-
Download Anaconda https://www.anaconda.com/download
-
Create an environment
This environment should be different to the one you use in ITeratOr's.
This environment is created with pip so running
pip installwill default to this environment's pip, and not your PATH if you have pip installed already.conda create -n aleapp pip conda activate aleapp -
Install the modules for running aleappGUI.py
Make sure the environment is activated before running the command below.
pip install -r requirements.txt
This command is to run aleappGUI.py which is used for ease of demonstration (and development) of our scripts.
python aleappGUI.py
Select /target_images folder for Directory to parse
Select /dump_reports folder for Output Folder
Load Profile and select YT-ZH-HBTFY-GPS-Config.alprofile
Click 'Process' to run the extraction
Click 'Open Report & Close' to view the report.
-
Install pyinstaller
conda install pyinstallerpyinstaller is not in requirements.txt because it will cause version conflicts.
-
Build aleapp.exe
The following files below are crucial to the compilation:
- aleapp-file_version_info.txt
- aleapp.py
- aleapp.spec
- hook-plugin_loader.py
- plugin_loader.py
Run the following command below
pyinstaller aleapp.specPyinstaller will create a folder
buildthat contains the required libraries anddistthat contains the final executable.
-
Locate aLeapp folder
- In the Autopsy path eg.
Autopsy-4.21.0/autopsy/, you will findaLeappfolder containingaleapp.exe,LICENSEandVersion.txtfiles.
- In the Autopsy path eg.
-
Replace the executable
-
Replace the
aleapp.exewith the newaleapp.exeyou have compiled indist. -
Run Autopsy normally, and it now has the ability to process Habitify, Youtube Music, Zoho Notebook, GPS Navigation (WearOS) artifacts.
-
A folder replica of
aLeappthat we used can be found in this repository under ALEAPP/aLeapp.
-
- ALEAPP/scripts/artifacts/habitify.py
- ALEAPP/scripts/artifacts/youtubeMusic.py
- ALEAPP/scripts/artifacts/zohoNotebook.py
- ALEAPP/scripts/artifacts/gpsNavigation.py
-
Declaring metadata
__artifacts_v2__At the start of the script, you have to define the metadata for your script. The main function will look for these metadata and collate the functions in
artifacts/__artifacts_v2__ = { "appName": { "name": "app name", "description": "describe what your script does", "author": "@yourname", "version": "x.x.x", "date": "yyyy-mm-dd", "requirements": "none", "category": "can be anything", "notes": "any notes you want future users to pay attention to", "paths": ('*/path/to/app/in/device/filename.filetype'), "function": "actual function name" } } -
Imports
You must import
ArtifactHtmlReport.ilapfuncscontain many useful functions that your script might need.from datetime import * from scripts.artifact_report import ArtifactHtmlReport from scripts.ilapfuncs import logfunc, tsv, is_platform_windows, open_sqlite_db_readonly, convert_ts_int_to_utc -
Function
This is the function you're exporting, all 5 parameters must be there.
get_applicationName(files_found, report_folder, seeker, wrap_text, time_offset) -
Generate Report
These are the lines that generate the report, we have commented our scripts to help you understand better.
report = ArtifactHtmlReport('Report Name') # displayed at the sidebar report.start_artifact_report(report_folder, 'Report Header') # displayed at the top of the report report.add_script() data_headers = ("Column A", "Column B", "Column C") report.write_artifact_data_table(data_headers, data_list, file_found, html_escape=False) report.end_artifact_report()
This project is developed using ALEAPP v3.2.3, and the project can be found here: https://github.com/abrignoni/ALEAPP/releases/tag/v3.2.3
Version of referenced Autopsy (4.21.0) uses ALEAPP v3.1.6
You can pull the latest release from their repository, and replicate the same steps for building the aleapp.exe. It will function the same as how we replaced the original Autopsy aleapp.exe.