log2timeline/plaso

Create parser and parser plugins for Apple Biome files (aka: SEBG files)


Describe the problem:

On macOS and iOS devices, some of the artifacts that could be found in the KnowledgeC database have migrated under the biome folders (/private/var/db/biome and /private/var/mobile/Library/Biome). iLEAP supports those files and I'd like to bring support for these files in Plaso. The format consists of protobufs stored in a binary file.

A Python parser is already [available](https://github.com/cclgroupltd/ccl-segb) but not as a module that can be installed. I'm not sure what would be the best way to integrate that code into plaso. Also it uses the MIT licence. I don't know if this is ok.

MIT license is fine, also see https://github.com/log2timeline/l2tdocs/blob/main/process/Dependencies.md

However, it needs to be an installable Python module, otherwise we cannot use it as a dependency. If the format is straightforward it can likely be easily re-implemented.

Given the size of the Python code, it likely can be easily implemented with dtFabric (famous last words). If you have test files that can be shared (that are not someone else's copyright) that would be a good start.

I got samples from Magnet's CTF

What's the license/copyright of those? Likely can't use them as CI test files.

Right. I'll generate some with a test device.

I'll get started using dtFabric. Thanks for the input.

protobufs use varints, which might be more tricky with dtFabric, but this might give you some inspiration: https://github.com/libyal/dtformats/blob/main/dtformats/leveldb.py

Could I use dtFabric to get the protobufs and then use [this](https://pypi.org/project/bbpb/) to parse the protobufs themselves?
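The varint and protobuf handling discussed above, as an added example that is not part of this thread, of plaso, or of ccl-segb: a schema-less walk over protobuf wire format (varints, fixed-width and length-delimited fields) with bounds checks, run over a constructed message. It assumes the SEGB container has already been split into individual protobuf blobs (the dtFabric part), which it does not implement.

```python
import struct

WIRE_VARINT, WIRE_FIXED64, WIRE_LEN, WIRE_FIXED32 = 0, 1, 2, 5  # tag = field << 3 | type
FIXED = {WIRE_FIXED64: ("<Q", 8), WIRE_FIXED32: ("<I", 4)}  # little-endian fixed widths

def read_varint(data: bytes, offset: int) -> tuple[int, int]:
    """Decode one base-128 varint at offset; return (value, next_offset)."""
    value = shift = 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated varint")
        byte, offset = data[offset], offset + 1
        value |= (byte & 0x7F) << shift  # low 7 bits, least significant group first
        shift += 7
        if not byte & 0x80:  # continuation bit clear: this was the last byte
            return value, offset
        if shift >= 70:  # a valid varint is at most 10 bytes long
            raise ValueError("varint too long")

def decode_fields(data: bytes) -> list[tuple[int, int, object]]:
    """Walk raw protobuf wire format without a schema; return (field, wire_type, value).
    Length-delimited values are returned as bytes: whether they hold a string,
    a nested message or a packed repeated field is only known from the schema."""
    fields, offset = [], 0
    while offset < len(data):
        tag, offset = read_varint(data, offset)
        field_number, wire_type = tag >> 3, tag & 0x7
        if wire_type == WIRE_VARINT:
            value, offset = read_varint(data, offset)
        elif wire_type in FIXED:
            fmt, size = FIXED[wire_type]
            if offset + size > len(data):
                raise ValueError("truncated fixed-width field")
            value, offset = struct.unpack_from(fmt, data, offset)[0], offset + size
        elif wire_type == WIRE_LEN:
            length, offset = read_varint(data, offset)
            if offset + length > len(data):
                raise ValueError("length-delimited field runs past end of data")
            value, offset = data[offset:offset + length], offset + length
        else:  # wire types 3/4 are deprecated groups, 6/7 are invalid
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_number, wire_type, value))
    return fields

# Constructed sample, not a real SEGB record: field 1 varint 300, field 2
# bytes "biome", field 3 fixed64 1, field 4 fixed32 0xDEADBEEF.
SAMPLE = bytes.fromhex("08ac02" "120562696f6d65" "190100000000000000" "25efbeadde")
```

A schema-aware library such as bbpb is still needed to name the fields; this walk only shows what is physically in the blob and fails closed on truncated or malformed input.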