@Revprm Revprm commented Dec 7, 2025

This PR addresses distinct issues causing parser crashes across three different artifacts during analysis:

  1. Firefox Artifacts: Fixes a sqlite3.OperationalError caused by schema version mismatches where the moz_places_metadata table is missing.

  2. Android Notification History: Fixes an xml.etree.ElementTree.ParseError caused by residual "junk" data at the end of XML files and corrects logic flow to prevent incorrect parser selection.

  3. Wire Messenger: Fixes an AttributeError crash caused by the parser erroneously identifying cache files as SQLite databases.

Changes

  1. Firefox (scripts/artifacts/firefox.py)
  • Schema Validation: Introduced a table_exists() helper function to verify the presence of moz_places_metadata and moz_places_metadata_search_queries before execution.

  • Dynamic Querying: Implemented conditional logic to switch between a full query (with metadata) and a fallback query (without metadata) depending on the database version. This prevents the parser from crashing on older or different versions of Firefox where specific tables are absent.

  2. Android Notification History (scripts/artifacts/notificationHistory.py)
  • XML Sanitization & Recovery: Added try-except ET.ParseError blocks for settings_secure.xml and notification_policy.xml. If parsing fails due to junk data (slack space) after the closing tag, the script now reads the file as a raw string, identifies the valid closing tag (e.g., ), and trims the residual data before re-parsing.

  • Logic Flow Correction: Changed the if statement to elif for the notification_policy.xml check. This ensures mutually exclusive execution paths, preventing XML files from being erroneously processed by the Protobuf parser in the else block.

  3. Wire Messenger (scripts/artifacts/wireMessenger.py)
  • Database Validation: The parser previously attempted to open any file ending in the User ID UUID, leading it to process non-database cache files. Modified get_user_database to explicitly ignore /cache/ directories and validate the file header for SQLite format 3 bytes before accepting it.

  • Null Safety: Added checks (if not user_database) in the main processing functions to ensure a valid database path was returned. This prevents the AttributeError: 'NoneType' object has no attribute 'cursor' crash when no valid DB is found or if the file cannot be opened.

Before the Bug Fix:

  1. notificationHistory:
Android Notification History [notificationHistory] artifact started
Reading Android Notification History artifact had errors!
Error was junk after document element: line 149, column 0
Exception Traceback: Traceback (most recent call last):
  File "/home/rev/Documents/CyberSec/Tools/ALEAPP/aleapp.py", line 383, in crunch_artifacts
    plugin.method(files_found, category_folder, seeker, wrap_text)
    ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/rev/Documents/CyberSec/Tools/ALEAPP/scripts/artifacts/notificationHistory.py", line 42, in get_notificationHistory
    tree = ET.parse(file_found)
  File "/usr/lib/python3.13/xml/etree/ElementTree.py", line 1210, in parse
    tree.parse(source, parser)
    ~~~~~~~~~~^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/xml/etree/ElementTree.py", line 573, in parse
    self._root = parser._parse_whole(source)
                 ~~~~~~~~~~~~~~~~~~~^^^^^^^^
xml.etree.ElementTree.ParseError: junk after document element: line 149, column 0
  2. firefox:
Firefox [firefox] artifact started
Reading Firefox artifact had errors!
Error was no such table: moz_places_metadata
Exception Traceback: Traceback (most recent call last):
  File "/home/rev/Documents/CyberSec/Tools/ALEAPP/aleapp.py", line 383, in crunch_artifacts
    plugin.method(files_found, category_folder, seeker, wrap_text)
    ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/rev/Documents/CyberSec/Tools/ALEAPP/scripts/artifacts/firefox.py", line 17, in get_firefox
    cursor.execute('''
    ~~~~~~~~~~~~~~^^^^
        SELECT
        ^^^^^^
    ...<20 lines>...
        moz_places.last_visit_date_local ASC
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    ''')
    ^^^^
sqlite3.OperationalError: no such table: moz_places_metadata
  3. wireMessenger
Wire Messages [wireMessenger] artifact started
Located a file ending with the User ID, but it is not an SQLite DB - I'll continue looking!
Error with /home/rev/Documents/College/Digital_Forensics/Final Project/ALEAPP_Reports_2025-12-09_Tuesday_073113/data/data/com.wire/cache/raw_assets_052477d9-0c43-4bee-a934-ced86153e9cf:
- unable to open database file
Reading Wire Messages artifact had errors!
Error was 'NoneType' object has no attribute 'cursor'
Exception Traceback: Traceback (most recent call last):
  File "/home/rev/Documents/CyberSec/Tools/aleapp_pers/ALEAPP/aleapp.py", line 383, in crunch_artifacts
    plugin.method(files_found, category_folder, seeker, wrap_text)
    ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/rev/Documents/CyberSec/Tools/aleapp_pers/ALEAPP/scripts/artifacts/wireMessenger.py", line 240, in get_wire_messages
    cursor = db.cursor()
             ^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'cursor'

After the Bug Fix:

  1. notificationHistory
Android Notification History [notificationHistory] artifact started
No Android Notification History - Status data available
No Android Notification History - Snoozed notifications data available
No Android Notification History - Notifications available
Android Notification History [notificationHistory] artifact completed
  2. firefox
Firefox [firefox] artifact started
No Firefox - Search Terms data available
Firefox [firefox] artifact completed
  3. wireMessenger
Wire Messages [wireMessenger] artifact started
Wire Messages [wireMessenger] artifact completed

Note: This is tested on Android Forensic Image Version 11 from https://thebinaryhick.blog/public_images/
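
The recovery step described for notificationHistory.py, written out as an added example (not the PR's code). It generalizes the description slightly: instead of cutting at one known closing tag, it tries each closing tag of the root element in order, keeps the first prefix that parses, and reports how many bytes were discarded. The function name and the sample document are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# First start tag; "<?xml ...?>" and "<!-- -->" do not match because of ? and !.
_ROOT_START = re.compile(rb"<([A-Za-z_][^\s/>]*)")


def parse_tolerating_trailing_junk(data: bytes):
    """Return (root_element, discarded_byte_count)."""
    try:
        return ET.fromstring(data), 0
    except ET.ParseError as original:
        start = _ROOT_START.search(data)
        if start is None:
            raise
        closing = re.compile(rb"</" + re.escape(start.group(1)) + rb"\s*>")
        # Try each prefix that ends at a closing tag with the root's name and
        # accept the first one that is a complete document. Cutting at the last
        # match instead would keep a stale closing tag sitting in the slack.
        for match in closing.finditer(data):
            prefix = data[: match.end()]
            try:
                root = ET.fromstring(prefix)
            except ET.ParseError:
                continue  # nested element with the root's name: not closed yet
            return root, len(data) - len(prefix)
        raise original  # the damage is inside the document, not after it


# Constructed sample (element names are made up): a complete document followed
# by slack holding part of an older copy of the file plus NUL padding.
CLEAN = (b'<?xml version="1.0" encoding="utf-8"?>\n'
         b'<policy><group><policy name="inner"></policy></group>'
         b'<item id="1"/></policy>')
SLACK = b'\n id="9"/>\n</policy>\n\x00\x00\x00\x00'

if __name__ == "__main__":
    root, dropped = parse_tolerating_trailing_junk(CLEAN + SLACK)
    print(root.tag, [i.get("id") for i in root.iter("item")], dropped)
```

Logging the discarded byte count alongside the parsed result keeps a record that the evidence file was not parsed as-is.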

@Revprm changed the title from "Fix ParseError (junk data) and logic flow in Android Notification History artifact" to "Fix Firefox schema mismatch and Android Notification XML parsing errors" on Dec 7, 2025
@Revprm changed the title from "Fix Firefox schema mismatch and Android Notification XML parsing errors" to "Fix Parser Crashes for Wire Messenger, Firefox, and Android Notification History" on Dec 9, 2025
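
The two SQLite checks described for wireMessenger.py and firefox.py, as an added example rather than the PR's own code: a header check before a file is treated as a database, and a table check before the metadata query is chosen. Only table_exists, moz_places and moz_places_metadata are named in the PR; pick_user_database, history_rows, and the place_id and total_view_time columns are assumptions made for the example.

```python
import sqlite3
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # fixed 16-byte header of a SQLite 3 file


def is_sqlite3_file(path) -> bool:
    """Check the header bytes instead of trusting the file name."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def pick_user_database(paths, user_id):
    """First path ending in user_id, outside any cache directory, that has a
    SQLite header. Returns None when nothing qualifies, so callers must test
    the result before connecting."""
    for p in map(Path, paths):
        if not p.name.endswith(user_id) or "cache" in p.parts:
            continue
        if is_sqlite3_file(p):
            return p
    return None


def table_exists(conn, name) -> bool:
    sql = "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?"
    return conn.execute(sql, (name,)).fetchone() is not None


def history_rows(conn):
    """Join the metadata table only when it is present; otherwise run the
    fallback query so older schemas still produce rows."""
    if table_exists(conn, "moz_places_metadata"):
        # place_id / total_view_time: assumed column names for this example
        sql = ("SELECT p.url, m.total_view_time FROM moz_places p "
               "LEFT JOIN moz_places_metadata m ON m.place_id = p.id "
               "ORDER BY p.id")
    else:
        sql = "SELECT url, NULL FROM moz_places ORDER BY id"
    return conn.execute(sql).fetchall()
```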