Several macOS new artifacts

[pstirparo]

Added several new artifacts and corrected the path of the one related to Apple Mail application (new versions can have the path different from "V2", but still always V followed by one digit --> "V[0-9]")

[codecov]

Codecov Report

Merging #294 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #294   +/-   ##
=======================================
  Coverage   91.08%   91.08%           
=======================================
  Files           7        7           
  Lines         415      415           
=======================================
  Hits          378      378           
  Misses         37       37

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 60d4829...5c6dbb6. Read the comment docs.

[joachimmetz]

I assume YYYYMMDD THHMMSS should be a wild card? also is the space in the string?

[pstirparo]

Correct, I will change "YYYYMMDD THHMMSS" with "*".
The space was a typo

[joachimmetz]

Know that "YYYYMMDDTHHMMSS" will result in an exact string match

not a glob "[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]T[0-9][0-9][0-9][0-9][0-9][0-9]"

[pstirparo]

Fixed

[pstirparo]

As mentioned in my comments on the PR #298 , I'm referring specifically to the log files *.tracev3 and the resource files under uuidtext folder (this leaves out the log statistics file for example, which are in the same folder). would you prefer to keep them anyway?

[joachimmetz]

Have we seen all 0-9 versions? or is this 1-3 ?

[pstirparo]

I have seen V2, V3 and V5, I thought 0-9 was good to be on the safe side.

[joachimmetz]

ack, SG; maybe add this to the doc string that V2, V3 and V5 have been observed?

[pstirparo]

Done

[joachimmetz]

Seeing this is a cross platform application I opt to move this to applications definitions file

[pstirparo]

ok, I will remove it. Given that there were already Skype related artifacts I just added some new ones. I will start an im application specific yaml file with those in it.

[pstirparo]

Fixed

[joachimmetz]

This one likely as well

[pstirparo]

Fixed (see above)

[joachimmetz]

Doesn't this contain broader account information?

[pstirparo]

Indeed, it has other general account info like home directory, default shells, home dir path, original full user name, user profile picture, etc. Shall we use one of the following

1. name: MacOSUsersAccountsAndPassowrd
   or
2. name: MacOSUsersAccountsAndPassowords
   or just
3. name: MacOSUsersAccounts

with the "doc" being:
doc: Users Accounts Information and hashed Password plist files

[pstirparo]

Actually this was already in the macos.yaml file as "MacOSUserPasswordHashesPlistFiles" same artifacts. I will remove it from this PR and address it in the next one, when cleaning the "plistfile" names

[joachimmetz]

KnowledgeC ? what does this stand for?

Maybe add some urls:
https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage

[pstirparo]

That DB is known as the "knowledgeC DB" that is why I left it as main name. Given it contains the user application usage, we may change it to either:

1. "MacOSKnowledgeUserApplicationUsage", although it sounds too long
2. just "MacOSUserApplicationUsage", better although I would have liked to keep the KnowledgeC in the name, But probably this is more useful.

About the URL, yes it is in the URLs note of the mac4n6 artifacts spreadsheet, but I just didn't parse that field in the conversion. I will add it.

[pstirparo]

ok, proper official name is "Duet Knowledge Base", changing the name to reflect this and moved "knowledgeC" and description to "doc:"

[joachimmetz]

thx SG

[joachimmetz]

Instead of macOS I opt to use the more generic MacOS, unless it is specific to versions of MacOS that are named macOS ;)

[pstirparo]

Correct, it was a typo.

[joachimmetz]

@pstirparo if ready for re-review, please re-assign me as reviewer or add a comment with PTAL

[joachimmetz]

A couple of remaining nits and questions, but overall changes are good, thx for adding these

[joachimmetz]

/var/db/uuidtext/* will only get you the files in /var/db/uuidtext/ you likely want /var/db/uuidtext/*/* as well?

[pstirparo]

Yes, sorry it was a typo. First level is only directories.

[joachimmetz]

thx SG

[joachimmetz]

seeing this is a single url please change to urls: ['https://...']

[pstirparo]

fixed

[joachimmetz]

ack, SG; maybe add this to the doc string that V2, V3 and V5 have been observed?

[joachimmetz]

please rename to "MacOSUnifiedLogging", since this is the name Apple is using.

https://developer.apple.com/videos/play/wwdc2016/721/
https://developer.apple.com/documentation/os/logging?language=occ

[pstirparo]

fixed

[joachimmetz]

Unified Log => Unified Logging / Unified Logging and Activity Tracing / Unified Logging and Tracing System

[pstirparo]

changed to "Apple Unified Logging and Activity Tracing"

[joachimmetz]

I know this is not part of your changes but could you update this to "Mail Backup Table of Contents (TOC)", thx in advance.

[pstirparo]

fixed

[joachimmetz]

LGTM