
-                <AttributeName attributename="TSK_DEVICE_ID" columnName="UUID" required="yes" />
-                <AttributeName attributename="TSK_DEVICE_NAME" columnName="Name" required="yes" />
-                <AttributeName attributename="null" columnName="Name Origin" required="no" />
-                <AttributeName attributename="null" columnName="Address" required="no" />
-                <AttributeName attributename="null" columnName="Resolved Address" required="no" />			
                 <AttributeName attributename="TSK_DATETIME" columnName="Last Seen Time" required="yes" />
-                <AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Connection Time" required="yes" />			
+                <AttributeName attributename="TSK_MAC_ADDRESS" columnName="MAC Address" required="yes" />
+                <AttributeName attributename="TSK_DEVICE_NAME" columnName="Name Key" required="yes" />
+                <AttributeName attributename="null" columnName="Name" required="no" />
+                <AttributeName attributename="null" columnName="Device Product ID" required="no" />
+                <AttributeName attributename="null" columnName="Default Name" required="no" />
             </ArtifactName>
         </FileName>
 
@@ -93,8 +83,7 @@
                 <AttributeName attributename="null" columnName="Name Origin" required="no" />
                 <AttributeName attributename="null" columnName="Address" required="no" />
                 <AttributeName attributename="null" columnName="Resolved Address" required="no" />			
-                <AttributeName attributename="TSK_DATETIME" columnName="Last Seen Time" required="yes" />
-                <AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Connection Time" required="yes" />			
+                <AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Connection Time" required="no" />			
             </ArtifactName>
         </FileName>
 
@@ -113,7 +102,8 @@
 
         <FileName filename="Call History.tsv" description="Call Logs">
             <ArtifactName artifactname="TSK_CALLLOG" comment="Call Logs">
-                <AttributeName attributename="TSK_DATETIME_START" columnName="Timestamp" required="yes" />
+                <AttributeName attributename="TSK_DATETIME_START" columnName="Starting Timestamp" required="yes" />
+                <AttributeName attributename="TSK_DATETIME_END" columnName="Ending Timestamp" required="no" />
                 <AttributeName attributename="TSK_PHONE_NUMBER_FROM" columnName="Phone Number" required="yes" />
                 <AttributeName attributename="null" columnName="Name" required="no" />
                 <AttributeName attributename="null" columnName="Answered" required="no" />
@@ -736,32 +726,21 @@
 
         <FileName filename="Recent WebSearches.tsv" description="Recent Web Searches">
             <ArtifactName artifactname="TSK_WEB_SEARCH_QUERY" comment="null">
-                <AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Visit Time" required="yes" />
+                <AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Date" required="yes" />
                 <AttributeName attributename="TSK_TEXT" columnName="Search Term" required="yes" />
-                <AttributeName attributename="null" columnName="URL" required="yes" />
-                <AttributeName attributename="null" columnName="Visit Count" required="no" />
-                <AttributeName attributename="null" columnName="Title" required="no" />
-                <AttributeName attributename="null" columnName="iCloud Sync" required="no" />			
-                <AttributeName attributename="null" columnName="Load Successful" required="no" />
-                <AttributeName attributename="null" columnName="Visit ID" required="no" />			
-                <AttributeName attributename="null" columnName="Redirect Source" required="no" />
-                <AttributeName attributename="null" columnName="Redirect Destination" required="no" />			
-                <AttributeName attributename="null" columnName="History Item ID"	 required="no" />
             </ArtifactName>
         </FileName>
-               
+
         <FileName filename="Safari Browser - History.tsv" description="Safari Browser">
             <ArtifactName artifactname="TSK_WEB_HISTORY" comment="null">
-                <AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Visit Time" required="yes" />
+                <AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Visit Timestamp" required="no" />
+                <AttributeName attributename="TSK_TITLE" columnName="Title" required="no" />
                 <AttributeName attributename="TSK_URL" columnName="URL" required="yes" />
                 <AttributeName attributename="null" columnName="Visit Count" required="no" />
-                <AttributeName attributename="TSK_TITLE" columnName="Title" required="yes" />
-                <AttributeName attributename="null" columnName="iCloud Sync" required="no" />			
-                <AttributeName attributename="null" columnName="Load Successful" required="no" />
-                <AttributeName attributename="null" columnName="Visit ID" required="no" />			
-                <AttributeName attributename="TSK_REFERRER" columnName="Redirect Source" required="yes" />
-                <AttributeName attributename="null" columnName="Redirect Destination" required="no" />			
-                <AttributeName attributename="null" columnName="History Item ID"	 required="no" />
+                <AttributeName attributename="TSK_REFERRER" columnName="Redirect Source" required="no" />
+                <AttributeName attributename="null" columnName="Redirect Destination" required="no" />
+                <AttributeName attributename="null" columnName="Visit ID" required="no" />
+                <AttributeName attributename="null" columnName="Origin" required="no" />
             </ArtifactName>
         </FileName>
 
@@ -783,20 +762,26 @@
 
         <FileName filename="SMS &amp; iMessage - Messages.tsv" description="SMS - iMessage">
             <ArtifactName artifactname="TSK_MESSAGE" comment="SMS - iMessage">
-                <AttributeName attributename="TSK_DATETIME" columnName="Message Date" required="yes" />
-                <AttributeName attributename="null" columnName="Date Delivered" required="no" />
-                <AttributeName attributename="null" columnName="Date Read" required="no" />
+                <AttributeName attributename="TSK_DATETIME" columnName="Message Timestamp" required="yes" />
+                <AttributeName attributename="null" columnName="Read Timestamp" required="no" />
                 <AttributeName attributename="TSK_TEXT" columnName="Message" required="yes" />
-                <AttributeName attributename="TSK_PHONE_NUMBER_FROM" columnName="Contact ID" required="yes" />
                 <AttributeName attributename="null" columnName="Service" required="no" />
-                <AttributeName attributename="TSK_PHONE_NUMBER_TO" columnName="Account" required="yes" />
-                <AttributeName attributename="null" columnName="Is Delivered" required="no" />
-                <AttributeName attributename="null" columnName="Is from Me" required="no" />
-                <AttributeName attributename="null" columnName="Filename" required="no" />
-                <AttributeName attributename="null" columnName="MIME Type" required="no" />
-                <AttributeName attributename="null" columnName="Transfer Type" required="no" />
-                <AttributeName attributename="null" columnName="Total Bytes" required="no" />
-                <AttributeName attributename="TSK_TEXT_FILE" columnName="source file" required="yes"/>            
+                <AttributeName attributename="TSK_DIRECTION" columnName="Message Direction" required="no" />
+                <AttributeName attributename="null" columnName="Message Sent" required="no" />
+                <AttributeName attributename="null" columnName="Message Delivered" required="no" />
+                <AttributeName attributename="TSK_READ_STATUS" columnName="Message Read" required="no" />
+                <AttributeName attributename="null" columnName="Account" required="no" />
+                <AttributeName attributename="null" columnName="Account Login" required="no" />
+                <AttributeName attributename="null" columnName="Chat" required="no" />
+                <AttributeName attributename="null" columnName="Contact ID" required="no" />
+                <AttributeName attributename="null" columnName="Attachment Name" required="no" />
+                <AttributeName attributename="null" columnName="Attachment Path" required="no" />
+                <AttributeName attributename="null" columnName="Attachment Timestamp" required="no" />
+                <AttributeName attributename="null" columnName="Attachment Mimetype" required="no" />
+                <AttributeName attributename="null" columnName="Attachment Size (Bytes)" required="no" />
+                <AttributeName attributename="null" columnName="Message Row ID" required="no" />
+                <AttributeName attributename="TSK_THREAD_ID" columnName="Chat ID" required="no" />
+                <AttributeName attributename="null" columnName="From Me" required="no" />            
             </ArtifactName>
         </FileName>
 
@@ -834,17 +819,14 @@
 
         <FileName filename="Wifi Network Store Model - Networks.tsv" description="Wifi Network Store Model - Networks">
             <ArtifactName artifactname="TSK_WIFI_NETWORK" comment="Wifi">
-                <AttributeName attributename="TSK_SSID" columnName="SSID" required="yes" />
-                <AttributeName attributename="TSK_MAC_ADDRESS" columnName="BSSID" required="yes" />
-                <AttributeName attributename="null" columnName="Network usage" required="no" />
-                <AttributeName attributename="null" columnName="Country code" required="no" />
-                <AttributeName attributename="TSK_DEVICE_ID" columnName="Device name" required="yes" />
-                <AttributeName attributename="null" columnName="Manufacturer" required="no" />
-                <AttributeName attributename="null" columnName="Serial number" required="no" />
-                <AttributeName attributename="TSK_DEVICE_MODEL" columnName="Model name" required="no" />
-                <AttributeName attributename="TSK_DATETIME" columnName="Last joined" required="yes" />
-                <AttributeName attributename="null" columnName="Last autojoined" required="no" />
-                <AttributeName attributename="null" columnName="Enabled" required="no" />
+            <AttributeName attributename="TSK_DATETIME" columnName="Last Connected Timestamp" required="no" />
+            <AttributeName attributename="null" columnName="PK" required="no" />
+            <AttributeName attributename="TSK_SSID" columnName="SSID" required="yes" />
+            <AttributeName attributename="TSK_GEO_LATITUDE" columnName="Latitude" required="no" />
+            <AttributeName attributename="TSK_GEO_LONGITUDE" columnName="Longitude" required="no" />
+            <AttributeName attributename="TSK_MAC_ADDRESS" columnName="BSSID" required="no" />
+            <AttributeName attributename="null" columnName="5 GHz Network" required="no" />
+            <AttributeName attributename="null" columnName="2.4 GHz Network" required="no" />
             </ArtifactName>
         </FileName>
 

From 5526b254b75ac19a65318d841feba99ad6a35f97 Mon Sep 17 00:00:00 2001
From: Greg DiCristofaro <gregd@basistech.com>
Date: Sun, 11 Jun 2023 20:25:41 -0400
Subject: [PATCH 5/6] aleapp updates

---
 .../aleapp-artifact-attribute-reference.xml     | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/aleapp-artifact-attribute-reference.xml b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/aleapp-artifact-attribute-reference.xml
index 329568c765..88359a0b4c 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/aleapp-artifact-attribute-reference.xml
+++ b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/aleapp-artifact-attribute-reference.xml
@@ -201,11 +201,12 @@
 
     <FileName filename="Chrome - login data.tsv" description="Chrome Login Data">
         <ArtifactName artifactname="TSK_SERVICE_ACCOUNT" comment="Chrome Login">
-            <AttributeName attributename="TSK_DATETIME_CREATED" columnName="Created Time" required="yes" />
+            <AttributeName attributename="TSK_DATETIME_CREATED" columnName="Created Time" required="no" />
             <AttributeName attributename="TSK_USER_ID" columnName="Username" required="yes" />
-            <AttributeName attributename="TSK_PASSWORD" columnName="Password" required="yes" />
+            <AttributeName attributename="TSK_PASSWORD" columnName="Password" required="no" />
             <AttributeName attributename="TSK_URL" columnName="Origin URL" required="no" />
             <AttributeName attributename="null" columnName="Blacklisted by User" required="no" />
+            <AttributeName attributename="null" columnName="Browser Name" required="no" />
         </ArtifactName>
     </FileName>
 
@@ -252,12 +253,12 @@
 
     <FileName filename="Edge - cookies.tsv" description="Edge Cookies">
         <ArtifactName artifactname="TSK_WEB_COOKIE" comment="Edge Cookies">
-            <AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Access Date" required="yes" />
+            <AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Access Date" required="no" />
             <AttributeName attributename="TSK_URL" columnName="Host" required="yes" />
             <AttributeName attributename="TSK_NAME" columnName="Name" required="yes" />
             <AttributeName attributename="TSK_VALUE" columnName="Value" required="yes" />
-            <AttributeName attributename="TSK_DATETIME_CREATED" columnName="Created Date" required="yes" />
-            <AttributeName attributename="TSK_DATETIME_END" columnName="Expiration Date" required="yes" />
+            <AttributeName attributename="TSK_DATETIME_CREATED" columnName="Created Date" required="no" />
+            <AttributeName attributename="TSK_DATETIME_END" columnName="Expiration Date" required="no" />
             <AttributeName attributename="null" columnName="Path" required="no" />
         </ArtifactName>
     </FileName>
@@ -333,7 +334,7 @@
 
     <FileName filename="installed apps library.tsv" description="Installed Apps (Library)">
         <ArtifactName artifactname="TSK_INSTALLED_PROG" comment="Installed Apps (Library)">
-            <AttributeName attributename="TSK_DATETIME" columnName="Purchase Time" required="yes"/>
+            <AttributeName attributename="TSK_DATETIME" columnName="Purchase Time" required="no"/>
             <AttributeName attributename="null" columnName="Account" required="no"/>
             <AttributeName attributename="TSK_PROG_NAME" columnName="Doc ID" required="yes"/>
         </ArtifactName>
@@ -353,11 +354,13 @@
 
     <FileName filename="installed apps vending.tsv" description="Installed Apps (Vending)">
         <ArtifactName artifactname="TSK_INSTALLED_PROG" comment="Installed Apps (Vending)">
-            <AttributeName attributename="TSK_DATETIME" columnName="First Download" required="yes" />
+            <AttributeName attributename="TSK_DATETIME" columnName="First Download" required="no" />
             <AttributeName attributename="TSK_PROG_NAME" columnName="Package Name" required="yes" />
             <AttributeName attributename="null" columnName="Title" required="no" />
             <AttributeName attributename="null" columnName="Install Reason" required="no" />
+            <AttributeName attributename="null" columnName="Last Updated" required="no" />
             <AttributeName attributename="null" columnName="Auto Update?" required="no" />
+            <AttributeName attributename="null" columnName="Account" required="no" />
         </ArtifactName>
     </FileName>
 

From 3384520a6f8da529c244a17d927bfdfa9806dd4b Mon Sep 17 00:00:00 2001
From: Greg DiCristofaro <gregd@basistech.com>
Date: Sun, 11 Jun 2023 22:20:37 -0400
Subject: [PATCH 6/6] fixes for ileapp parsing

---
 .../ileapp-artifact-attribute-reference.xml               | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ileapp-artifact-attribute-reference.xml b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ileapp-artifact-attribute-reference.xml
index 44ad9d3d37..3580e29061 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ileapp-artifact-attribute-reference.xml
+++ b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ileapp-artifact-attribute-reference.xml
@@ -67,8 +67,8 @@
 
         <FileName filename="Bluetooth paired.tsv" description="Bluetooth Paired">
             <ArtifactName artifactname="TSK_BLUETOOTH_PAIRING" comment="Bluetooth Paired">
-                <AttributeName attributename="TSK_DATETIME" columnName="Last Seen Time" required="yes" />
-                <AttributeName attributename="TSK_MAC_ADDRESS" columnName="MAC Address" required="yes" />
+                <AttributeName attributename="TSK_DATETIME" columnName="Last Seen Time" required="no" />
+                <AttributeName attributename="TSK_MAC_ADDRESS" columnName="MAC Address" required="no" />
                 <AttributeName attributename="TSK_DEVICE_NAME" columnName="Name Key" required="yes" />
                 <AttributeName attributename="null" columnName="Name" required="no" />
                 <AttributeName attributename="null" columnName="Device Product ID" required="no" />
@@ -766,10 +766,10 @@
                 <AttributeName attributename="null" columnName="Read Timestamp" required="no" />
                 <AttributeName attributename="TSK_TEXT" columnName="Message" required="yes" />
                 <AttributeName attributename="null" columnName="Service" required="no" />
-                <AttributeName attributename="TSK_DIRECTION" columnName="Message Direction" required="no" />
+                <AttributeName attributename="null" columnName="Message Direction" required="no" />
                 <AttributeName attributename="null" columnName="Message Sent" required="no" />
                 <AttributeName attributename="null" columnName="Message Delivered" required="no" />
-                <AttributeName attributename="TSK_READ_STATUS" columnName="Message Read" required="no" />
+                <AttributeName attributename="null" columnName="Message Read" required="no" />
                 <AttributeName attributename="null" columnName="Account" required="no" />
                 <AttributeName attributename="null" columnName="Account Login" required="no" />
                 <AttributeName attributename="null" columnName="Chat" required="no" />