From bd5f846d246aa015919dc435c6292ea75c928c4f Mon Sep 17 00:00:00 2001 From: Mark McKinnon Date: Mon, 2 Mar 2020 11:08:29 -0500 Subject: [PATCH 1/4] Update viber.py Added the coalesce sqlite function to the sql statement, this function will return the first column included in it that does not contain a null value. --- InternalPythonModules/android/viber.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/InternalPythonModules/android/viber.py b/InternalPythonModules/android/viber.py index a5edef4ce9..ded45e186f 100644 --- a/InternalPythonModules/android/viber.py +++ b/InternalPythonModules/android/viber.py @@ -268,8 +268,8 @@ class ViberContactsParser(TskContactsParser): def __init__(self, contact_db): super(ViberContactsParser, self).__init__(contact_db.runQuery( """ - SELECT C.display_name AS name, - D.data2 AS number + SELECT C.display_name AS name, + coalesce(D.data2, D.data1, D.data3) AS number FROM phonebookcontact AS C JOIN phonebookdata AS D ON C._id = D.contact_id From 64d73e04348572539f174820c5888450b8015787 Mon Sep 17 00:00:00 2001 From: Mark McKinnon Date: Thu, 5 Mar 2020 16:44:23 -0500 Subject: [PATCH 2/4] Update viber.py If contact does not have an email or phone number then create a TSK_Contact artifact outside of comms helper so we do not loose the contact. --- InternalPythonModules/android/viber.py | 29 +++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/InternalPythonModules/android/viber.py b/InternalPythonModules/android/viber.py index ded45e186f..aadd1a2104 100644 --- a/InternalPythonModules/android/viber.py +++ b/InternalPythonModules/android/viber.py 
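Review bot: `coalesce(D.data2, D.data1, D.data3)` in the SELECT only skips NULL, so a row whose `data2` is an empty or whitespace-only string still returns that blank value as `number` instead of falling through to `data1` or `data3`. Wrapping each column keeps the fallback working for blank fields: `coalesce(nullif(trim(D.data2), ''), nullif(trim(D.data1), ''), nullif(trim(D.data3), '')) AS number`. The hunk also does not say what `data1` and `data3` hold. Because the result is reported as a phone number in case output, a short comment above the query naming each column and the reason for this order would let an examiner judge how far to trust the value. The query and `__init__` continue past the end of the hunk.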
@@ -117,13 +117,28 @@ class ViberAnalyzer(general.AndroidComponentAnalyzer): try: contacts_parser = ViberContactsParser(contacts_db) while contacts_parser.next(): - helper.addContact( - contacts_parser.get_contact_name(), - contacts_parser.get_phone(), - contacts_parser.get_home_phone(), - contacts_parser.get_mobile_phone(), - contacts_parser.get_email() - ) + if contacts_parser.get_phone() is not None: + helper.addContact( + contacts_parser.get_contact_name(), + contacts_parser.get_phone(), + contacts_parser.get_home_phone(), + contacts_parser.get_mobile_phone(), + contacts_parser.get_email() + ) + else: + current_case = Case.getCurrentCase().getSleuthkitCase() + attributes = ArrayList() + artifact = contacts_db.getDBFile().newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT) + attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), self._PARSER_NAME, contacts_parser.get_contact_name())) + artifact.addAttributes(attributes) + + try: + # Post the artifact to blackboard + current_case.getBlackboard().postArtifact(artifact, self._PARSER_NAME) + except Blackboard.BlackboardException as e: + self.log(Level.WARNING, "Error adding viber contacts artifact to case database.", ex ) + self._logger.log(Level.WARNING, traceback.format_exc()) + contacts_parser.close() except SQLException as ex: self._logger.log(Level.WARNING, "Error querying the viber database for contacts.", ex) From 276242d3192a029064869020b91a35fcb1c42e33 Mon Sep 17 00:00:00 2001 From: Mark McKinnon Date: Wed, 11 Mar 2020 11:10:02 -0400 Subject: [PATCH 3/4] Update viber.py Added check for only spaces, blanks and special characters. --- InternalPythonModules/android/viber.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/InternalPythonModules/android/viber.py b/InternalPythonModules/android/viber.py index aadd1a2104..4bc2d0c5d2 100644 --- a/InternalPythonModules/android/viber.py +++ b/InternalPythonModules/android/viber.py 
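Review bot: The new `if contacts_parser.get_phone() is not None:` test looks only at the phone, although the commit message describes contacts with neither an email nor a phone number. A contact that has an email but no phone therefore takes the `else` branch, where only `TSK_NAME` is attached and the email never reaches the case database. Either widen the test to `if contacts_parser.get_phone() is not None or contacts_parser.get_email() is not None:` (if `helper.addContact` accepts that, which is not visible here) or add the email as a second attribute in the `else` branch. Separately, the added handler binds `as e` but logs `ex`, and calls `self.log` where the surrounding code uses `self._logger.log`, so the handler itself would raise if it ever ran on this revision; patch 4/4 removes the block. The enclosing method starts and ends outside the hunk.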
@@ -117,7 +117,7 @@ class ViberAnalyzer(general.AndroidComponentAnalyzer): try: contacts_parser = ViberContactsParser(contacts_db) while contacts_parser.next(): - if contacts_parser.get_phone() is not None: + if (not(not contacts_parser.get_phone() or contacts_parser.get_phone().isspace())): helper.addContact( contacts_parser.get_contact_name(), contacts_parser.get_phone(), @@ -125,7 +125,8 @@ class ViberAnalyzer(general.AndroidComponentAnalyzer): contacts_parser.get_mobile_phone(), contacts_parser.get_email() ) - else: + # Check if contact_name is blank and if it is not create a TSK_CONTACT otherwise ignore as not Contact Info + elif (not(not contacts_parser.get_contact_name() or contacts_parser.get_contact_name().isspace())): current_case = Case.getCurrentCase().getSleuthkitCase() attributes = ArrayList() artifact = contacts_db.getDBFile().newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT) From af2842925f7263024587de2f64c7733af6f2bd3b Mon Sep 17 00:00:00 2001 From: Mark McKinnon Date: Sun, 15 Mar 2020 21:07:08 -0400 Subject: [PATCH 4/4] Update viber.py Address comments, remove inner try block. --- InternalPythonModules/android/viber.py | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/InternalPythonModules/android/viber.py b/InternalPythonModules/android/viber.py index 4bc2d0c5d2..1ad418b478 100644 --- a/InternalPythonModules/android/viber.py +++ b/InternalPythonModules/android/viber.py 
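Review bot: The double negation in `if (not(not contacts_parser.get_phone() or contacts_parser.get_phone().isspace())):` is hard to read and calls the getter twice; the `elif` on `get_contact_name()` in the second hunk has the same shape. Binding the value once reads more directly: `phone = contacts_parser.get_phone()` followed by `if phone and not phone.isspace():`, and likewise `name = contacts_parser.get_contact_name()` / `elif name and not name.isspace():`. The commit message mentions special characters, but `isspace()` only rejects whitespace-only strings, so either the message or the check should be adjusted. Rows that fail both tests are now dropped without any trace; a count logged after the loop would show an examiner how many phonebook rows were skipped. The enclosing method extends beyond both hunks.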
@@ -133,12 +133,8 @@ class ViberAnalyzer(general.AndroidComponentAnalyzer): attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), self._PARSER_NAME, contacts_parser.get_contact_name())) artifact.addAttributes(attributes) - try: # Post the artifact to blackboard - current_case.getBlackboard().postArtifact(artifact, self._PARSER_NAME) - except Blackboard.BlackboardException as e: - self.log(Level.WARNING, "Error adding viber contacts artifact to case database.", ex ) - self._logger.log(Level.WARNING, traceback.format_exc()) + current_case.getBlackboard().postArtifact(artifact, self._PARSER_NAME) contacts_parser.close() except SQLException as ex:
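Review bot: With the inner `try` removed, a failure in `current_case.getBlackboard().postArtifact(artifact, self._PARSER_NAME)` is no longer handled per contact. The only handler visible in the hunk is `except SQLException as ex:`, so unless a later clause outside the hunk catches `Blackboard.BlackboardException`, one failed post ends the `while` loop, the remaining contacts are never recorded, and `contacts_parser.close()` is skipped. For an extraction module it is safer to keep the handling local and fix the original bug instead of deleting the block: `except Blackboard.BlackboardException as ex:` followed by `self._logger.log(Level.WARNING, "Error adding viber contacts artifact to case database.", ex)`. Moving `contacts_parser.close()` into a `finally:` would also release the cursor on every exit path.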