abrignoni / iLEAPP

iOS Logs, Events, And Plist Parser
MIT License

iTunesBackupInfo Module Search Pattern #600

Open JamesHabben opened 10 months ago

JamesHabben commented 10 months ago

the iTunesBackupInfo module uses a very broad file pattern search of "paths": ('*Info.plist',), and it causes almost 9,000 files (around half of the files written out) to be written from josh's ios15 image. this is a pretty big time sink when running with this module. are there any adjustments we can make to that search pattern to limit this impact? wouldn't the itunes backup info.plist files be near the root on an itunes backup source? and are they in a more known location on a FFS dump?

JamesHabben commented 10 months ago

looks like the plist from josh's image has this path: iOS_15_Public_Image\filesystem1\Applications\AAUIViewService.app\Info.plist

Johann-PLW commented 10 months ago

But the Info.plist file is stored in the root of an iTunes Backup folder and is not part of Manifest.db.

The iTunesBackupInfo module is the first one which must be executed with an iTunes Backup extraction type to get the iOS version. And this module is executed again later, as it is stored in the scripts/artifacts folder and is automatically added to the list of artifacts to parse, both in CLI and GUI. The pattern search matches too many files, and in the end the one that is parsed is not the correct one.

I updated ileapp.py and ileappGUI.py to avoid this behavior (PR #606). The iTunesBackupInfo module is always executed first but is not executed again nor added to the artifact list in the GUI.

JamesHabben commented 10 months ago

nice catch, @Johann-PLW. i didn't notice as much of a slowdown when running against itunes backups, but this will certainly help to speed it up. love the app icon add too. is there any other info about that app icon that would deserve building out a dynamic type handler for it to allow a popover displaying more details? (see https://github.com/abrignoni/iLEAPP/issues/587)

we still have an issue with the full file system dumps though, and that's where i noticed a significant slowdown against josh's public image. we need to determine if the backup info.plist is in a consistent path so we can adjust that file search pattern. 9,000 files is way too many.

Johann-PLW commented 10 months ago

@JamesHabben, the app icon is embedded in base64 in the Info.plist file. The content of the 'PlaceholderIcon' key is just the binary content of a png picture. There is no additional info related to this icon.

Regarding the issue related to the info.plist backup file: I used Josh's public FFS image and selected all modules. Before updating ileapp.py and ileappGUI.py, I had 8596 hits against "/info.plist" in the ProcessedFilesLog.html file and the iTunesBackupInfo module was executed. With the updated versions of ileapp.py and ileappGUI.py pushed this afternoon, I only have 3 hits against "/info.plist" in the ProcessedFilesLog.html file and the iTunesBackupInfo module was not executed anymore, both in CLI and GUI. Let me know if I did something wrong.

Not related to this issue, I would also like to discuss with you if we can find a solution for big HTML files. I have developed some artifacts for Health App and stopped as with my own dataset, for Heart Rate, I have more than 1 million records. The HTML file generated is about 240 MB and the web browser is freezing. Maybe an issue to open :-)

JamesHabben commented 10 months ago

@Johann-PLW oh that's awesome then! I haven't had a chance to test your change and made a bad assumption. Sorry for that.

For the health data, probably makes sense to start a new issue and we can discuss options.
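
An added illustration of the pattern problem discussed in this thread (not part of the issue and not iLEAPP's own code): it assumes fnmatch-style matching on full paths, where `*` also crosses directory separators, and compares the broad `*Info.plist` pattern with a lookup limited to the root of the source. The function names, the sample trees and the plist values are constructed for the example.

```python
import fnmatch
import os
import plistlib
import tempfile

BROAD_PATTERN = "*Info.plist"  # pattern quoted in the issue


def broad_matches(root):
    """All files under root whose full path matches the broad pattern.
    fnmatch's '*' also matches path separators, so depth does not limit it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if fnmatch.fnmatch(path, BROAD_PATTERN):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def root_backup_info(root):
    """Parse Info.plist only when it sits at the root of the source; else None."""
    path = os.path.join(root, "Info.plist")
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def build_sample(base):
    """Constructed sample trees: an iTunes-backup-like folder and an FFS-like dump."""
    backup = os.path.join(base, "backup")
    ffs = os.path.join(base, "ffs")
    os.makedirs(backup)
    with open(os.path.join(backup, "Info.plist"), "wb") as fh:
        plistlib.dump({"Product Version": "15.0"}, fh)  # constructed value
    for app in ("AAUIViewService.app", "Example1.app", "Example2.app"):
        bundle = os.path.join(ffs, "Applications", app)
        os.makedirs(bundle)
        with open(os.path.join(bundle, "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundleName": app[:-4]}, fh)
    return backup, ffs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        backup, ffs = build_sample(tmp)
        print("broad pattern on FFS:", broad_matches(ffs))
        print("root lookup on FFS:", root_backup_info(ffs))
        print("root lookup on backup:", root_backup_info(backup))
```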