|
1 |
| -// Script Name: msgIntel.js |
2 |
| -// MITRE ATT&CK Technique: T1005 - Data from Local System |
3 |
| -// Platform: macOS |
| 1 | +/** |
| 2 | + * Script Name: msgIntel.js |
| 3 | + * Description: Extracts message data from macOS Messages app databases |
| 4 | + * MITRE ATT&CK Technique: T1005 - Data from Local System |
| 5 | + * Platform: macOS |
| 6 | + * |
| 7 | + * Author: Daniel Acevedo |
| 8 | + * Date: 2024DEC19 |
| 9 | + * Version: 0.8.0 |
| 10 | + * License: Apache 2.0 |
| 11 | + * |
| 12 | + * Copyright 2024 Daniel Acevedo |
| 13 | + * |
| 14 | + * Licensed under the Apache License, Version 2.0 (the "License"); |
| 15 | + * you may not use this file except in compliance with the License. |
| 16 | + * You may obtain a copy of the License at |
| 17 | + * |
| 18 | + * http://www.apache.org/licenses/LICENSE-2.0 |
| 19 | + * |
| 20 | + * Unless required by applicable law or agreed to in writing, software |
| 21 | + * distributed under the License is distributed on an "AS IS" BASIS, |
| 22 | + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 23 | + * See the License for the specific language governing permissions and |
| 24 | + * limitations under the License. |
| 25 | + */ |
4 | 26 |
|
5 | 27 | (() => {
|
6 | 28 | 'use strict';
|
|
374 | 396 | m.is_delivered,
|
375 | 397 | m.is_read,
|
376 | 398 | m.is_sent,
|
377 |
| - m.is_empty, |
378 |
| - m.is_delayed, |
379 |
| - m.is_auto_reply, |
380 |
| - m.is_prepared, |
381 |
| - m.is_finished, |
382 | 399 | m.is_spam,
|
383 |
| - m.is_kt_verified |
| 400 | + m.is_kt_verified, |
| 401 | + m.service, |
| 402 | + m.version |
384 | 403 | FROM attachment a
|
385 | 404 | LEFT JOIN message_attachment_join maj ON a.ROWID = maj.attachment_id
|
386 | 405 | LEFT JOIN message m ON maj.message_id = m.ROWID
|
|
414 | 433 | attachment: {
|
415 | 434 | guid: att.guid,
|
416 | 435 | created_date: MsgIntelUtils.convertAppleDate(att.created_date),
|
417 |
| - metadata: { |
| 436 | + file_metadata: { |
418 | 437 | filename: att.filename,
|
419 | 438 | mime_type: att.mime_type,
|
420 | 439 | uti: att.uti,
|
|
426 | 445 | is_outgoing: att.is_outgoing,
|
427 | 446 | is_sticker: att.is_sticker,
|
428 | 447 | hide_attachment: att.hide_attachment,
|
429 |
| - is_commsafety_sensitive: att.is_commsafety_sensitive, |
430 |
| - ck_sync_state: att.ck_sync_state |
| 448 | + is_commsafety_sensitive: att.is_commsafety_sensitive |
431 | 449 | },
|
432 | 450 | message: {
|
433 | 451 | guid: att.guid.substring(att.guid.indexOf('_', att.guid.indexOf('_') + 1) + 1),
|
434 |
| - is_from_me: att.is_from_me, |
435 |
| - communication: MsgIntelUtils.mapCommunication(att, |
436 |
| - this.handles.byRowId.get(att.handle_id), |
437 |
| - this.handles.byId.get(att.destination_caller_id)), |
| 452 | + communication: { |
| 453 | + channel: { |
| 454 | + service: att.service, |
| 455 | + version: att.version, |
| 456 | + is_from_me: att.is_from_me |
| 457 | + }, |
| 458 | + ...MsgIntelUtils.mapCommunication(att, |
| 459 | + this.handles.byRowId.get(att.handle_id), |
| 460 | + this.handles.byId.get(att.destination_caller_id)) |
| 461 | + }, |
438 | 462 | state: {
|
439 | 463 | is_delivered: Boolean(att.is_delivered),
|
440 | 464 | is_read: Boolean(att.is_read),
|
441 | 465 | is_sent: Boolean(att.is_sent),
|
442 | 466 | is_spam: Boolean(att.is_spam),
|
443 | 467 | is_kt_verified: Boolean(att.is_kt_verified)
|
444 | 468 | }
|
| 469 | + }, |
| 470 | + icloud: { |
| 471 | + ck_sync_state: att.ck_sync_state, |
| 472 | + ck_record_id: att.ck_record_id, |
| 473 | + ck_record_change_tag: att.ck_record_change_tag |
445 | 474 | }
|
446 | 475 | }
|
447 | 476 | }))
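Review bot: In the new `communication.channel` object, `is_from_me` is emitted as the raw SQLite value (`is_from_me: att.is_from_me`), while every sibling flag in `state` below it is normalised with `Boolean(...)`; consumers now get `0`/`1`/`null` in one place and `true`/`false` in another, so it should read `is_from_me: Boolean(att.is_from_me)`. The new `icloud` block also reads `att.ck_record_id` and `att.ck_record_change_tag`, but the only SELECT columns this hunk adds are `m.service` and `m.version`; if the `a.` column list above the hunk was not extended to include those two, they are `undefined` and `JSON.stringify` drops them silently, so that is worth confirming. Since the query and the mapping are now coupled through three extra field names, a short comment on the `icloud` object saying which table supplies them (`// CloudKit sync columns from attachment (a.ck_*)`) would help the next maintainer keep them in step. The enclosing query and mapping function both start before this hunk.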
|
|