sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

SAXParseException processing WAAccount XML #2294

Open aberenguel opened 4 weeks ago

aberenguel commented 4 weeks ago

Using the master branch to process a UFDR file generated by PA 10.3:

bytes)      org.apache.tika.exception.TikaException: Failed to detect the character encoding of a document
[Fatal Error] :1:1: Content is not allowed in prolog.
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog.
    at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
    at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
    at java.xml/javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:122)
    at iped.parsers.whatsapp.WAAccount.getFromAndroidXml(WAAccount.java:37)
    at iped.parsers.whatsapp.WhatsAppParser.parseWhatsAppAccount(WhatsAppParser.java:795)
    at iped.parsers.whatsapp.WhatsAppParser.parse(WhatsAppParser.java:252)
    at org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:298)
    at iped.parsers.standard.StandardParser.parse(StandardParser.java:245)
    at iped.engine.io.ParsingReader$BackgroundParsing.run(ParsingReader.java:247)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)

aberenguel commented 4 weeks ago

Another exception in log file:

org.xml.sax.SAXParseException; Premature end of file.
    at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
    at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
    at java.xml/javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:122)
    at iped.parsers.whatsapp.WAAccount.getFromAndroidXml(WAAccount.java:37)
    at iped.parsers.whatsapp.WhatsAppParser.getUserAccount(WhatsAppParser.java:831)
    at iped.parsers.whatsapp.WhatsAppParser.parseWhatsAppContacts(WhatsAppParser.java:1164)
    at iped.parsers.whatsapp.WhatsAppParser.parse(WhatsAppParser.java:260)
    at org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:298)
    at iped.parsers.standard.StandardParser.parse(StandardParser.java:245)
    at iped.engine.io.ParsingReader$BackgroundParsing.run(ParsingReader.java:247)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)

patrickdalla commented 4 weeks ago

Did this happen on the main UFDR XML read? Some weeks ago someone had similar exceptions (SAX parser) and, reviewing the XML inside the UFDR, I found that the XML was malformed (some unclosed tags at the end). I considered it a bug of PA and not of IPED. Check the XML.

lfcnassif commented 4 weeks ago

> This happened on main ufdr xml read?

From the stacktraces, seems not.

> I considered it a bug of PA and not of IPED. Check the XML

I agree.

About the first exception, if the XML is not corrupted but it is some missing support in the Java XML parser, maybe an approach similar to the iped.engine.io.UFEDXMLWrapper class could be used...

aberenguel commented 3 weeks ago

I've checked: the file com.whatsapp_preferences_light.xml seems to be corrupted (or encrypted).

Btw, I checked how PA got user information about the WhatsApp user account. The result was: [image]

It gets the phone number from the /data/data/com.whatsapp/shared_prefs/registration.RegisterPhone.xml file:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="com.whatsapp.registration.RegisterPhone.country_code_position" value="-1" />
    <int name="com.whatsapp.registration.RegisterPhone.phone_number_position" value="11" />
    <string name="com.whatsapp.registration.RegisterPhone.input_country_code">55</string>
    <string name="com.whatsapp.registration.RegisterPhone.country_code">55</string>
    <string name="com.whatsapp.registration.RegisterPhone.phone_number">XXXXXXXXXX</string>
    <int name="com.whatsapp.registration.RegisterPhone.verification_state" value="0" />
    <string name="com.whatsapp.registration.RegisterPhone.input_phone_number">XX XXXXX-XXXX</string>
</map>

Other information values are in the /data/data/com.whatsapp/databases/wa.db database, table wa_contacts.
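
A defensive way to read a shared-preferences file like the one quoted above, as an added example that is not IPED's code and not part of the thread: the names `SharedPrefsReader`, `read` and `looksLikeXml` are hypothetical and all sample inputs are constructed. It rejects empty or non-XML bytes before parsing, refuses DOCTYPE declarations because evidence files are untrusted input, and turns a truncated document into an empty result instead of a stack trace.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.*;
import org.w3c.dom.*;

// Hypothetical helper, not IPED code: tolerant reader for Android shared_prefs XML.
public class SharedPrefsReader {
    static final String PREFIX = "com.whatsapp.registration.RegisterPhone.";

    // Cheap pre-check: skip a UTF-8 BOM and whitespace, then require '<'.
    // Empty input is what the parser reports as "Premature end of file";
    // binary or encrypted input as "Content is not allowed in prolog".
    static boolean looksLikeXml(byte[] b) {
        int i = (b.length >= 3 && (b[0] & 0xFF) == 0xEF && (b[1] & 0xFF) == 0xBB && (b[2] & 0xFF) == 0xBF) ? 3 : 0;
        while (i < b.length && (b[i] == ' ' || b[i] == '\n' || b[i] == '\r' || b[i] == '\t')) i++;
        return i < b.length && b[i] == '<';
    }
    // Returns the name -> value map, or empty if the bytes are not well-formed XML.
    static Optional<Map<String, String>> read(byte[] data) {
        if (!looksLikeXml(data)) return Optional.empty();
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            // Evidence files are untrusted input: refuse DOCTYPE (blocks XXE).
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            DocumentBuilder db = f.newDocumentBuilder();
            // DefaultHandler rethrows fatal errors without printing "[Fatal Error]" to stderr.
            db.setErrorHandler(new org.xml.sax.helpers.DefaultHandler());
            NodeList nodes = db.parse(new ByteArrayInputStream(data)).getDocumentElement().getChildNodes();
            Map<String, String> prefs = new HashMap<>();
            for (int i = 0; i < nodes.getLength(); i++) {
                if (!(nodes.item(i) instanceof Element)) continue;
                Element el = (Element) nodes.item(i);
                // <string> carries its value as text; <int> and similar use the value attribute.
                prefs.put(el.getAttribute("name"), el.hasAttribute("value") ? el.getAttribute("value") : el.getTextContent());
            }
            return Optional.of(prefs);
        } catch (Exception ex) { return Optional.empty(); } // SAX, IO or parser-config failure
    }
    public static void main(String[] args) {
        // Constructed samples: a valid file, an empty file, binary bytes, a truncated file.
        String ok = "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n"
            + "  <string name=\"" + PREFIX + "country_code\">55</string>\n"
            + "  <string name=\"" + PREFIX + "phone_number\">XXXXXXXXXX</string>\n"
            + "  <int name=\"" + PREFIX + "verification_state\" value=\"0\" />\n</map>";
        byte[][] inputs = { ok.getBytes(StandardCharsets.UTF_8), new byte[0],
            { (byte) 0x9c, 0x01, 0x7f, 0x33 }, "<map><string".getBytes(StandardCharsets.UTF_8) };
        for (byte[] in : inputs) System.out.println(read(in)
            .map(p -> "+" + p.get(PREFIX + "country_code") + " " + p.get(PREFIX + "phone_number"))
            .orElse("not parseable as XML, skipped"));
    }
}
```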

aberenguel commented 3 weeks ago

Another exception in log file:

org.xml.sax.SAXParseException; Premature end of file.
  at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
  at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
  at java.xml/javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:122)
  at iped.parsers.whatsapp.WAAccount.getFromAndroidXml(WAAccount.java:37)
  at iped.parsers.whatsapp.WhatsAppParser.getUserAccount(WhatsAppParser.java:831)
  at iped.parsers.whatsapp.WhatsAppParser.parseWhatsAppContacts(WhatsAppParser.java:1164)
  at iped.parsers.whatsapp.WhatsAppParser.parse(WhatsAppParser.java:260)
  at org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:298)
  at iped.parsers.standard.StandardParser.parse(StandardParser.java:245)
  at iped.engine.io.ParsingReader$BackgroundParsing.run(ParsingReader.java:247)
  at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
  at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
  at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
  at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
  at java.base/java.lang.Thread.run(Thread.java:829)

The cause of this exception is related to issue #2299.