diff --git a/artifacts/__init__.py b/artifacts/__init__.py
index 4121e993..6b64e2ee 100644
--- a/artifacts/__init__.py
+++ b/artifacts/__init__.py
@@ -1,4 +1,4 @@
 # -*- coding: utf-8 -*-
 """ForensicArtifacts.com Artifact Repository."""
-__version__ = '20230723'
+__version__ = '20230808'
diff --git a/config/dpkg/changelog b/config/dpkg/changelog
index 2638a8a8..ca65085a 100644
--- a/config/dpkg/changelog
+++ b/config/dpkg/changelog
@@ -1,5 +1,5 @@
-artifacts (20230723-1) unstable; urgency=low
+artifacts (20230808-1) unstable; urgency=low
 * Auto-generated
- -- Forensic artifacts Sun, 23 Jul 2023 11:23:02 +0200
+ -- Forensic artifacts Tue, 08 Aug 2023 07:40:30 +0200
diff --git a/data/macos.yaml b/data/macos.yaml
index 308e2f92..4ecea4b9 100644
--- a/data/macos.yaml
+++ b/data/macos.yaml
@@ -1,5 +1,31 @@
 # Mac OS (Darwin) specific artifacts.
 ---
+name: MacOSAddressBookImagesSQLiteDatabaseFile
+doc: Address book images SQLite database file.
+sources:
+- type: FILE
+ attributes:
+ paths:
+ - 'Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/SampleContent/Library/AddressBook/AddressBookImages.sqlitedb'
+ - '%%users.homedir%%/Library/Developer/CoreSimulator/Devices/*/data/Library/AddressBook/AddressBookImages.sqlitedb'
+supported_os: [Darwin]
+---
+name: MacOSApplePushServiceSQLiteDatabaseFile
+doc: Apple push service SQLite database file.
+sources:
+- type: FILE
+ attributes:
+ paths: ['/Library/Application Support/ApplePushService/aps.db']
+supported_os: [Darwin]
+---
+name: MacOSAssetCacheInfoSQLiteDatabaseFile
+doc: Asset cache information SQLite database file.
+sources:
+- type: FILE
+ attributes:
+ paths: ['/Library/Caches/com.apple.AssetCache/AssetInfo.db']
+supported_os: [Darwin]
+---
 name: MacOSAirportPreferencesPlistFile
 aliases: [MacOSWirelessNetworks]
 doc: Airport (wireless networking) preferences property list (plist) file.
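Review bot: The first path of MacOSAddressBookImagesSQLiteDatabaseFile, `'Applications/Xcode.app/Contents/Developer/...'`, has no leading `/`, unlike every other absolute path in this hunk (`'/Library/Application Support/ApplePushService/aps.db'`, `'/Library/Caches/com.apple.AssetCache/AssetInfo.db'`), so it is a relative path and presumably never matches the Xcode sample content it names; it should start `- '/Applications/Xcode.app/...'`. Both paths of that definition sit under Xcode's iOS Simulator runtime and `CoreSimulator/Devices/*` data rather than the user's own macOS address book, which the doc line could state, e.g. `doc: Address book images SQLite database file of iOS Simulator runtimes and devices.` None of the three new definitions carries a `urls:` reference, whereas the neighbouring MacOSAirportPreferencesPlistFile definitions in this file do.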
@@ -125,7 +151,8 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#preferences']
 ---
-name: MacOSDuetKnowledgeBase
+name: MacOSDuetKnowledgeCSQLiteDatabaseFile
+aliases: [MacOSDuetKnowledgeBase]
 doc: KnowledgeC User and Application usage database.
 sources:
 - type: FILE
@@ -542,6 +569,36 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#preferences']
 ---
+name: MacOSSiriSuggestionsEnttitiesSQLiteDatabaseFile
+doc: Siri suggestions entities SQLite database file.
+sources:
+- type: FILE
+ attributes:
+ paths:
+ - '%%users.homedir%%/Library/Suggestions/entities.db'
+ - '%%users.homedir%%/Library/Suggestions/entities.db-wal'
+supported_os: [Darwin]
+---
+name: MacOSSiriSuggestionsPendingQueueSQLiteDatabaseFile
+doc: Siri suggestions pending queue SQLite database file.
+sources:
+- type: FILE
+ attributes:
+ paths:
+ - '%%users.homedir%%/Library/Suggestions/pending/queue.db'
+ - '%%users.homedir%%/Library/Suggestions/pending/queue.db-wal'
+supported_os: [Darwin]
+---
+name: MacOSSiriSuggestionsSnippetsSQLiteDatabaseFile
+doc: Siri suggestions snippets SQLite database file.
+sources:
+- type: FILE
+ attributes:
+ paths:
+ - '%%users.homedir%%/Library/Suggestions/snippets.db'
+ - '%%users.homedir%%/Library/Suggestions/snippets.db-wal'
+supported_os: [Darwin]
+---
 name: MacOSSleepimageFile
 doc: Sleepimage file which contains the content of memory before going to sleep
 sources:
@@ -576,7 +633,7 @@ urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#autorun-location
 ---
 name: MacOSSwapFile
 aliases: [MacOSSwapFiles]
-doc: Swap files
+doc: Swap file
 sources:
 - type: FILE
 attributes:
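Review bot: The artifact name on the first added line of the `@@ -542,6 +569,36 @@` hunk, `MacOSSiriSuggestionsEnttitiesSQLiteDatabaseFile`, misspells "Entities"; names are the identifiers consumers reference, and the preceding hunk shows the cost of changing one later (the rename to MacOSDuetKnowledgeCSQLiteDatabaseFile has to keep `aliases: [MacOSDuetKnowledgeBase]`), so it is cheaper to fix now: `name: MacOSSiriSuggestionsEntitiesSQLiteDatabaseFile`. Each of the three Siri definitions lists the `.db` and `.db-wal` files but not the `-shm` file that accompanies a WAL-mode SQLite database; I cannot tell from the hunk whether that omission is deliberate, and the other SQLite definitions in this commit list neither sidecar, so a short comment stating the convention would help. Like the definitions added at the top of the file, these carry no `urls:` reference.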
@@ -629,8 +686,8 @@ sources:
 - type: FILE
 attributes:
 paths:
- - '%%users.homedir%%/Library/Application Support/com.apple.TCC/TCC.db'
 - '/Library/Application Support/com.apple.TCC/TCC.db'
+ - '%%users.homedir%%/Library/Application Support/com.apple.TCC/TCC.db'
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/tcc_database']
 ---
diff --git a/data/webbrowser.yaml b/data/webbrowser.yaml
index d1d342ba..9b21da79 100644
--- a/data/webbrowser.yaml
+++ b/data/webbrowser.yaml
@@ -1312,8 +1312,8 @@ sources:
 paths:
 - '%%users.homedir%%/Library/Cookies/Cookies.binarycookies'
 - '%%users.homedir%%/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies'
- supported_os: [Darwin]
 supported_os: [Darwin]
+urls: ['https://forensics.wiki/apple_safari']
 ---
 name: SafariDownloadsPlistFile
 aliases: [SafariDownloads]
diff --git a/docs/sources/background/Stats.md b/docs/sources/background/Stats.md
index f8ce1f10..b9d7a0e8 100644
--- a/docs/sources/background/Stats.md
+++ b/docs/sources/background/Stats.md
@@ -4,12 +4,12 @@
 The artifact definitions can be found in the [data directory](https://github.com/ForensicArtifacts/artifacts/tree/main/data) and the format is described in detail in the [Style Guide](https://artifacts.readthedocs.io/en/latest/sources/Format-specification.html).
-Status of the repository as of 2023-07-23
+Status of the repository as of 2023-08-08
 Description | Number
 --- | ---
-Number of artifact definitions: | 763
-Number of file paths: | 1989
+Number of artifact definitions: | 773
+Number of file paths: | 2007
 Number of Windows Registry key paths: | 677
 ### Artifact definition source types
@@ -18,7 +18,7 @@ Identifier | Number
 --- | ---
 ARTIFACT_GROUP | 47
 COMMAND | 10
-FILE | 478
+FILE | 488
 PATH | 28
 REGISTRY_KEY | 57
 REGISTRY_VALUE | 116
@@ -28,7 +28,7 @@ WMI | 27
 Identifier | Number
 --- | ---
-Darwin | 76
+Darwin | 75
 Linux | 70
 Windows | 59
diff --git a/tools/stats.py b/tools/stats.py
index 2e88091b..8f2e958b 100755
--- a/tools/stats.py
+++ b/tools/stats.py
@@ -70,6 +70,7 @@ def BuildStats(self):
 self._total_count = 0
 for artifact_definition in artifact_reader.ReadDirectory('data'):
+ # TODO: add support for artifact_definition.supported_os
 for source in artifact_definition.sources:
 self._total_count += 1
 source_type = source.type_indicator
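Review bot: The added `# TODO: add support for artifact_definition.supported_os` says what is missing but not why it matters; the same commit's Stats.md hunk lowers the Darwin count from 76 to 75 while macos.yaml gains seven definitions with a top-level `supported_os: [Darwin]`, which suggests the per-OS table is built from source-level `supported_os` only (the loop body that does the counting is outside the hunk, so this is inferred). Recording that in the comment would spare the next reader the cross-reference, e.g. `# TODO: also count artifact_definition.supported_os; the per-OS table currently reflects source-level supported_os only, so definitions that set it at the top level are not counted`. BuildStats continues outside the hunk.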