Multiplatform Logs, Events, And Plists Parser

Project description

xLEAPP

Development build. Please be cautious when using it on real cases.

Framework for Logs, Events, And Plists Parser (LEAPP)

This framework is a complete rewrite of the excellent tool iLEAPP. Details of iLEAPP can be found in this blog post.

xLEAPP is the framework created to merge several tools together. More information about the rewrite is given in my talk (YouTube) at Black Hills Info Security's Wild West Hackin' Fest (WWHF): Deadwood in 2021.

Features

  • Provides a centralized and modular framework
  • Provides a simplified way to write plugins (artifacts) for each different supported platform.
  • Parses iOS, macOS, Android, Chromebook, warrant returns, and Windows artifacts depending on the plugins installed.

Other Documentation

Pre-requisites

This project requires you to have Python >= 3.9

Plugins

Here is a list of plugins that need to be completed. Plugin packages suffixed with "non-free" use licenses that may not conform with MIT licenses and are separated out.

  • xleapp-ios [Github] [PyPI]
  • xleapp-ios-non-free [Github]
  • xleapp-android
  • xleapp-android-non-free
  • xleapp-chrome
  • xleapp-chrome-non-free
  • xleapp-returns
  • xleapp-returns-non-free
  • xleapp-vehicles
  • xleapp-vehicles-non-free
  • xleapp-windows
  • xleapp-windows-non-free

Installation

Windows

  • Python

    PS> py -3 -m pip install xleapp
    PS> py -3 -m pip install xleapp-<plugin>
    
  • PIPX

    PS> py -3 -m pip install pipx
    PS> pipx install xleapp
    PS> pipx inject xleapp xleapp-<plugin>
    

Linux

  • Python

    $ python3 -m pip install xleapp
    $ python3 -m pip install xleapp-<plugin>
    
  • PIPX

    $ python3 -m pip install pipx
    $ pipx install xleapp
    $ pipx inject xleapp xleapp-<plugin>
    

Installation from Github and Development Information

VS Code configuration files

There are several configuration files that I have been using for VS Code.

Compile to executable

NOTE: This may not work at this time with this alpha version.

You can compile xLEAPP to an executable so that it runs on a system without Python installed.

To create xleapp.exe, run:

pyinstaller --onefile xleapp.spec

To create xleappGUI.exe, run:

pyinstaller --onefile --noconsole xleappGUI.spec

Usage

CLI

$ xleapp -h
usage: xleapp [-h] [-I] [-R] [-A] [-C] [-V] [-o OUTPUT_FOLDER] [-i INPUT_PATH]
       [--artifacts [ARTIFACTS ...]] [-p] [-l] [--gui] [--version]

xLEAPP: Logs, Events, and Plists Parser.

optional arguments:
  -h, --help            show this help message and exit
  -I                    parse ios artifacts
  -R                    parse Warrant Returns / User Generated Archives artifacts
  -A                    parse android artifacts
  -C                    parse Chromebook artifacts
  -V                    parse vehicle artifacts
  -o OUTPUT_FOLDER, --output_folder OUTPUT_FOLDER
                        Output folder path
  -i INPUT_PATH, --input_path INPUT_PATH
                        Path to input file/folder
  --artifact [ARTIFACT ...]
                        Filtered list of artifacts to run. Allowed: core, <check artifact list in
                        documentation>
  -p, --artifact_paths  Text file list of artifact paths
  -l, --artifact_table  Text file with table of artifacts
  --gui                 Runs xLEAPP into graphical mode
  --version             show program's version number and exit

GUI

This needs work and may not work properly!

$ xleapp --gui 

Help

$ xleapp.py --help

The GUI will open in another window.

Acknowledgements

This tool is the result of a collaborative effort of many people in the DFIR community.

This product includes software developed by Sarah Edwards (Station X Labs, LLC, @iamevltwin, mac4n6.com) and other contributors as part of APOLLO (Apple Pattern of Life Lazy Output'er).

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

xleapp-0.2.1.tar.gz (817.1 kB)

Uploaded Source

Built Distribution

xleapp-0.2.1-py3-none-any.whl (857.7 kB)

Uploaded Python 3

File details

Details for the file xleapp-0.2.1.tar.gz.

File metadata

  • Download URL: xleapp-0.2.1.tar.gz
  • Upload date:
  • Size: 817.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.9.7

File hashes

Hashes for xleapp-0.2.1.tar.gz
Algorithm Hash digest
SHA256 cc29e98e250d4d240721afa71f54e11456ec30a43c51101173ccf9d44a8ac830
MD5 ac8fca380df201f3acb6cfbdab9bba26
BLAKE2b-256 ff46de4bd91e877c654c293db1a0a28defcdd316ebedac4c467b6f916978f5a3

File details

Details for the file xleapp-0.2.1-py3-none-any.whl.

File metadata

  • Download URL: xleapp-0.2.1-py3-none-any.whl
  • Upload date:
  • Size: 857.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.9.7

File hashes

Hashes for xleapp-0.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 69e9041d3bb9a27b203428549a2ceabc7d7f45e8020a8f4d975958699a1cb7b6
MD5 47ac8357d07f486354f40116955f7096
BLAKE2b-256 9be8f6c4b97288a6110edb43b9100ad4a5ea78b85336d329688717a12acf9c0b
