Added Mac OS artifact definitions (ForensicArtifacts#570)

artifacts/__init__.py

@@ -1,4 +1,4 @@
 # -*- coding: utf-8 -*-
 """ForensicArtifacts.com Artifact Repository."""
 
-__version__ = '20230723'
+__version__ = '20230808'

config/dpkg/changelog

@@ -1,5 +1,5 @@
-artifacts (20230723-1) unstable; urgency=low
+artifacts (20230808-1) unstable; urgency=low
 
   * Auto-generated
 
- -- Forensic artifacts <[email protected]>  Sun, 23 Jul 2023 11:23:02 +0200
+ -- Forensic artifacts <[email protected]>  Tue, 08 Aug 2023 07:40:30 +0200

data/macos.yaml

@@ -1,5 +1,31 @@
 # Mac OS (Darwin) specific artifacts.
 ---
+name: MacOSAddressBookImagesSQLiteDatabaseFile
+doc: Address book images SQLite database file.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - 'Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/SampleContent/Library/AddressBook/AddressBookImages.sqlitedb'
+    - '%%users.homedir%%/Library/Developer/CoreSimulator/Devices/*/data/Library/AddressBook/AddressBookImages.sqlitedb'
+supported_os: [Darwin]
+---
+name: MacOSApplePushServiceSQLiteDatabaseFile
+doc: Apple push service SQLite database file.
+sources:
+- type: FILE
+  attributes:
+    paths: ['/Library/Application Support/ApplePushService/aps.db']
+supported_os: [Darwin]
+---
+name: MacOSAssetCacheInfoSQLiteDatabaseFile
+doc: Asset cache information SQLite database file.
+sources:
+- type: FILE
+  attributes:
+    paths: ['/Library/Caches/com.apple.AssetCache/AssetInfo.db']
+supported_os: [Darwin]
+---
 name: MacOSAirportPreferencesPlistFile
 aliases: [MacOSWirelessNetworks]
 doc: Airport (wireless networking) preferences property list (plist) file.
@@ -125,7 +151,8 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#preferences']
 ---
-name: MacOSDuetKnowledgeBase
+name: MacOSDuetKnowledgeCSQLiteDatabaseFile
+aliases: [MacOSDuetKnowledgeBase]
 doc: KnowledgeC User and Application usage database.
 sources:
 - type: FILE
@@ -542,6 +569,36 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#preferences']
 ---
+name: MacOSSiriSuggestionsEnttitiesSQLiteDatabaseFile
+doc: Siri suggestions entities SQLite database file.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '%%users.homedir%%/Library/Suggestions/entities.db'
+    - '%%users.homedir%%/Library/Suggestions/entities.db-wal'
+supported_os: [Darwin]
+---
+name: MacOSSiriSuggestionsPendingQueueSQLiteDatabaseFile
+doc: Siri suggestions pending queue SQLite database file.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '%%users.homedir%%/Library/Suggestions/pending/queue.db'
+    - '%%users.homedir%%/Library/Suggestions/pending/queue.db-wal'
+supported_os: [Darwin]
+---
+name: MacOSSiriSuggestionsSnippetsSQLiteDatabaseFile
+doc: Siri suggestions snippets SQLite database file.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '%%users.homedir%%/Library/Suggestions/snippets.db'
+    - '%%users.homedir%%/Library/Suggestions/snippets.db-wal'
+supported_os: [Darwin]
+---
 name: MacOSSleepimageFile
 doc: Sleepimage file which contains the content of memory before going to sleep
 sources:
@@ -576,7 +633,7 @@ urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#autorun-location
 ---
 name: MacOSSwapFile
 aliases: [MacOSSwapFiles]
-doc: Swap files
+doc: Swap file
 sources:
 - type: FILE
   attributes:
@@ -629,8 +686,8 @@ sources:
 - type: FILE
   attributes:
     paths:
-    - '%%users.homedir%%/Library/Application Support/com.apple.TCC/TCC.db'
     - '/Library/Application Support/com.apple.TCC/TCC.db'
+    - '%%users.homedir%%/Library/Application Support/com.apple.TCC/TCC.db'
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/tcc_database']
 ---

data/webbrowser.yaml

@@ -1312,8 +1312,8 @@ sources:
     paths:
     - '%%users.homedir%%/Library/Cookies/Cookies.binarycookies'
     - '%%users.homedir%%/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies'
-  supported_os: [Darwin]
 supported_os: [Darwin]
+urls: ['https://forensics.wiki/apple_safari']
 ---
 name: SafariDownloadsPlistFile
 aliases: [SafariDownloads]

docs/sources/background/Stats.md

@@ -4,12 +4,12 @@ The artifact definitions can be found in the
 [data directory](https://github.com/ForensicArtifacts/artifacts/tree/main/data) and the format is described in detail
 in the [Style Guide](https://artifacts.readthedocs.io/en/latest/sources/Format-specification.html).
 
-Status of the repository as of 2023-07-23
+Status of the repository as of 2023-08-08
 
 Description | Number
 --- | ---
-Number of artifact definitions: | 763
-Number of file paths: | 1989
+Number of artifact definitions: | 773
+Number of file paths: | 2007
 Number of Windows Registry key paths: | 677
 
 ### Artifact definition source types
@@ -18,7 +18,7 @@ Identifier | Number
 --- | ---
 ARTIFACT_GROUP | 47
 COMMAND | 10
-FILE | 478
+FILE | 488
 PATH | 28
 REGISTRY_KEY | 57
 REGISTRY_VALUE | 116
@@ -28,7 +28,7 @@ WMI | 27
 
 Identifier | Number
 --- | ---
-Darwin | 76
+Darwin | 75
 Linux | 70
 Windows | 59
 

tools/stats.py

@@ -70,6 +70,7 @@ def BuildStats(self):
     self._total_count = 0
 
     for artifact_definition in artifact_reader.ReadDirectory('data'):
+      # TODO: add support for artifact_definition.supported_os
       for source in artifact_definition.sources:
         self._total_count += 1
         source_type = source.type_indicator