abrignoni · ScottKjr3347 · Jan 15, 2025
diff --git a/scripts/artifacts/Ph100UFEDdevcievaluesplist.py b/scripts/artifacts/Ph100UFEDdevcievaluesplist.py
@@ -1,88 +1,77 @@
-# Author:  Scott Koenig https://theforensicscooter.com/
-# Version: 1.0
-#
-#   Description:
-#   Parses basic data from */device_values.plist which is a part of a UFED Advance Logical acquisitions
-#   with non-encrypted backups. The parsing of this file will allow for iLEAPP to parse some basic information
-#   such as */PhotoData/Photos.sqlite.
-#   Based on research and published blogs written by Scott Koenig https://theforensicscooter.com/
-
+__artifacts_v2__ = {
+    'Ph100UFEDdevicevaluesPlist': {
+        'name': 'Ph100-UFED-device-values-Plist',
+        'description': 'Parses basic data from */device_values.plist which is a part of a UFED Advance Logical'
+                       ' acquisitions with non-encrypted backups. The parsing of this file will allow for iLEAPP'
+                       ' to parse some basic information such as */PhotoData/Photos.sqlite.'
+                       ' Based on research and published blogs written by Scott Koenig https://theforensicscooter.com/',
+        'author': 'Scott Koenig',
+        'version': '5.0',
+        'date': '2025-01-05',
+        'requirements': 'Acquisition that contains device_values.plist',
+        'category': 'Photos-Z-Settings',
+        'notes': '',
+        'paths': ('*/device_values.plist',),
+        "output_types": ["standard", "tsv", "none"]
+    }
+}
 import os
 import plistlib
 import biplist
 import nska_deserialize as nd
+from scripts.builds_ids import OS_build
 import scripts.artifacts.artGlobals
-from scripts.artifact_report import ArtifactHtmlReport
-from scripts.ilapfuncs import logfunc, logdevinfo, tsv, is_platform_windows 
-
+from scripts.ilapfuncs import artifact_processor, logfunc, device_info, get_file_path
 
-def get_ph100ufeddevicevaluesplist(files_found, report_folder, seeker, wrap_text, timezone_offset):
-    versionnum = 0
+@artifact_processor
+def Ph100UFEDdevicevaluesPlist(files_found, report_folder, seeker, wrap_text, timezone_offset):
     data_list = []
-    file_found = str(files_found[0])
-    with open(file_found, "rb") as fp:
+    source_path = str(files_found[0])
+
+    with open(source_path, "rb") as fp:
         pl = plistlib.load(fp)
         for key, val in pl.items():
-            data_list.append((key, val))
+            data_list.append((key, str(val)))
+
             if key == "ProductVersion":
-                scripts.artifacts.artGlobals.versionf = val
+                scripts.artifacts.artGlobals.versionf = str(val)
                 logfunc(f"iOS version: {val}")
-                logdevinfo(f"<b>iOS version: </b>{val}")
+                device_info("devicevaluesplist-ufedadvlog", "Product Version", str(val), source_path)
 
             if key == "BuildVersion":
-                logdevinfo(f"<b>BuildVersion: </b>{val}")
+                logfunc(f"Build Version: {val}")
+                device_info("devicevaluesplist-ufedadvlog", "Build Version", str(val), source_path)
 
             if key == "ProductType":
-                logfunc(f"ProductType: {val}")
-                logdevinfo(f"<b>ProductType: </b>{val}")
+                logfunc(f"Product Type: {val}")
+                device_info("devicevaluesplist-ufedadvlog", "Product Type", str(val), source_path)
 
             if key == "HardwareModel":
-                logdevinfo(f"<b>HardwareModel: </b>{val}")
+                logfunc(f"Hardware Model: {val}")
+                device_info("devicevaluesplist-ufedadvlog", "Hardware Model", str(val), source_path)
 
             if key == "InternationalMobileEquipmentIdentity":
-                logdevinfo(f"<b>InternationalMobileEquipmentIdentity: </b>{val}")
+                logfunc(f"IMEI: {val}")
+                device_info("devicevaluesplist-ufedadvlog", "IMEI", str(val), source_path)
 
             if key == "SerialNumber":
-                logdevinfo(f"<b>SerialNumber: </b>{val}")
+                logfunc(f"Serial Number: {val}")
+                device_info("devicevaluesplist-ufedadvlog", "Serial Number", str(val), source_path)
 
             if key == "DeviceName":
-                logdevinfo(f"<b>DeviceName: </b>{val}")
+                logfunc(f"Device Name: {val}")
+                device_info("devicevaluesplist-ufedadvlog", "Device Name", str(val), source_path)
 
             if key == "PasswordProtected":
-                logdevinfo(f"<b>PasswordProtected: </b>{val}")
+                logfunc(f"Password Protected: {val}")
+                device_info("devicevaluesplist-ufedadvlog", "Password Protected", str(val), source_path)
 
             if key == "TimeZone":
-                logdevinfo(f"<b>TimeZone: </b>{val}")
-
-    description = ('Parses basic data from */device_values.plist which is a part of a UFED Advance Logical'
-                   ' acquisitions with non-encrypted backups. The parsing of this file will allow for iLEAPP'
-                   ' to parse some basic information such as */PhotoData/Photos.sqlite.'
-                   ' Based on research and published blogs written by Scott Koenig https://theforensicscooter.com/')
-    report = ArtifactHtmlReport('Ph100-UFED-device-values-Plist')
-    report.start_artifact_report(report_folder, 'Ph100-UFED-device-values-Plist', description)
-    report.add_script()
-    data_headers = ('Key', 'Values')
-    report.write_artifact_data_table(data_headers, data_list, file_found)
-    report.end_artifact_report()
+                logfunc(f"TimeZone: {val}")
+                device_info("devicevaluesplist-ufedadvlog", "TimeZone", str(val), source_path)
 
-    tsvname = 'Ph100-UFED-device-values-Plist'
-    tsv(report_folder, data_headers, data_list, tsvname)
+            else:
+                data_list.append((key, str(val)))
 
-
-__artifacts_v2__ = {
-    'Ph100-UFED-device-values-Plist': {
-        'name': 'UFED Adv Log Acquisition Ph100 UFED Device Values Plist',
-        'description': 'Parses basic data from */device_values.plist which is a part of a UFED Advance Logical'
-                       ' acquisitions with non-encrypted backups. The parsing of this file will allow for iLEAPP'
-                       ' to parse some basic information such as */PhotoData/Photos.sqlite.'
-                       ' Based on research and published blogs written by Scott Koenig https://theforensicscooter.com/',
-        'author': 'Scott Koenig https://theforensicscooter.com/',
-        'version': '1.0',
-        'date': '2024-06-10',
-        'requirements': 'Acquisition that contains device_values.plist',
-        'category': 'Photos-Z-Settings',
-        'notes': '',
-        'paths': '*/device_values.plist',
-        'function': 'get_ph100ufeddevicevaluesplist'
-    }
-}
+    data_headers = ('Property','Property Value')
+    return data_headers, data_list, source_path