Added Mac OS artifact definitions (#575)

ForensicArtifacts · Aug 14, 2023 · 3db0c86 · 3db0c86
1 parent d4e8cd6
commit 3db0c86
Show file tree

Hide file tree

Showing 4 changed files with 74 additions and 16 deletions.
diff --git a/artifacts/__init__.py b/artifacts/__init__.py
@@ -1,4 +1,4 @@
 # -*- coding: utf-8 -*-
 """ForensicArtifacts.com Artifact Repository."""
 
-__version__ = '20230811'
+__version__ = '20230814'
diff --git a/config/dpkg/changelog b/config/dpkg/changelog
@@ -1,5 +1,5 @@
-artifacts (20230811-1) unstable; urgency=low
+artifacts (20230814-1) unstable; urgency=low
 
   * Auto-generated
 
- -- Forensic artifacts <forensicartifacts@googlegroups.com>  Fri, 11 Aug 2023 07:07:36 +0200
+ -- Forensic artifacts <forensicartifacts@googlegroups.com>  Mon, 14 Aug 2023 06:50:59 +0200
diff --git a/data/macos.yaml b/data/macos.yaml
@@ -6,7 +6,7 @@ sources:
 - type: FILE
   attributes:
     paths:
-    - 'Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/SampleContent/Library/AddressBook/AddressBookImages.sqlitedb'
+    - '/Applications/Xcode.app/Contents/Developer/Platforms/*.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/*.simruntime/Contents/Resources/SampleContent/Library/AddressBook/AddressBookImages.sqlitedb'
     - '%%users.homedir%%/Library/Developer/CoreSimulator/Devices/*/data/Library/AddressBook/AddressBookImages.sqlitedb'
 supported_os: [Darwin]
 ---
@@ -31,13 +31,33 @@ sources:
   attributes: {paths: ['/Library/Caches/com.apple.AssetCache/AssetInfo.db']}
 supported_os: [Darwin]
 ---
+name: MacOSAuthorizationRulesSQLiteDatabaseFile
+doc: |
+  Authorization rules SQLite database file.
+
+  Superscedes /etc/authorization seen Mac OS X 10.8 Mountain Lion and earlier versions.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/private/var/db/auth.db'
+    - '/var/db/auth.db'
+supported_os: [Darwin]
+---
 name: MacOSCalendarCacheSQLiteDatabaseFile
 doc: Calendar cache SQLite database file.
 sources:
 - type: FILE
   attributes: {paths: ['%%users.homedir%%/Library/Calendars/Calendar Cache']}
 supported_os: [Darwin]
 ---
+name: MacOSCallHistoryCacheSQLiteDatabaseFile
+doc: Call history cache SQLite database file.
+sources:
+- type: FILE
+  attributes: {paths: ['%%users.homedir%%/Library/Application Support/CallHistoryDB/CallHistory.storedata']}
+supported_os: [Darwin]
+---
 name: MacOSAirportPreferencesPlistFile
 aliases: [MacOSWirelessNetworks]
 doc: Airport (wireless networking) preferences property list (plist) file.
@@ -163,6 +183,16 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#preferences']
 ---
+name: MacOSDuetSQLiteDatabaseFile
+doc: Duet database.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/private/var/db/CoreDuet/coreduetd.db'
+    - '/var/db/CoreDuet/coreduetd.db'
+supported_os: [Darwin]
+---
 name: MacOSDuetinteractionCSQLiteDatabaseFile
 doc: Duet interactionC database.
 sources:
@@ -186,6 +216,16 @@ sources:
 supported_os: [Darwin]
 urls: ['https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage']
 ---
+name: MacOSDuetSystemEventsSQLiteDatabaseFile
+doc: Duet system events database.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/private/var/db/CoreDuet/coreduetd.db'
+    - '/var/db/CoreDuet/coreduetd.db'
+supported_os: [Darwin]
+---
 name: MacOSFSEventsFile
 aliases: [MacOSFSEvents]
 doc: File system events disk log stream (fsevents) files.
@@ -704,15 +744,15 @@ supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#sleep.2fhibernate-and-swap-image-file']
 ---
 name: MacOSSystemConfigurationPreferencesPlistFile
-doc: System configuration preferences property list (plist) file
+doc: System configuration preferences property list (plist) file.
 sources:
 - type: FILE
   attributes: {paths: ['/Library/Preferences/SystemConfiguration/preferences.plist']}
 supported_os: [Darwin]
 ---
 name: MacOSSystemLogFile
 aliases: [MacOSSystemLogFiles]
-doc: System log files
+doc: System log file.
 sources:
 - type: FILE
   attributes:
@@ -722,6 +762,16 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-logs']
 ---
+name: MacOSSystemPolicySQLiteDatabaseFile
+doc: System policy database.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/private/var/db/SystemPolicy'
+    - '/var/db/SystemPolicy'
+supported_os: [Darwin]
+---
 name: MacOSSystemPreferencesPlistFile
 aliases: [MacOSSystemPreferencesPlistFiles]
 doc: System Preferences property list (plist) files
@@ -807,6 +857,13 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#user-directories']
 ---
+name: MacOSUserDockDesktopPictureSQLiteDatabaseFile
+doc: Dock user desktop picture SQLite database file.
+sources:
+- type: FILE
+  attributes: {paths: ['%%users.homedir%%/Library/Application Support/Dock/desktoppicture.db']}
+supported_os: [Darwin]
+---
 name: MacOSUserDocumentsDirectory
 doc: Contents of the user Documents directories.
 sources:
@@ -926,15 +983,16 @@ urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#user-directories
 ---
 name: MacOSUserAccountsSQLiteDatabaseFile
 aliases: [MacOSUserSocialAccounts]
-doc: User Accounts SQLite database files.
+doc: |
+  User Accounts SQLite database files.
+
+  Seen Accounts3.sqlite and Accounts4.sqlite
 sources:
 - type: FILE
   attributes:
     paths:
-    - '%%users.homedir%%/Library/Accounts/Accounts3.sqlite'
-    - '%%users.homedir%%/Library/Accounts/Accounts3.sqlite-wal'
-    - '%%users.homedir%%/Library/Accounts/Accounts4.sqlite'
-    - '%%users.homedir%%/Library/Accounts/Accounts4.sqlite-wal'
+    - '%%users.homedir%%/Library/Accounts/Accounts*.sqlite'
+    - '%%users.homedir%%/Library/Accounts/Accounts*.sqlite-wal'
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#user.27s-accounts']
 ---

diff --git a/docs/sources/background/Stats.md b/docs/sources/background/Stats.md
@@ -4,12 +4,12 @@ The artifact definitions can be found in the
 [data directory](https://github.com/ForensicArtifacts/artifacts/tree/main/data) and the format is described in detail
 in the [Style Guide](https://artifacts.readthedocs.io/en/latest/sources/Format-specification.html).
 
-Status of the repository as of 2023-08-11
+Status of the repository as of 2023-08-14
 
 Description | Number
 --- | ---
-Number of artifact definitions: | 791
-Number of file paths: | 2029
+Number of artifact definitions: | 797
+Number of file paths: | 2037
 Number of Windows Registry key paths: | 677
 
 ### Artifact definition source types
@@ -18,7 +18,7 @@ Identifier | Number
 --- | ---
 ARTIFACT_GROUP | 47
 COMMAND | 10
-FILE | 506
+FILE | 512
 PATH | 28
 REGISTRY_KEY | 57
 REGISTRY_VALUE | 116
@@ -28,7 +28,7 @@ WMI | 27
 
 Identifier | Number
 --- | ---
-Darwin | 191
+Darwin | 197
 ESXi | 16
 Linux | 243
 Windows | 366