Imagine you've just parsed an Android phone with ALEAPP, and you're looking through the report, but you don't really see the artifacts that you expect to find. For example, on this phone I would expect a Gmail account to be available, but none of these options show the Gmail account. What can I do? Well, the good news is that ALEAPP is really easy to develop a module for if you know a little bit of Python. So what we're going to do today is show you how to make an artifact in ALEAPP. The first thing you need to do is download ALEAPP from the GitHub repository; I just have the folder cloned with all of the code here. Once I have that, I open up that directory inside Visual Studio Code, which is what I use for coding. You can see a couple of different things here. First, in the ALEAPP folder we have aleapp.py, which is the utility that we normally run, and we have aleappGUI.py. If I click on those, you can see a lot of different code, but most people don't need to worry about aleapp.py or aleappGUI.py; most people who are developing a module will never even look at that code. What we care about is in the scripts folder. So there's a folder called scripts; expand that, and there are basically two files we're interested in: one file that we have to create ourselves, and one file that we have to modify a little bit. But before we get into that, let's identify some information that we want presented in the ALEAPP report. The file that I'm interested in today I found during the Cellebrite CTF, and it is the Gmail.xml file in the com.google.android.gm shared_prefs folder. If we look inside that file, it's just a simple XML file, and what I'm really interested in is this active_account string: we have a <string> element whose name attribute is "active_account", and then the Gmail address that I'm looking at.
So I want ALEAPP to be able to pull out that active account and show me that Gmail address right from the report page. Right now it doesn't. We're kind of lucky here because this is just a straight XML file, so we don't have to parse any databases; very often we're parsing SQLite databases when we're dealing with Android, but this I can pull directly out of the XML file. There is some other information in here that could be interesting, but I'm going to save that for later and just try to get the active account pulled out for this particular module. I'm going to call my module Gmail, or Gmail active account, or active Gmail. So now I have an idea of what I need to pull out: the active Gmail account. And I know what I want to call it, just Gmail analysis, because there is no other Gmail analysis in here. So let's go first to aleapp_artifacts.py. This file is the list of all of the artifacts that ALEAPP will recognize, and you need to point this file at your particular code. It has a very specific structure that you have to follow. I've already added my code. Basically, we enter things in alphabetical order; we are adding code in the scripts/artifacts folder, and I'm going to add a new Python script called gmail, because it's for Gmail analysis. From it I'm importing a function called get_gmail_active. Once you know what you want to name your artifact, you can just copy one of these lines and then change the file that you're pointing to and the function that you're calling, and we'll talk more about what those mean in a second. Once you have that inserted, you can scroll down, and again, keeping this in alphabetical order, I've added my Gmail active entry and given it a common name. This is what will show up in the categories; I'll show you in a second.
The final thing that we add is the file that I want to analyze. Basically, ALEAPP will go through all of the files in the Android extraction, and if it finds a file that matches the string I'm looking for, it will send that file to our script so we can process it. All of that is defined inside the aleapp_artifacts.py file. So you need to add two entries in the aleapp_artifacts file: one is the name of the artifact and the file pattern that we're interested in analyzing, and the second is the function to call whenever those files are found. Next is whatever I've added here. I called my file gmail, for example, so in the scripts/artifacts folder I need to create a new file called gmail.py. I already have it created here, but it's an empty file. Now we can actually get started writing our module: we've already told ALEAPP that our module exists and which file it can be found in, so now we just have to actually write it. I'm going to add one thing that I don't usually see other authors do, and that is a header on the module. Most of the modules have been written by a small group of people, but as more people write these modules, we're going to want to add headers so we can keep track of things. So I'm going to create a header with a description of what this module does, who to contact if there's a problem with it, the date it was written, the version number of this individual module, and then any special requirements. By special requirements I mean third-party tools or libraries that are not built into Python; if they're in the Python standard library, that doesn't count as a special requirement. Once we have our header set up (and like I said, it's non-standard, so add the information that you think is useful), the next thing we need to do is import the Python libraries that are necessary to run the module.
I'm going to need two things. The first is the report module: from scripts.artifact_report, which is a script built into ALEAPP that handles all of the reporting, we import ArtifactHtmlReport so we can output our report to an HTML file. Then from scripts.ilapfuncs we import a bunch of different functions that are also used for reporting. So scripts.artifact_report and scripts.ilapfuncs are part of ALEAPP's reporting, and you want to include those in your script. Now the one at the top, import xml.etree.ElementTree as ET, is what I need for my script; ALEAPP doesn't care about that, but I know I'm going to be parsing XML, so I want the XML library to be able to parse it. So I'm going to import those libraries. Once we have that, there's another default class that's created for ALEAPP, and I basically just copied this directly over from one of the other artifacts. This is a class called KeyboardEvent, and it basically just keeps track of the keyboard as the module is running. Then we finally get to our main function, the one we named previously, which is def get_gmail_active. Remember, this has to be exactly the same as in aleapp_artifacts.py, get_gmail_active; they have to match exactly so that the program knows which function to call whenever the file we're interested in is found. We have to give it four different parameters. First is files_found, which is all of the files that ALEAPP found that match the string we're looking for; then report_folder, which is where we want to save files into; and then seeker and wrap_text. I actually don't know what those do, but we don't need them for now unless you're trying to do something advanced, so don't worry about the last two, just make sure you keep them.
Otherwise, you'll have an error in your code. I just want to do a test to make sure that my module actually works. I can't just use print, because I won't see the print happening. What I can do instead is the log function, logfunc, which will output anything I put in it to the ALEAPP log. So I basically put logfunc in here with "If you can read this, your module is working", and I also log files_found. Before we get too far, I want to actually run this. So I'm going to run the ALEAPP GUI version, and the first thing we should see, if I deselect all and scroll down and everything looks good so far, is my module available in this list. We can see Gmail Active. Gmail Active is listed properly, which means that ALEAPP detected my module. Does my module have any errors? I don't know yet, but at least ALEAPP knows about it. So I'm going to select the folder that I want to save the report into, then select the data that I'm going to be processing, and since I've only selected my module, that should be the only thing that runs. Let's go ahead and process. We can see that there was an error, but we did actually run: "If you can read this, the module is working" means that first test did run, then we printed out the files that were found, and then we had an error after that. So at least we know that we got to that point, and everything looks okay so far. Once I have that, I can go ahead and remove those log functions, or just keep them for testing; now that I know that's working, that is fine. The next thing I'm going to do is add our processing code. So first we just have the libraries that we need for this module, and we tested to make sure that our module is detected by ALEAPP and that we can actually output to the log function.
Next is my processing script. We have a variable created called active_account; that's the Gmail address that I want to pull out. We have file_found, which is coming from files_found: I'm taking basically the first file that I find and using that file for my analysis. That file is XML. We can go back and look at our original file here; we just have an XML file, and I want to parse it looking for, for example, a string whose name is active_account, and then pull out that Gmail address. That's the content I'm looking for. So I'm going to use xml_tree = ET.parse(file_found), where ET is our imported library. Whatever file ALEAPP is sending to us, I'm going to parse as an XML file and save everything in xml_tree. Then I get the root of xml_tree, the XML root, which basically means all of the elements from that file, and save that into the root variable. Then for each child, meaning all of the child elements inside the XML root, I get the child's name attribute, and if that name equals active_account, I output that to the log and set the active_account variable to child.text. So basically what I'm doing is parsing all of this as XML, finding active_account, and if it matches, I'm getting the Gmail address and saving that text to a variable. That's all it is for parsing out my data. This isn't a complicated data structure; it's a very simple data structure. But that's it. Now I have the data saved in the variable, and all I have to do is create my report. So I have my variable set with the child's text in it, and I check if active_account is not equal to empty. Here it was empty, so if we've actually set it to something, that means we have found the active Gmail account. If we found it, then we create the report.
If we didn't find it, we just output that no active Gmail address was found. If it's found, then we go ahead and start making the report. Most of this reporting is taken straight from the other artifacts that were created; go ahead and take a look at them and see if you find anything that's useful for you. So here we have report = ArtifactHtmlReport, which is coming from the library that we're importing above, and I'm calling it Gmail Active. Then we have report.start_artifact_report with the report folder, the location where we're saving all of the reports for this phone; this basically just creates another Gmail Active folder in there. Then we have add_script. Here's where we actually start creating our data headers, which are the headers for the table that's going to be shown in the HTML file. I only have one header because I only have one Gmail address, so I have this "Active Gmail address"; you can name it whatever you want as long as it makes sense for that column. Then we have our data_list, which starts as an empty list, and I'm appending active_account to it. So I'm adding the Gmail address to a list that is going to build a table. It's a little bit complicated, but if you're dealing with lots of different data inside a table, this really makes sense. Then we just write the artifact table out with the data headers, the data list, and the file that was found, and then we have end_artifact_report. That's all it is for creating the HTML report. If you don't create the HTML report, you can still output to a TSV, for example, and your module will still run. The next thing is tsvname = Gmail Active, which creates a tab-separated value file along with the HTML report, and then we have tsv with the report folder, data headers, data list and tsvname.
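Pulling the pieces of the walkthrough together, here is an added example of what the gmail.py module described above can look like. It was written for this page; it is not code from the ALEAPP project or from the video. The parser part runs on its own against a constructed Gmail.xml sample. The get_gmail_active function at the bottom uses the ALEAPP helper names and the (files_found, report_folder, seeker, wrap_text) signature exactly as the walkthrough describes them (ArtifactHtmlReport, start_artifact_report, add_script, write_artifact_data_table, end_artifact_report, tsv, logfunc); those are assumptions here, since the scripts package only resolves inside an ALEAPP checkout. The example goes a little beyond the video: it understands the other value types that Android shared_prefs files hold (boolean, int, long), treats a truncated or corrupt XML file as "not found" instead of crashing the run, and processes every matching Gmail.xml rather than only the first, which matters on a device with more than one Android user profile.

```python
# Added example for this page, not code from the ALEAPP project or the video.
# The ALEAPP-facing part (get_gmail_active) uses the helper names and the
# (files_found, report_folder, seeker, wrap_text) signature as described in
# the walkthrough; those are assumptions and only resolve inside ALEAPP.
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Optional, Tuple, Union

PrefValue = Union[str, bool, int, None]

# Constructed sample standing in for com.google.android.gm/shared_prefs/Gmail.xml,
# using the element types the Android shared_prefs format writes.
SAMPLE_GMAIL_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="active_account">analyst.example@gmail.com</string>
    <boolean name="has_seen_intro" value="true" />
    <int name="launch_count" value="7" />
    <long name="last_sync_ms" value="1600000000000" />
</map>
"""


def parse_shared_prefs(xml_data: Union[str, bytes]) -> Dict[str, PrefValue]:
    """Map every named entry in a shared_prefs <map> to a typed Python value.

    <string> keeps its text, <boolean>/<int>/<long> use their value attribute,
    and any other element type keeps the raw value attribute so it is not lost.
    Raises ET.ParseError on malformed XML; callers decide how to handle that.
    """
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    root = ET.fromstring(xml_data)
    prefs: Dict[str, PrefValue] = {}
    for child in root:
        name = child.get("name")
        if name is None:
            continue
        if child.tag == "string":
            prefs[name] = child.text or ""
        elif child.tag == "boolean":
            prefs[name] = child.get("value") == "true"
        elif child.tag in ("int", "long"):
            prefs[name] = int(child.get("value", "0"))
        else:
            prefs[name] = child.get("value")
    return prefs


def active_account_from_xml(xml_data: Union[str, bytes]) -> Optional[str]:
    """The value the walkthrough wants: the active_account string, or None."""
    try:
        prefs = parse_shared_prefs(xml_data)
    except ET.ParseError:
        # The file comes from the evidence; a truncated or corrupt copy should
        # read as 'not found', not as a traceback that aborts the ALEAPP run.
        return None
    value = prefs.get("active_account")
    return value if isinstance(value, str) and value else None


def rows_from_contents(named_contents: List[Tuple[str, bytes]]) -> List[List[str]]:
    """Build report rows [account, source path] from (path, bytes) pairs.

    Every match is processed, not just the first, so a second Android user
    profile (a second Gmail.xml under /data/user/<n>/) is reported too.
    """
    rows: List[List[str]] = []
    for path, data in named_contents:
        account = active_account_from_xml(data)
        if account:
            rows.append([account, path])
    return rows


def collect_active_accounts(files_found: List[str]) -> List[List[str]]:
    """Read each file ALEAPP matched and turn it into report rows."""
    return rows_from_contents([(str(p), Path(p).read_bytes()) for p in files_found])


def get_gmail_active(files_found, report_folder, seeker, wrap_text):
    """ALEAPP entry point named in aleapp_artifacts.py (signature per the walkthrough).

    The scripts.* imports are ALEAPP's own modules and exist only inside an
    ALEAPP checkout, so they are imported here rather than at module top.
    """
    from scripts.artifact_report import ArtifactHtmlReport
    from scripts.ilapfuncs import logfunc, tsv

    data_list = collect_active_accounts(files_found)
    if not data_list:
        logfunc("Gmail Active: no active Gmail account found")
        return
    logfunc(f"Gmail Active: {len(data_list)} active account(s) found")
    data_headers = ("Active Gmail address", "Source file")
    report = ArtifactHtmlReport("Gmail Active")
    report.start_artifact_report(report_folder, "Gmail Active")
    report.add_script()
    report.write_artifact_data_table(data_headers, data_list, files_found[0])
    report.end_artifact_report()
    tsv(report_folder, data_headers, data_list, "Gmail Active")
```

Drop the block into scripts/artifacts/gmail.py, add the import of get_gmail_active and a search pattern for the Gmail.xml shared_prefs file in aleapp_artifacts.py as described above, and ALEAPP will call get_gmail_active with the matching files. The try/except around the XML parse is the caveat a practitioner wants: the file is evidence, so treat it as untrusted input and let a bad copy show up as "not found" in the log rather than as a traceback that stops every other artifact from running. The second column, the source path, also tells you which user profile the account came from when there is more than one match.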
So basically two reports are always generated whenever ALEAPP is run: the HTML report as well as a tab-separated value report. The module is basically split into three parts. First is just getting ready and importing all of the requirements. Second is actually parsing the information out of the files that you're given: get the file from ALEAPP and parse out the information. Third, once we have the data that we need, we just output it to a simple report. This type of reporting is pretty much always the same for all of the artifacts; what changes is, for example, your data headers and the data that you actually show in the table. So let's go ahead and save that. Now I'm going to run my module again, select my module Gmail Active, and click process. We didn't have any errors. You can see here that the Gmail Active artifact is executing, and then we have our log message "active Gmail account found", which we just print here in the log file. But that's not the HTML page. So we know that our artifact was found, it ran, it was found correctly, and then we exited properly. Then we also get this "processing complete" with where the report is. If I click OK, our page pops up automatically, and you can see that a new category has been created, Gmail Active, and we have another tag, Gmail-Active. This is our artifact that ran. I didn't set any icons or anything like that; we might want to just name this category Gmail, but we'll deal with that later once we get multiple Gmail artifacts created. So go ahead and click on Gmail Active. We can see the total number of entries; we have Gmail Active located at this Gmail.xml file, which is exactly what we were looking for, and then we have the "Active Gmail address" table with the active Gmail address in it. That's it. That's all it takes to create a module. Now, like I said, I'm dealing with a very, very simple data structure, and I knew exactly where the data was located at the beginning.
I had already analyzed an Android phone, and I knew that shared_prefs/Gmail.xml has that active account available, so I knew where the data was located and I knew what the structure was. Once you have that, add a basic artifact parser to ALEAPP, and you can use it in all of your investigations from then on, and especially contribute that artifact back to the ALEAPP group so everyone else can also use it. So it's relatively straightforward to do. There is some tweaking in terms of making things look nice, or getting categories or icons or whatever, but essentially the processing itself, if you know where your data is and what it looks like, is super simple, and then you're just sending it to a report. So I hope that helps with creating an artifact in ALEAPP; essentially the same approach works for iLEAPP and WLEAPP, since all of the LEAPP tools are structured basically the same way. I'm going to put an ALEAPP template on GitHub, so watch out for that and check below for links to my GitHub repository, where you can get a very basic template for new artifacts. All right, that's it for today. Thank you very much.