
Changed artifact definitions to collect SQLite journal and wal files (#…

Onager authored and joachimmetz committed Sep 2, 2019
1 parent 9fdf452 commit a4da56b4afe0f6d1fee1a42b496433baf5d4ad80
Showing with 51 additions and 14 deletions.
  1. +4 −1 data/linux.yaml
  2. +7 −1 data/macos.yaml
  3. +40 −12 data/webbrowser.yaml
@@ -622,7 +622,10 @@ name: ZeitgeistDatabase
doc: Zeitgeist user activity database.
sources:
- type: FILE
attributes: {paths: ['%%users.homedir%%/.local/share/zeitgeist/activity.sqlite']}
attributes:
paths:
- '%%users.homedir%%/.local/share/zeitgeist/activity.sqlite'
- '%%users.homedir%%/.local/share/zeitgeist/activity.sqlite-wal'
labels: [Users, Logs]
urls: ['http://forensicswiki.org/wiki/Zeitgeist']
supported_os: [Linux]
@@ -948,12 +948,18 @@ name: MacOSUserSocialAccounts
doc: User's Social Accounts
sources:
- type: FILE
attributes: {paths: ['%%users.homedir%%/Library/Accounts/Accounts3.sqlite']}
attributes:
paths:
- '%%users.homedir%%/Library/Accounts/Accounts3.sqlite'
- '%%users.homedir%%/Library/Accounts/Accounts3.sqlite-wal'
- '%%users.homedir%%/Library/Accounts/Accounts4.sqlite'
- '%%users.homedir%%/Library/Accounts/Accounts4.sqlite-wal'
labels: [Users, ExternalAccount]
supported_os: [Darwin]
urls:
- 'http://forensicswiki.org/wiki/Mac_OS_X'
- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User.27s_Accounts'
- 'https://lab.wallarm.com/hunting-the-files-34caa0c1496'
---
name: MacOSUserTrash
doc: User Trash Folder
@@ -109,31 +109,51 @@ sources:
- type: FILE
attributes:
paths:
- '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History'
- '%%users.localappdata%%\Google\Chrome\User Data\*\History'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\History'
- '%%users.localappdata%%\Chromium\User Data\*\Archived History'
- '%%users.localappdata%%\Chromium\User Data\*\Archived History-journal'
- '%%users.localappdata%%\Chromium\User Data\*\History'
- '%%users.localappdata%%\Chromium\User Data\*\History-journal'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History-journal'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\History'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\History-journal'
- '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History'
- '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History-journal'
- '%%users.localappdata%%\Google\Chrome\User Data\*\History'
- '%%users.localappdata%%\Google\Chrome\User Data\*\History-journal'
separator: '\'
supported_os: [Windows]
- type: FILE
attributes:
paths:
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History'
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived History'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History'
- '%%users.homedir%%/Library/Application Support/Chromium/*/Archived History'
- '%%users.homedir%%/Library/Application Support/Chromium/*/Archived History-journal'
- '%%users.homedir%%/Library/Application Support/Chromium/*/History'
- '%%users.homedir%%/Library/Application Support/Chromium/*/History-journal'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived History'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived History-journal'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History-journal'
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History'
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History-journal'
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History'
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History-journal'
supported_os: [Darwin]
- type: FILE
attributes:
paths:
- '%%users.homedir%%/.config/google-chrome/*/Archived History'
- '%%users.homedir%%/.config/google-chrome/*/History'
- '%%users.homedir%%/.config/chromium/*/Archived History'
- '%%users.homedir%%/.config/chromium/*/Archived History-journal'
- '%%users.homedir%%/.config/chromium/*/History'
- '%%users.homedir%%/.config/chromium/*/History-journal'
- '%%users.homedir%%/.config/google-chrome/*/Archived History'
- '%%users.homedir%%/.config/google-chrome/*/Archived History-journal'
- '%%users.homedir%%/.config/google-chrome/*/History'
- '%%users.homedir%%/.config/google-chrome/*/History-journal'
- '%%users.homedir%%/.config/google-chrome-beta/*/Archived History'
- '%%users.homedir%%/.config/google-chrome-beta/*/Archived History-journal'
- '%%users.homedir%%/.config/google-chrome-beta/*/History'
- '%%users.homedir%%/.config/google-chrome-beta/*/History-journal'
supported_os: [Linux]
supported_os: [Windows,Darwin,Linux]
labels: [Browser]
@@ -276,14 +296,22 @@ sources:
attributes:
paths:
- '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite'
- '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal'
- '%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite'
- '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal'
separator: '\'
supported_os: [Windows]
- type: FILE
attributes: {paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite']}
attributes:
paths:
- '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite'
- '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite-wal'
supported_os: [Darwin]
- type: FILE
attributes: {paths: ['%%users.homedir%%/.mozilla/firefox/*/places.sqlite']}
attributes:
paths:
- '%%users.homedir%%/.mozilla/firefox/*/places.sqlite'
- '%%users.homedir%%/.mozilla/firefox/*/places.sqlite-wal'
supported_os: [Linux]
supported_os: [Windows,Darwin,Linux]
labels: [Browser]
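Review bot: In the Firefox Windows source of the second hunk (`@@ -276,14 +296,22 @@`) the `%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal` path appears twice while the new `%%users.appdata%%\...\places.sqlite` entry gets no WAL sibling, which looks like a copy-paste slip; the second occurrence should read `- '%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal'`. Without it, a places.sqlite collected from the roaming profile can be missing the most recent committed transactions still sitting in its WAL, so the copy is stale relative to what the browser actually recorded. The enclosing artifact definition starts above the hunk (only its `sources:` line is visible here), so its name and `doc` are not in view; it would help readers to note in that `doc` that journal/WAL siblings are included deliberately and why.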
