From 08a1d02f8e85804017511d8aacdd1142a8394ea5 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Thu, 13 Jun 2024 13:50:11 +0200
Subject: [PATCH] fix: multilinelog, timeliner fix timezone issue

---
 analysers/timeliner.py | 11 ++++++++---
 utils/multilinelog.py | 14 ++++++--------
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/analysers/timeliner.py b/analysers/timeliner.py
index c372b98..98a56ac 100644
--- a/analysers/timeliner.py
+++ b/analysers/timeliner.py
@@ -244,7 +244,8 @@ def __extract_ts_wifi_known_networks(case_folder: str) -> Generator[dict, None,
 ssid = item['SSID']
 # WIFI added
 try:
- added = datetime.strptime(item['AddedAt'], '%Y-%m-%d %H:%M:%S.%f', tz=timezone.utc)
+ added = datetime.strptime(item['AddedAt'], '%Y-%m-%d %H:%M:%S.%f')
+ added = added.replace(tzinfo=timezone.utc)
 ts_event = {
 'message': 'WIFI %s added' % ssid,
 'timestamp': added.timestamp(),
@@ -260,7 +261,8 @@ def __extract_ts_wifi_known_networks(case_folder: str) -> Generator[dict, None,
 # WIFI modified
 try:
- updated = datetime.strptime(item['UpdatedAt'], '%Y-%m-%d %H:%M:%S.%f', tz=timezone.utc)
+ updated = datetime.strptime(item['UpdatedAt'], '%Y-%m-%d %H:%M:%S.%f')
+ updated = updated.replace(tzinfo=timezone.utc)
 ts_event = {
 'message': 'WIFI %s added' % updated,
 'timestamp': updated.timestamp(),
@@ -276,7 +278,8 @@ def __extract_ts_wifi_known_networks(case_folder: str) -> Generator[dict, None,
 # Password for wifi modified
 try:
- modified_password = datetime.strptime(item['__OSSpecific__']['WiFiNetworkPasswordModificationDate'], '%Y-%m-%d %H:%M:%S.%f', tz=timezone.utc)
+ modified_password = datetime.strptime(item['__OSSpecific__']['WiFiNetworkPasswordModificationDate'], '%Y-%m-%d %H:%M:%S.%f')
+ modified_password = modified_password.replace(tzinfo=timezone.utc)
 ts_event = {
 'message': 'Password for WIFI %s modified' % ssid,
 'timestamp': modified_password.timestamp(),
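Review bot: The two-step `strptime(...)` followed by `.replace(tzinfo=timezone.utc)` in the added lines is the right replacement for the invalid `tz=` keyword, but it silently asserts that the `AddedAt` string in the known-networks plist is expressed in UTC, which nothing in the hunk establishes. In a forensic timeline a local-time value labelled as UTC shifts every WiFi event by the device's offset, so the assumption deserves a comment at the parse site, e.g. `# AddedAt is a naive string; treated as UTC — verify against a device with a known non-UTC offset`. The same pair of lines is repeated for `UpdatedAt` and `WiFiNetworkPasswordModificationDate` in the two following hunks; a helper such as `def _plist_ts_utc(value: str) -> datetime: return datetime.strptime(value, '%Y-%m-%d %H:%M:%S.%f').replace(tzinfo=timezone.utc)` would keep the three parse sites from drifting apart again. The enclosing `try` and the rest of `__extract_ts_wifi_known_networks` begin and end outside the hunk.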
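Review bot: The context line `'message': 'WIFI %s added' % updated,` formats the datetime just parsed instead of the SSID and labels the modification event as "added", so the timeline emits entries like `WIFI 2024-06-13 13:50:11+00:00 added` that carry no network name and read like a duplicate of the real "added" event. It should be `'message': 'WIFI %s modified' % ssid,`. The defect predates this commit, but the commit rewrites the two lines immediately above it and the mislabelled message makes the now-correct timestamp hard to attribute when reading the JSONL output. The `except` paired with the visible `try:` lies outside the hunk.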
@@ -301,6 +304,8 @@ def analyse_path(case_folder: str, output_file: str = 'timeliner.jsonl') -> bool
 with open(output_file, 'w') as f:
 for func in globals():
 if func.startswith('__extract_ts_'):
+ if func != '__extract_ts_mobileactivation':
+ continue
 for event in globals()[func](case_folder): # call the function
 line = json.dumps(event)
 f.write(line)
diff --git a/utils/multilinelog.py b/utils/multilinelog.py
index 3b4376a..ba5c7cf 100644
--- a/utils/multilinelog.py
+++ b/utils/multilinelog.py
@@ -1,7 +1,7 @@
 import re
 import io
 import utils.misc as misc
-from datetime import datetime
+from datetime import datetime, timezone
 def extract_from_file(fname):
@@ -74,13 +74,11 @@ def build_from_logentry(line):
 # timestamp
 timeregex = re.search(r"(?<=^)(.*?)(?= \[[0-9]+)", line) # Regex for timestamp
 if timeregex:
- timestamp = timeregex.group(1)
- weekday, month, day, time, year = (str.split(timestamp[:24]))
- day = day_converter(day)
- month = month_converter(month)
- timestamp = datetime.fromisoformat(f"{year}-{month}-{day}T{time}Z")
- entry['timestamp'] = float(timestamp.timestamp())
- entry['datetime'] = timestamp.strftime("%Y-%m-%dT%H:%M:%S+00:00")
+ timestamp_str = timeregex.group(1)
+ timestamp = datetime.strptime(timestamp_str, "%a %b %d %H:%M:%S %Y")
+ timestamp = timestamp.replace(tzinfo=timezone.utc)
+ entry['timestamp'] = timestamp.timestamp()
+ entry['datetime'] = timestamp.isoformat()
 # log level
 loglevelregex = re.search(r"\<(.*?)\>", line)
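Review bot: The added `if func != '__extract_ts_mobileactivation': continue` makes `analyse_path` skip every other `__extract_ts_*` extractor, including the `__extract_ts_wifi_known_networks` timestamps this same commit fixes, so `timeliner.jsonl` is written with only mobile-activation events while the function still completes as if the full timeline had been built. The commit message says nothing about narrowing the timeline, so this looks like a debugging filter left in; it should be dropped before merge, or, if selective runs are wanted, expressed as an optional parameter such as `only: set[str] | None = None` checked with `if only is not None and func not in only: continue`. Silently dropping timeline sources is the worst failure mode for a forensic tool because the output file looks complete to the analyst. The body of `analyse_path` continues outside the hunk.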
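Review bot: The new `datetime.strptime(timestamp_str, "%a %b %d %H:%M:%S %Y")` resolves `%a` and `%b` through the process locale (`LC_TIME`), so an analyst running under a non-English locale gets a `ValueError` on every log line, whereas the removed `month_converter`/`day_converter` path did not depend on the locale. The removed code also parsed only `timestamp[:24]`, while `timeregex.group(1)` is everything before the first ` [NNN`; if that capture ever carries trailing text the new call fails with "unconverted data remains" instead of parsing the prefix. Either restore a locale-independent lookup for the weekday and month names, or at minimum add a comment such as `# %a/%b are locale-dependent; parsing assumes an English/C LC_TIME` and wrap the call in `try/except ValueError` that records the raw string so a single odd line does not abort the whole file. `build_from_logentry` begins and continues outside the hunk.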