log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

Create parser and parser plugins for Apple Biome files (aka: SEBG files) #4812

Open rick-slin opened 4 months ago

rick-slin commented 4 months ago

Describe the problem:

On macOS and iOS devices, some of the artifacts that could be found in the KnowledgeC database have migrated under the biome folders (/private/var/db/biome and /private/var/mobile/Library/Biome). iLEAPP supports those files and I'd like to bring support for these files in Plaso. The format consists of protobufs stored in a binary file.

rick-slin commented 4 months ago

A Python parser is already [available](https://github.com/cclgroupltd/ccl-segb) but not as a module that can be installed. I'm not sure what would be the best way to integrate that code into plaso. Also it uses the MIT licence. I don't know if this is ok.

joachimmetz commented 4 months ago

MIT license is fine, also see https://github.com/log2timeline/l2tdocs/blob/main/process/Dependencies.md

However, it needs to be an installable Python module, otherwise we cannot use it as a dependency. If the format is straightforward it can likely be easily re-implemented.

joachimmetz commented 4 months ago

Given the size of the Python code it likely can be easily implemented with dtFabric (famous last words). If you have test files that can be shared (are not someone else's copyright), that would be a good start.

rick-slin commented 4 months ago

I got samples from Magnet's CTF

joachimmetz commented 4 months ago

What's the license/copyright of those? Likely can't use them as CI test files.

rick-slin commented 4 months ago

Right. I'll generate some with a test device.

rick-slin commented 4 months ago

I'll get started using dtFabric. Thanks for the input.

joachimmetz commented 4 months ago

protobufs use varints, which might be more tricky with dtFabric, but this might give you some inspiration: https://github.com/libyal/dtformats/blob/main/dtformats/leveldb.py

rick-slin commented 4 months ago

Could I use dtFabric to get the protobufs and then use [this](https://pypi.org/project/bbpb/) to parse the protobufs themselves?

joachimmetz commented 4 months ago

or https://pypi.org/project/protobuf/
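The two points the thread turns on, varint handling (joachimmetz's comment above) and the split between pulling a protobuf blob out of the container and then walking the protobuf itself (rick-slin's question), as an added stdlib-only Python example. This is not plaso, dtFabric or ccl-segb code and it does not use the protobuf package; the field numbers, the sample message and the `ProtobufDecodeError` name are constructed here and are not the real Biome/SEGB schema. The decoder is schema-less: it walks the wire format (tag varint, then a payload whose shape is fixed by the wire type), which is all a parser needs to do before it knows which field means what.

```python
"""Schema-less protobuf wire-format walker (added example, not plaso or ccl-segb code)."""
import struct

# Wire types from the protobuf encoding specification.
WIRE_VARINT = 0
WIRE_FIXED64 = 1
WIRE_LENGTH_DELIMITED = 2
WIRE_FIXED32 = 5


class ProtobufDecodeError(ValueError):
    """Raised on truncated or malformed input (name is an assumption of this example)."""


def read_varint(data, offset):
    """Decode a base-128 varint starting at offset; return (value, new_offset).

    Each byte carries 7 payload bits, least significant group first; the high
    bit is a continuation flag. Bounds are checked so a truncated buffer raises
    instead of reading past the end, and a run of continuation bytes longer than
    the 10 bytes a 64-bit value needs is rejected.
    """
    result = 0
    shift = 0
    while True:
        if offset >= len(data):
            raise ProtobufDecodeError('truncated varint at offset %d' % offset)
        byte = data[offset]
        offset += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, offset
        shift += 7
        if shift > 63:
            raise ProtobufDecodeError('varint longer than 10 bytes')


def decode_fields(data):
    """Walk every top-level field of a protobuf message.

    Returns a list of (field_number, wire_type, value). Length-delimited values
    are returned as raw bytes: they may be UTF-8 strings, packed repeated
    fields or nested messages, and only a schema can say which, so the caller
    decides (e.g. by calling decode_fields again on the bytes).
    """
    fields = []
    offset = 0
    while offset < len(data):
        tag, offset = read_varint(data, offset)
        field_number = tag >> 3
        wire_type = tag & 0x07
        if field_number == 0:
            raise ProtobufDecodeError('field number 0 is invalid')
        if wire_type == WIRE_VARINT:
            value, offset = read_varint(data, offset)
        elif wire_type == WIRE_FIXED64:
            if offset + 8 > len(data):
                raise ProtobufDecodeError('truncated fixed64 field')
            value = struct.unpack_from('<Q', data, offset)[0]
            offset += 8
        elif wire_type == WIRE_LENGTH_DELIMITED:
            length, offset = read_varint(data, offset)
            if offset + length > len(data):
                raise ProtobufDecodeError('length-delimited field runs past end of buffer')
            value = bytes(data[offset:offset + length])
            offset += length
        elif wire_type == WIRE_FIXED32:
            if offset + 4 > len(data):
                raise ProtobufDecodeError('truncated fixed32 field')
            value = struct.unpack_from('<I', data, offset)[0]
            offset += 4
        else:
            # Wire types 3 and 4 (deprecated groups) are not handled here.
            raise ProtobufDecodeError('unsupported wire type %d' % wire_type)
        fields.append((field_number, wire_type, value))
    return fields


# --- Encoder helpers, used only to build the constructed sample below. ---

def encode_varint(value):
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def encode_field(field_number, wire_type, payload):
    return encode_varint((field_number << 3) | wire_type) + payload


# Constructed sample message with a hypothetical layout (NOT the Biome/SEGB schema):
# field 1: varint timestamp, field 2: UTF-8 string, field 4: nested message, field 3: fixed64.
SAMPLE_NESTED = encode_field(1, WIRE_VARINT, encode_varint(7))
SAMPLE_MESSAGE = (
    encode_field(1, WIRE_VARINT, encode_varint(1700000000))
    + encode_field(2, WIRE_LENGTH_DELIMITED, encode_varint(len(b'com.apple.example')) + b'com.apple.example')
    + encode_field(4, WIRE_LENGTH_DELIMITED, encode_varint(len(SAMPLE_NESTED)) + SAMPLE_NESTED)
    + encode_field(3, WIRE_FIXED64, struct.pack('<Q', 0x1122334455667788))
)

if __name__ == '__main__':
    for number, wire_type, value in decode_fields(SAMPLE_MESSAGE):
        print(number, wire_type, value)
```

The container-level work (finding where each protobuf blob starts and how long it is) is what a dtFabric definition would cover; once a blob's bytes are in hand, `decode_fields` gives the field list without a `.proto`, and mapping field numbers to meanings is then a matter of comparing against known-good device output.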