mac4n6 / apollo Goto Github PK

I am receiving the following errors when trying to run this in Python 2.7, I have navigated to the folder containing the Apollo script and the modules have been placed in a Modules folder and the database files I want to run against are in the DBFiles folder. I'm tearing my hair out trying to figure out what i'm doing wrong!

C:\Users\Technicians\Desktop\PythonProgramming\Test>C:\Python27\python.exe apollo.py -o csv -p ios -v 11 Modules DBFiles
Parsing Modules...
Traceback (most recent call last):
File "apollo.py", line 194, in
parse_module_definition(mod_info)
File "apollo.py", line 45, in parse_module_definition
parser.read(mod_def)
File "C:\Python27\lib\ConfigParser.py", line 305, in read
self._read(fp, filename)
File "C:\Python27\lib\ConfigParser.py", line 512, in _read
raise MissingSectionHeaderError(fpname, lineno, line)
ConfigParser.MissingSectionHeaderError: File contains no section headers.
file: Modules\powerlog_accessory_connection.txt, line: 7
'\n'

The message date in "sms_chat.txt" has a divisor of "1000000000" prior to addition of "978307200". Based upon my analysis of iOS SQLite data, the divisor may be unnecessary and result in an inaccurate date conversion.

E.g. 2000-12-31 19:00:00 versus 2017-07-10 18:24:50 for a DB value of 521418290.

I would suggest updating to use a "CASE" statement, similar to what was done for "DATE DELIVERED" and "DATE READ".

I.e.

SELECT
    CASE 
        WHEN LENGTH(MESSAGE.DATE)=18 THEN DATETIME(MESSAGE.DATE/1000000000+978307200,'UNIXEPOCH','LOCALTIME')
        WHEN LENGTH(MESSAGE.DATE)=9 THEN DATETIME(MESSAGE.DATE + 978307200,'UNIXEPOCH','LOCALTIME')
        ELSE "N/A"
    END "MESSAGE DATE",

KnowledgeC.db is inaccessible in MacOS 12 even under root account. Is there any workaround to access it?

The WHERE clause in sms_chat_message_delievered.txt has a typo.

WHERE "DATE DELIEVERED" IS NOT "N/A"

Should be

WHERE "DATE DELIVERED" IS NOT "N/A"

For some reason with "aggregate_dictionary_distributed_keys.txt", I had to tab over everything from "select" to the end of the statement. Running windows 10, python 2.7, cmd as admin. It kept crashing on that module (immediately). When I removed that module, it ran no issues. I noticed that the other modules had everything from "select" down tabbed over 1 more spot. I applied that tabbing to "aggregate_dictionary_distributed_keys.txt" and it ran just fine.

https://twitter.com/EdXlg123/status/1102436931877654528?s=0

query_predictions.db

will add if i have a chance to test it out, otherwise leaving here for a future update

We've been running some test with Apollo today and we ran into something that confuses us.

If we look at the extracted data we can see that most timestamps have been corrected for the offset except for these tables (gotten with SELECT DISTINCT activity FROM apollo WHERE output NOT LIKE "%OFFSET%";):

Especially for Telephony Activity this is leading to inconsistencies in the data. If we do apply the offset to Telephony Activity then everything fits in nicely with the rest of the events. However if the offset isn't applied to Telephony Activity then we're seeing things like outgoing calls started while the screen is off according to the other events.

Example:

The above example was manually parsed and the offset was calculated from correlating events on the phone. The offset was 96 seconds and this matches the offset found in the database.

However if we don't apply the offset to the two yellow lines then this call takes place when the screen is off.

Are we misinterpreting something or is this an error in the module(s)?

I am receiving the following errors when trying to run this in Python 2.7, I have navigated to the folder containing the Apollo script and the modules have been placed in a Modules folder and the database files I want to run against are in the DBFiles folder

When i try to run the script i get the following message:

File ".\apollo.py", line 34, in
from ConfigParser import RawConfigParser
ImportError: No module named 'ConfigParser'

Should there be a module named ConfigParser in the modules folder?

I am trying to use APOLLO and I am stuck on one part. I am trying to export my screentime from my iPhone and make it into a CSV file to run it on automl. But I am totally lost on what to put on the data directory.
I am currently on this step on Linux.
apollo.py -o {csv} -p {apple} -v {10.15} -k /Users/heojeong/Downloads/apollo/APOLLO/modules
I connected my iPhone to my mac to check on the directory but I cannot find the directory path....and I am not even sure if that is how I should do!
Can you please help me? thank you so much

Hello,

I'm having some trouble running the recently added screentime modules, as they seem to be have some errors which make the parser fail. This occurs with all of the screentime_* modules. I've included an error for the screentime_timed_items below. This is on a fresh clone of the repo with python3 on OSX.

Thanks for making APOLLO! I've been trying it out to analyze device data and it's generally been working great.

> python apollo.py -o csv -p apple -v 13 modules /private/var/db/CoreDuet/Knowledge/

--------------------------------------------------------------------------------------
APOLLO Version: 05072020
Platform: apple
Version: 13
Data Directory: /private/var/db/CoreDuet/Knowledge/
Modules Directory: modules
--------------------------------------------------------------------------------------
Traceback (most recent call last):
  File "apollo.py", line 259, in <module>
    parse_module_definition(mod_info)
  File "apollo.py", line 56, in parse_module_definition
    parser.read(mod_def)
  File "/usr/local/anaconda3/lib/python3.7/configparser.py", line 696, in read
    self._read(fp, filename)
  File "/usr/local/anaconda3/lib/python3.7/configparser.py", line 1110, in _read
    raise e
configparser.ParsingError: Source contains parsing errors: 'modules/screentime_timed_items.txt'
	[line 64]: '\tSELECT \n'
	[line 65]: "\t\tDATETIME(ZUSAGEBLOCK.ZSTARTDATE+978307200,'UNIXEPOCH') AS 'HOUR',\n"
	[line 66]: "\t\tZUSAGETIMEDITEM.ZBUNDLEIDENTIFIER AS  'BUNDLE ID',\n"
... [until line 95]

It looks like crap because of commas in output. Looking to change text formats soon. In the mean time use SQL output.