Clean up of Mac OS artifact definitions (#474)

ForensicArtifacts · Feb 27, 2022 · 0f657bb · 0f657bb
1 parent 3b401b6
commit 0f657bb
Showing 1 changed file with 22 additions and 22 deletions.
diff --git a/data/macos.yaml b/data/macos.yaml
@@ -6,8 +6,8 @@ sources:
 - type: FILE
   attributes:
     paths:
-    - '/private/var/log/asl/*'
-    - '/var/log/asl/*'
+    - '/private/var/log/asl/*.asl'
+    - '/var/log/asl/*.asl'
 labels: [System, Logs]
 supported_os: [Darwin]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs']
@@ -37,7 +37,7 @@ sources:
   attributes: {paths: ['%%users.homedir%%/Library/Application Support/*']}
 labels: [Users, Software]
 supported_os: [Darwin]
-urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc.']
+urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc']
 ---
 name: MacOSAtJobs
 doc: MacOS at jobs
@@ -115,7 +115,7 @@ sources:
     - '/usr/lib/cron/tabs/*'
 labels: [System]
 supported_os: [Darwin]
-urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.']
+urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc']
 ---
 name: MacOSDock
 doc: Dock database
@@ -240,13 +240,13 @@ supported_os: [Darwin]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup']
 ---
 name: MacOSKeychains
-doc: Keychain Directory
+doc: User keychain files
 sources:
 - type: FILE
-  attributes: {paths: ['%%users.homedir%%/Library/Keychains/*']}
+  attributes: {paths: ['%%users.homedir%%/Library/Keychains/*.keychain']}
 labels: [Users]
 supported_os: [Darwin]
-urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc.']
+urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc']
 ---
 name: MacOSKeyboardLayoutPlistFile
 doc: Keyboard layout plist file
@@ -287,9 +287,9 @@ sources:
 - type: FILE
   attributes:
     paths:
-    - '/Library/LaunchAgents/*'
-    - '/System/Library/LaunchAgents/*'
-    - '%%users.homedir%%/Library/LaunchAgents/*'
+    - '/Library/LaunchAgents/*.plist'
+    - '/System/Library/LaunchAgents/*.plist'
+    - '%%users.homedir%%/Library/LaunchAgents/*.plist'
 labels: [System]
 supported_os: [Darwin]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations']
@@ -300,15 +300,15 @@ sources:
 - type: FILE
   attributes:
     paths:
-    - '/Library/LaunchDaemons/*'
-    - '/System/Library/LaunchDaemons/*'
-    - '%%users.homedir%%/Library/LaunchDaemons/*'
+    - '/Library/LaunchDaemons/*.plist'
+    - '/System/Library/LaunchDaemons/*.plist'
+    - '%%users.homedir%%/Library/LaunchDaemons/*.plist'
 labels: [System]
 supported_os: [Darwin]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations']
 ---
 name: MacOSLastlogFile
-doc: Mac OS X lastlog file.
+doc: Mac OS lastlog file.
 sources:
 - type: FILE
   attributes:
@@ -338,7 +338,7 @@ sources:
     - '/private/etc/localtime'
 labels: [System]
 supported_os: [Darwin]
-urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.']
+urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc']
 ---
 name: MacOSLoginWindowPlistFile
 doc: Log-in Window information plist file
@@ -611,8 +611,8 @@ sources:
 - type: FILE
   attributes:
     paths:
-    - '/Library/StartupItems/*'
-    - '/System/Library/StartupItems/*'
+    - '/Library/StartupItems/*.plist'
+    - '/System/Library/StartupItems/*.plist'
 labels: [System]
 supported_os: [Darwin]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations']
@@ -665,7 +665,7 @@ name: MacOSSystemPreferencesPlistFiles
 doc: System Preferences plist files
 sources:
 - type: FILE
-  attributes: {paths: ['/Library/Preferences/**']}
+  attributes: {paths: ['/Library/Preferences/**/*.plist']}
 labels: [System]
 supported_os: [Darwin]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences']
@@ -866,10 +866,10 @@ sources:
   attributes: {paths: ['%%users.homedir%%/.Trash/*']}
 labels: [Users]
 supported_os: [Darwin]
-urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc.']
+urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc']
 ---
 name: MacOSUtmpFile
-doc: Mac OS X utmp and wmtp login record file.
+doc: Mac OS utmp and wmtp login record file.
 sources:
 - type: FILE
   attributes:
@@ -883,7 +883,7 @@ supported_os: [Darwin]
 urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc']
 ---
 name: MacOSUtmpxFile
-doc: Mac OS X 10.5 utmpx login record file.
+doc: Mac OS 10.5 utmpx login record file.
 sources:
 - type: FILE
   attributes:
@@ -904,7 +904,7 @@ supported_os: [Darwin]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Networking']
 ---
 name: MacOSFSEvents
-doc: Mac OS X file system event log
+doc: Mac OS file system event log
 sources:
 - type: FILE
   attributes: {paths: ['/.fseventsd/*']}