fix for macos alias format. Migrating timestamps to ISO8601

artemis-docs/docs/Artifacts/macOS Artifacts/alias.md

@@ -38,13 +38,13 @@ An `alias` object structure
 export interface Alias {
   kind: string;
   volume_name: string;
-  volume_created: number;
+  volume_created: string;
   filesystem_type: number;
   disk_type: number;
   cnid: number;
   target_name: string;
   target_cnid: number;
-  target_created: number;
+  target_created: string;
   target_creator_code: number;
   target_type_code: number;
   number_directory_levels_from_alias_to_root: number;

artemis-docs/docs/Artifacts/macOS Artifacts/homebrew.md

@@ -52,8 +52,8 @@ A `HomebrewData` object structure
 export interface HomebrewReceipt extends HomebrewFormula {
   installedAsDependency: boolean;
   installedOnRequest: boolean;
-  installTime: number;
-  sourceModified: number;
+  installTime: string;
+  sourceModified: string;
   name: string;
 }
 

artemis-docs/docs/Artifacts/macOS Artifacts/munki.md

@@ -53,8 +53,8 @@ export interface MunkiApplicationUsage {
   app_version: string;
   /**Path the application */
   app_path: string;
-  /**Last time of the event in UNIXEPOCH seconds */
-  last_time: number;
+  /**Last time of the event */
+  last_time: string;
   /**Number of times of the event */
   number_times: number;
 }

artemis-docs/docs/Artifacts/macOS Artifacts/quarantine.md

@@ -40,7 +40,7 @@ export interface MacosQuarantine {
 }
 export interface QuarantineEvent {
   id: string;
-  timestamp: number;
+  timestamp: string;
   bundle_id?: string;
   agent_name: string;
   url_string?: string;

artemis-docs/docs/Artifacts/macOS Artifacts/tcc.md

@@ -61,11 +61,11 @@ export interface TccData {
   indirect_object_identifier: string;
   indirect_object_code_identity: SingleRequirement | undefined;
   flags: number | undefined;
-  last_modified: number;
+  last_modified: string;
   pid: number | undefined;
   pid_version: number | undefined;
   boot_uuid: string;
-  last_reminded: number;
+  last_reminded: string;
 }
 
 export enum Reason {

src/macos/alias.ts

@@ -11,7 +11,7 @@ import {
   nomUnsignedTwoBytes,
 } from "../nom/helpers.ts";
 import { take } from "../nom/parsers.ts";
-import { hfsToUnixEpoch } from "../time/conversion.ts";
+import { hfsToUnixEpoch, unixEpochToISO } from "../time/conversion.ts";
 import { MacosError } from "./errors.ts";
 
 /**
@@ -88,7 +88,7 @@ export function parseAlias(data: Uint8Array): Alias | MacosError {
   // Get the volume name
   const volume_name = extractUtf8String(string_data.nommed as Uint8Array);
 
-  const created_data = nomSignedFourBytes(
+  const created_data = nomUnsignedFourBytes(
     alias_data.remaining as Uint8Array,
     Endian.Be,
   );
@@ -257,13 +257,13 @@ export function parseAlias(data: Uint8Array): Alias | MacosError {
   const alias: Alias = {
     kind,
     volume_name,
-    volume_created: hfsToUnixEpoch(volume_created),
+    volume_created: unixEpochToISO(hfsToUnixEpoch(volume_created)),
     filesystem_type,
     disk_type,
     cnid,
     target_name,
     target_cnid,
-    target_created: hfsToUnixEpoch(target_created),
+    target_created: unixEpochToISO(hfsToUnixEpoch(target_created)),
     target_creator_code,
     target_type_code,
     number_directory_levels_from_alias_to_root,

src/macos/homebrew.ts

@@ -5,6 +5,7 @@ import {
 } from "../../types/macos/homebrew.ts";
 import { FileError } from "../filesystem/errors.ts";
 import { glob, readTextFile } from "../filesystem/files.ts";
+import { unixEpochToISO } from "../time/conversion.ts";
 
 /**
  * Function to get Homebrew info on installed packages and Casks
@@ -53,8 +54,8 @@ export function getPackages(glob_path?: string): HomebrewReceipt[] {
       const brew_info: HomebrewReceipt = {
         installedAsDependency: false,
         installedOnRequest: false,
-        installTime: 0,
-        sourceModified: 0,
+        installTime: "",
+        sourceModified: "",
         version: "",
         name: "",
         description: "",
@@ -108,11 +109,13 @@ export function getPackages(glob_path?: string): HomebrewReceipt[] {
         }
         const receipt_data = JSON.parse(receipt);
 
-        brew_info.installTime = receipt_data["time"];
+        brew_info.installTime = unixEpochToISO(receipt_data["time"]);
         brew_info.installedAsDependency =
           receipt_data["installed_as_dependency"];
         brew_info.installedOnRequest = receipt_data["installed_on_request"];
-        brew_info.sourceModified = receipt_data["source_modified_time"];
+        brew_info.sourceModified = unixEpochToISO(
+          receipt_data["source_modified_time"],
+        );
       }
 
       brew_receipts.push(brew_info);

src/macos/plist/firewall.ts

@@ -92,13 +92,13 @@ function parseApplications(
     application_info: {
       kind: "",
       volume_name: "",
-      volume_created: 0,
+      volume_created: "",
       filesystem_type: 0,
       disk_type: 0,
       cnid: 0,
       target_name: "",
       target_cnid: 0,
-      target_created: 0,
+      target_created: "",
       target_creator_code: 0,
       target_type_code: 0,
       number_directory_levels_from_alias_to_root: 0,

src/macos/sqlite/munki.ts

@@ -2,6 +2,7 @@ import { ApplicationError } from "../../applications/errors.ts";
 import { querySqlite } from "../../applications/sqlite.ts";
 import { MacosError } from "../errors.ts";
 import { MunkiApplicationUsage } from "../../../types/macos/sqlite/munki.ts";
+import { unixEpochToISO } from "../../time/conversion.ts";
 
 /**
  * Function to extract application usage info from Munki database
@@ -24,7 +25,7 @@ export function munkiApplicationUsage(
       bundle_id: value["bundle_id"] as string,
       app_version: value["app_version"] as string,
       app_path: value["app_path"] as string,
-      last_time: value["last_time"] as number,
+      last_time: unixEpochToISO(value["last_time"] as number),
       number_times: value["number_times"] as number,
     };
 

src/macos/sqlite/quarantine.ts

@@ -8,7 +8,7 @@ import {
   QuarantineEvent,
   QuarantineType,
 } from "../../../types/macos/sqlite/quarantine.ts";
-import { cocoatimeToUnixEpoch } from "../../time/conversion.ts";
+import { cocoatimeToUnixEpoch, unixEpochToISO } from "../../time/conversion.ts";
 
 /**
  * Function to extract macOS Quarantine Events
@@ -53,9 +53,9 @@ export function quarantineEvents(
     for (const value of results) {
       const entry: QuarantineEvent = {
         id: value["LSQuarantineEventIdentifier"] as string,
-        timestamp: cocoatimeToUnixEpoch(
+        timestamp: unixEpochToISO(cocoatimeToUnixEpoch(
           value["LSQuarantineTimeStamp"] as number,
-        ),
+        )),
         agent_name: value["LSQuarantineAgentName"] as string,
         type: quarantineType(value["LSQuarantineTypeNumber"] as number),
         bundle_id:

src/macos/sqlite/tcc.ts

@@ -15,6 +15,7 @@ import { decode } from "../../encoding/base64.ts";
 import { EncodingError } from "../../encoding/errors.ts";
 import { parseRequirementBlob } from "../codesigning/blob.ts";
 import { SigningError } from "../codesigning/errors.ts";
+import { unixEpochToISO } from "../../time/conversion.ts";
 
 /**
  * Query all `TCC.db` files on the system. `TCC.db` contains granted permissions for applications.
@@ -82,11 +83,11 @@ function getTccData(data: Record<string, unknown>[], path: string): TccValues {
       indirect_object_identifier: entry["indirect_object_identifier"] as string,
       indirect_object_code_identity: undefined,
       flags: entry["flags"] as number | undefined,
-      last_modified: entry["last_modified"] as number,
+      last_modified: unixEpochToISO(entry["last_modified"] as number),
       pid: entry["pid"] as number | undefined,
       pid_version: entry["pid_version"] as number | undefined,
       boot_uuid: entry["boot_uuid"] as string,
-      last_reminded: entry["last_reminded"] as number,
+      last_reminded: unixEpochToISO(entry["last_reminded"] as number),
     };
 
     if (entry["csreq"] != undefined) {

src/timesketch/artifacts/macos/homebrew.ts

@@ -1,6 +1,5 @@
 import { HomebrewReceipt } from "../../../../types/macos/homebrew.ts";
 import { TimesketchTimeline } from "../../../../types/timesketch/timeline.ts";
-import { unixEpochToISO } from "../../../time/conversion.ts";
 
 /**
  * Function to timeline Homebrew Packages info
@@ -14,16 +13,16 @@ export function timelineHomebrew(
 
   for (const item of data) {
     let entry: TimesketchTimeline = {
-      datetime: unixEpochToISO(item.installTime),
+      datetime: item.installTime,
       timestamp_desc: "Homebrew Package Installed",
       message: `${item.name} - ${item.description}`,
       data_type: "macos:homebrew:package",
       artifact: "HomebrewPackages",
     };
 
     entry = { ...entry, ...item };
-    entry["installTime"] = unixEpochToISO(item.installTime);
-    entry["sourceModified"] = unixEpochToISO(item.sourceModified);
+    entry["installTime"] = item.installTime;
+    entry["sourceModified"] = item.sourceModified;
 
     entries.push(entry);
   }

types/macos/alias.ts

@@ -11,13 +11,13 @@
 export interface Alias {
   kind: string;
   volume_name: string;
-  volume_created: number;
+  volume_created: string;
   filesystem_type: number;
   disk_type: number;
   cnid: number;
   target_name: string;
   target_cnid: number;
-  target_created: number;
+  target_created: string;
   target_creator_code: number;
   target_type_code: number;
   number_directory_levels_from_alias_to_root: number;

types/macos/homebrew.ts

@@ -1,8 +1,8 @@
 export interface HomebrewReceipt extends HomebrewFormula {
   installedAsDependency: boolean;
   installedOnRequest: boolean;
-  installTime: number;
-  sourceModified: number;
+  installTime: string;
+  sourceModified: string;
   name: string;
 }
 

types/macos/plist/xprotect.ts

@@ -5,7 +5,7 @@ export interface XprotectEntries {
 }
 
 export interface MatchData {
-  /**Hex encoded values. These are maybe compiled? Yara Rules */
+  /**Hex encoded values */
   pattern: string;
   filetype: string;
   sha1: string;

types/macos/sqlite/munki.ts

@@ -10,8 +10,8 @@ export interface MunkiApplicationUsage {
   app_version: string;
   /**Path the application */
   app_path: string;
-  /**Last time of the event in UNIXEPOCH seconds */
-  last_time: number;
+  /**Last time of the event */
+  last_time: string;
   /**Number of times of the event */
   number_times: number;
 }

types/macos/sqlite/quarantine.ts

@@ -4,7 +4,7 @@ export interface MacosQuarantine {
 }
 export interface QuarantineEvent {
   id: string;
-  timestamp: number;
+  timestamp: string;
   bundle_id?: string;
   agent_name: string;
   url_string?: string;

types/macos/sqlite/tcc.ts

@@ -18,11 +18,11 @@ export interface TccData {
   indirect_object_identifier: string;
   indirect_object_code_identity: SingleRequirement | undefined;
   flags: number | undefined;
-  last_modified: number;
+  last_modified: string;
   pid: number | undefined;
   pid_version: number | undefined;
   boot_uuid: string;
-  last_reminded: number;
+  last_reminded: string;
 }
 
 export enum Reason {