log2timeline · CopasAlpha26 · Nov 23, 2024 · Nov 26, 2024 · Dec 27, 2024
diff --git a/plaso/data/formatters/ios.yaml b/plaso/data/formatters/ios.yaml
@@ -47,8 +47,8 @@ data_type: 'ios:datausage:event'
 message:
 - 'Bundle Identifier: {bundle_identifier}'
 - 'Process Name: {process_name}'
-- 'Wifi In: {wifi_in}'
-- 'Wifi Out: {wifi_out}'
+- 'WiFi In: {wifi_in}'
+- 'WiFi Out: {wifi_out}'
 - 'Wireless Wan In: {wireless_wan_in}'
 - 'Wireless Wan Out: {wireless_wan_out}'
 short_message:
@@ -128,8 +128,8 @@ type: 'conditional'
 data_type: 'ios:netusage:process'
 message:
 - 'Process Name: {process_name}'
-- 'Wifi In: {wifi_in}'
-- 'Wifi Out: {wifi_out}'
+- 'WiFi In: {wifi_in}'
+- 'WiFi Out: {wifi_out}'
 - 'Wired In: {wired_in}'
 - 'Wired Out: {wired_out}'
 - 'Wireless Wan In: {wireless_wan_in}'
@@ -233,3 +233,14 @@ short_message:
 - 'Message: {text}'
 short_source: 'Twitter iOS'
 source: 'Twitter iOS Status'
+---
+type: 'conditional'
+data_type: 'ios:wifi:known_networks:entry'
+message:
+- 'SSID: {ssid}'
+- 'BSSID: {bssid}'
+- 'Channel: {channel}'
+short_message:
+- 'SSID: {ssid}'
+short_source: 'PLIST'
+source: 'Apple iOS WiFi Known Networks plist file'
diff --git a/plaso/data/timeliner.yaml b/plaso/data/timeliner.yaml
@@ -581,6 +581,14 @@ attribute_mappings:
   description: 'Content Modification Time'
 place_holder_event: true
 ---
+data_type: 'ios:wifi:known_networks:entry'
+attribute_mappings:
+- name: 'added_time'
+  description: 'Time network was added'
+- name: 'last_associated_time'
+  description: 'Last associated time'
+place_holder_event: true
+---
 data_type: 'ipod:device:entry'
 attribute_mappings:
 - name: 'last_connected_time'

diff --git a/plaso/parsers/plist_plugins/__init__.py b/plaso/parsers/plist_plugins/__init__.py
@@ -8,6 +8,7 @@
 from plaso.parsers.plist_plugins import install_history
 from plaso.parsers.plist_plugins import ios_carplay
 from plaso.parsers.plist_plugins import ios_identityservices
+from plaso.parsers.plist_plugins import ios_wifi_known_networks
 from plaso.parsers.plist_plugins import ipod
 from plaso.parsers.plist_plugins import launchd
 from plaso.parsers.plist_plugins import macos_background_items

diff --git a/plaso/parsers/plist_plugins/ios_wifi_known_networks.py b/plaso/parsers/plist_plugins/ios_wifi_known_networks.py
@@ -0,0 +1,79 @@
+# -*- coding: utf-8 -*-
+"""Plist parser plugin for Apple iOS WiFi Known Networks plist files.
+
+The plist contains information about WiFi networks the device has connected to.
+"""
+
+from plaso.containers import events
+from plaso.parsers import plist
+from plaso.parsers.plist_plugins import interface
+
+
+class IOSWiFiKnownNetworksEventData(events.EventData):
+  """Apple iOS WiFi Known Networks event data.
+
+  Attributes:
+    added_time (dfdatetime.DateTimeValues): date the network was added.
+    bssid (str): BSSID of the WiFi network.
+    channel (int): Channel used by the WiFi network.
+    last_associated_time (dfdatetime.DateTimeValues): date the network was last
+        associated.
+    ssid (str): SSID of the WiFi network.
+  """
+
+  DATA_TYPE = 'ios:wifi:known_networks:entry'
+
+  def __init__(self):
+    """Initializes event data."""
+    super(IOSWiFiKnownNetworksEventData, self).__init__(
+        data_type=self.DATA_TYPE)
+    self.added_time = None
+    self.bssid = None
+    self.channel = None
+    self.last_associated_time = None
+    self.ssid = None
+
+
+class IOSWiFiKnownNetworksPlistPlugin(interface.PlistPlugin):
+  """Plist parser plugin for Apple iOS WiFi Known Networks plist files."""
+
+  NAME = 'ios_wifi_known_networks'
+  DATA_FORMAT = 'Apple iOS WiFi Known Networks plist file'
+
+  PLIST_PATH_FILTERS = frozenset([
+      interface.PlistPathFilter('com.apple.wifi.known-networks.plist')])
+
+  PLIST_KEYS = frozenset([])
+
+  def _ParsePlist(
+      self, parser_mediator, match=None, top_level=None, **unused_kwargs):
+    """Extract WiFi known network entries.
+
+    Args:
+        parser_mediator (ParserMediator): mediates interactions between parsers
+            and other components, such as storage and dfVFS.
+        match (Optional[dict[str: object]]): keys extracted from PLIST_KEYS.
+        top_level (Optional[dict[str: object]]): entire plist file.
+    """
+    for network_values in top_level.values():
+      event_data = IOSWiFiKnownNetworksEventData()
+      event_data.added_time = self._GetDateTimeValueFromPlistKey(
+          network_values, 'AddedAt')
+      # TODO: add support for JoinedByUserAt
+      # TODO: add support for JoinedBySystemAt
+      # TODO: add support for UpdatedAt
+      event_data.ssid = network_values.get('SSID').decode('utf8')
+
+      for bssid_data in network_values.get('BSSList', []):
+        event_data.bssid = bssid_data.get('BSSID')
+        event_data.channel = bssid_data.get('Channel')
+        event_data.last_associated_time = self._GetDateTimeValueFromPlistKey(
+            bssid_data, 'LastAssociatedAt')
+
+        parser_mediator.ProduceEventData(event_data)
+
+      # TODO: add support for __OSSpecific__ knownBSSUpdatedDate,
+      # prevJoined and WiFiNetworkPasswordModificationDate
+
+
+plist.PlistParser.RegisterPlugin(IOSWiFiKnownNetworksPlistPlugin)
diff --git a/test_data/com.apple.wifi.known-networks.plist b/test_data/com.apple.wifi.known-networks.plist
diff --git a/tests/parsers/plist_plugins/ios_wifi_known_networks.py b/tests/parsers/plist_plugins/ios_wifi_known_networks.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""Tests for the Apple iOS WiFi Known Networks plist plugin."""
+
+import unittest
+
+from plaso.parsers.plist_plugins import ios_wifi_known_networks
+
+from tests.parsers.plist_plugins import test_lib
+
+
+class IOSWiFiKnownNetworksPlistPluginTest(test_lib.PlistPluginTestCase):
+  """Tests for the Apple iOS WiFi Known Networks plist plugin."""
+
+  def testProcess(self):
+    """Tests the Process function."""
+    plist_name = 'com.apple.wifi.known-networks.plist'
+
+    plugin = ios_wifi_known_networks.IOSWiFiKnownNetworksPlistPlugin()
+    storage_writer = self._ParsePlistFileWithPlugin(
+        plugin, [plist_name], plist_name)
+
+    number_of_event_data = storage_writer.GetNumberOfAttributeContainers(
+        'event_data')
+    self.assertEqual(number_of_event_data, 9)
+
+    number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
+        'extraction_warning')
+    self.assertEqual(number_of_warnings, 0)
+
+    number_of_recovery_warnings = storage_writer.GetNumberOfAttributeContainers(
+        'recovery_warning')
+    self.assertEqual(number_of_recovery_warnings, 0)
+
+    expected_event_values = {
+        'added_time': '2023-04-15T13:53:47.476017+00:00',
+        'bssid': '76:a7:41:e7:7c:9d',
+        'channel': 1,
+        'data_type': 'ios:wifi:known_networks:entry',
+        'last_associated_time': '2023-05-14T01:15:45.013600+00:00',
+        'ssid': 'Matt_Foley'}
+
+    event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0)
+    self.CheckEventData(event_data, expected_event_values)
+
+
+if __name__ == '__main__':
+  unittest.main()