Create parser and parser plugins for Apple Biome files (aka: SEBG files) #4812
Comments
A Python parser is already [available](https://github.com/cclgroupltd/ccl-segb) but not as a module that can be installed. I'm not sure what would be the best way to integrate that code into plaso. Also it uses the MIT licence. I don't know if this is ok.
MIT license is fine, also see https://github.com/log2timeline/l2tdocs/blob/main/process/Dependencies.md. However it needs to be an installable Python module, otherwise we cannot use it as a dependency. If the format is straightforward it can likely be easily re-implemented.
Given the size of the Python code it likely can be easily implemented with dtFabric (famous last words). If you have test files that can be shared (are not someone else's copyright) that would be a good start.
I got samples from Magnet's CTF.
What's the license/copyright of those? Likely can't use them as CI test files.
Right. I'll generate some with a test device.
I'll get started using dtFabric. Thanks for the input.
Protobufs use varints, which might be more tricky with dtFabric, but this might give you some inspiration: https://github.com/libyal/dtformats/blob/main/dtformats/leveldb.py
Could I use dtFabric to get the protobufs and then use [this](https://pypi.org/project/bbpb/) to parse the protobufs themselves?
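The varint concern raised above, as an added example that is not part of this thread, the ccl-segb project, or plaso: a minimal Python decoder for protobuf base-128 varints and a scanner over the wire-format fields that a length-delimited record would contain. The message bytes are constructed for illustration and do not come from a Biome/SEGB file; the SEGB container layout itself is not modelled here. The two bounds checks (a varint capped at 10 bytes, and a length field checked against the buffer) are the ones a forensic parser needs so that a corrupted or hostile file fails with an error rather than an endless loop or an out-of-range slice.

```python
"""Minimal protobuf wire-format scanner: varints, fixed32/64 and length-delimited fields."""
import struct

# Constructed sample message (not taken from any real Biome/SEGB file):
#   field 1, varint 300          -> 08 AC 02
#   field 2, bytes b"hi"         -> 12 02 68 69
#   field 3, fixed32 value 1     -> 1D 01 00 00 00
#   field 4, fixed64 value 2     -> 21 02 00 00 00 00 00 00 00
SAMPLE = bytes.fromhex("08ac02" "12026869" "1d01000000" "210200000000000000")

MAX_VARINT_BYTES = 10  # a 64-bit value never needs more than 10 base-128 bytes


def decode_varint(buf, offset=0):
    """Return (value, next_offset) for the base-128 varint starting at buf[offset].

    Raises ValueError on truncated input or on a varint longer than 10 bytes,
    so a corrupted continuation bit cannot make the parser run off the buffer.
    """
    value = 0
    shift = 0
    for i in range(MAX_VARINT_BYTES):
        if offset + i >= len(buf):
            raise ValueError("truncated varint at offset %d" % offset)
        byte = buf[offset + i]
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:  # high bit clear: last byte of this varint
            return value, offset + i + 1
        shift += 7
    raise ValueError("varint longer than %d bytes at offset %d" % (MAX_VARINT_BYTES, offset))


def parse_fields(buf):
    """Walk the top-level fields of one serialized message.

    Returns a list of (field_number, wire_type, value) tuples. Length-delimited
    values are returned as raw bytes; nested messages would be fed back into
    parse_fields by a caller that knows the schema.
    """
    fields = []
    offset = 0
    while offset < len(buf):
        tag, offset = decode_varint(buf, offset)
        field_number, wire_type = tag >> 3, tag & 0x07
        if wire_type == 0:  # varint
            value, offset = decode_varint(buf, offset)
        elif wire_type == 1:  # fixed64, little-endian
            if offset + 8 > len(buf):
                raise ValueError("truncated fixed64 at offset %d" % offset)
            value = struct.unpack_from("<Q", buf, offset)[0]
            offset += 8
        elif wire_type == 2:  # length-delimited: bytes, string or nested message
            length, offset = decode_varint(buf, offset)
            if offset + length > len(buf):
                raise ValueError("length %d at offset %d exceeds buffer" % (length, offset))
            value = bytes(buf[offset:offset + length])
            offset += length
        elif wire_type == 5:  # fixed32, little-endian
            if offset + 4 > len(buf):
                raise ValueError("truncated fixed32 at offset %d" % offset)
            value = struct.unpack_from("<I", buf, offset)[0]
            offset += 4
        else:  # wire types 3/4 (deprecated groups) and 6/7 (reserved) are not handled
            raise ValueError("unsupported wire type %d at offset %d" % (wire_type, offset))
        fields.append((field_number, wire_type, value))
    return fields


if __name__ == "__main__":
    for number, wire_type, value in parse_fields(SAMPLE):
        print("field %d (wire type %d): %r" % (number, wire_type, value))
```

Because protobuf carries no schema on the wire, this scanner only recovers field numbers and raw values; mapping field 2 to a name or treating it as a nested message is the job of a schema-aware layer such as the bbpb package mentioned in the comment above.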
Describe the problem:
On macOS and iOS devices, some of the artifacts that could be found in the KnowledgeC database have migrated under the Biome folders (/private/var/db/biome and /private/var/mobile/Library/Biome). iLEAPP supports those files and I'd like to bring support for these files to Plaso. The format consists of protobufs stored in a binary file.