
Add new parser plist plugin on iOS WiFi Known Networks #4925

Open · wants to merge 3 commits into base: main

Conversation


@CopasAlpha26 CopasAlpha26 commented Nov 23, 2024

Added a new Plist plugin parser for extracting known WiFi network details from iOS devices.

Description:

This pull request introduces a new Plist plugin parser specifically for the com.apple.wifi.known-networks.plist file. The parser extracts relevant WiFi information such as SSID, BSSID, channels, and associated timestamps, providing enhanced visibility into known network connections on iOS devices.

The implementation includes:

  • Parsing logic for extracting SSID, BSSID, channel, and timestamps like Added At and Last Associated.
  • YAML formatter for producing human-readable output in the timeline.
  • Test cases for verifying plugin functionality and ensuring data accuracy.
  • Sample test data (com.apple.wifi.known-networks.plist) for unit testing.

Notes:

All contributions to Plaso undergo code review.
This makes sure that the code has appropriate test coverage and conforms to the
Plaso style guide.

One of the maintainers will examine your code, and may request changes. Check off the items below in
order, and then a maintainer will review your code.

Checklist:

  • Automated checks (GitHub Actions, AppVeyor) pass
  • No new dependencies are required or l2tdevtools has been updated
  • Reviewer assigned
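As an added illustration of the extraction the description above outlines (this is example code written for this page, not the PR's plugin and not Plaso code): it parses a constructed com.apple.wifi.known-networks.plist with plistlib, takes the SSID from the network's own SSID value rather than from the top-level dictionary key, emits one record per BSSID while still keeping a record for a network that has no BSSID entries, and converts plist dates to UTC-aware datetimes before taking an epoch value. The key names 'SSID', 'BSSIDList', 'LEAKY_AP_BSSID', 'Channel', 'AddedAt' and 'LastAssociatedAt' and the 'wifi.network.ssid.' key prefix are assumptions made for the sample, not values taken from the PR.

```python
import datetime
import plistlib

# Constructed sample (not a real device artifact). The key names are
# assumptions made for this example. Plist <date> values are UTC by
# definition, but plistlib returns them as naive datetimes (no tzinfo).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>wifi.network.ssid.ExampleNet</key>
  <dict>
    <key>SSID</key>
    <data>RXhhbXBsZU5ldA==</data>
    <key>Channel</key>
    <integer>6</integer>
    <key>AddedAt</key>
    <date>2024-01-15T10:30:00Z</date>
    <key>LastAssociatedAt</key>
    <date>2024-02-01T08:00:00Z</date>
    <key>BSSIDList</key>
    <array>
      <dict><key>LEAKY_AP_BSSID</key><string>aa:bb:cc:dd:ee:01</string></dict>
      <dict><key>LEAKY_AP_BSSID</key><string>aa:bb:cc:dd:ee:02</string></dict>
    </array>
  </dict>
  <key>wifi.network.ssid.NoAccessPoints</key>
  <dict>
    <key>SSID</key>
    <data>Tm9BY2Nlc3NQb2ludHM=</data>
    <key>AddedAt</key>
    <date>2023-12-24T23:59:59Z</date>
    <key>BSSIDList</key>
    <array/>
  </dict>
</dict>
</plist>
"""


def plist_date_to_utc(value):
    """Return a UTC-aware datetime for a plistlib date, or None if absent.

    Calling .timestamp() directly on the naive datetime would interpret it
    in the analysis host's local time zone and shift the epoch value by the
    host's UTC offset, so the UTC zone is attached explicitly first.
    """
    if value is None:
        return None
    if value.tzinfo is None:
        return value.replace(tzinfo=datetime.timezone.utc)
    return value.astimezone(datetime.timezone.utc)


def posix_timestamp(value):
    """Epoch seconds for a UTC-aware datetime (None passes through)."""
    return None if value is None else int(value.timestamp())


def decode_ssid(raw):
    """SSIDs are stored as raw bytes; decode leniently, never raise."""
    if raw is None:
        return None
    if isinstance(raw, bytes):
        return raw.decode('utf-8', errors='replace')
    return str(raw)


def parse_known_networks(plist_bytes):
    """Return one record per (network, BSSID); a network without BSSID
    entries still yields a single record so its timestamps are not lost."""
    top_level = plistlib.loads(plist_bytes)
    records = []
    for network_key, network in top_level.items():
        if not isinstance(network, dict):
            continue  # tolerate unexpected top-level values
        base = {
            'network_key': network_key,  # internal key, not the SSID
            'ssid': decode_ssid(network.get('SSID')),
            'channel': network.get('Channel'),
            'added_at': plist_date_to_utc(network.get('AddedAt')),
            'last_associated': plist_date_to_utc(
                network.get('LastAssociatedAt')),
        }
        bssids = [
            entry.get('LEAKY_AP_BSSID')
            for entry in network.get('BSSIDList', [])
            if isinstance(entry, dict)]
        if not bssids:
            records.append(dict(base, bssid=None))
            continue
        for bssid in bssids:
            records.append(dict(base, bssid=bssid))
    return records


if __name__ == '__main__':
    for record in parse_known_networks(SAMPLE_PLIST):
        print(record['ssid'], record['bssid'], record['channel'],
              record['added_at'], record['last_associated'])
```

Attaching UTC before taking the epoch value is the point to carry over into a real plugin: a naive datetime's `.timestamp()` depends on the time zone of the machine running the tool, which is the wrong zone for an artifact taken from a device.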

@joachimmetz (Member) commented:

Thanks for the PR, I'm a bit preoccupied at the moment, will try to take a look as soon as time permits

@joachimmetz joachimmetz self-assigned this Dec 27, 2024
@@ -1,6 +1,19 @@
# Plaso iOS related event formatters.
---
type: 'conditional'
data_type: 'ios:wifi:known_networks:knowing'
Review comment (Member):

Please keep the entries in this file in alphabetical order of data type.

description: 'Time network was added'
- name: 'last_associated'
description: 'Last associated time'
- name: 'ssid'
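Review bot: `- name: 'ssid'` at the end of this hunk is not a date/time attribute and does not belong in the timeliner's attribute_mappings, which only map date/time attributes to the description shown on the event; remove it. The two descriptions, 'Time network was added' and 'Last associated time', also read differently from the capitalised noun phrases this file uses for other entries (compare 'Content Modification Time' in the context of the later timeliner hunk); 'Added Time' and 'Last Associated Time' would match.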
Review comment (Member):

You only need to specify date and time values here.

@@ -1,6 +1,19 @@
# Plaso iOS related event formatters.
---
type: 'conditional'
data_type: 'ios:wifi:known_networks:knowing'
message:
- 'SSID={ssid}'
Review comment (Member):

style nits: yaml and textual formatting does not match rest of the file

- 'SSID={ssid}'
- 'BSSID={bssid}'
- 'Channel={channel}'
- 'Added At={added_at_time_str}'
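Review bot: 'Added At={added_at_time_str}' in this message list formats a string copy of the date that the parser then has to maintain next to the `added_at` value itself; the date and time are emitted by the timeliner from the event's date/time attributes, so drop the 'Added At=' line (and any matching 'Last Associated=' line) and keep the message to 'SSID={ssid}', 'BSSID={bssid}' and 'Channel={channel}'.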
Review comment (Member):

date and time values are handled by the timeliner

@@ -581,6 +581,20 @@ attribute_mappings:
description: 'Content Modification Time'
place_holder_event: true
---
data_type: 'ios:wifi:known_networks:knowing'
attribute_mappings:
- name: 'added_at'
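Review bot: the new `data_type: 'ios:wifi:known_networks:knowing'` block is appended directly after an entry that ends in `place_holder_event: true`, but the visible lines of the new block do not set `place_holder_event`; set it explicitly, as the preceding entry does, so that a network whose date/time attributes are all unset still yields an event, and indent `description:` under `- name: 'added_at'` the way the preceding entry indents it.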
Review comment (Member):

style nit: yaml formatting does not match rest of the file

event_data.last_associated = last_associated_obj
event_data.last_associated_time_str = last_associated_obj.CopyToDateTimeString()

print(f"Debug Event: SSID={event_data.ssid}, Added At={event_data.added_at_time_str}, Last Associated={event_data.last_associated_time_str}")
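Review bot: the `print(f"Debug Event: ...")` line is leftover debugging output and must go: a parser plugin should never write to stdout, where stray output is mixed into the tool's own output, and the f-string dereferences `event_data.added_at_time_str` and `event_data.last_associated_time_str`, string copies of the dates that exist only to feed this print. Remove the print together with the two `_time_str` attributes and keep only `event_data.last_associated = last_associated_obj`.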
Review comment (Member):

what is this print doing here?

last_associated_obj = dfdatetime_posix_time.PosixTime(
timestamp=last_associated.timestamp())
event_data.last_associated = last_associated_obj
event_data.last_associated_time_str = last_associated_obj.CopyToDateTimeString()
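Review bot: `timestamp=last_associated.timestamp()` is fragile: if `last_associated` is a naive `datetime.datetime` (what plist readers return for `<date>` values, which are defined as UTC), `.timestamp()` interprets it in the analysis host's local time zone, so the resulting `PosixTime` is shifted by that host's UTC offset and the same plist yields different timestamps on different machines. Use the plist plugin interface's `_GetDateTimeValueFromPlistKey`, as suggested on the `added_at` branch, instead of converting by hand, and drop the `last_associated_time_str` copy.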
Review comment (Member):

there is no need for added_at_time_str the timeliner will take care of this.

event_data.ssid = ssid_key

if added_at:
added_at_obj = dfdatetime_posix_time.PosixTime(
Review comment (Member):

Why not use _GetDateTimeValueFromPlistKey ?

match (Optional[dict[str: object]]): keys extracted from PLIST_KEYS.
top_level (Optional[dict[str: object]]): entire plist file.
"""
for ssid_key, ssid_data in top_level.items():
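Review bot: the docstring type hints `Optional[dict[str: object]]` use slice syntax; a dict annotation is `dict[str, object]`. The docstring also declares `top_level` Optional while the body calls `top_level.items()` unconditionally, so a None `top_level` raises AttributeError; either guard it (`if not top_level: return`) or drop 'Optional' from the docstring. The loop variable name `ssid_key` also suggests the top-level key is the SSID, whereas the review notes it appears to be an internal network key; `network_key` would be clearer.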
Review comment (Member):

ssid_key appears to be the internal network key


for bssid_data in bssid_list:
event_data = IOSWiFiKnownNetworksEventData()
event_data.ssid = ssid_key
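Review bot: `event_data = IOSWiFiKnownNetworksEventData()` is created inside `for bssid_data in bssid_list:`, so a known network whose BSSID list is empty produces no event at all and its SSID and timestamps never reach the timeline; produce one event for the network when the list is empty, or produce the network-level event outside the loop and only the BSSID-specific data per entry. `event_data.ssid = ssid_key` also takes the SSID from the dictionary key rather than from the network's own SSID value, as raised in the review.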
Review comment (Member):

Isn't the SSID stored in the SSID value ?


codecov bot commented Dec 27, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.07%. Comparing base (9d4e13c) to head (98cbea3).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4925      +/-   ##
==========================================
+ Coverage   85.05%   85.07%   +0.01%     
==========================================
  Files         431      432       +1     
  Lines       38648    38676      +28     
==========================================
+ Hits        32873    32903      +30     
+ Misses       5775     5773       -2     
