Merge pull request #956 from Johann-PLW/main

Update callHistory.py with new get_sqlite_db_records function
abrignoni · Nov 24, 2024 · 192443a · 192443a
2 parents 2f0cb8e + 10e0be6
commit 192443a
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 24 deletions.
diff --git a/scripts/artifacts/callHistory.py b/scripts/artifacts/callHistory.py
@@ -9,7 +9,8 @@
         "category": "Call History",
         "notes": "",
         "paths": ('*/CallHistory.storedata*','*/call_history.db',),
-        "output_types": "standard"
+        "output_types": "standard",
+        "artifact_icon": "phone-call"
     }
 }
 
@@ -18,20 +19,21 @@
 # The Call Ending Timestamp provides an "at-a-glance" review of call lengths during analysis and review
 # Additional details published within "Maximizing iOS Call Log Timestamps and Call Duration Effectiveness: Will You Answer the Call?" at https://sqlmcgee.wordpress.com/2022/11/30/maximizing-ios-call-log-timestamps-and-call-duration-effectiveness-will-you-answer-the-call/
 
-from scripts.ilapfuncs import artifact_processor , open_sqlite_db_readonly, convert_bytes_to_unit, convert_ts_human_to_timezone_offset
+from scripts.ilapfuncs import artifact_processor , get_sqlite_db_records, convert_bytes_to_unit, convert_cocoa_core_data_ts_to_utc
 
 @artifact_processor
 def callHistory(files_found, report_folder, seeker, wrap_text, timezone_offset):
     data_list = []
     db_file = ''
+    db_records = []
 
     #call_history.db schema taken from here https://avi.alkalay.net/2011/12/iphone-call-history.html 
     query = '''
     select
-    datetime(ZDATE+978307200,'unixepoch'),
+    ZDATE,
     CASE
-        WHEN ((datetime(ZDATE+978307200,'unixepoch')) = (datetime(((ZDATE) + (ZDURATION))+978307200,'unixepoch'))) then NULL
-        ELSE (datetime(((ZDATE) + (ZDURATION))+978307200,'unixepoch'))
+        WHEN ZDATE = (ZDATE + ZDURATION) then NULL
+        ELSE (ZDATE + ZDURATION)
     END, 
     ZSERVICE_PROVIDER,
     CASE ZCALLTYPE
@@ -98,30 +100,25 @@ def callHistory(files_found, report_folder, seeker, wrap_text, timezone_offset):
     for file_found in files_found:
         if file_found.endswith('.storedata'):
             db_file = file_found
+            db_records = get_sqlite_db_records(db_file, query)
             break
         elif file_found.endswith('.db'):
             db_file = file_found
-            query = query_old
+            db_records = get_sqlite_db_records(db_file, query_old)
             break
 
-    with open_sqlite_db_readonly(db_file) as db:
-        cursor = db.cursor()
-        cursor.execute(query)
+    for record in db_records:
+        starting_time = convert_cocoa_core_data_ts_to_utc(record[0])
+        ending_time = convert_cocoa_core_data_ts_to_utc(record[1])
 
-        all_rows = cursor.fetchall()
-
-        for row in all_rows:
-            starting_time = convert_ts_human_to_timezone_offset(row[0], timezone_offset)
-            ending_time = convert_ts_human_to_timezone_offset(row[1], timezone_offset)
+        an = str(record[5])
+        an = an.replace("b'", "")
+        an = an.replace("'", "")
 
-            an = str(row[5])
-            an = an.replace("b'", "")
-            an = an.replace("'", "")
+        facetime_data = convert_bytes_to_unit(record[8])
 
-            facetime_data = convert_bytes_to_unit(row[8])
-
-            data_list.append((starting_time, ending_time, row[2], row[3], row[4], an, row[6], 
-                                row[7], facetime_data, row[9], row[10], row[11]))
+        data_list.append((starting_time, ending_time, record[2], record[3], record[4], an, record[6], 
+                            record[7], facetime_data, record[9], record[10], record[11]))
 
     data_headers = (
         ('Starting Timestamp', 'datetime'), 

diff --git a/scripts/ilapfuncs.py b/scripts/ilapfuncs.py
@@ -169,9 +169,12 @@ def convert_ts_int_to_timezone(time, time_offset):
     return timezone_time
 
 def convert_cocoa_core_data_ts_to_utc(cocoa_core_data_ts):
-    unix_timestamp = cocoa_core_data_ts + 978307200
-    finaltime = datetime.fromtimestamp(unix_timestamp, tz=timezone.utc)
-    return(finaltime)
+    if cocoa_core_data_ts:
+        unix_timestamp = cocoa_core_data_ts + 978307200
+        finaltime = datetime.fromtimestamp(unix_timestamp, tz=timezone.utc)
+        return(finaltime)
+    else:
+        return cocoa_core_data_ts
 
 def webkit_timestampsconv(webkittime):
     unix_timestamp = webkittime + 978307200