Changes to validator to warn about sort order (ForensicArtifacts#597)

artifacts/data/applications.yaml

@@ -1,5 +1,16 @@
 # Application artifacts.
 ---
+name: GnomeEvolution
+doc: Gnome Evolution files.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '%%users.homedir%%/.cache/evolution/**'
+    - '%%users.homedir%%/.config/evolution/**'
+    - '%%users.homedir%%/.local/share/evolution/**'
+supported_os: [Linux]
+---
 name: MicrosoftOfficeAutosave
 aliases: [WindowsMsOfficeAutosave]
 doc: Automatically created Microsoft Office recovery files.
@@ -122,14 +133,3 @@ sources:
 - type: FILE
   attributes: {paths: ['%%users.homedir%%/.thunderbird/**']}
 supported_os: [Linux]
----
-name: GnomeEvolution
-doc: Gnome Evolution files.
-sources:
-- type: FILE
-  attributes:
-    paths:
-    - '%%users.homedir%%/.cache/evolution/**'
-    - '%%users.homedir%%/.config/evolution/**'
-    - '%%users.homedir%%/.local/share/evolution/**'
-supported_os: [Linux]

artifacts/data/file_systems.yaml

@@ -1,23 +1,23 @@
 # File system artifacts.
 ---
-name: NTFSMFTFiles
-doc: The NTFS $MFT and $MFTMirr file system metadata files.
+name: NTFSLogFile
+doc: The NTFS $LogFile file system metadata file.
 sources:
 - type: FILE
   attributes:
-    paths:
-    - '%%environ_systemdrive%%\$MFT'
-    - '%%environ_systemdrive%%\$MFTMirr'
+    paths: ['%%environ_systemdrive%%\$LogFile']
     separator: '\'
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/file_systems/NTFS.html']
 supported_os: [Windows]
 ---
-name: NTFSLogFile
-doc: The NTFS $LogFile file system metadata file.
+name: NTFSMFTFiles
+doc: The NTFS $MFT and $MFTMirr file system metadata files.
 sources:
 - type: FILE
   attributes:
-    paths: ['%%environ_systemdrive%%\$LogFile']
+    paths:
+    - '%%environ_systemdrive%%\$MFT'
+    - '%%environ_systemdrive%%\$MFTMirr'
     separator: '\'
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/file_systems/NTFS.html']
 supported_os: [Windows]

artifacts/data/hadoop.yaml

@@ -1,5 +1,17 @@
 # Hadoop artifacts
 ---
+name: HadoopAppLogs
+doc: Location where Hadoop application logs are stored
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/hadoop/logs/*'
+    - '/hadoop/logs/userlogs/application_*/container_*/*'
+    - '/**2/hadoop/logs/*'
+    - '/**2/hadoop/logs/userlogs/application_*/container_*/*'
+supported_os: [Linux]
+---
 name: HadoopAppRoot
 doc: Location where Hadoop application files are stored
 sources:
@@ -23,15 +35,3 @@ sources:
     - '/**2/hadoop/yarn/timeline/leveldb-timeline-store.ldb/*'
     - '/**2/hadoop/*/yarn/timeline/leveldb-timeline-store.ldb/*'
 supported_os: [Linux]
----
-name: HadoopAppLogs
-doc: Location where Hadoop application logs are stored
-sources:
-- type: FILE
-  attributes:
-    paths:
-    - '/hadoop/logs/*'
-    - '/hadoop/logs/userlogs/application_*/container_*/*'
-    - '/**2/hadoop/logs/*'
-    - '/**2/hadoop/logs/userlogs/application_*/container_*/*'
-supported_os: [Linux]

artifacts/data/instant_messaging.yaml

@@ -1,5 +1,26 @@
 # Instant Messaging applications specific artifacts.
 ---
+name: SignalApplicationContent
+doc: Signal Application Content and Configuration
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '%%users.homedir%%/.var/app/org.signal.Signal/*/attachments.noindex/*'
+    - '%%users.homedir%%/.var/app/org.signal.Signal/*/Cache/*'
+    - '%%users.homedir%%/.var/app/org.signal.Signal/*/logs/*'
+    - '%%users.homedir%%/.var/app/org.signal.Signal/config.json'
+  supported_os: [Linux]
+supported_os: [Linux]
+---
+name: SignalDatabase
+doc: Signal Database file.
+sources:
+- type: FILE
+  attributes: {paths: ['%%users.homedir%%/.var/app/org.signal.Signal/db.sqlite']}
+  supported_os: [Linux]
+supported_os: [Linux]
+---
 name: SkypeChatSync
 doc: Chat Sync Directory
 sources:
@@ -49,27 +70,6 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#skype']
 ---
-name: SignalApplicationContent
-doc: Signal Application Content and Configuration
-sources:
-- type: FILE
-  attributes:
-    paths:
-    - '%%users.homedir%%/.var/app/org.signal.Signal/*/attachments.noindex/*'
-    - '%%users.homedir%%/.var/app/org.signal.Signal/*/Cache/*'
-    - '%%users.homedir%%/.var/app/org.signal.Signal/*/logs/*'
-    - '%%users.homedir%%/.var/app/org.signal.Signal/config.json'
-  supported_os: [Linux]
-supported_os: [Linux]
----
-name: SignalDatabase
-doc: Signal Database file.
-sources:
-- type: FILE
-  attributes: {paths: ['%%users.homedir%%/.var/app/org.signal.Signal/db.sqlite']}
-  supported_os: [Linux]
-supported_os: [Linux]
----
 name: XChatLogs
 doc: XChat Log Files
 sources:

artifacts/data/kubernetes.yaml

@@ -1,12 +1,5 @@
 # Kubernetes artifacts
 ---
-name: KubernetesLogs
-doc: Log files that contain information about the Kubernetes installation of a node.
-sources:
-- type: FILE
-  attributes: {paths: ['/var/log/syslog*']}
-supported_os: [Linux]
----
 name: KubernetesCertificates
 doc: |
   Certificate files that are used for a Kubernetes cluster.
@@ -148,3 +141,10 @@ supported_os: [Linux]
 urls:
 - 'https://github.com/kubernetes/kubernetes/pull/74441'
 - 'https://kubernetes.io/docs/concepts/cluster-administration/logging/'
+---
+name: KubernetesLogs
+doc: Log files that contain information about the Kubernetes installation of a node.
+sources:
+- type: FILE
+  attributes: {paths: ['/var/log/syslog*']}
+supported_os: [Linux]

artifacts/data/macos.yaml

@@ -10,13 +10,50 @@ sources:
     - '%%users.homedir%%/Library/Developer/CoreSimulator/Devices/*/data/Library/AddressBook/AddressBookImages.sqlitedb'
 supported_os: [Darwin]
 ---
+name: MacOSAirportPreferencesPlistFile
+aliases: [MacOSWirelessNetworks]
+doc: Airport (wireless networking) preferences property list (plist) file.
+sources:
+- type: FILE
+  attributes: {paths: ['/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist']}
+supported_os: [Darwin]
+urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/macos/NetworkSettings.html']
+---
 name: MacOSApplePushServiceSQLiteDatabaseFile
 doc: Apple push service SQLite database file.
 sources:
 - type: FILE
   attributes: {paths: ['/Library/Application Support/ApplePushService/aps.db']}
 supported_os: [Darwin]
 ---
+name: MacOSAppleSetupDoneFile
+aliases: [MacOSSystemInstallationTime]
+doc: Mac OS .AppleSetupDone file that hints to the system installation date and time.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/private/var/db/.AppleSetupDone'
+    - '/var/db/.AppleSetupDone'
+supported_os: [Darwin]
+urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-settings-and-informations']
+---
+name: MacOSAppleSystemLogFile
+aliases: [MacOSAppleSystemLogFiles]
+doc: Apple system log (ASL) files.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/private/var/log/asl/*.asl'
+    - '/private/var/log/DiagnosticMessages/*.asl'
+    - '/var/log/asl/*.asl'
+    - '/var/log/DiagnosticMessages/*.asl'
+supported_os: [Darwin]
+urls:
+- 'https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-logs'
+- 'https://support.apple.com/guide/console/reports-cnsl664be99a/mac'
+---
 name: MacOSApplicationBundleCacheSQLiteDatabaseFile
 doc: Application bundle cache SQLite database file.
 sources:
@@ -58,43 +95,6 @@ sources:
   attributes: {paths: ['%%users.homedir%%/Library/Application Support/CallHistoryDB/CallHistory.storedata']}
 supported_os: [Darwin]
 ---
-name: MacOSAirportPreferencesPlistFile
-aliases: [MacOSWirelessNetworks]
-doc: Airport (wireless networking) preferences property list (plist) file.
-sources:
-- type: FILE
-  attributes: {paths: ['/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist']}
-supported_os: [Darwin]
-urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/macos/NetworkSettings.html']
----
-name: MacOSAppleSetupDoneFile
-aliases: [MacOSSystemInstallationTime]
-doc: Mac OS .AppleSetupDone file that hints to the system installation date and time.
-sources:
-- type: FILE
-  attributes:
-    paths:
-    - '/private/var/db/.AppleSetupDone'
-    - '/var/db/.AppleSetupDone'
-supported_os: [Darwin]
-urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-settings-and-informations']
----
-name: MacOSAppleSystemLogFile
-aliases: [MacOSAppleSystemLogFiles]
-doc: Apple system log (ASL) files.
-sources:
-- type: FILE
-  attributes:
-    paths:
-    - '/private/var/log/asl/*.asl'
-    - '/private/var/log/DiagnosticMessages/*.asl'
-    - '/var/log/asl/*.asl'
-    - '/var/log/DiagnosticMessages/*.asl'
-supported_os: [Darwin]
-urls:
-- 'https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-logs'
-- 'https://support.apple.com/guide/console/reports-cnsl664be99a/mac'
----
 name: MacOSApplicationsDirectory
 aliases: [MacOSApplications]
 doc: Contents of the Applications directory.

artifacts/data/user.yaml

@@ -1,15 +1,5 @@
 # Operating system independent user artifact definitions.
 ---
-name: UsersDirectory
-aliases: [MacOSUsers, MacOSUsersDirectory, OSXUsers, UserHomeDirectory]
-doc: Contents of the Users directory.
-sources:
-- type: PATH
-  attributes: {paths: ['/Users/*']}
-supported_os: [Darwin]
-provides: [users.username]
-urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#users']
----
 name: UserDownloadsDirectory
 aliases: [MacOSUserDownloadsDirectory, UserDownloads, WindowsUserDownloadsDirectory]
 doc: Contents of user Downloads directories.
@@ -25,3 +15,13 @@ sources:
   supported_os: [Windows]
 supported_os: [Darwin, Linux, Windows]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#user-directories']
+---
+name: UsersDirectory
+aliases: [MacOSUsers, MacOSUsersDirectory, OSXUsers, UserHomeDirectory]
+doc: Contents of the Users directory.
+sources:
+- type: PATH
+  attributes: {paths: ['/Users/*']}
+supported_os: [Darwin]
+provides: [users.username]
+urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#users']