ydkhatri / mac_apt

macOS (& ios) Artifact Parsing Tool
https://swiftforensics.com
MIT License

Feature Request: Zip folder support for ios_apt #75

Open stark4n6 opened 3 years ago

stark4n6 commented 3 years ago

I have no idea how difficult it would be but would love to see it, as we see more FFS extractions.

ydkhatri commented 3 years ago

It shouldn't be too hard but need to find the time to do so. I'll put it on the list of things to do.

On Fri, Oct 1, 2021, 2:07 AM stark4n6 @.***> wrote:

I have no idea how difficult it would be but would love to see it, as we see more FFS extractions.


stark4n6 commented 3 years ago

thanks!

ydkhatri commented 3 years ago

Do you have specific samples for this that you can share? I support reading AXIOM ZIPS in mac_apt, however it won't work for just about any zip file. The reason being that unlike ileapp/aleapp or Axiom, mac_apt does not glob through the folder structure to identify files. It needs to know the structure of the image. Also zip images were not built to be forensic containers, so some part of storing forensic data in them is programmer dependent, and will be different as per the implementation. Let me give you an example. Axiom stores folders as empty entries in the zip with a trailing slash to identify it as such. Some other implementation may just skip folders altogether and just store files (which is how it's supposed to be in zips).

So I really need samples from vendor implementations to support reading zips created by different programs.
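
One way a parser can treat both zip conventions described above as the same image, added here as an example for this thread (it is not mac_apt's own code; the sample zip contents and paths are constructed):

```python
import io
import posixpath
import zipfile


def build_sample_zip(explicit_dirs: bool) -> bytes:
    """Constructed sample: the same two files stored the Axiom way
    (explicit directory entries with a trailing slash) or the
    files-only way (no directory entries at all)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if explicit_dirs:
            for d in ("private/", "private/var/", "private/var/mobile/"):
                zf.writestr(zipfile.ZipInfo(d), b"")
        zf.writestr("private/var/mobile/Library/a.plist", b"<plist/>")
        zf.writestr("private/var/mobile/b.db", b"SQLite format 3\x00")
    return buf.getvalue()


def zip_tree(data: bytes):
    """Return (dirs, files) as two sets of normalized POSIX paths.
    Directories come from explicit entries when the zip has them and
    are inferred from each file's parent chain otherwise, so both
    conventions produce the same tree for the caller."""
    dirs, files = set(), set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Normalize separators and strip a leading slash so lookups
            # are convention-independent.
            name = posixpath.normpath(info.filename.replace("\\", "/")).lstrip("/")
            if info.is_dir():
                dirs.add(name)
                continue
            files.add(name)
            parent = posixpath.dirname(name)
            while parent and parent not in dirs:
                dirs.add(parent)
                parent = posixpath.dirname(parent)
    return dirs, files


def has_explicit_dir_entries(data: bytes) -> bool:
    """True if the zip stores folders as their own entries (Axiom style)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(i.is_dir() for i in zf.infolist())


def path_exists(data: bytes, path: str) -> bool:
    """Answer 'does this image path exist?' for either convention."""
    dirs, files = zip_tree(data)
    p = path.strip("/")
    return p in dirs or p in files
```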

stark4n6 commented 3 years ago

I'll have to check but I think the main ones I had for testing were from CTFs like Cellebrite's or Magnet's or Josh Hickman's images. If you want links I can send them.