ForensicArtifacts · joachimmetz · Feb 5, 2019 · Feb 2, 2019 · Feb 2, 2019 · Feb 2, 2019
diff --git a/data/java.yaml b/data/java.yaml
@@ -12,9 +12,8 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '%%users.localappdata_low%%\Sun\Java\Deployment\cache\**'
-      - '%%users.homedir%%\AppData\LocalLow\Sun\Java\Deployment\cache\**'
-      - '%%users.homedir%%\Application Data\Sun\Java\Deployment\cache\**'
+      - '%%users.appdata%%\Sun\Java\Deployment\cache\**'
+      - '%%users.userprofile%%\AppData\LocalLow\Sun\Java\Deployment\cache\**'
     separator: '\'
   supported_os: [Windows]
 supported_os: [Windows, Linux, Darwin]
diff --git a/data/kaspersky_careto.yaml b/data/kaspersky_careto.yaml
@@ -82,6 +82,7 @@ sources:
       - '%%users.appdata%%\microsoft\c_27803.nls'
       - '%%users.appdata%%\microsoft\objframe.dll'
       - '%%users.appdata%%\microsoft\shmgr.dll'
+    separator: '\'
 supported_os: [Windows]
 urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf']
 ---

diff --git a/data/webbrowser.yaml b/data/webbrowser.yaml
@@ -348,14 +348,14 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat'
-      - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat'
-      - '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\index.dat'
-      - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\index.dat'
+      - '%%users.appdata%%\Microsoft\Windows\IEDownloadHistory\index.dat'
+      - '%%users.localappdata%%\Microsoft\Feeds Cache\index.dat'
       - '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\*\index.dat'
+      - '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\index.dat'
       - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\*\index.dat'
-      - '%%users.userprofile%%\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat'
-      - '%%users.appdata%%\Microsoft\Windows\IEDownloadHistory\index.dat'
+      - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\index.dat'
+      - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat'
+      - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat'
       - '%%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat'
     separator: '\'
 labels: [Browser]
@@ -457,7 +457,7 @@ name: OperaHistory
 doc: Opera browser history (global_history.dat).
 sources:
 - type: FILE
-  attributes: {paths: ['%%users.homedir%%/Library/Opera//global_history.dat']}
+  attributes: {paths: ['%%users.homedir%%/Library/Opera/global_history.dat']}
   supported_os: [Darwin]
 - type: FILE
   attributes: {paths: ['%%users.homedir%%/.opera/global_history.dat']}

diff --git a/data/windows.yaml b/data/windows.yaml
@@ -23,7 +23,7 @@ doc: |
 sources:
 - type: FILE
   attributes:
-    paths: ['%%users.homedir%%\AppData\Local\ConnectedDevicesPlatform\L.%%users.username%%\ActivitiesCache.db']
+    paths: ['%%users.localappdata%%\ConnectedDevicesPlatform\L.%%users.username%%\ActivitiesCache.db']
     separator: '\'
 labels: [Users]
 supported_os: [Windows]
@@ -119,6 +119,7 @@ sources:
     - '%%environ_systemroot%%\WinAppXRT.dll'
     - '%%environ_systemroot%%\System32\Wbem\WinAppXRT.dll'
     - '%%environ_systemroot%%\System32\WindowsPowerShell\v1.0\WinAppXRT.dll'
+    separator: '\'
 supported_os: [Windows]
 conditions: [os_major_version >= 6 AND os_minor_version >= 2]
 urls: ['http://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/']
@@ -177,8 +178,8 @@ doc: Databases that contain the Windows BITS jobs definition and state.
 sources:
 - type: FILE
   attributes:
-    paths:
-      - '%%environ_allusersprofile%%\Microsoft\Network\Downloader\qmgr*.dat'
+    paths: ['%%environ_allusersprofile%%\Microsoft\Network\Downloader\qmgr*.dat']
+    separator: '\'
 supported_os: [Windows]
 urls: ['http://dfrws.org/2015/proceedings/presentations/DFRWS2015-pres3.pdf']
 ---
@@ -1054,7 +1055,9 @@ name: WindowsMetroApplicationCache
 doc: Windows Metro application cache.
 sources:
 - type: FILE
-  attributes: {paths: ['%%users.homedir%%\AppData\Local\Packages\*\AC\INetCache']}
+  attributes:
+    paths: ['%%users.localappdata%%\Packages\*\AC\INetCache']
+    separator: '\'
 supported_os: [Windows]
 urls:
 - 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look'
@@ -1063,7 +1066,9 @@ name: WindowsMetroApplicationCookies
 doc: Windows Metro application cookies.
 sources:
 - type: FILE
-  attributes: {paths: ['%%users.homedir%%\AppData\Local\Packages\*\AC\INetCookies']}
+  attributes:
+    paths: ['%%users.localappdata%%\Packages\*\AC\INetCookies']
+    separator: '\'
 supported_os: [Windows]
 urls:
 - 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look'
@@ -1072,7 +1077,9 @@ name: WindowsMetroApplicationHistory
 doc: Windows Metro application history.
 sources:
 - type: FILE
-  attributes: {paths: ['%%users.homedir%%\AppData\Local\Packages\*\AC\INetHistory']}
+  attributes:
+    paths: ['%%users.localappdata%%\Packages\*\AC\INetHistory']
+    separator: '\'
 supported_os: [Windows]
 urls:
 - 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look'
@@ -1081,7 +1088,9 @@ name: WindowsMetroUserPinnedFavoriteTiles
 doc: Windows Metro user-pinned favorite tiles.
 sources:
 - type: FILE
-  attributes: {paths: ['%%users.homedir%%\AppData\Local\Microsoft\Windows\RoamingTiles']}
+  attributes:
+    paths: ['%%users.localappdata%%\Microsoft\Windows\RoamingTiles']
+    separator: '\'
 supported_os: [Windows]
 urls:
 - 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look'
@@ -1271,8 +1280,9 @@ sources:
     paths:
       - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\profile.ps1'
       - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1'
-      - '%%users.homedir%%\Documents\WindowsPowerShell\profile.ps1'
-      - '%%users.homedir%%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'
+      - '%%users.userprofile%%\Documents\WindowsPowerShell\profile.ps1'
+      - '%%users.userprofile%%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'
+    separator: '\'
 supported_os: [Windows]
 urls:
 - 'https://technet.microsoft.com/en-us/magazine/2008.10.windowspowershell.aspx#id0190010'
@@ -1436,7 +1446,9 @@ doc: |
   userinit.exe will load this file and call its RunMonitor export.
 sources:
 - type: FILE
-  attributes: {paths: ['%%environ_systemroot%%\System32\rover.dll']}
+  attributes:
+    paths: ['%%environ_systemroot%%\System32\rover.dll']
+    separator: '\'
 supported_os: [Windows]
 urls: ['http://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/']
 ---
@@ -1789,7 +1801,9 @@ name: WindowsSetupApiLogs
 doc: Windows setup API logs.
 sources:
 - type: FILE
-  attributes: {paths: ['%%environ_systemroot%%\setupapi.log']}
+  attributes:
+    paths: ['%%environ_systemroot%%\setupapi.log']
+    separator: '\'
   conditions: [os_major_version < 6]
 - type: FILE
   attributes:
@@ -1843,10 +1857,10 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '%%users.homedir%%\Start Menu\Programs\Startup\*'
-      - '%%environ_allusersprofile%%\Start Menu\Programs\Startup\*'
-      - '%%users.homedir%%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*'
       - '%%environ_allusersprofile%%\Microsoft\Windows\Start Menu\Programs\Startup\*'
+      - '%%environ_allusersprofile%%\Start Menu\Programs\Startup\*'
+      - '%%users.appdata%%\Microsoft\Windows\Start Menu\Programs\Startup\*'
+      - '%%users.userprofile%%\Start Menu\Programs\Startup\*'
     separator: '\'
 supported_os: [Windows]
 ---
@@ -2120,7 +2134,7 @@ doc: User downloads directory
 sources:
 - type: DIRECTORY
   attributes:
-    paths: ['%%users.homedir%%\Downloads\*']
+    paths: ['%%users.userprofile%%\Downloads\*']
     separator: '\'
 labels: [Users]
 supported_os: [Windows]
@@ -2143,8 +2157,8 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '%%users.homedir%%\NTUSER.DAT'
-      - '%%users.homedir%%\NTUSER.MAN'
+      - '%%users.userprofile%%\NTUSER.DAT'
+      - '%%users.userprofile%%\NTUSER.MAN'
       - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat'
     separator: '\'
 labels: [Users]
@@ -2157,9 +2171,9 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '%%users.homedir%%\NTUSER.DAT.LOG'
-      - '%%users.homedir%%\NTUSER.DAT.LOG1'
-      - '%%users.homedir%%\NTUSER.DAT.LOG2'
+      - '%%users.userprofile%%\NTUSER.DAT.LOG'
+      - '%%users.userprofile%%\NTUSER.DAT.LOG1'
+      - '%%users.userprofile%%\NTUSER.DAT.LOG2'
       - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG'
       - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG1'
       - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG2'

diff --git a/tools/validator.py b/tools/validator.py
@@ -52,6 +52,88 @@ def _CheckRegistryKeyPath(self, filename, artifact_definition, key_path):
 
     return result
 
+  def _CheckWindowsPath(self, filename, artifact_definition, source, path):
+    """Checks if a path is a valid Windows path.
+
+    Args:
+      filename (str): name of the artifacts definition file.
+      artifact_definition (ArtifactDefinition): artifact definition.
+      source (SourceType): source definition.
+      path (str): path to validate.
+
+    Returns:
+      bool: True if the Windows path is valid.
+    """
+    result = True
+
+    number_of_forward_slashes = path.count('/')
+    number_of_backslashes = path.count('\\')
+    if (number_of_forward_slashes < number_of_backslashes and
+        source.separator != '\\'):
+      logging.warning((
+          'Incorrect path separator: {0:s} in path: {1:s} defined '
+          'by artifact definition: {2:s} in file: {3:s}').format(
+              source.separator, path, artifact_definition.name,
+              filename))
+      result = False
+
+    if source.separator != '\\':
+      return result
+
+    path_lower = path.lower()
+    path_segments = path_lower.split(source.separator)
+
+    if path_segments[0].startswith('%%users.') and path_segments[0] not in (
+        '%%users.appdata%%', '%%users.homedir%%', '%%users.localappdata%%',
+        '%%users.temp%%', '%%users.username%%', '%%users.userprofile%%'):
+      logging.warning((
+          'Unsupported "{0:s}" in path: {1:s} defined by artifact '
+          'definition: {2:s} in file: {3:s}').format(
+              path_segments[0], path, artifact_definition.name, filename))
+      result = False
+
+    elif path_segments[0] == '%%users.homedir%%':
+      logging.warning((
+          'Replace "%%users.homedir%%" by "%%users.userprofile%%" in path: '
+          '{0:s} defined by artifact definition: {1:s} in file: '
+          '{2:s}').format(path, artifact_definition.name, filename))
+      result = False
+
+    elif path_lower.startswith('%%users.userprofile%%\\appdata\\local\\'):
+      logging.warning((
+          'Replace "%%users.userprofile%%\\AppData\\Local" by '
+          '"%%users.localappdata%%" in path: {0:s} defined by artifact '
+          'definition: {1:s} in file: {2:s}').format(
+              path, artifact_definition.name, filename))
+      result = False
+
+    elif path_lower.startswith('%%users.userprofile%%\\appdata\\roaming\\'):
+      logging.warning((
+          'Replace "%%users.userprofile%%\\AppData\\Roaming" by '
+          '"%%users.appdata%%" in path: {0:s} defined by artifact '
+          'definition: {1:s} in file: {2:s}').format(
+              path, artifact_definition.name, filename))
+      result = False
+
+    elif path_lower.startswith('%%users.userprofile%%\\application data\\'):
+      logging.warning((
+          'Replace "%%users.userprofile%%\\Application Data" by '
+          '"%%users.appdata%%" in path: {0:s} defined by artifact '
+          'definition: {1:s} in file: {2:s}').format(
+              path, artifact_definition.name, filename))
+      result = False
+
+    elif path_lower.startswith(
+        '%%users.userprofile%%\\local settings\\application data\\'):
+      logging.warning((
+          'Replace "%%users.userprofile%%\\Local Settings\\Application Data" '
+          'by "%%users.localappdata%%" in path: {0:s} defined by artifact '
+          'definition: {1:s} in file: {2:s}').format(
+              path, artifact_definition.name, filename))
+      result = False
+
+    return result
+
   def _HasDuplicateRegistryKeyPaths(
       self, filename, artifact_definition, source):
     """Checks if Registry key paths are not already defined by other artifacts.
@@ -104,20 +186,18 @@ def CheckFile(self, filename):
                   artifact_definition.name, filename))
           result = False
 
+        artifact_definition_supports_windows = (
+            definitions.SUPPORTED_OS_WINDOWS in (
+                artifact_definition.supported_os))
+
         for source in artifact_definition.sources:
           if source.type_indicator in (
               definitions.TYPE_INDICATOR_FILE, definitions.TYPE_INDICATOR_PATH):
-            if definitions.SUPPORTED_OS_WINDOWS in source.supported_os:
+            if (artifact_definition_supports_windows or
+                definitions.SUPPORTED_OS_WINDOWS in source.supported_os):
               for path in source.paths:
-                number_of_forward_slashes = path.count('/')
-                number_of_backslashes = path.count('\\')
-                if (number_of_forward_slashes < number_of_backslashes and
-                    source.separator != '\\'):
-                  logging.warning((
-                      'Incorrect path separator: {0:s} in path: {1:s} defined '
-                      'by artifact definition: {2:s} in file: {3:s}').format(
-                          source.separator, path, artifact_definition.name,
-                          filename))
+                if not self._CheckWindowsPath(
+                    filename, artifact_definition, source, path):
                   result = False
 
           elif source.type_indicator == (