Deprecated directory source type #286 (#475)

data/instant_messaging.yaml

@@ -23,7 +23,7 @@ urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts
 name: SkypeMainDirectory
 doc: Skype Directory
 sources:
-- type: DIRECTORY
+- type: PATH
   attributes:
     paths: ['%%users.homedir%%/Library/Application Support/Skype/*']
   supported_os: [Darwin]

data/legacy.yaml

@@ -53,18 +53,6 @@ provides: [os_release, os_major_version, os_minor_version]
 labels: [Software]
 supported_os: [Linux]
 ---
-name: OSXUsers
-doc: Users directories in /Users
-sources:
-- type: DIRECTORY
-  attributes: {paths: ['/Users/*']}
-labels: [Users]
-supported_os: [Darwin]
-provides: [users.username]
-urls:
-- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
-- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Users'
----
 name: ProgramFiles
 doc: The %ProgramFiles% environment variable.
 sources:

data/macos.yaml

@@ -15,7 +15,7 @@ urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts
 name: MacOSApplications
 doc: Applications
 sources:
-- type: DIRECTORY
+- type: PATH
   attributes: {paths: ['/Applications/*']}
 labels: [Users, Software]
 supported_os: [Darwin]
@@ -33,7 +33,7 @@ urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts
 name: MacOSApplicationSupport
 doc: Application Support Directory
 sources:
-- type: DIRECTORY
+- type: PATH
   attributes: {paths: ['%%users.homedir%%/Library/Application Support/*']}
 labels: [Users, Software]
 supported_os: [Darwin]
@@ -47,7 +47,7 @@ sources:
 labels: [System]
 supported_os: [Darwin]
 urls:
-- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.'
+- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc'
 - 'https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/at.1.html#//apple_ref/doc/man/1/at'
 ---
 name: MacOSAuditLogFiles
@@ -56,8 +56,10 @@ sources:
 - type: FILE
   attributes:
     paths:
-    - '/private/var/audit/*'
-    - '/var/audit/*'
+    # Name of the file consists of "startime.stoptime" where each time is formatted as:
+    # "YYYYMMDDhhmmss". For example: "20141130081343.20141130081943".
+    - '/private/var/audit/[0-9]*.[0-9]*'
+    - '/var/audit/[0-9]*.[0-9]*'
 labels: [System, Logs]
 supported_os: [Darwin]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs']
@@ -520,7 +522,7 @@ sources:
 labels: [System]
 supported_os: [Darwin]
 urls:
-- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.'
+- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc'
 - 'https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/periodic.8.html#//apple_ref/doc/man/8/periodic'
 ---
 name: MacOSQuarantineEvents
@@ -725,7 +727,7 @@ urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts
 name: MacOSUserDesktopDirectory
 doc: Desktop Directory
 sources:
-- type: DIRECTORY
+- type: PATH
   attributes: {paths: ['%%users.homedir%%/Desktop/*']}
 labels: [Users]
 supported_os: [Darwin]
@@ -734,7 +736,7 @@ urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts
 name: MacOSUserDocumentsDirectory
 doc: Documents Directory
 sources:
-- type: DIRECTORY
+- type: PATH
   attributes: {paths: ['%%users.homedir%%/Documents/*']}
 labels: [Users]
 supported_os: [Darwin]
@@ -743,7 +745,7 @@ urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts
 name: MacOSUserDownloadsDirectory
 doc: User downloads directory
 sources:
-- type: DIRECTORY
+- type: PATH
   attributes: {paths: ['%%users.homedir%%/Downloads/*']}
 labels: [Users]
 supported_os: [Darwin]
@@ -761,7 +763,7 @@ urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts
 name: MacOSUserLibraryDirectory
 doc: Library Directory
 sources:
-- type: DIRECTORY
+- type: PATH
   attributes: {paths: ['%%users.homedir%%/Library/*']}
 labels: [Users]
 supported_os: [Darwin]
@@ -779,7 +781,7 @@ urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts
 name: MacOSUserMoviesDirectory
 doc: Movies Directory
 sources:
-- type: DIRECTORY
+- type: PATH
   attributes: {paths: ['%%users.homedir%%/Movies/*']}
 labels: [Users]
 supported_os: [Darwin]
@@ -788,7 +790,7 @@ urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts
 name: MacOSUserMusicDirectory
 doc: Music Directory
 sources:
-- type: DIRECTORY
+- type: PATH
   attributes: {paths: ['%%users.homedir%%/Music/*']}
 labels: [Users]
 supported_os: [Darwin]
@@ -809,7 +811,7 @@ urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts
 name: MacOSUserPicturesDirectory
 doc: Pictures Directory
 sources:
-- type: DIRECTORY
+- type: PATH
   attributes: {paths: ['%%users.homedir%%/Pictures/*']}
 labels: [Users]
 supported_os: [Darwin]
@@ -827,7 +829,7 @@ urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts
 name: MacOSUserPublicDirectory
 doc: Public Directory
 sources:
-- type: DIRECTORY
+- type: PATH
   attributes: {paths: ['%%users.homedir%%/Public/*']}
 labels: [Users]
 supported_os: [Darwin]
@@ -836,7 +838,7 @@ urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts
 name: MacOSUsers
 doc: Users directories in /Users
 sources:
-- type: DIRECTORY
+- type: PATH
   attributes: {paths: ['/Users/*']}
 labels: [Users]
 supported_os: [Darwin]

data/unix_common.yaml

@@ -19,7 +19,7 @@ sources:
   attributes:
     names:
     - 'RootUserShellHistory'
-    - 'UsersShellHistory'
+    - 'UserShellHistory'
 labels: [History Files]
 supported_os: [Linux, Darwin]
 ---
@@ -80,7 +80,7 @@ labels: [Configuration Files]
 supported_os: [Linux, Darwin]
 ---
 name: RootUserShellConfigs
-doc: Common unix root shell configuration files.
+doc: Common Unix root shell configuration files.
 sources:
 - type: FILE
   attributes:
@@ -100,7 +100,7 @@ labels: [Configuration Files]
 supported_os: [Linux, Darwin]
 ---
 name: RootUserShellHistory
-doc: Common unix root shell history files.
+doc: Common Unix root shell history files.
 sources:
 - type: FILE
   attributes:
@@ -234,27 +234,4 @@ sources:
     separator: '\'
   supported_os: [Windows]
 labels: [Configuration Files]
-supported_os: [Linux, Darwin, Windows]
----
-name: UsersShellHistory
-doc: Common Unix user shell history files.
-sources:
-- type: FILE
-  attributes:
-    paths:
-    - '%%users.homedir%%/.bash_history'
-    - '%%users.homedir%%/.sh_history'
-    - '%%users.homedir%%/.zhistory'
-    - '%%users.homedir%%/.zsh_history'
-  supported_os: [Linux, Darwin]
-- type: FILE
-  attributes:
-    paths:
-    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.bash_history'
-    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.sh_history'
-    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zhistory'
-    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zsh_history'
-    separator: '\'
-  supported_os: [Windows]
-labels: [History Files]
-supported_os: [Linux, Darwin, Windows]
+supported_os: [Darwin, Linux, Windows]

data/user.yaml

@@ -0,0 +1,52 @@
+# Platform independent user artifacts.
+---
+name: UserDownloads
+aliases: [WindowsUserDownloadsDirectory]
+doc: User downloaded files.
+sources:
+- type: PATH
+  attributes:
+    paths: ['%%users.homedir%%/Downloads/*']
+  supported_os: [Darwin, Linux]
+- type: PATH
+  attributes:
+    paths: ['%%users.userprofile%%\Downloads\*']
+    separator: '\'
+  supported_os: [Windows]
+labels: [Users]
+supported_os: [Darwin, Linux, Windows]
+---
+name: UserHomeDirectory
+aliases: [OSXUsers]
+doc: User home (or profile) directories.
+sources:
+- type: PATH
+  attributes: {paths: ['/Users/*']}
+labels: [Users]
+supported_os: [Darwin]
+provides: [users.username]
+urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Users']
+---
+name: UserShellHistory
+aliases: [UsersShellHistory]
+doc: User shell history files.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '%%users.homedir%%/.bash_history'
+    - '%%users.homedir%%/.sh_history'
+    - '%%users.homedir%%/.zhistory'
+    - '%%users.homedir%%/.zsh_history'
+  supported_os: [Darwin, Linux]
+- type: FILE
+  attributes:
+    paths:
+    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.bash_history'
+    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.sh_history'
+    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zhistory'
+    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zsh_history'
+    separator: '\'
+  supported_os: [Windows]
+labels: [History Files]
+supported_os: [Darwin, Linux, Windows]

data/windows.yaml

@@ -3182,16 +3182,6 @@ labels: [Users]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html']
 ---
-name: WindowsUserDownloadsDirectory
-doc: User downloads directory
-sources:
-- type: DIRECTORY
-  attributes:
-    paths: ['%%users.userprofile%%\Downloads\*']
-    separator: '\'
-labels: [Users]
-supported_os: [Windows]
----
 name: WindowsUserJumpLists
 doc: Windows user Jump Lists.
 sources:

tools/validator.py

@@ -470,7 +470,14 @@ def CheckFile(self, filename):
                 artifact_definition.supported_os))
 
         for source in artifact_definition.sources:
+          if source.type_indicator == definitions.TYPE_INDICATOR_DIRECTORY:
+            logging.warning((
+                'Use of deprecated source type: DIRECTORY in artifact '
+                'definition: {0:s} in file: {1:s}').format(
+                    artifact_definition.name, filename))
+
           if source.type_indicator in (
+              definitions.TYPE_INDICATOR_DIRECTORY,
               definitions.TYPE_INDICATOR_FILE, definitions.TYPE_INDICATOR_PATH):
 
             if (definitions.SUPPORTED_OS_DARWIN in source.supported_os or (