From e9a2fe92f7c8ef67075bbc8966b9b6bfe3f23900 Mon Sep 17 00:00:00 2001
From: Patrick Neumann <patrick@neumannsland.de>
Date: Tue, 1 Dec 2020 18:01:13 +0100
Subject: [PATCH] Added Nautilus script for getting timezone info

---
 .../scripts/05b-macOS/02-E01-timezone         | 193 ++++++++++++++++++
 1 file changed, 193 insertions(+)
 create mode 100755 home/lucifer/.local/share/nautilus/scripts/05b-macOS/02-E01-timezone

diff --git a/home/lucifer/.local/share/nautilus/scripts/05b-macOS/02-E01-timezone b/home/lucifer/.local/share/nautilus/scripts/05b-macOS/02-E01-timezone
new file mode 100755
index 0000000..79c2b97
--- /dev/null
+++ b/home/lucifer/.local/share/nautilus/scripts/05b-macOS/02-E01-timezone
@@ -0,0 +1,193 @@
+#!/bin/bash
+#===============================================================================
+#
+# DIRECTORY:
+#   /home/*/.local/share/nautilus/scripts/05b_macOS/
+# OR
+#   /home/*/.gnome2/nautilus-sctipts/05b_macOS/ (deprecated)
+#
+# FILE:
+#   02_timezone
+#
+# USAGE:
+#   Right klick on an EWF (or RAW) image and
+#   choose this nautilus script from the context menu.
+#
+# OPTIONS:
+#   none
+#
+# DESCRIPTION:
+#   Stored and shows timezone information.
+#
+# REQUIREMENTS:
+#   bash, zenity, sleuthkit, awk, libplist-utils, coreutils, sed
+#     and (my own) print_plist_entry.py
+#
+# BUGS:
+#   ---
+#
+# NOTES:
+#   Tested on
+#   - Debian 8+
+#   - Arch Linux
+#
+# AUTHOR:
+#   Patrick Neumann, patrick@neumannsland.de
+#
+# COMPANY:
+#   (privately)
+#
+# VERSION:
+#   0.9 (beta)
+#
+# LINK TO THE MOST CURRENT VERSIONS:
+#   https://
+#
+# CREATED:
+#   24.03.2016
+#
+# COPYRIGHT (C):
+#   2015-2020 - Patrick Neumann
+#
+# LICENSE:
+#   This program is free software: you can redistribute it and/or modify
+#   it under the terms of the GNU General Public License as published by
+#   the Free Software Foundation, either version 3 of the License, or
+#   (at your option) any later version.
+#
+# WARRANTY:
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# TODO:
+#   ---
+#
+# HISTORY:
+#   0.9 - Patrick Neumann - Initial (public) release
+#
+#===============================================================================
+
+#-------------------------------------------------------------------------------
+# Additional supported Distribution(s) (add before Library!).
+#-------------------------------------------------------------------------------
+SUPPORTED_OSR="arch"
+
+#-------------------------------------------------------------------------------
+# Check for library (casualscripter_nautilus-scripts_functions.sh).
+#-------------------------------------------------------------------------------
+readonly LIBRARY="${0%/*/*}/.casualscripter_nautilus-scripts_functions.sh"
+if [ ! -f "${LIBRARY}" ] ; then
+  zenity --error \
+         --text \
+         "ERROR: casualscripter_nautilus-scripts_functions.sh MISSING!"
+  exit 1
+fi
+
+source "${LIBRARY}"
+
+#-------------------------------------------------------------------------------
+# Checks (see library "casualscripter_nautilus-scripts_functions.sh").
+#-------------------------------------------------------------------------------
+check_dep "${AWK_BIN}" "awk"
+check_dep "${FSSTAT_BIN}" "sleuthkit"
+check_dep "${ICAT_BIN}" "sleuthkit"
+check_dep "${IFIND_BIN}" "sleuthkit"
+check_dep "${ISTAT_BIN}" "sleuthkit"
+check_dep "${MMLS_BIN}" "sleuthkit"
+check_dep "${PLUTIL_BIN}" "libplist-utils"
+check_dep "${RM_BIN}" "coreutils"
+check_dep "${SED_BIN}" "sed"
+
+# https://raw.githubusercontent.com/casualscripter/debian-stuff
+check_dep "${PPEPY_BIN}" "print_plist_entry.py"
+
+check_ext "${SOURCE}" "[eE]01|dd|DD|raw|RAW|img|IMG"
+
+#-------------------------------------------------------------------------------
+# A little bit of configuration before the magic.
+#-------------------------------------------------------------------------------
+readonly OFFSET="$( choose_partition "${SOURCE}" | ${AWK_BIN} -F "_" '{ print $3; }' )"
+
+readonly TIMEZONE="${DIRNAME}/timezone.txt"
+
+#-------------------------------------------------------------------------------
+# The wonder...
+#-------------------------------------------------------------------------------
+if ${FSSTAT_BIN} -o "${OFFSET}" "${SOURCE}" > /dev/null 2>&1 ; then
+  (
+    echo -e -n "Partition (mmls line):\n  " >> "${TIMEZONE}"
+    ${MMLS_BIN} -aM "${SOURCE}" \
+    | ${AWK_BIN} '$3=="'"${OFFSET}"'" { print $0; }' \
+    >> "${TIMEZONE}"
+
+    localtime="$( ${IFIND_BIN} -o "${OFFSET}" \
+                               -n "/private/etc/localtime" \
+                               "${SOURCE}" )"
+    if [ "${localtime}" != "File not found" ] ; then
+      echo -e -n "  \"/private/etc/localtime\" is a symbolic link to:\n  " >> "${TIMEZONE}"
+      ${ISTAT_BIN} -o "${OFFSET}" "${SOURCE}" "${localtime}" \
+      | ${AWK_BIN} -F ":" '/Symbolic link to/ { sub( /.*\/usr\/share\/zoneinfo\//, "", $2 ); print $2 }' \
+      >> "${TIMEZONE}"
+      echo >> "${TIMEZONE}"
+    else
+      echo -e "  Symbolic link \"/private/etc/localtime\" not found.\n"
+    fi
+
+    pref="$( ${IFIND_BIN} -o "${OFFSET}" \
+                          -n "/Library/Preferences/.GlobalPreferences.plist" \
+                          "${SOURCE}" )"
+    if [ "${pref}" != "File not found" ] ; then
+      if [ ! -f "${DIRNAME}/GlobalPreferences.plist" ] ; then
+        if ! ${ICAT_BIN} -o "${OFFSET}" "${SOURCE}" "${pref}" > "/tmp/${pref}.plist" ; then
+          echo "  During the execution of icat an error occurred." >> "${TIMEZONE}"
+        fi
+        ${PLUTIL_BIN} -i "/tmp/${pref}.plist" -o "${DIRNAME}/GlobalPreferences.plist"
+        ${RM_BIN} "/tmp/${pref}.plist"
+				# since 10.10 (Yosemite) it seems, that the converted XML is not well formed!?
+        ${SED_BIN} --in-place --regexp-extended '/<key>AppleLanguages<\/key>/,/<\/array>/ s/string/key/g' "${DIRNAME}/GlobalPreferences.plist"
+      fi
+      echo -e -n "  Some content from \".GlobalPreferences.plist\":\n  " \
+      >> "${TIMEZONE}"
+      ${PPEPY_BIN} "${DIRNAME}/GlobalPreferences.plist" TimeZoneName \
+      >> "${TIMEZONE}"
+      echo >> "${TIMEZONE}"
+    else
+      echo -e "  File \"/Library/Preferences/.GlobalPreferences.plist\" not found.\n"
+    fi
+
+    auto="$( ${IFIND_BIN} -o "${OFFSET}" \
+                          -n "/Library/Preferences/com.apple.timezone.auto.plist" \
+                          "${SOURCE}" )"
+    if [ "${auto}" != "File not found" ] ; then
+      if [ ! -f "${auto}.plist" ] ; then
+        if ! ${ICAT_BIN} -o "${OFFSET}" "${SOURCE}" "${auto}" > "${DIRNAME}/com.apple.timezone.auto.plist" ; then
+          echo "  During the execution of icat an error occurred." >> "${TIMEZONE}"
+        fi
+      fi
+      echo -e -n "  Some content from \"com.apple.timezone.auto.plist\":\n  " \
+      >> "${TIMEZONE}"
+      ${PPEPY_BIN} "${DIRNAME}/com.apple.timezone.auto.plist" Active \
+      >> "${TIMEZONE}"
+      echo >> "${TIMEZONE}"
+    else
+      echo -e "  File \"/Library/Preferences/com.apple.timezone.auto.plist\" not found.\n" >> "${TIMEZONE}"
+    fi
+  ) | ${ZENITY_BIN} --progress \
+                    --title="timezone" \
+                    --text="Please wait..." \
+                    --pulsate
+else
+  echo -e "  ? (The Sleuth Kit does not support the filesystem!)\n" >> "${TIMEZONE}"
+fi
+
+#-------------------------------------------------------------------------------
+# Display content of the resultfile "timezone.txt".
+#-------------------------------------------------------------------------------
+display_resultfile "${TIMEZONE}"
+
+exit 0