Added Mac OS artifact definitions (#574)

ForensicArtifacts · Aug 11, 2023 · d4e8cd6 · d4e8cd6
1 parent 1cabc64
commit d4e8cd6
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 10 deletions.
diff --git a/artifacts/__init__.py b/artifacts/__init__.py
@@ -1,4 +1,4 @@
 # -*- coding: utf-8 -*-
 """ForensicArtifacts.com Artifact Repository."""
 
-__version__ = '20230810'
+__version__ = '20230811'
diff --git a/config/dpkg/changelog b/config/dpkg/changelog
@@ -1,5 +1,5 @@
-artifacts (20230810-1) unstable; urgency=low
+artifacts (20230811-1) unstable; urgency=low
 
   * Auto-generated
 
- -- Forensic artifacts <forensicartifacts@googlegroups.com>  Thu, 10 Aug 2023 06:04:42 +0200
+ -- Forensic artifacts <forensicartifacts@googlegroups.com>  Fri, 11 Aug 2023 07:07:36 +0200
diff --git a/data/macos.yaml b/data/macos.yaml
@@ -17,13 +17,27 @@ sources:
   attributes: {paths: ['/Library/Application Support/ApplePushService/aps.db']}
 supported_os: [Darwin]
 ---
+name: MacOSApplicationBundleCacheSQLiteDatabaseFile
+doc: Application bundle cache SQLite database file.
+sources:
+- type: FILE
+  attributes: {paths: ['%%users.homedir%%/Library/Caches/*/Cache.db']}
+supported_os: [Darwin]
+---
 name: MacOSAssetCacheInfoSQLiteDatabaseFile
 doc: Asset cache information SQLite database file.
 sources:
 - type: FILE
   attributes: {paths: ['/Library/Caches/com.apple.AssetCache/AssetInfo.db']}
 supported_os: [Darwin]
 ---
+name: MacOSCalendarCacheSQLiteDatabaseFile
+doc: Calendar cache SQLite database file.
+sources:
+- type: FILE
+  attributes: {paths: ['%%users.homedir%%/Library/Calendars/Calendar Cache']}
+supported_os: [Darwin]
+---
 name: MacOSAirportPreferencesPlistFile
 aliases: [MacOSWirelessNetworks]
 doc: Airport (wireless networking) preferences property list (plist) file.
@@ -149,9 +163,19 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#preferences']
 ---
+name: MacOSDuetinteractionCSQLiteDatabaseFile
+doc: Duet interactionC database.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/private/var/db/CoreDuet/People/interactionC.db'
+    - '/var/db/CoreDuet/People/interactionC.db'
+supported_os: [Darwin]
+---
 name: MacOSDuetKnowledgeCSQLiteDatabaseFile
 aliases: [MacOSDuetKnowledgeBase]
-doc: KnowledgeC User and Application usage database.
+doc: Duet knowledgeC User and Application usage database.
 sources:
 - type: FILE
   attributes:
@@ -465,6 +489,23 @@ sources:
     cmd: /usr/bin/hdiutil
 supported_os: [Darwin]
 ---
+name: MacOSNetworkUsageSQLiteDatabaseFile
+doc: Network usage SQLite database file.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/private/var/networkd/netusage.sqlite'
+    - '/var/networkd/netusage.sqlite'
+supported_os: [Darwin]
+---
+name: MacOSNotesSQLiteDatabaseFile
+doc: Notes SQLite database file.
+sources:
+- type: FILE
+  attributes: {paths: ['%%users.homedir%%/Library/Containers/com.apple.Notes/Data/Library/Notes/NotesV*.storedata']}
+supported_os: [Darwin]
+---
 name: MacOSNotificationCenterSQLiteDatabaseFile
 aliases: [MacOSNotificationCenter]
 doc: MacOS NotificationCenter SQLite database files.
@@ -581,7 +622,14 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#preferences']
 ---
-name: MacOSSiriSuggestionsEnttitiesSQLiteDatabaseFile
+name: MacOSSiriAnalyticsSQLiteDatabaseFile
+doc: Siri analytics SQLite database file.
+sources:
+- type: FILE
+  attributes: {paths: ['%%users.homedir%%/Library/Assistant/SiriAnalytics.db']}
+supported_os: [Darwin]
+---
+name: MacOSSiriSuggestionsEntitiesSQLiteDatabaseFile
 doc: Siri suggestions entities SQLite database file.
 sources:
 - type: FILE
@@ -916,3 +964,20 @@ sources:
 - type: FILE
   attributes: {paths: ['%%users.homedir%%/Library/Passes/passes23.sqlite']}
 supported_os: [Darwin]
+---
+name: MacOSWirelessDiagnosticDataPersistentSQLiteDatabaseFile
+doc: Apple Wireless Diagnostic Data (AWDD) persistent SQLite database file.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/private/var/db/awdd/persistent.db'
+    - '/var/db/awdd/persistent.db'
+supported_os: [Darwin]
+---
+name: MacOSXcodeiOSDeviceLogsSQLiteDatabaseFile
+doc: Xcode iOS Device Logs SQLite database file.
+sources:
+- type: FILE
+  attributes: {paths: ['%%users.homedir%%/Library/Developer/Xcode/iOS Device Logs/iOS Device Logs *.db']}
+supported_os: [Darwin]
diff --git a/data/webbrowser.yaml b/data/webbrowser.yaml
@@ -1400,6 +1400,14 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/apple_safari']
 ---
+name: SafariTabSnapshotsMetadataSQLiteDatabaseFile
+doc: Safari browser tab snapshots metadata SQLite database file.
+sources:
+- type: FILE
+  attributes: {paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/TabSnapshots/Metadata.db']}
+supported_os: [Darwin]
+urls: ['https://forensics.wiki/apple_safari']
+---
 name: SafariTouchIconCacheSettingsSQLiteDatabaseFile
 doc: Safari browser touch icon cache settings SQLite database file.
 sources:

diff --git a/docs/sources/background/Stats.md b/docs/sources/background/Stats.md
@@ -4,12 +4,12 @@ The artifact definitions can be found in the
 [data directory](https://github.com/ForensicArtifacts/artifacts/tree/main/data) and the format is described in detail
 in the [Style Guide](https://artifacts.readthedocs.io/en/latest/sources/Format-specification.html).
 
-Status of the repository as of 2023-08-10
+Status of the repository as of 2023-08-11
 
 Description | Number
 --- | ---
-Number of artifact definitions: | 782
-Number of file paths: | 2017
+Number of artifact definitions: | 791
+Number of file paths: | 2029
 Number of Windows Registry key paths: | 677
 
 ### Artifact definition source types
@@ -18,7 +18,7 @@ Identifier | Number
 --- | ---
 ARTIFACT_GROUP | 47
 COMMAND | 10
-FILE | 497
+FILE | 506
 PATH | 28
 REGISTRY_KEY | 57
 REGISTRY_VALUE | 116
@@ -28,7 +28,7 @@ WMI | 27
 
 Identifier | Number
 --- | ---
-Darwin | 182
+Darwin | 191
 ESXi | 16
 Linux | 243
 Windows | 366