From 37046b641dcd3bb349aa48852c8c9c10c5ce6e64 Mon Sep 17 00:00:00 2001
From: puffyCid <16283453+puffyCid@users.noreply.github.com>
Date: Sat, 1 Jun 2024 22:52:59 -0400
Subject: [PATCH] fix for macos alias format. Migrating timestamps to ISO8601

---
 artemis-docs/docs/Artifacts/macOS Artifacts/alias.md | 4 ++--
 .../docs/Artifacts/macOS Artifacts/homebrew.md | 4 ++--
 artemis-docs/docs/Artifacts/macOS Artifacts/munki.md | 4 ++--
 .../docs/Artifacts/macOS Artifacts/quarantine.md | 2 +-
 artemis-docs/docs/Artifacts/macOS Artifacts/tcc.md | 4 ++--
 src/macos/alias.ts | 8 ++++----
 src/macos/homebrew.ts | 11 +++++++----
 src/macos/plist/firewall.ts | 4 ++--
 src/macos/sqlite/munki.ts | 3 ++-
 src/macos/sqlite/quarantine.ts | 6 +++---
 src/macos/sqlite/tcc.ts | 5 +++--
 src/timesketch/artifacts/macos/homebrew.ts | 7 +++----
 types/macos/alias.ts | 4 ++--
 types/macos/homebrew.ts | 4 ++--
 types/macos/plist/xprotect.ts | 2 +-
 types/macos/sqlite/munki.ts | 4 ++--
 types/macos/sqlite/quarantine.ts | 2 +-
 types/macos/sqlite/tcc.ts | 4 ++--
 18 files changed, 43 insertions(+), 39 deletions(-)

diff --git a/artemis-docs/docs/Artifacts/macOS Artifacts/alias.md b/artemis-docs/docs/Artifacts/macOS Artifacts/alias.md
index e351d6a4..cdadd3f6 100644
--- a/artemis-docs/docs/Artifacts/macOS Artifacts/alias.md
+++ b/artemis-docs/docs/Artifacts/macOS Artifacts/alias.md
@@ -38,13 +38,13 @@ An `alias` object structure
 export interface Alias {
 kind: string;
 volume_name: string;
- volume_created: number;
+ volume_created: string;
 filesystem_type: number;
 disk_type: number;
 cnid: number;
 target_name: string;
 target_cnid: number;
- target_created: number;
+ target_created: string;
 target_creator_code: number;
 target_type_code: number;
 number_directory_levels_from_alias_to_root: number;
diff --git a/artemis-docs/docs/Artifacts/macOS Artifacts/homebrew.md b/artemis-docs/docs/Artifacts/macOS Artifacts/homebrew.md
index bd016ec5..1c420849 100644
--- a/artemis-docs/docs/Artifacts/macOS Artifacts/homebrew.md
+++ b/artemis-docs/docs/Artifacts/macOS Artifacts/homebrew.md
@@ -52,8 +52,8 @@ A `HomebrewData` object structure
 export interface HomebrewReceipt extends HomebrewFormula {
 installedAsDependency: boolean;
 installedOnRequest: boolean;
- installTime: number;
- sourceModified: number;
+ installTime: string;
+ sourceModified: string;
 name: string;
 }
diff --git a/artemis-docs/docs/Artifacts/macOS Artifacts/munki.md b/artemis-docs/docs/Artifacts/macOS Artifacts/munki.md
index 52e95865..f9d8cb1b 100644
--- a/artemis-docs/docs/Artifacts/macOS Artifacts/munki.md
+++ b/artemis-docs/docs/Artifacts/macOS Artifacts/munki.md
@@ -53,8 +53,8 @@ export interface MunkiApplicationUsage {
 app_version: string;
 /**Path the application */
 app_path: string;
- /**Last time of the event in UNIXEPOCH seconds */
- last_time: number;
+ /**Last time of the event */
+ last_time: string;
 /**Number of times of the event */
 number_times: number;
 }
diff --git a/artemis-docs/docs/Artifacts/macOS Artifacts/quarantine.md b/artemis-docs/docs/Artifacts/macOS Artifacts/quarantine.md
index d16d6a7d..7b99171c 100644
--- a/artemis-docs/docs/Artifacts/macOS Artifacts/quarantine.md
+++ b/artemis-docs/docs/Artifacts/macOS Artifacts/quarantine.md
@@ -40,7 +40,7 @@ export interface MacosQuarantine {
 }
 export interface QuarantineEvent {
 id: string;
- timestamp: number;
+ timestamp: string;
 bundle_id?: string;
 agent_name: string;
 url_string?: string;
diff --git a/artemis-docs/docs/Artifacts/macOS Artifacts/tcc.md b/artemis-docs/docs/Artifacts/macOS Artifacts/tcc.md
index e9d093c4..24f37bf0 100644
--- a/artemis-docs/docs/Artifacts/macOS Artifacts/tcc.md
+++ b/artemis-docs/docs/Artifacts/macOS Artifacts/tcc.md
@@ -61,11 +61,11 @@ export interface TccData {
 indirect_object_identifier: string;
 indirect_object_code_identity: SingleRequirement | undefined;
 flags: number | undefined;
- last_modified: number;
+ last_modified: string;
 pid: number | undefined;
 pid_version: number | undefined;
 boot_uuid: string;
- last_reminded: number;
+ last_reminded: string;
 }
 
 export enum Reason {
diff --git a/src/macos/alias.ts b/src/macos/alias.ts
index bd151f64..fe4535ed 100644
--- a/src/macos/alias.ts
+++ b/src/macos/alias.ts
@@ -11,7 +11,7 @@ import {
 nomUnsignedTwoBytes,
 } from "../nom/helpers.ts";
 import { take } from "../nom/parsers.ts";
-import { hfsToUnixEpoch } from "../time/conversion.ts";
+import { hfsToUnixEpoch, unixEpochToISO } from "../time/conversion.ts";
 import { MacosError } from "./errors.ts";
 
 /**
@@ -88,7 +88,7 @@ export function parseAlias(data: Uint8Array): Alias | MacosError {
 // Get the volume name
 const volume_name = extractUtf8String(string_data.nommed as Uint8Array);
 
- const created_data = nomSignedFourBytes(
+ const created_data = nomUnsignedFourBytes(
 alias_data.remaining as Uint8Array,
 Endian.Be,
 );
@@ -257,13 +257,13 @@ export function parseAlias(data: Uint8Array): Alias | MacosError {
 const alias: Alias = {
 kind,
 volume_name,
- volume_created: hfsToUnixEpoch(volume_created),
+ volume_created: unixEpochToISO(hfsToUnixEpoch(volume_created)),
 filesystem_type,
 disk_type,
 cnid,
 target_name,
 target_cnid,
- target_created: hfsToUnixEpoch(target_created),
+ target_created: unixEpochToISO(hfsToUnixEpoch(target_created)),
 target_creator_code,
 target_type_code,
 number_directory_levels_from_alias_to_root,
diff --git a/src/macos/homebrew.ts b/src/macos/homebrew.ts
index 63c14684..208cbec2 100644
--- a/src/macos/homebrew.ts
+++ b/src/macos/homebrew.ts
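Review bot: The switch to nomUnsignedFourBytes in the second alias.ts hunk only covers the volume creation date; target_created is read somewhere outside this hunk (it is only consumed at the `target_created:` line of the third hunk), and if that read still uses nomSignedFourBytes it has the same defect this hunk fixes, because HFS+ dates are unsigned 32-bit seconds since 1904 and a signed read goes negative for any date after January 1972. A one-line comment on the changed line would stop the next reader from "fixing" it back: `// HFS+ dates are unsigned 32-bit seconds since 1904-01-01; a signed read wraps negative for anything after 1972`. parseAlias starts and ends outside both hunks.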
@@ -5,6 +5,7 @@ import {
 } from "../../types/macos/homebrew.ts";
 import { FileError } from "../filesystem/errors.ts";
 import { glob, readTextFile } from "../filesystem/files.ts";
+import { unixEpochToISO } from "../time/conversion.ts";
 
 /**
 * Function to get Homebrew info on installed packages and Casks
@@ -53,8 +54,8 @@ export function getPackages(glob_path?: string): HomebrewReceipt[] {
 const brew_info: HomebrewReceipt = {
 installedAsDependency: false,
 installedOnRequest: false,
- installTime: 0,
- sourceModified: 0,
+ installTime: "",
+ sourceModified: "",
 version: "",
 name: "",
 description: "",
@@ -108,11 +109,13 @@ export function getPackages(glob_path?: string): HomebrewReceipt[] {
 }
 
 const receipt_data = JSON.parse(receipt);
- brew_info.installTime = receipt_data["time"];
+ brew_info.installTime = unixEpochToISO(receipt_data["time"]);
 brew_info.installedAsDependency = receipt_data["installed_as_dependency"];
 brew_info.installedOnRequest = receipt_data["installed_on_request"];
- brew_info.sourceModified = receipt_data["source_modified_time"];
+ brew_info.sourceModified = unixEpochToISO(
+ receipt_data["source_modified_time"],
+ );
 }
 
 brew_receipts.push(brew_info);
diff --git a/src/macos/plist/firewall.ts b/src/macos/plist/firewall.ts
index ae1e3eda..90f5eaeb 100644
--- a/src/macos/plist/firewall.ts
+++ b/src/macos/plist/firewall.ts
@@ -92,13 +92,13 @@ function parseApplications(
 application_info: {
 kind: "",
 volume_name: "",
- volume_created: 0,
+ volume_created: "",
 filesystem_type: 0,
 disk_type: 0,
 cnid: 0,
 target_name: "",
 target_cnid: 0,
- target_created: 0,
+ target_created: "",
 target_creator_code: 0,
 target_type_code: 0,
 number_directory_levels_from_alias_to_root: 0,
diff --git a/src/macos/sqlite/munki.ts b/src/macos/sqlite/munki.ts
index a6a51829..afba1c2a 100644
--- a/src/macos/sqlite/munki.ts
+++ b/src/macos/sqlite/munki.ts
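Review bot: `unixEpochToISO(receipt_data["time"])` in the third homebrew.ts hunk feeds an unvalidated JSON.parse result straight into the converter; receipt_data is `any`, so a receipt with no `time` key, or one where it is not a number, reaches unixEpochToISO as undefined or a string, and how that helper reacts is outside this diff. The old code had the same gap but only stored the raw value, whereas now a bad value is transformed, which makes the failure harder to spot in output. A typeof guard keeps the "" placeholder set in the second hunk for the missing case: `brew_info.installTime = typeof receipt_data["time"] === "number" ? unixEpochToISO(receipt_data["time"]) : "";` and the same for `source_modified_time`. The `as number` casts feeding unixEpochToISO in src/macos/sqlite/munki.ts, quarantine.ts and tcc.ts have the same shape, since a NULL cell passes through an `as` cast unchanged, and would benefit from the same guard. getPackages starts and ends outside this hunk.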
@@ -2,6 +2,7 @@ import { ApplicationError } from "../../applications/errors.ts";
 import { querySqlite } from "../../applications/sqlite.ts";
 import { MacosError } from "../errors.ts";
 import { MunkiApplicationUsage } from "../../../types/macos/sqlite/munki.ts";
+import { unixEpochToISO } from "../../time/conversion.ts";
 
 /**
 * Function to extract application usage info from Munki database
@@ -24,7 +25,7 @@ export function munkiApplicationUsage(
 bundle_id: value["bundle_id"] as string,
 app_version: value["app_version"] as string,
 app_path: value["app_path"] as string,
- last_time: value["last_time"] as number,
+ last_time: unixEpochToISO(value["last_time"] as number),
 number_times: value["number_times"] as number,
 };
 
diff --git a/src/macos/sqlite/quarantine.ts b/src/macos/sqlite/quarantine.ts
index fbc69e23..80ac40b7 100644
--- a/src/macos/sqlite/quarantine.ts
+++ b/src/macos/sqlite/quarantine.ts
@@ -8,7 +8,7 @@ import {
 QuarantineEvent,
 QuarantineType,
 } from "../../../types/macos/sqlite/quarantine.ts";
-import { cocoatimeToUnixEpoch } from "../../time/conversion.ts";
+import { cocoatimeToUnixEpoch, unixEpochToISO } from "../../time/conversion.ts";
 
 /**
 * Function to extract macOS Quarantine Events
@@ -53,9 +53,9 @@ export function quarantineEvents(
 for (const value of results) {
 const entry: QuarantineEvent = {
 id: value["LSQuarantineEventIdentifier"] as string,
- timestamp: cocoatimeToUnixEpoch(
+ timestamp: unixEpochToISO(cocoatimeToUnixEpoch(
 value["LSQuarantineTimeStamp"] as number,
- ),
+ )),
 agent_name: value["LSQuarantineAgentName"] as string,
 type: quarantineType(value["LSQuarantineTypeNumber"] as number),
 bundle_id:
diff --git a/src/macos/sqlite/tcc.ts b/src/macos/sqlite/tcc.ts
index 0e597109..45c4d6a7 100644
--- a/src/macos/sqlite/tcc.ts
+++ b/src/macos/sqlite/tcc.ts
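Review bot: The nested `unixEpochToISO(cocoatimeToUnixEpoch(` … `))` in the second quarantine.ts hunk, with the double close parenthesis on a line of its own, reads poorly inside the object literal and does not match how the same wrapping was laid out in src/macos/homebrew.ts in this patch (`unixEpochToISO(` / argument / `);`). Naming the intermediate keeps the literal flat: `const event_time = cocoatimeToUnixEpoch(value["LSQuarantineTimeStamp"] as number);` before the literal and `timestamp: unixEpochToISO(event_time),` inside it. quarantineEvents starts and ends outside this hunk.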
@@ -15,6 +15,7 @@ import { decode } from "../../encoding/base64.ts";
 import { EncodingError } from "../../encoding/errors.ts";
 import { parseRequirementBlob } from "../codesigning/blob.ts";
 import { SigningError } from "../codesigning/errors.ts";
+import { unixEpochToISO } from "../../time/conversion.ts";
 
 /**
 * Query all `TCC.db` files on the system. `TCC.db` contains granted permissions for applications.
@@ -82,11 +83,11 @@ function getTccData(data: Record[], path: string): TccValues {
 indirect_object_identifier: entry["indirect_object_identifier"] as string,
 indirect_object_code_identity: undefined,
 flags: entry["flags"] as number | undefined,
- last_modified: entry["last_modified"] as number,
+ last_modified: unixEpochToISO(entry["last_modified"] as number),
 pid: entry["pid"] as number | undefined,
 pid_version: entry["pid_version"] as number | undefined,
 boot_uuid: entry["boot_uuid"] as string,
- last_reminded: entry["last_reminded"] as number,
+ last_reminded: unixEpochToISO(entry["last_reminded"] as number),
 };
 
 if (entry["csreq"] != undefined) {
diff --git a/src/timesketch/artifacts/macos/homebrew.ts b/src/timesketch/artifacts/macos/homebrew.ts
index 33937da1..6c045b50 100644
--- a/src/timesketch/artifacts/macos/homebrew.ts
+++ b/src/timesketch/artifacts/macos/homebrew.ts
@@ -1,6 +1,5 @@
 import { HomebrewReceipt } from "../../../../types/macos/homebrew.ts";
 import { TimesketchTimeline } from "../../../../types/timesketch/timeline.ts";
-import { unixEpochToISO } from "../../../time/conversion.ts";
 
 /**
 * Function to timeline Homebrew Packages info
@@ -14,7 +13,7 @@ export function timelineHomebrew(
 
 for (const item of data) {
 let entry: TimesketchTimeline = {
- datetime: unixEpochToISO(item.installTime),
+ datetime: item.installTime,
 timestamp_desc: "Homebrew Package Installed",
 message: `${item.name} - ${item.description}`,
 data_type: "macos:homebrew:package",
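Review bot: `unixEpochToISO(entry["last_reminded"] as number)` in the second tcc.ts hunk turns a zero into an epoch-1970 ISO string, so a row that was never reminded (as far as I recall TCC.db stores 0 in last_reminded for that case, and the neighbouring flags and pid fields being typed `number | undefined` suggests these columns are not always populated) shows up in a timeline as a plausible-looking 1970-01-01 event instead of an obvious sentinel. Gating the conversion keeps the distinction visible to an analyst: `last_reminded: entry["last_reminded"] ? unixEpochToISO(entry["last_reminded"] as number) : "",`. The same applies to last_modified if that column can be 0 or NULL. getTccData starts and ends outside this hunk.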
@@ -22,8 +21,8 @@ export function timelineHomebrew(
 };
 
 entry = { ...entry, ...item };
- entry["installTime"] = unixEpochToISO(item.installTime);
- entry["sourceModified"] = unixEpochToISO(item.sourceModified);
+ entry["installTime"] = item.installTime;
+ entry["sourceModified"] = item.sourceModified;
 
 entries.push(entry);
 }
diff --git a/types/macos/alias.ts b/types/macos/alias.ts
index 8fe95515..f47f1b19 100644
--- a/types/macos/alias.ts
+++ b/types/macos/alias.ts
@@ -11,13 +11,13 @@
 export interface Alias {
 kind: string;
 volume_name: string;
- volume_created: number;
+ volume_created: string;
 filesystem_type: number;
 disk_type: number;
 cnid: number;
 target_name: string;
 target_cnid: number;
- target_created: number;
+ target_created: string;
 target_creator_code: number;
 target_type_code: number;
 number_directory_levels_from_alias_to_root: number;
diff --git a/types/macos/homebrew.ts b/types/macos/homebrew.ts
index d9dd0e4f..245b5379 100644
--- a/types/macos/homebrew.ts
+++ b/types/macos/homebrew.ts
@@ -1,8 +1,8 @@
 export interface HomebrewReceipt extends HomebrewFormula {
 installedAsDependency: boolean;
 installedOnRequest: boolean;
- installTime: number;
- sourceModified: number;
+ installTime: string;
+ sourceModified: string;
 name: string;
 }
 
diff --git a/types/macos/plist/xprotect.ts b/types/macos/plist/xprotect.ts
index af15df05..21e612a1 100644
--- a/types/macos/plist/xprotect.ts
+++ b/types/macos/plist/xprotect.ts
@@ -5,7 +5,7 @@ export interface XprotectEntries {
 }
 
 export interface MatchData {
- /**Hex encoded values. These are maybe compiled? Yara Rules */
+ /**Hex encoded values */
 pattern: string;
 filetype: string;
 sha1: string;
diff --git a/types/macos/sqlite/munki.ts b/types/macos/sqlite/munki.ts
index a5ea3190..a9318740 100644
--- a/types/macos/sqlite/munki.ts
+++ b/types/macos/sqlite/munki.ts
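Review bot: The two assignments `entry["installTime"] = item.installTime;` and `entry["sourceModified"] = item.sourceModified;` are now no-ops: the line just above them, `entry = { ...entry, ...item };`, already copies every HomebrewReceipt field, including both of these, onto entry. Before this commit they overwrote the spread copies with converted values, which justified their existence; with the conversion moved into the collector they can simply be deleted. timelineHomebrew starts outside this hunk.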
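Review bot: `volume_created: string;` and `target_created: string;` in types/macos/alias.ts change the field type without saying what the string holds, and the Timesketch timeliner in this same patch now uses such a field directly as `datetime`, so the interface is the place to pin the format. Suggest `/**Volume creation time as an ISO8601 string (converted from the HFS+ date) */` above volume_created and the equivalent above target_created. The same gap exists for the string-typed timestamp fields in types/macos/homebrew.ts, types/macos/sqlite/quarantine.ts and types/macos/sqlite/tcc.ts, and in types/macos/sqlite/munki.ts the edited comment `/**Last time of the event */` dropped the unit without replacing it — `/**Last time of the event as an ISO8601 string (converted from UNIXEPOCH seconds) */` keeps what the old comment said.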
@@ -10,8 +10,8 @@ export interface MunkiApplicationUsage {
 app_version: string;
 /**Path the application */
 app_path: string;
- /**Last time of the event in UNIXEPOCH seconds */
- last_time: number;
+ /**Last time of the event */
+ last_time: string;
 /**Number of times of the event */
 number_times: number;
 }
diff --git a/types/macos/sqlite/quarantine.ts b/types/macos/sqlite/quarantine.ts
index 0ac35c09..b2bfdad2 100644
--- a/types/macos/sqlite/quarantine.ts
+++ b/types/macos/sqlite/quarantine.ts
@@ -4,7 +4,7 @@ export interface MacosQuarantine {
 }
 export interface QuarantineEvent {
 id: string;
- timestamp: number;
+ timestamp: string;
 bundle_id?: string;
 agent_name: string;
 url_string?: string;
diff --git a/types/macos/sqlite/tcc.ts b/types/macos/sqlite/tcc.ts
index 063cdb5c..8a040f3e 100644
--- a/types/macos/sqlite/tcc.ts
+++ b/types/macos/sqlite/tcc.ts
@@ -18,11 +18,11 @@ export interface TccData {
 indirect_object_identifier: string;
 indirect_object_code_identity: SingleRequirement | undefined;
 flags: number | undefined;
- last_modified: number;
+ last_modified: string;
 pid: number | undefined;
 pid_version: number | undefined;
 boot_uuid: string;
- last_reminded: number;
+ last_reminded: string;
 }
 
 export enum Reason {