From 69ce46a703cdf847c37b08e1485a6598b9bc7c5b Mon Sep 17 00:00:00 2001 From: "Ajik D. Jongos" Date: Sat, 13 Dec 2025 22:16:44 +0700 Subject: [PATCH 1/3] feat: fix column query siminfo.py --- scripts/artifacts/siminfo.py | 95 ++++++++++++++++++++++-------------- 1 file changed, 58 insertions(+), 37 deletions(-) mode change 100755 => 100644 scripts/artifacts/siminfo.py diff --git a/scripts/artifacts/siminfo.py b/scripts/artifacts/siminfo.py old mode 100755 new mode 100644 index b5f86a3f..2670cfc5 --- a/scripts/artifacts/siminfo.py +++ b/scripts/artifacts/siminfo.py @@ -32,34 +32,49 @@ def process_siminfo(folder, uid, report_folder): #Query to create report try: - cursor.execute(''' - SELECT - number, - imsi, - display_name, - carrier_name, - iso_country_code, - carrier_id, - icc_id - FROM - siminfo - ''') + # Find columns that available + columns_info = cursor.fetchall() + available_columns = [col[1] for col in columns_info] except: - cursor.execute(''' + # If siminfo table don't exist + logfunc(f'Error getting table schema for SIM_info_{uid}') + db.close() + return + + #Helper function + def get_col(col_name): + return col_name if col_name in available_columns else "''" + + id_col = "''" + if 'imsi' in available_columns: id_col = 'imsi' + elif 'card_id' in available_columns: id_col = 'card_id' + elif 'sim_id' in available_columns: id_col = 'sim_id' + + iso_col = "''" + if 'iso_country_code' in available_columns: iso_column = 'iso_country_code' + elif 'country_iso' in available_columns: iso_column = 'country_iso' + + icc_col = get_col('icc_id') + + query = f''' SELECT - number, - card_id, - display_name, - carrier_name, - carrier_name, - carrier_name, - icc_id - FROM - siminfo - ''') - - all_rows = cursor.fetchall() - usageentries = len(all_rows) + {get_col('number')}, + {id_col} as sim_identifier, + {get_col('display_name')}, + {get_col('carrier_name')}, + {iso_col} as country_iso, + {get_col('carrier_id')}, + {icc_col} + FROM siminfo + ''' + + try: + cursor.execute(query) + all_rows = cursor.fetchall() + usageentries = len(all_rows) + except Exception as e: + logfunc(f'Error executing query for SIM_info_{uid}: {str(e)}') + usageentries = 0 if usageentries > 0: report = ArtifactHtmlReport('Device Info') report.start_artifact_report(report_folder, f'SIM_info_{uid}') @@ -68,17 +83,21 @@ def process_siminfo(folder, uid, report_folder): data_list = [] for row in all_rows: - if row[3] == row[4]: - row1 = '' - row4 = '' - row5 = '' - else: - row1 = row[1] - row4 = row[4] - row5 = row[5] - data_list.append((row[0], row1, row[2], row[3], row4, row5, row[6])) - logdevinfo(f"SIM Number & IMSI: {row[0]} - {row1}") - logdevinfo(f"SIM Display Name: {row[2]}") + # Collect data directly + number = str(row[0]) if row[0] is not None else '' + identifier = str(row[1]) if row[1] is not None else '' + display_name = str(row[2]) if row[2] is not None else '' + carrier = str(row[3]) if row[3] is not None else '' + iso = str(row[4]) if row[4] is not None else '' + carrier_id = str(row[5]) if row[5] is not None else '' + icc_id = str(row[6]) if row[6] is not None else '' + + data_list.append((number, identifier, display_name, carrier, iso, carrier_id, icc_id)) + + logdevinfo(f"SIM Number: {number}") + logdevinfo(f"SIM ID (IMSI/CardID): {identifier}") + logdevinfo(f"SIM Carrier: {carrier}") + report.write_artifact_data_table(data_headers, data_list, folder) report.end_artifact_report() @@ -87,6 +106,8 @@ def process_siminfo(folder, uid, report_folder): else: logfunc(f'No SIM_Info{uid} data available') db.close() + + __artifacts__ = { "siminfo": ( From ff7396b1bfa34b78742be320d6e0ed6f8b1791e9 Mon Sep 17 00:00:00 2001 From: "Ajik D. Jongos" Date: Sat, 13 Dec 2025 23:05:07 +0700 Subject: [PATCH 2/3] feat: add fix for static query FacebookMessenger.py --- scripts/artifacts/FacebookMessenger.py | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) mode change 100755 => 100644 scripts/artifacts/FacebookMessenger.py diff --git a/scripts/artifacts/FacebookMessenger.py b/scripts/artifacts/FacebookMessenger.py old mode 100755 new mode 100644 index b1b22c58..6ecad775 --- a/scripts/artifacts/FacebookMessenger.py +++ b/scripts/artifacts/FacebookMessenger.py @@ -168,13 +168,7 @@ def get_FacebookMessenger(files_found, report_folder, seeker, wrap_text): when 0 then "" when 1 then "Yes" end as "Messenger User", - case friendship_status - when 0 then "N/A (Self)" - when 1 then "Friends" - when 2 then "Friend Request Received" - when 3 then "Friend Request Sent" - when 4 then "Not Friends" - end as "Friendship Status", + '' as "Friendship Status", substr(datetime(birthday_timestamp,'unixepoch'),6,5) as "Birthdate (MM-DD)" from contacts ''') @@ -224,7 +218,7 @@ def get_FacebookMessenger(files_found, report_folder, seeker, wrap_text): (select json_extract (messages.shares, '$[0].description')) as ShareDesc, (select json_extract (messages.shares, '$[0].href')) as ShareLink, message_reactions.reaction as "Message Reaction", - datetime(message_reactions.reaction_timestamp/1000,'unixepoch') as "Message Reaction Timestamp", + '' as "Message Reaction Timestamp", messages.msg_id from messages, threads left join message_reactions on message_reactions.msg_id = messages.msg_id @@ -248,7 +242,7 @@ def get_FacebookMessenger(files_found, report_folder, seeker, wrap_text): (select json_extract (messages.shares, '$[0].description')) as ShareDesc, (select json_extract (messages.shares, '$[0].href')) as ShareLink, message_reactions.reaction as "Message Reaction", - datetime(message_reactions.reaction_timestamp/1000,'unixepoch') as "Message Reaction Timestamp", + '' as "Message Reaction Timestamp", messages.msg_id from messages, threads left join message_reactions on message_reactions.msg_id = messages.msg_id @@ -338,8 +332,8 @@ def get_FacebookMessenger(files_found, report_folder, seeker, wrap_text): when 0 then 'No' when 1 then 'Yes' end is_friend, - friendship_status, - contact_relationship_status + '' as friendship_status, + '' contact_relationship_status from thread_users ''') From 0a2e0f10fe65c0902af645a1bfe782cbf423514b Mon Sep 17 00:00:00 2001 From: "Ajik D. Jongos" Date: Sat, 13 Dec 2025 23:08:14 +0700 Subject: [PATCH 3/3] feat: add fix for static query googleMessages --- scripts/artifacts/googleMessages.py | 36 ++++++++++++++++++++++++----- 1 file changed, 30 insertions(+), 6 deletions(-) mode change 100755 => 100644 scripts/artifacts/googleMessages.py diff --git a/scripts/artifacts/googleMessages.py b/scripts/artifacts/googleMessages.py old mode 100755 new mode 100644 index 38c9eb04..bec999ac --- a/scripts/artifacts/googleMessages.py +++ b/scripts/artifacts/googleMessages.py @@ -11,6 +11,7 @@ from scripts.artifact_report import ArtifactHtmlReport from scripts.ilapfuncs import logfunc, tsv, timeline, is_platform_windows, open_sqlite_db_readonly + def get_googleMessages(files_found, report_folder, seeker, wrap_text): for file_found in files_found: @@ -18,20 +19,43 @@ def get_googleMessages(files_found, report_folder, seeker, wrap_text): if not file_found.endswith('bugle_db'): continue # Skip all other files + # Helper function + def table_col_info(cursor, table): + cursor.execute(f"PRAGMA table_info({table});") + return {row[1] for row in cursor.fetchall()} + db = open_sqlite_db_readonly(file_found) cursor = db.cursor() - cursor.execute(''' + cols = table_col_info(cursor, "parts") + + if "file_size_bytes" in cols: + size_expr = """ + CASE + WHEN parts.file_size_bytes = -1 THEN 'N/A' + ELSE parts.file_size_bytes + END + """ + elif "size" in cols: + size_expr = "parts.size" + else: + size_expr = "''" + + if "local_cache_path" in cols: + location_expr = "parts.local_cache_path" + elif "content_uri" in cols: + location_expr = "parts.content_uri" + else: + location_expr = "''" + + cursor.execute(f''' SELECT datetime(parts.timestamp/1000,'unixepoch') AS "Timestamp (UTC)", parts.content_type AS "Message Type", conversations.name AS "Other Participant/Conversation Name", participants.display_destination AS "Message Sender", parts.text AS "Message", - CASE - WHEN parts.file_size_bytes=-1 THEN "N/A" - ELSE parts.file_size_bytes - END AS "Attachment Byte Size", - parts.local_cache_path AS "Attachment Location" + {size_expr} AS "Attachment Byte Size", + {location_expr} AS "Attachment Location" FROM parts JOIN messages ON messages._id=parts.message_id