Development build. Please be cautious using it on real cases.
Framework for Logs, Events, And Plists Parser (LEAPP)
This framework is a complete rewrite of the excellent tool iLEAPP. Details of iLEAPP can be found in this blog post.
xLEAPP is the framework created to merge several tools together. More information about the rewrite is given in my talk (YouTube) at Black Hills Info Security's Wild West Hackin' Fest (WWHF): Deadwood in 2021.
- Provides a centralized and modular framework
- Provides a simplified way to write plugins (artifacts) for each different supported platform.
- Parses iOS, macOS, Android, Chromebook, warrant return, and Windows artifacts, depending on the plugins installed.
This project requires you to have Python >= 3.9
Notice: Extensions have been merged into a single repo. Please ensure you are using a version later than v0.2.1.
Here is a list of plugins that need to be completed. Plugin packages suffixed with "non-free" use licenses that may not conform with the MIT license and are separated out.
Windows (PowerShell, using the `py` launcher):

- Python

```powershell
PS> py -3 -m pip install xleapp
PS> py -3 -m pip install xleapp-<plugin>
```

- PIPX

```powershell
PS> py -3 -m pip install pipx
PS> pipx install xleapp
PS> pipx inject xleapp xleapp-<plugin>
```

Linux / macOS (shell):

- Python

```shell
$ python3 -m pip install xleapp
$ python3 -m pip install xleapp-<plugin>
```

- PIPX

```shell
$ python3 -m pip install pipx
$ pipx install xleapp
$ pipx inject xleapp xleapp-<plugin>
```
There are several configuration files that I have been using for VS Code.
NOTE: This may not work at this time with this alpha version.
To compile to an executable so you can run this on a system without Python installed:

To create xleapp.exe, run:

```shell
pyinstaller --onefile xleapp.spec
```

To create xleappGUI.exe, run:

```shell
pyinstaller --onefile --noconsole xleappGUI.spec
```
```console
$ xleapp -h
usage: xleapp [-h] [-I] [-R] [-A] [-C] [-V] [-o OUTPUT_FOLDER] [-i INPUT_PATH]
              [--artifacts [ARTIFACTS ...]] [-p] [-l] [--gui] [--version]

xLEAPP: Logs, Events, and Plists Parser.

optional arguments:
  -h, --help            show this help message and exit
  -I                    parse ios artifacts
  -R                    parse Warrant Returns / User Generated Archives artifacts
  -A                    parse android artifacts
  -C                    parse Chromebook artifacts
  -V                    parse vehicle artifacts
  -o OUTPUT_FOLDER, --output_folder OUTPUT_FOLDER
                        Output folder path
  -i INPUT_PATH, --input_path INPUT_PATH
                        Path to input file/folder
  --artifact [ARTIFACT ...]
                        Filtered list of artifacts to run. Allowed: core, <check artifact list in
                        documentation>
  -p, --artifact_paths  Text file list of artifact paths
  -l, --artifact_table  Text file with table of artifacts
  --gui                 Runs xLEAPP into graphical mode
  --version             show program's version number and exit
```
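On a real case the command line above is only half of what an examiner needs to record: the run should also prove that the parser did not modify the source extraction. The following wrapper is an added example, not code from the xLEAPP project. It assumes only what the help text shows (the platform flags `-I`/`-A`/`-C`/`-R`/`-V`, `-i` for the input path, `-o` for the output folder and `--artifact` for a filtered artifact list) and that `xleapp` is on `PATH`; the function names and the `xleapp_run_record.json` file are this example's own. It hashes the input before and after the run and writes a JSON record of the exact argv, exit code and hash comparison next to the xLEAPP output.

```python
"""Integrity-logging wrapper for the xleapp CLI.

Added example, not part of xLEAPP. Assumes the flags shown in `xleapp -h`
(-I/-A/-C/-R/-V, -i, -o, --artifact) and that xleapp is on PATH. The function
names and the run-record file name are this example's own choices.
"""
from __future__ import annotations

import hashlib
import json
import subprocess
import time
from pathlib import Path

# Platform selector -> flag, taken from the usage text above.
PLATFORM_FLAGS = {
    "ios": "-I",
    "android": "-A",
    "chromebook": "-C",
    "warrant_returns": "-R",
    "vehicle": "-V",
}


def sha256_tree(path: Path) -> dict[str, str]:
    """SHA-256 of one file, or of every regular file under a folder.

    Keys are paths relative to ``path`` ("." for a single file), so two results
    can be compared without caring where the evidence is mounted.
    """
    files = [path] if path.is_file() else sorted(p for p in path.rglob("*") if p.is_file())
    digests: dict[str, str] = {}
    for f in files:
        h = hashlib.sha256()
        with f.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream, extractions are large
                h.update(chunk)
        digests["." if f == path else f.relative_to(path).as_posix()] = h.hexdigest()
    return digests


def build_command(platform: str, input_path: Path, output_dir: Path,
                  artifacts: list[str] | None = None) -> list[str]:
    """Assemble the xleapp argv; an unknown platform raises KeyError on purpose."""
    cmd = ["xleapp", PLATFORM_FLAGS[platform], "-i", str(input_path), "-o", str(output_dir)]
    if artifacts:
        # The help text documents this option as --artifact; argparse also accepts
        # it as an unambiguous prefix should the real option be spelled --artifacts.
        cmd += ["--artifact", *artifacts]
    return cmd


def run_with_integrity_check(platform: str, input_path: str | Path, output_dir: str | Path,
                             artifacts: list[str] | None = None) -> dict:
    """Hash the evidence, run xleapp, re-hash, and write a JSON run record.

    The record answers the two questions a reviewer asks of a parser run on a
    real case: what exactly was executed, and did it leave the source untouched.
    """
    input_path, output_dir = Path(input_path), Path(output_dir)
    output_dir.mkdir(parents=True, exist_ok=True)
    cmd = build_command(platform, input_path, output_dir, artifacts)

    before = sha256_tree(input_path)
    started = time.time()
    proc = subprocess.run(cmd, capture_output=True, text=True)  # non-zero exit is recorded, not raised
    after = sha256_tree(input_path)

    record = {
        "command": cmd,
        "started_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(started)),
        "duration_s": round(time.time() - started, 2),
        "return_code": proc.returncode,
        "input_sha256_before": before,
        "input_unchanged": before == after,  # False means something wrote into the evidence
        "stderr_tail": proc.stderr[-2000:],
    }
    (output_dir / "xleapp_run_record.json").write_text(json.dumps(record, indent=2))
    return record


if __name__ == "__main__":
    import sys
    # Usage: python wrapper.py ios /evidence/extraction.zip /cases/001/out [artifact ...]
    rec = run_with_integrity_check(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4:] or None)
    print(json.dumps({k: v for k, v in rec.items() if k != "input_sha256_before"}, indent=2))
    sys.exit(0 if rec["return_code"] == 0 and rec["input_unchanged"] else 1)
```

The wrapper exits non-zero if either xLEAPP failed or the before/after hashes differ, so it can sit in a case-processing script without silently accepting a run that touched the evidence. Hashing a large extraction twice costs time; if the input is mounted read-only that second pass is cheap insurance, not a substitute for the read-only mount.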
This needs work and may not work properly!

```shell
$ xleapp --gui
$ xleapp.py --help
```

The GUI will open in another window.
This tool is the result of a collaborative effort of many people in the DFIR community.
This product includes software developed by Sarah Edwards (Station X Labs, LLC, @iamevltwin, mac4n6.com) and other contributors as part of APOLLO (Apple Pattern of Life Lazy Output'er).