Added Mac OS artifact definitions (#573)

ForensicArtifacts · Aug 10, 2023 · 1cabc64 · 1cabc64
1 parent fd850d9
commit 1cabc64
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 15 deletions.
diff --git a/artifacts/__init__.py b/artifacts/__init__.py
@@ -1,4 +1,4 @@
 # -*- coding: utf-8 -*-
 """ForensicArtifacts.com Artifact Repository."""
 
-__version__ = '20230809'
+__version__ = '20230810'
diff --git a/config/dpkg/changelog b/config/dpkg/changelog
@@ -1,5 +1,5 @@
-artifacts (20230809-1) unstable; urgency=low
+artifacts (20230810-1) unstable; urgency=low
 
   * Auto-generated
 
- -- Forensic artifacts <forensicartifacts@googlegroups.com>  Wed, 09 Aug 2023 06:00:32 +0200
+ -- Forensic artifacts <forensicartifacts@googlegroups.com>  Thu, 10 Aug 2023 06:04:42 +0200
diff --git a/data/macos.yaml b/data/macos.yaml
@@ -197,6 +197,13 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#preferences']
 ---
+name: MacOSIdentityServicesSQLiteDatabaseFile
+doc: Identity services SQLite database file.
+sources:
+- type: FILE
+  attributes: {paths: ['%%users.homedir%%/Library/IdentityServices/ids.db']}
+supported_os: [Darwin]
+---
 name: MacOSiDevices
 doc: Attached iDevices
 sources:
@@ -265,13 +272,6 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#idevice-backup']
 ---
-name: MacOSKeyboardLayoutPlistFile
-doc: Keyboard layout property list (plist) file.
-sources:
-- type: FILE
-  attributes: {paths: ['/Library/Preferences/com.apple.HIToolbox.plist']}
-supported_os: [Darwin]
----
 name: MacOSKernelExtensionFile
 aliases: [MacOSKextFiles]
 doc: Kernel extension (.kext) files.
@@ -284,6 +284,13 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#kernel-extension']
 ---
+name: MacOSKeyboardLayoutPlistFile
+doc: Keyboard layout property list (plist) file.
+sources:
+- type: FILE
+  attributes: {paths: ['/Library/Preferences/com.apple.HIToolbox.plist']}
+supported_os: [Darwin]
+---
 name: MacOSLastlogFile
 doc: Lastlog file.
 sources:
@@ -696,6 +703,13 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/tcc_database']
 ---
+name: MacOSTextReplacementsSQLiteDatabaseFile
+doc: Text replacements SQLite database file.
+sources:
+- type: FILE
+  attributes: {paths: ['%%users.homedir%%/Library/KeyboardServices/TextReplacements.db']}
+supported_os: [Darwin]
+---
 name: MacOSTimeMachinePlistFile
 doc: Time Machine information property list (plist) file
 sources:
@@ -771,6 +785,13 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#misc']
 ---
+name: MacOSUserKeychainOCSPCacheSQLiteDatabaseFile
+doc: User keychain CRL and OCSP cache SQLite database file.
+sources:
+- type: FILE
+  attributes: {paths: ['%%users.homedir%%/Library/Keychains/*/ocspcache.sqlite3']}
+supported_os: [Darwin]
+---
 name: MacOSUserLibraryDirectory
 doc: Contents of the user Library directories.
 sources:
@@ -779,6 +800,20 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#user-directories']
 ---
+name: MacOSUserLocalItemsKeychainKeybagSQLiteDatabaseFile
+doc: User (iCloud) local items keychain keybag SQLite database file.
+sources:
+- type: FILE
+  attributes: {paths: ['%%users.homedir%%/Library/Keychains/*/user.db']}
+supported_os: [Darwin]
+---
+name: MacOSUserLocalItemsKeychainRecordsSQLiteDatabaseFile
+doc: User (iCloud) local items keychain encrypted records SQLite database file.
+sources:
+- type: FILE
+  attributes: {paths: ['%%users.homedir%%/Library/Keychains/*/keychain-2.db']}
+supported_os: [Darwin]
+---
 name: MacOSUserLoginItemsPlistFile
 aliases: [MacOSUserLoginItems]
 doc: User login items property list (plist) file.
@@ -874,3 +909,10 @@ sources:
     - '/var/run/utmpx'
 supported_os: [Darwin]
 urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc']
+---
+name: MacOSWalletSQLiteDatabaseFile
+doc: Apple Wallet SQLite database file.
+sources:
+- type: FILE
+  attributes: {paths: ['%%users.homedir%%/Library/Passes/passes23.sqlite']}
+supported_os: [Darwin]
diff --git a/docs/sources/background/Stats.md b/docs/sources/background/Stats.md
@@ -4,12 +4,12 @@ The artifact definitions can be found in the
 [data directory](https://github.com/ForensicArtifacts/artifacts/tree/main/data) and the format is described in detail
 in the [Style Guide](https://artifacts.readthedocs.io/en/latest/sources/Format-specification.html).
 
-Status of the repository as of 2023-08-09
+Status of the repository as of 2023-08-10
 
 Description | Number
 --- | ---
-Number of artifact definitions: | 773
-Number of file paths: | 2007
+Number of artifact definitions: | 782
+Number of file paths: | 2017
 Number of Windows Registry key paths: | 677
 
 ### Artifact definition source types
@@ -18,7 +18,7 @@ Identifier | Number
 --- | ---
 ARTIFACT_GROUP | 47
 COMMAND | 10
-FILE | 488
+FILE | 497
 PATH | 28
 REGISTRY_KEY | 57
 REGISTRY_VALUE | 116
@@ -28,7 +28,7 @@ WMI | 27
 
 Identifier | Number
 --- | ---
-Darwin | 173
+Darwin | 182
 ESXi | 16
 Linux | 243
 Windows | 366