├── requirements.txt ├── setup.py ├── LICENSE ├── .gitignore ├── decryption └── collection_package_decryptor.py ├── README.md ├── main.py └── artifacts ├── 20180320-macOS-artifacts.yaml ├── 20150826-Mavericks.yaml ├── 20180413-macOS-artifacts.yaml └── 20180914-macOS-artifacts.yaml /requirements.txt: -------------------------------------------------------------------------------- 1 | altgraph==0.15 2 | macholib==1.9 3 | modulegraph==0.16 4 | psutil==5.4.5 5 | py2app==0.14 6 | pyaml==17.12.1 7 | pycrypto==2.6.1 8 | PyYAML==3.12 9 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | """ 2 | This is a setup.py script generated by py2applet 3 | 4 | Usage: 5 | python setup.py py2app 6 | """ 7 | 8 | from setuptools import setup 9 | 10 | APP = ['main.py'] 11 | DATA_FILES = ['artifacts/20180413-macOS-artifacts.yaml', 'id_rsa.pub'] 12 | OPTIONS = {} 13 | 14 | setup( 15 | app=APP, 16 | data_files=DATA_FILES, 17 | options={'py2app': OPTIONS}, 18 | setup_requires=['py2app'], 19 | ) 20 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 nrvana 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # my rsa keys 2 | id_rsa.pub 3 | decryption/id_rsa 4 | 5 | # IDE files 6 | .idea/ 7 | .vscode/ 8 | 9 | # Byte-compiled / optimized / DLL files 10 | __pycache__/ 11 | *.py[cod] 12 | *$py.class 13 | 14 | # C extensions 15 | *.so 16 | 17 | # Distribution / packaging 18 | .Python 19 | env/ 20 | build/ 21 | develop-eggs/ 22 | dist/ 23 | downloads/ 24 | eggs/ 25 | .eggs/ 26 | lib/ 27 | lib64/ 28 | parts/ 29 | sdist/ 30 | var/ 31 | wheels/ 32 | *.egg-info/ 33 | .installed.cfg 34 | *.egg 35 | 36 | # PyInstaller 37 | # Usually these files are written by a python script from a template 38 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 39 | *.manifest 40 | *.spec 41 | 42 | # Installer logs 43 | pip-log.txt 44 | pip-delete-this-directory.txt 45 | 46 | # Unit test / coverage reports 47 | htmlcov/ 48 | .tox/ 49 | .coverage 50 | .coverage.* 51 | .cache 52 | nosetests.xml 53 | coverage.xml 54 | *.cover 55 | .hypothesis/ 56 | 57 | # Translations 58 | *.mo 59 | *.pot 60 | 61 | # Django stuff: 62 | *.log 63 | local_settings.py 64 | 65 | # Flask stuff: 66 | instance/ 67 | .webassets-cache 68 | 69 | # Scrapy stuff: 70 | .scrapy 71 | 72 | # Sphinx documentation 73 | docs/_build/ 74 | 75 | # PyBuilder 76 | target/ 77 | 78 | # Jupyter Notebook 79 | .ipynb_checkpoints 80 | 81 | # pyenv 82 | .python-version 83 | 84 | # celery beat schedule file 85 | celerybeat-schedule 86 | 87 | # SageMath parsed files 88 | *.sage.py 89 | 90 | # dotenv 91 | .env 92 | 93 | # virtualenv 94 | .venv 95 | venv/ 96 | ENV/ 97 | 98 | # Spyder project settings 99 | .spyderproject 100 | .spyproject 101 | 102 | # Rope project settings 103 | .ropeproject 104 | 105 | # mkdocs documentation 106 | /site 107 | 108 | # mypy 109 | .mypy_cache/ 110 | -------------------------------------------------------------------------------- /decryption/collection_package_decryptor.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import argparse 4 | import hashlib 5 | import base64 6 | import os 7 | import sys 8 | import struct 9 | import logging 10 | from Crypto.PublicKey import RSA 11 | from Crypto.Cipher import AES 12 | 13 | class Decryptor(): 14 | def __init__(self, key_file): 15 | logging.basicConfig(level=logging.DEBUG) 16 | self.logger = logging.getLogger(__name__) 17 | 18 | self.logger.info("Reading private key.") 19 | try: 20 | with open(key_file, 'r') as f: 21 | private_key = f.read() 22 | except: 23 | self.logger.critical("Could not open private key file. Exiting.") 24 | sys.exit(1) 25 | self.private_key = RSA.importKey(private_key) 26 | 27 | def extract_package_key(self, enc_package_file): 28 | self.logger.info("Extracting private key from package file.") 29 | with open(enc_package_file, 'rb') as f: 30 | ciphertext = f.read() 31 | key_position = ciphertext.rindex('PKGKEY') 32 | self.enc_package_key = ciphertext[key_position:].split('PKGKEY')[1] 33 | with open(enc_package_file.replace('.enc', '.tmp'), 'wb') as outfile: 34 | # create copy of package file and trim package key 35 | outfile.write(ciphertext) 36 | outfile.seek(0) 37 | outfile.truncate(key_position) 38 | 39 | def decrypt_package_key(self): 40 | self.logger.info("Decrypting package key.") 41 | return self.private_key.decrypt(self.enc_package_key) 42 | 43 | def decrypt_package(self, key, in_filename, out_filename=None, chunksize=24*1024): 44 | self.logger.info("Decrypting file.") 45 | 46 | if not out_filename: 47 | out_filename = os.path.splitext(in_filename)[0] 48 | 49 | with open(in_filename.replace('.enc', '.tmp'), 'r') as infile: 50 | origsize = struct.unpack('>> from Crypto.PublicKey import RSA 37 | >>> random_generator = Random.new().read 38 | >>> key = RSA.generate(2048, random_generator) 39 | >>> print key.exportKey() 40 | -----BEGIN RSA PRIVATE KEY----- 41 | ... 42 | -----END RSA PRIVATE KEY----- 43 | # save this entire output to a file in a safe place for decryption later 44 | >>> print key.publickey().exportKey() 45 | -----BEGIN PUBLIC KEY----- 46 | ... 47 | -----END PUBLIC KEY----- 48 | # save this entire output to a file named 'id_rsa.pub' in the root of the script directory 49 | 50 | 51 | ## .enc Package Decryption 52 | 53 | To decrypt an encrypted package, perform the following steps: 54 | 55 | python decryption/collection_package_decryptor.py -k -f 56 | 57 | ## "Operation not permitted" Error in macOS Mojave 58 | 59 | As of macOS 10.14 (Mojave), the Terminal app no longer has full disk access. In order to enable it, you must do the following: 60 | 61 | - [ ] Open **System Preferences** from the Apple menu () 62 | - [ ] Select **Security & Privacy** 63 | - [ ] Select the **Privacy** tab 64 | - [ ] Select **Full Disk Access** from the left pane 65 | - [ ] Click the plus (+) button to add the Terminal app to the list of apps approved to access the full disk (you likely need to click the lock in the lower lefthand corner and authenticate with administrator privileges to unlock this functionality) 66 | - [ ] Navigate to `/Applications/Utilities/Terminal.app` to add the Terminal app to the list of approved applications 67 | - [ ] Relaunch the Terminal and you will now have full disk access 68 | 69 | The good news is this should be sufficient for full disk access without having to [disable SIP](http://osxdaily.com/2015/10/05/disable-rootless-system-integrity-protection-mac-os-x/) as of macOS 10.4 (Mojave). 70 | 71 | To learn more, see [this blog post by Paul Horowitz](http://osxdaily.com/2018/10/09/fix-operation-not-permitted-terminal-error-macos/). 72 | 73 | ## TODO 74 | 75 | * ability to package triage script into a single binary with all dependencies and config information 76 | * integrate with https://github.com/wrmsr/pmem/tree/master/OSXPMem 77 | 78 | ## License 79 | 80 | This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details. 81 | 82 | ## Acknowledgments 83 | 84 | * This project is indebted to the work of [@pstirparo](https://github.com/pstirparo) in the 85 | [mac4n6](https://github.com/pstirparo/mac4n6) project for the OSX artifact yaml file and for making it available under 86 | the [Creative Commons Attribution-ShareAlike 2.5 Generic (CC BY-SA 2.5) license](http://creativecommons.org/licenses/by-sa/2.5/). 87 | -------------------------------------------------------------------------------- /main.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | """ 3 | macOS triage is a python script to collect various macOS logs, artifacts, and other data. 4 | 5 | Copyright (c) 2018 nrvana 6 | 7 | Permission is hereby granted, free of charge, to any person obtaining a copy 8 | of this software and associated documentation files (the "Software"), to deal 9 | in the Software without restriction, including without limitation the rights 10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 11 | copies of the Software, and to permit persons to whom the Software is 12 | furnished to do so, subject to the following conditions: 13 | 14 | The above copyright notice and this permission notice shall be included in all 15 | copies or substantial portions of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 23 | SOFTWARE. 24 | """ 25 | 26 | __author__ = "nrvana" 27 | __credits__ = ["Brian Marks", "Dan O'Day", "@pstirparo"] 28 | __license__ = "MIT" 29 | __version__ = "0.2" 30 | 31 | 32 | import argparse 33 | import atexit 34 | import base64 35 | import glob 36 | import hashlib 37 | import json 38 | import logging 39 | import os 40 | import random 41 | import shutil 42 | import struct 43 | import sys 44 | import tarfile 45 | import time 46 | import hashlib 47 | 48 | import psutil 49 | import yaml 50 | from Crypto.Cipher import AES 51 | from Crypto.PublicKey import RSA 52 | 53 | 54 | # thinking about modularizing a few parts of this.. TBD 55 | #from lib import pre-collection 56 | 57 | 58 | class Triage(): 59 | def __init__(self, target, encrypt, user_mode, output_location): 60 | 61 | logging.basicConfig(level=logging.WARN) 62 | self.logger = logging.getLogger(__name__) 63 | 64 | # default collection items 65 | self.triage_items = dict() 66 | items = ["user_mru","unified_audit_log","log_files","persistence", 67 | "mdls_recurse","volatile","hash_binaries","browser_artifacts","im_artifacts", 68 | "ios_artifacts","mail_artifacts","external_media", 69 | "user_artifacts","system_artifacts"] 70 | 71 | for i in items: 72 | self.triage_items[i] = True 73 | 74 | self.triage_items["volatile"] = False 75 | self.triage_items["hash_binaries"] = False 76 | # self.triage_items["user_mru"] = False 77 | self.triage_items["unified_audit_log"] = False 78 | self.triage_items["log_files"] = False 79 | # self.triage_items["persistence"] = False 80 | self.triage_items["mdls_recurse"] = False 81 | self.triage_items["browser_artifacts"] = False 82 | self.triage_items["im_artifacts"] = False 83 | self.triage_items["ios_artifacts"] = False 84 | self.triage_items["mail_artifacts"] = False 85 | # self.triage_items["external_media"] = False 86 | self.triage_items["user_artifacts"] = False 87 | self.triage_items["system_artifacts"] = False 88 | 89 | self.target = target 90 | self.user_mode = user_mode 91 | self.encrypt = encrypt 92 | 93 | self.live_triage = True 94 | self.key_file = 'id_rsa.pub' 95 | self.load_rsa_public_key() 96 | 97 | self.collection_time = int(time.time()) 98 | self.collection_dir = output_location + '/{}.collection'.format(self.collection_time) 99 | self.logger.info("Making collection staging directory.") 100 | os.makedirs(self.collection_dir) 101 | self.artifact_yaml_file = "20180914-macOS-artifacts.yaml" 102 | self.load_artifact_yaml_file() 103 | 104 | self.logger.info('Performing triage with the following options:') 105 | self.logger.info('Triage items: {}'.format(self.triage_items)) 106 | self.logger.info('Encrypted output: {}'.format(self.rsa_public_key != '')) 107 | 108 | ########################################## 109 | # HELPER FUNCTIONS 110 | ########################################## 111 | 112 | # PRE-COLLECTION 113 | def load_rsa_public_key(self): 114 | self.logger.info("Reading public key for encryption.") 115 | try: 116 | with open(self.key_file, 'r') as f: 117 | self.rsa_public_key = f.read() 118 | except: 119 | self.logger.critical("Could not open public key file. Exiting.") 120 | sys.exit(1) 121 | 122 | # PRE-COLLECTION 123 | def load_artifact_yaml_file(self): 124 | # needed this workaround for py2app to load yaml file correctly 125 | if os.path.exists('artifacts'): 126 | self.artifact_yaml_file = os.path.join('artifacts', self.artifact_yaml_file) 127 | try: 128 | yaml_artifacts = yaml.load_all(open(self.artifact_yaml_file, 'r')) 129 | except yaml.YAMLError as e: 130 | self.logger.critical("macOS artifact yaml file was not parsed properly: {} Exiting.".format(e)) 131 | sys.exit(1) 132 | except IOError as e: 133 | self.logger.critical("macOS artifact yaml file not found: {} Exiting.".format(e)) 134 | sys.exit(1) 135 | 136 | self.artifact_list = list() 137 | for a in yaml_artifacts: 138 | self.artifact_list.append(a) 139 | 140 | # PRE-COLLECTIOnormcase 141 | def determine_live_or_dead(self): 142 | # if target is the root file system, this is a live triage 143 | if self.target == "/": 144 | self.live_triage = True 145 | else: 146 | self.live_triage = False 147 | 148 | # COLLECTION 149 | def perform_triage(self): 150 | self.determine_live_or_dead() 151 | 152 | # root permission check 153 | if os.getuid() != 0: 154 | self.logger.warn('[!] Triage script is not running as root, artifacts able to be collected will be limited.') 155 | self.is_root = False 156 | if not self.user_mode: 157 | self.logger.critical('[!] Triage attempted to be performed without the user_mode override flag being set. Exiting.') 158 | sys.exit(1) 159 | else: 160 | self.is_root = True 161 | 162 | if self.encrypt and self.rsa_public_key == "": 163 | self.logger.critical('[!] Triage encryption option enabled, but rsa_public_key is empty. Exiting..') 164 | sys.exit(1) 165 | 166 | if self.triage_items["volatile"]: self.collect_volatile() 167 | if self.triage_items["hash_binaries"]: self.hash_binaries() 168 | if self.triage_items["user_mru"]: self.collect_category("MRU") 169 | if self.triage_items["unified_audit_log"]: self.collect_ual() 170 | if self.triage_items["log_files"]: self.collect_category("Logs") 171 | if self.triage_items["persistence"]: self.collect_category("Autoruns") 172 | if self.triage_items["mdls_recurse"]: self.mdls_search() 173 | if self.triage_items["browser_artifacts"]: self.collect_category("Browser") 174 | if self.triage_items["im_artifacts"]: self.collect_category("IM") 175 | if self.triage_items["ios_artifacts"]: self.collect_category("IOS") 176 | if self.triage_items["mail_artifacts"]: self.collect_category("Mail") 177 | if self.triage_items["external_media"]: self.collect_category("External Media") 178 | if self.triage_items["user_artifacts"]: self.collect_category("Users") 179 | if self.triage_items["system_artifacts"]: self.collect_category("System") 180 | 181 | 182 | self.collected_file_sha256() 183 | self.compress_collection() 184 | 185 | if self.rsa_public_key != '' and self.encrypt: 186 | self.logger.info("Encrypting output file.") 187 | self.encrypt_output() 188 | 189 | # COLLECTION 190 | def collect_category(self, category): 191 | self.logger.debug("Attempting to collect category {}".format(category)) 192 | for artifact in self.artifact_list: 193 | if category in artifact['labels']: 194 | for path in artifact['sources'][0]['attributes']['paths']: 195 | # try: 196 | if type(path) == list: path = path[0] 197 | self.collect_artifact(path.replace('%%users.homedir%%','/Users/*')) 198 | 199 | # COLLECTION 200 | def collect_artifact(self, path, collection_subdirectory=''): 201 | 202 | if not self.live_triage: 203 | path = self.target + path 204 | self.logger.debug("Attempting to collect artifact {}".format(path)) 205 | for item in glob.glob(path): 206 | # create collection staging directory path for item. 207 | # collection_subdirectory is used for special cases like unified audit logs and volitile data. 208 | collection_path = self.collection_dir + collection_subdirectory + os.path.abspath(item) 209 | collection_path_dir = self.collection_dir + collection_subdirectory + os.path.dirname(item) 210 | if os.path.exists(collection_path_dir): 211 | self.logger.debug("Directory exists for {}, skipping directory creation.".format(item)) 212 | else: 213 | self.logger.info("Making a new collection directory for {}.".format(item)) 214 | os.makedirs(collection_path_dir) 215 | try: 216 | # directory collection 217 | if os.path.isdir(item): 218 | self.logger.info("Collecting directory {}".format(item)) 219 | self._copytree(item, collection_path) 220 | # file collection 221 | else: 222 | self.logger.info("Collecting file {}".format(item)) 223 | shutil.copy2(item, collection_path) 224 | except IOError as e: 225 | # import pdb; pdb.set_trace() 226 | self.logger.error("Could not collect artifact {}: {}".format(item, e)) 227 | except OSError as e: 228 | # import pdb; pdb.set_trace() 229 | self.logger.error("Could not collect artifact {}: {}".format(item, e)) 230 | 231 | # COLLECTION 232 | def _copytree(self, src, dst, symlinks=False, ignore=None): 233 | # source is directory 234 | try: 235 | shutil.copytree(src, dst, symlinks, ignore) 236 | return 237 | except shutil.Error as e: 238 | self.logger.error("Copytree error: {}".format(e)) 239 | 240 | ########################################## 241 | # NON STANDARD COLLECTION FUNCTIONS 242 | ########################################## 243 | def collect_volatile(self): 244 | ps_list = list() 245 | open_files = list() 246 | 247 | for p in psutil.pids(): 248 | try: 249 | ps_list.append(psutil.Process(p).as_dict()) 250 | for f in psutil.Process(p).open_files(): 251 | tmp = f._asdict() 252 | tmp['pid'] = p 253 | open_files.append(json.dumps(tmp)) 254 | except psutil._exceptions.AccessDenied as e: 255 | self.logger.error("Psutil error: {}".format(e)) 256 | except psutil._exceptions.ZombieProcess as e: 257 | self.logger.error("Psutil error: {}".format(e)) 258 | except OSError as e: 259 | self.logger.error("Psutil error: {}".format(e)) 260 | self.output_volatile('ps_list', ps_list) 261 | self.output_volatile('open_files', open_files) 262 | 263 | try: 264 | self.output_volatile('net_connections', psutil.net_connections()) 265 | except psutil._exceptions.AccessDenied as e: 266 | self.logger.error("Psutil error: {}".format(e)) 267 | 268 | users = list() 269 | for u in psutil.users(): 270 | users.append(json.dumps(u._asdict())) 271 | self.output_volatile('users', users) 272 | 273 | self.output_volatile('net_if_addrs', psutil.net_if_addrs()) 274 | 275 | disks = list() 276 | for d in psutil.disk_partitions(): 277 | disks.append(json.dumps(d._asdict())) 278 | self.output_volatile('disk_partitions', disks) 279 | disk_usage = list() 280 | for disk in psutil.disk_partitions(): 281 | disk_usage.append(json.dumps(psutil.disk_usage(disk.mountpoint)._asdict())) 282 | self.output_volatile('disk_usage', disk_usage) 283 | 284 | self.output_volatile('uptime', os.popen('uptime').read()) 285 | 286 | def output_volatile(self, command, output): 287 | volatile_collection_dir = os.path.join(self.collection_dir, 'volatile_output') 288 | volatile_collection_path = os.path.join(volatile_collection_dir, command) 289 | if os.path.exists(volatile_collection_dir): 290 | self.logger.debug("Directory exists for {}, skipping directory creation.".format(volatile_collection_dir)) 291 | else: 292 | self.logger.info("Making a new collection directory for {}.".format(volatile_collection_dir)) 293 | os.makedirs(volatile_collection_dir) 294 | 295 | with open(volatile_collection_path, 'wb') as f: 296 | if isinstance(output, list): 297 | for line in output: 298 | f.write(str(line) + "\n") 299 | else: 300 | f.write(str(output)) 301 | 302 | def hash_binaries(self): 303 | hash_list = list() 304 | 305 | for p in psutil.pids(): 306 | try: 307 | binary = psutil.Process(p).cmdline()[0] 308 | pid = psutil.Process(p).pid 309 | name = psutil.Process(p).name() 310 | self.logger.info("Hashing process cmdline {}".format(binary)) 311 | filehash = self.get_sha256_hash(binary) 312 | pshash = dict() 313 | pshash['name'] = name 314 | pshash['pid'] = pid 315 | pshash['binary'] = binary 316 | pshash['hash'] = filehash 317 | hash_list.append(pshash) 318 | except psutil._exceptions.AccessDenied as e: 319 | self.logger.error("Psutil error: {}".format(e)) 320 | except psutil._exceptions.ZombieProcess as e: 321 | self.logger.error("Psutil error: {}".format(e)) 322 | except OSError as e: 323 | self.logger.error("Psutil error: {}".format(e)) 324 | except IOError as e: 325 | self.logger.error("File not found on disk: {}".format(e)) 326 | except IndexError as e: 327 | self.logger.error("Process does not have a cmdline entry: {}:{}".format(pid, name)) 328 | 329 | self.output_volatile('hash_binaries', hash_list) 330 | 331 | def get_sha256_hash(self, filepath): 332 | hasher = hashlib.sha256() 333 | BUF_SIZE = 65536 334 | 335 | with open(filepath, 'r') as f: 336 | while True: 337 | data = f.read(BUF_SIZE) 338 | if not data: 339 | break 340 | hasher.update(data) 341 | 342 | return hasher.hexdigest() 343 | 344 | def collect_ual(self): 345 | if self.is_root: 346 | if self.live_triage: 347 | os.system("log collect --output {}/ual_collection.logarchive".format(self.collection_dir)) 348 | else: 349 | try: 350 | # collect UAL directories into COLLECTION_ROOT/ual_collection 351 | # rename COLLECTION_ROOT/ual_collection to COLLECTION_ROOT/ual_collection.logarchive 352 | self.collect_artifact('/var/db/diagnostics/*', "/ual_collection") 353 | self.collect_artifact('/var/db/uuidtext/*', "/ual_collection") 354 | os.rename(self.collection_dir + '/ual_collection', self.collection_dir + '/ual_collection.logarchive') 355 | except IOError as e: 356 | self.logger.error("Could not collect artifact: {}".format(e)) 357 | except OSError as e: 358 | self.logger.error("Could not collect artifact: {}".format(e)) 359 | else: 360 | self.logger.warn("UAL collection selected, but triage is not running as root. Skipping UAL collection.") 361 | 362 | def mdls_search(self): 363 | mdls_user_directories = ['Applications','Desktop','Documents','Downloads','Library'] 364 | 365 | for d in mdls_user_directories: 366 | for directory in glob.glob('/Users/*/{}'.format(d)): 367 | for tgtfile in os.listdir(directory): 368 | try: 369 | self.mdls_collect(tgtfile, directory) 370 | except IOError as e: 371 | self.logger.error("Could not run mdls on artifact: {}".format(e)) 372 | except OSError as e: 373 | self.logger.error("Could not run mdls on artifact: {}".format(e)) 374 | 375 | mdls_system_directories = ["/Applications"] 376 | for directory in mdls_system_directories: 377 | for tgtfile in os.listdir(directory): 378 | try: 379 | self.mdls_collect(tgtfile, directory) 380 | except IOError as e: 381 | self.logger.error("Could not run mdls on artifact: {}".format(e)) 382 | except OSError as e: 383 | self.logger.error("Could not run mdls on artifact: {}".format(e)) 384 | 385 | def mdls_collect(self, tgtfile, directory): 386 | mdls_collection_dir = os.path.join(self.collection_dir, 'mdls_collection') 387 | # os.mkdir(mdls_collection_dir) 388 | mdls_tgt_path = os.path.join(directory, tgtfile) 389 | mdls_collection_path = mdls_collection_dir + directory 390 | # if os.path.isfile(mdls_tgt_path): 391 | if os.path.exists(mdls_collection_path): 392 | self.logger.debug("Directory exists for {}, skipping directory creation.".format(mdls_collection_path)) 393 | else: 394 | self.logger.info("Making a new collection directory for {}.".format(mdls_collection_path)) 395 | os.makedirs(mdls_collection_path) 396 | os.system('mdls -plist "{}" "{}"'.format(mdls_collection_path + '/' + tgtfile + '.mdls.plist', mdls_tgt_path)) 397 | 398 | def md5_program_folders(self): 399 | pass 400 | 401 | def collect_pmem(self): 402 | pass 403 | 404 | # POST-COLLECTION 405 | def collected_file_sha256(self): 406 | self.logger.info("Creating SHA256 manifest file.") 407 | with open(os.path.join(self.collection_dir, 'collection_manifest.sha256'), 'w') as f: 408 | for root, dirs,files in os.walk(self.collection_dir, topdown=True): 409 | for name in files: 410 | FileName = (os.path.join(root, name)) 411 | hasher = hashlib.sha256() 412 | with open(str(FileName), 'rb') as afile: 413 | buf = afile.read() 414 | hasher.update(buf) 415 | f.write("{} SHA256:{}\n".format(os.path.join(root, name), hasher.hexdigest())) 416 | 417 | def compress_collection(self): 418 | self.logger.info("Compressing collection output into tar gzip file.") 419 | tar = tarfile.open('{}.tar.gz'.format(self.collection_dir), 'w:gz') 420 | tar.add(self.collection_dir, recursive=True) 421 | tar.close() 422 | 423 | self.logger.info("Deleting collection directory.") 424 | shutil.rmtree(self.collection_dir) 425 | 426 | # POST-COLLECTION 427 | class AESCipher(object): 428 | 429 | def __init__(self, key): 430 | self.bs = 32 431 | self.key = hashlib.sha256(key.encode()).digest() 432 | 433 | def encrypt(self, raw): 434 | raw = self._pad(raw) 435 | iv = Random.new().read(AES.block_size) 436 | cipher = AES.new(self.key, AES.MODE_CBC, iv) 437 | return base64.b64encode(iv + cipher.encrypt(raw)) 438 | 439 | def decrypt(self, enc): 440 | enc = base64.b64decode(enc) 441 | iv = enc[:AES.block_size] 442 | cipher = AES.new(self.key, AES.MODE_CBC, iv) 443 | return self._unpad(cipher.decrypt(enc[AES.block_size:])).decode('utf-8') 444 | 445 | def _pad(self, s): 446 | return s + (self.bs - len(s) % self.bs) * chr(self.bs - len(s) % self.bs) 447 | 448 | @staticmethod 449 | def _unpad(s): 450 | return s[:-ord(s[len(s)-1:])] 451 | 452 | # POST-COLLECTION 453 | def encrypt_output(self, chunksize=64*1024): 454 | # create randomly generated collection key for AES 455 | password = os.urandom(16) 456 | key = hashlib.sha256(password).digest() 457 | 458 | # encrypt collection key with public key to make package key 459 | pubkey = RSA.importKey(self.rsa_public_key) 460 | collection_key = pubkey.encrypt(key.encode('hex'), 16)[0] 461 | 462 | in_filename = '{}.tar.gz'.format(self.collection_dir) 463 | out_filename = in_filename + '.enc' 464 | 465 | iv = ''.join(chr(random.randint(0, 0xFF)) for i in range(16)) 466 | encryptor = AES.new(key, AES.MODE_CBC, iv) 467 | filesize = os.path.getsize(in_filename) 468 | 469 | # encrypt collection package and 470 | # append encrypted collection key to collection package 471 | with open(in_filename, 'rb') as infile: 472 | with open(out_filename, 'wb') as outfile: 473 | outfile.write(struct.pack('\' for a mounted volume.\ 503 | Default option is live system.') 504 | 505 | argument_parser.add_argument( 506 | u'-o', u'--output', dest=u'output_location', action=u'store', type=str, default='.', 507 | help=u'Specify an output location other than the current working directory.') 508 | 509 | options = argument_parser.parse_args() 510 | 511 | t = Triage(options.target, options.encrypt, options.user_mode, options.output_location) 512 | 513 | @atexit.register 514 | def exit_handler(): 515 | if os.path.exists(t.collection_dir): 516 | t.logger.info("Cleaning up collection directory {}.".format(t.collection_dir)) 517 | shutil.rmtree(t.collection_dir) 518 | 519 | t.perform_triage() 520 | 521 | if __name__ == "__main__": 522 | main() 523 | -------------------------------------------------------------------------------- /artifacts/20180320-macOS-artifacts.yaml: -------------------------------------------------------------------------------- 1 | # Mac OS X (Darwin) specific artifacts. 2 | # mac4n6: https://github.com/pstirparo/mac4n6 3 | # Reference: http://forensicswiki.org/wiki/Mac_OS_X 4 | # Reference: http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location 5 | 6 | --- 7 | name: OSXLaunchAgents 8 | doc: Launch Agents files 9 | sources: 10 | - type: FILE 11 | attributes: 12 | paths: 13 | - ['/Library/LaunchAgents/*'] 14 | - ['/System/Library/LaunchAgents/*'] 15 | labels: [System, Autoruns] 16 | supported_os: [Darwin] 17 | --- 18 | name: OSXLaunchDaemons 19 | doc: Launch Daemons files 20 | sources: 21 | - type: FILE 22 | attributes: 23 | paths: 24 | - ['/Library/LaunchDaemons/*'] 25 | - ['/System/Library/LaunchDaemons/*'] 26 | labels: [System, Autoruns] 27 | supported_os: [Darwin] 28 | --- 29 | name: OSXStartupItems 30 | doc: Startup Items file 31 | sources: 32 | - type: FILE 33 | attributes: 34 | paths: 35 | - ['/Library/StartupItems/*'] 36 | - ['/System/Library/StartupItems/*'] 37 | labels: [System, Autoruns] 38 | supported_os: [Darwin] 39 | --- 40 | name: OSXGeneralSystemLogs 41 | doc: System Log files main folder 42 | sources: 43 | - type: FILE 44 | attributes: 45 | paths: ['/var/log/*'] 46 | labels: [System, Logs] 47 | supported_os: [Darwin] 48 | --- 49 | name: OSXAppleSystemLogs 50 | doc: Apple System Log 51 | sources: 52 | - type: FILE 53 | attributes: 54 | paths: ['/var/log/asl/*'] 55 | labels: [System, Logs] 56 | supported_os: [Darwin] 57 | --- 58 | name: OSXAuditLogs 59 | doc: Audit Log 60 | sources: 61 | - type: FILE 62 | attributes: 63 | paths: ['/var/audit/*'] 64 | labels: [System, Logs] 65 | supported_os: [Darwin] 66 | --- 67 | name: OSXInstallationLog 68 | doc: Installation log 69 | sources: 70 | - type: FILE 71 | attributes: 72 | paths: ['/var/log/install.log'] 73 | labels: [System, Logs] 74 | supported_os: [Darwin] 75 | --- 76 | name: OSXSystemPreferences 77 | doc: System Preferences files 78 | sources: 79 | - type: FILE 80 | attributes: 81 | paths: ['/Library/Preferences/*'] 82 | labels: [System] 83 | supported_os: [Darwin] 84 | --- 85 | name: OSXGlobalPrefs 86 | doc: Global Preferences 87 | sources: 88 | - type: FILE 89 | attributes: 90 | paths: ['/Library/Preferences/.GlobalPreferences.plist'] 91 | labels: [System] 92 | supported_os: [Darwin] 93 | --- 94 | name: OSXLoginWindow 95 | doc: Login Window Info 96 | sources: 97 | - type: FILE 98 | attributes: 99 | paths: ['/Library/Preferences/com.apple.loginwindow.plist'] 100 | labels: [System, Authentication] 101 | supported_os: [Darwin] 102 | --- 103 | name: OSXBluetooth 104 | doc: Bluetooth Preferences and paierd device info 105 | sources: 106 | - type: FILE 107 | attributes: 108 | paths: ['/Library/Preferences/com.apple.Bluetooth.plist'] 109 | labels: [System, Logs] 110 | supported_os: [Darwin] 111 | --- 112 | name: OSXTimeMachine 113 | doc: Time Machine Info 114 | sources: 115 | - type: FILE 116 | attributes: 117 | paths: ['/Library/Preferences/com.apple.TimeMachine.plist'] 118 | labels: [System] 119 | supported_os: [Darwin] 120 | --- 121 | name: OSXInstallationTime 122 | doc: OS Installation time 123 | sources: 124 | - type: FILE 125 | attributes: 126 | paths: ['/var/db/.AppleSetupDone'] 127 | labels: [System] 128 | supported_os: [Darwin] 129 | --- 130 | name: OSXSystemVersion 131 | doc: OS name and version 132 | sources: 133 | - type: FILE 134 | attributes: 135 | paths: ['/System/Library/CoreServices/SystemVersion.plist'] 136 | labels: [System] 137 | supported_os: [Darwin] 138 | --- 139 | name: OSXPasswordHashes 140 | doc: Users Log In Password Hash Plist 141 | sources: 142 | - type: FILE 143 | attributes: 144 | paths: ['/var/db/dslocal/nodes/Default%%users.homedir%%'] 145 | labels: [System, Users, Authentication] 146 | supported_os: [Darwin] 147 | --- 148 | name: OSXSleepimage 149 | doc: Sleep Image File 150 | sources: 151 | - type: FILE 152 | attributes: 153 | paths: ['/var/vm/sleepimage'] 154 | labels: [System] 155 | supported_os: [Darwin] 156 | --- 157 | name: OSXSwapfiles 158 | doc: Swap Files 159 | sources: 160 | - type: FILE 161 | attributes: 162 | paths: ['/var/vm/swapfile#'] 163 | labels: [System] 164 | supported_os: [Darwin] 165 | --- 166 | name: OSXKexts 167 | doc: Kernel Extension 168 | sources: 169 | - type: FILE 170 | attributes: 171 | paths: 172 | - ['/System/Library/Extensions/*'] 173 | - ['/Library/Extensions/*'] 174 | labels: [System] 175 | supported_os: [Darwin] 176 | --- 177 | name: OSXInstallationHistory 178 | doc: Software Installation History 179 | sources: 180 | - type: FILE 181 | attributes: 182 | paths: ['/Library/Receipts/InstallHistory.plist'] 183 | labels: [System] 184 | supported_os: [Darwin] 185 | --- 186 | name: OSXUpdate 187 | doc: Software Update 188 | sources: 189 | - type: FILE 190 | attributes: 191 | paths: ['/Library/Preferences/com.apple.SoftwareUpdate.plist'] 192 | labels: [System] 193 | supported_os: [Darwin] 194 | --- 195 | name: OSXLocalTime 196 | doc: Current Time Zone 197 | sources: 198 | - type: FILE 199 | attributes: 200 | paths: ['/etc/localtime'] 201 | labels: [System] 202 | supported_os: [Darwin] 203 | --- 204 | name: OSXAtJobs 205 | doc: Mac OS X at jobs 206 | sources: 207 | - type: FILE 208 | attributes: 209 | paths: ['/usr/lib/cron/jobs/*'] 210 | labels: [System] 211 | supported_os: [Darwin] 212 | urls: ['https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/at.1.html#//apple_ref/doc/man/1/at'] 213 | --- 214 | name: OSXCronTabs 215 | doc: Cron tabs 216 | sources: 217 | - type: FILE 218 | attributes: 219 | paths: 220 | - ['/etc/crontab'] 221 | - ['/usr/lib/cron/tabs/*'] 222 | labels: [System] 223 | supported_os: [Darwin] 224 | --- 225 | name: OSXPeriodicSystemFunctions 226 | doc: Periodic system functions scripts and configuration 227 | sources: 228 | - type: FILE 229 | attributes: 230 | paths: 231 | - ['/etc/defaults/periodic.conf'] 232 | - ['/etc/periodic.conf'] 233 | - ['/etc/periodic.conf.local'] 234 | - ['/etc/periodic/**2'] 235 | - ['/usr/local/etc/periodic/**2'] 236 | - ['/etc/daily.local/*'] 237 | - ['/etc/weekly.local/*'] 238 | - ['/etc/monthly.local/*'] 239 | labels: [System] 240 | supported_os: [Darwin] 241 | urls: ['https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/periodic.8.html#//apple_ref/doc/man/8/periodic'] 242 | --- 243 | name: OSXHostsFIle 244 | doc: Hosts file 245 | sources: 246 | - type: FILE 247 | attributes: 248 | paths: ['/etc/hosts'] 249 | labels: [System, Network] 250 | supported_os: [Darwin] 251 | --- 252 | name: OSXWirelessNetworks 253 | doc: Remembered Wireless Networks 254 | sources: 255 | - type: FILE 256 | attributes: 257 | paths: ['/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist'] 258 | labels: [System, Network] 259 | supported_os: [Darwin] 260 | --- 261 | name: OSXUserLoginItems 262 | doc: Login Items 263 | sources: 264 | - type: FILE 265 | attributes: 266 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.loginitems.plist'] 267 | labels: [Users] 268 | supported_os: [Darwin] 269 | --- 270 | name: OSXUserPref 271 | doc: User preferences directory 272 | sources: 273 | - type: FILE 274 | attributes: 275 | paths: ['%%users.homedir%%/Library/Preferences/*'] 276 | labels: [Users] 277 | supported_os: [Darwin] 278 | --- 279 | name: OSXiCloudPref 280 | doc: iCloud user preferences 281 | sources: 282 | - type: FILE 283 | attributes: 284 | paths: ['%%users.homedir%%/Library/Preferences/MobileMeAccounts.plist'] 285 | labels: [Users, Cloud, Account] 286 | supported_os: [Darwin] 287 | --- 288 | name: OSXSidebarlists 289 | doc: Sidebar Lists Preferences 290 | sources: 291 | - type: FILE 292 | attributes: 293 | paths: ['%%users.homedir%%/Preferences/com.apple.sidebarlists.plist'] 294 | labels: [Users, External Media] 295 | supported_os: [Darwin] 296 | --- 297 | name: OSXGlobalPreferences 298 | doc: Global Preferences 299 | sources: 300 | - type: FILE 301 | attributes: 302 | paths: ['%%users.homedir%%/Library/Preferences/.GlobalPreferences.plist'] 303 | labels: [Users] 304 | supported_os: [Darwin] 305 | --- 306 | name: OSXDock 307 | doc: Dock database 308 | sources: 309 | - type: FILE 310 | attributes: 311 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.Dock.plist'] 312 | labels: [Users] 313 | supported_os: [Darwin] 314 | --- 315 | name: OSXiDevices 316 | doc: Attached iDevices 317 | sources: 318 | - type: FILE 319 | attributes: 320 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.iPod.plist'] 321 | labels: [Users, External Media] 322 | supported_os: [Darwin] 323 | --- 324 | name: OSXQuarantineEvents 325 | doc: Quarantine Event Database 326 | sources: 327 | - type: FILE 328 | attributes: 329 | paths: 330 | - ['%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEvents'] 331 | - ['%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2'] 332 | labels: [Users, Software] 333 | supported_os: [Darwin] 334 | --- 335 | name: OSXUserApplicationLogs 336 | doc: User and Applications Logs Directory 337 | sources: 338 | - type: FILE 339 | attributes: 340 | paths: ['%%users.homedir%%/Library/Logs/*'] 341 | labels: [Users, Logs] 342 | supported_os: [Darwin] 343 | --- 344 | name: OSXMiscLogs 345 | doc: Misc. Logs 346 | sources: 347 | - type: FILE 348 | attributes: 349 | paths: ['/Library/Logs/*'] 350 | labels: [Users, Logs] 351 | supported_os: [Darwin] 352 | --- 353 | name: OSXBashHistory 354 | doc: Terminal Commands History 355 | sources: 356 | - type: FILE 357 | attributes: 358 | paths: ['%%users.homedir%%/.bash_history'] 359 | labels: [Users, Logs] 360 | supported_os: [Darwin] 361 | --- 362 | name: OSXUserSocialAccounts 363 | doc: User's Social Accounts 364 | sources: 365 | - type: FILE 366 | attributes: 367 | paths: ['%%users.homedir%%/Library/Accounts/Accounts3.sqlite'] 368 | labels: [Users, Accounts] 369 | supported_os: [Darwin] 370 | --- 371 | name: OSXiOSBackupsMainDir 372 | doc: iOS device backups directory 373 | sources: 374 | - type: FILE 375 | attributes: 376 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*'] 377 | labels: [Users, iOS] 378 | supported_os: [Darwin] 379 | --- 380 | name: OSXiOSBackupInfo 381 | doc: iOS device backup information 382 | sources: 383 | - type: FILE 384 | attributes: 385 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/info.plist'] 386 | labels: [Users, iOS] 387 | supported_os: [Darwin] 388 | --- 389 | name: OSXiOSBackupManifest 390 | doc: iOS device backup apps information 391 | sources: 392 | - type: FILE 393 | attributes: 394 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.plist'] 395 | labels: [Users, iOS] 396 | supported_os: [Darwin] 397 | --- 398 | name: OSXiOSBackupMbdb 399 | doc: iOS device backup files information 400 | sources: 401 | - type: FILE 402 | attributes: 403 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.mdbd'] 404 | labels: [Users, iOS] 405 | supported_os: [Darwin] 406 | --- 407 | name: OSXiOSBackupStatus 408 | doc: iOS device backup status information 409 | sources: 410 | - type: FILE 411 | attributes: 412 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Status.plist'] 413 | labels: [Users, iOS] 414 | supported_os: [Darwin] 415 | --- 416 | name: OSXRecentItems 417 | doc: Recent Items 418 | sources: 419 | - type: FILE 420 | attributes: 421 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.recentitems.plist'] 422 | labels: [Users] 423 | supported_os: [Darwin] 424 | --- 425 | name: OSXApplicationsRecentItems 426 | doc: Recent Items application specific 427 | sources: 428 | - type: FILE 429 | attributes: 430 | paths: ['%%users.homedir%%/Library/Preferences/*LSSharedFileList.plist'] 431 | labels: [Users, Software] 432 | supported_os: [Darwin] 433 | --- 434 | name: OSXApplicationSupport 435 | doc: Application Support Directory 436 | sources: 437 | - type: FILE 438 | attributes: 439 | paths: ['%%users.homedir%%/Library/Application Support/*'] 440 | labels: [Users, Software] 441 | supported_os: [Darwin] 442 | --- 443 | name: OSXiCloudAccounts 444 | doc: iCloud Accounts 445 | sources: 446 | - type: FILE 447 | attributes: 448 | paths: ['%%users.homedir%%/Library/Application Support/iCloud/Accounts/*'] 449 | labels: [Users, Software, Cloud, Account] 450 | supported_os: [Darwin] 451 | --- 452 | name: OSXSkypeMainDir 453 | doc: Skype Directory 454 | sources: 455 | - type: FILE 456 | attributes: 457 | paths: ['%%users.homedir%%/Library/Application Support/Skype/*'] 458 | labels: [Users, Software, IM] 459 | supported_os: [Darwin] 460 | --- 461 | name: OSXSkypeUserProfile 462 | doc: Skype User profile 463 | sources: 464 | - type: FILE 465 | attributes: 466 | paths: ['%%users.homedir%%/Library/Application Support/Skype/*/*'] 467 | labels: [Users, Software, IM] 468 | supported_os: [Darwin] 469 | --- 470 | name: OSXSkypePreferences 471 | doc: Skype Preferences and Recent Searches 472 | sources: 473 | - type: FILE 474 | attributes: 475 | paths: ['%%users.homedir%%/Library/Preferences/com.skype.skype.plist'] 476 | labels: [Users, Software, IM] 477 | supported_os: [Darwin] 478 | --- 479 | name: OSXSkypeDb 480 | doc: Main Skype database 481 | sources: 482 | - type: FILE 483 | attributes: 484 | paths: ['%%users.homedir%%/Library/Application Support/Skype/*/Main.db'] 485 | labels: [Users, Software, IM] 486 | supported_os: [Darwin] 487 | --- 488 | name: OSXSkypechatsync 489 | doc: Chat Sync Directory 490 | sources: 491 | - type: FILE 492 | attributes: 493 | paths: ['%%users.homedir%%/Library/Application Support/Skype/*/chatsync/*'] 494 | labels: [Users, Software, IM] 495 | supported_os: [Darwin] 496 | --- 497 | name: OSXSafariMainDir 498 | doc: Safari Main Folder 499 | sources: 500 | - type: FILE 501 | attributes: 502 | paths: ['%%users.homedir%%/Library/Safari/*'] 503 | labels: [Users, Software, Browser] 504 | supported_os: [Darwin] 505 | --- 506 | name: OSXSafariBookmarks 507 | doc: Safari Bookmarks 508 | sources: 509 | - type: FILE 510 | attributes: 511 | paths: ['%%users.homedir%%/Library/Safari/Bookmarks.plist'] 512 | labels: [Users, Software, Browser] 513 | supported_os: [Darwin] 514 | --- 515 | name: OSXSafariDownloads 516 | doc: Safari Downloads 517 | sources: 518 | - type: FILE 519 | attributes: 520 | paths: ['%%users.homedir%%/Library/Safari/Downloads.plist'] 521 | labels: [Users, Software, Browser] 522 | supported_os: [Darwin] 523 | --- 524 | name: OSXSafariExtensions 525 | doc: Safari Installed Extensions 526 | sources: 527 | - type: FILE 528 | attributes: 529 | paths: 530 | - ['%%users.homedir%%/Library/Safari/Extensions/Extensions.plist'] 531 | - ['%%users.homedir%%/Library/Safari/Extensions/*'] 532 | labels: [Users, Software, Browser] 533 | supported_os: [Darwin] 534 | --- 535 | name: OSXSafariHistory 536 | doc: Safari History 537 | sources: 538 | - type: FILE 539 | attributes: 540 | paths: ['%%users.homedir%%/Library/Safari/History.plist'] 541 | labels: [Users, Software, Browser] 542 | supported_os: [Darwin] 543 | --- 544 | name: OSXSafariHistoryIndex 545 | doc: Safari History Index 546 | sources: 547 | - type: FILE 548 | attributes: 549 | paths: ['%%users.homedir%%/Library/Safari/HistoryIndex.sk'] 550 | labels: [Users, Software, Browser] 551 | supported_os: [Darwin] 552 | --- 553 | name: OSXSafariLastSession 554 | doc: Safari Last Session 555 | sources: 556 | - type: FILE 557 | attributes: 558 | paths: ['%%users.homedir%%/Library/Safari/LastSession.plist'] 559 | labels: [Users, Software, Browser] 560 | supported_os: [Darwin] 561 | --- 562 | name: OSXSafariLocalStorage 563 | doc: Safari Local Storage Directory 564 | sources: 565 | - type: FILE 566 | attributes: 567 | paths: ['%%users.homedir%%/Library/Safari/LocalStorage/*'] 568 | labels: [Users, Software, Browser] 569 | supported_os: [Darwin] 570 | --- 571 | name: OSXSafariStorageTracker 572 | doc: Safari Local Storage Database 573 | sources: 574 | - type: FILE 575 | attributes: 576 | paths: ['%%users.homedir%%/Library/Safari/LocalStorage/StorageTracker.db'] 577 | labels: [Users, Software, Browser] 578 | supported_os: [Darwin] 579 | --- 580 | name: OSXSafariTopSites 581 | doc: Safari Top Sites 582 | sources: 583 | - type: FILE 584 | attributes: 585 | paths: ['%%users.homedir%%/Library/Safari/TopSites.plist'] 586 | labels: [Users, Software, Browser] 587 | supported_os: [Darwin] 588 | --- 589 | name: OSXSafariWebpageIcons 590 | doc: Safari Webpage Icons Database 591 | sources: 592 | - type: FILE 593 | attributes: 594 | paths: ['%%users.homedir%%/Library/Safari/WebpageIcons.db'] 595 | labels: [Users, Software, Browser] 596 | supported_os: [Darwin] 597 | --- 598 | name: OSXSafariDatabases 599 | doc: Safari Webpage Databases 600 | sources: 601 | - type: FILE 602 | attributes: 603 | paths: ['%%users.homedir%%/Library/Safari/Databases/*'] 604 | labels: [Users, Software, Browser] 605 | supported_os: [Darwin] 606 | --- 607 | name: OSXSafariCacheDir 608 | doc: Safari Cache Directory 609 | sources: 610 | - type: FILE 611 | attributes: 612 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/*'] 613 | labels: [Users, Software, Browser] 614 | supported_os: [Darwin] 615 | --- 616 | name: OSXSafariCache 617 | doc: Safari Cache 618 | sources: 619 | - type: FILE 620 | attributes: 621 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/Cache.db'] 622 | labels: [Users, Software, Browser] 623 | supported_os: [Darwin] 624 | --- 625 | name: OSXSafariCacheExtensions 626 | doc: Safari Extensions Cache 627 | sources: 628 | - type: FILE 629 | attributes: 630 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/Extensions/*'] 631 | labels: [Users, Software, Browser] 632 | supported_os: [Darwin] 633 | --- 634 | name: OSXSafariWebPreviews 635 | doc: Safari Webpage Previews 636 | sources: 637 | - type: FILE 638 | attributes: 639 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/Webpage Previews/*'] 640 | labels: [Users, Software, Browser] 641 | supported_os: [Darwin] 642 | --- 643 | name: OSXSafariCookies 644 | doc: Safari Cookies 645 | sources: 646 | - type: FILE 647 | attributes: 648 | paths: ['%%users.homedir%%/Library/Cookies/Cookies.binarycookies'] 649 | labels: [Users, Software, Browser] 650 | supported_os: [Darwin] 651 | --- 652 | name: OSXSafariPreferences 653 | doc: Safari Preferences and Search terms 654 | sources: 655 | - type: FILE 656 | attributes: 657 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.Safari.plist'] 658 | labels: [Users, Software, Browser] 659 | supported_os: [Darwin] 660 | --- 661 | name: OSXSafariExtPreferences 662 | doc: Safari Extension Preferences 663 | sources: 664 | - type: FILE 665 | attributes: 666 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.Safari.Extensions.plist'] 667 | labels: [Users, Software, Browser] 668 | supported_os: [Darwin] 669 | --- 670 | name: OSXSafariCacheBookmarks 671 | doc: Safari Bookmark Cache 672 | sources: 673 | - type: FILE 674 | attributes: 675 | paths: ['%%users.homedir%%/Library/Caches/Metadata/Safari/Bookmarks/*'] 676 | labels: [Users, Software, Browser] 677 | supported_os: [Darwin] 678 | --- 679 | name: OSXSafariCacheHistory 680 | doc: Safari History Cache 681 | sources: 682 | - type: FILE 683 | attributes: 684 | paths: ['%%users.homedir%%/Library/Caches/Metadata/Safari/History/*'] 685 | labels: [Users, Software, Browser] 686 | supported_os: [Darwin] 687 | --- 688 | name: OSXSafariTempImg 689 | doc: Safari Temporary Images 690 | sources: 691 | - type: FILE 692 | attributes: 693 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/fsCachedData/*'] 694 | labels: [Users, Software, Browser] 695 | supported_os: [Darwin] 696 | --- 697 | name: OSXFirefoxDir 698 | doc: Firefox Directory 699 | sources: 700 | - type: FILE 701 | attributes: 702 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/*'] 703 | labels: [Users, Software, Browser] 704 | supported_os: [Darwin] 705 | --- 706 | name: OSXFirefoxProfiles 707 | doc: Firefox Profiles 708 | sources: 709 | - type: FILE 710 | attributes: 711 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*'] 712 | labels: [Users, Software, Browser] 713 | supported_os: [Darwin] 714 | --- 715 | name: OSXFirefoxCookies 716 | doc: Firefox Cookies 717 | sources: 718 | - type: FILE 719 | attributes: 720 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Cookies.sqlite'] 721 | labels: [Users, Software, Browser] 722 | supported_os: [Darwin] 723 | --- 724 | name: OSXFirefoxDownloads 725 | doc: Firefox Downloads 726 | sources: 727 | - type: FILE 728 | attributes: 729 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Downloads.sqlite'] 730 | labels: [Users, Software, Browser] 731 | supported_os: [Darwin] 732 | --- 733 | name: OSXFirefoxFormhistory 734 | doc: Firefox Form History 735 | sources: 736 | - type: FILE 737 | attributes: 738 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Formhistory.sqlite'] 739 | labels: [Users, Software, Browser] 740 | supported_os: [Darwin] 741 | --- 742 | name: OSXFirefoxHistory 743 | doc: Firefox History 744 | sources: 745 | - type: FILE 746 | attributes: 747 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Places.sqlite'] 748 | labels: [Users, Software, Browser] 749 | supported_os: [Darwin] 750 | --- 751 | name: OSXFirefoxPassword 752 | doc: Firefox Signon 753 | sources: 754 | - type: FILE 755 | attributes: 756 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/signons.sqlite'] 757 | labels: [Users, Software, Browser] 758 | supported_os: [Darwin] 759 | --- 760 | name: OSXFirefoxKey 761 | doc: Firefox Key 762 | sources: 763 | - type: FILE 764 | attributes: 765 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/key3.db'] 766 | labels: [Users, Software, Browser] 767 | supported_os: [Darwin] 768 | --- 769 | name: OSXFirefoxPermission 770 | doc: Firefox Permissions 771 | sources: 772 | - type: FILE 773 | attributes: 774 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/permissions.sqlite'] 775 | labels: [Users, Software, Browser] 776 | supported_os: [Darwin] 777 | --- 778 | name: OSXFirefoxAddons 779 | doc: Firefox Add-ons 780 | sources: 781 | - type: FILE 782 | attributes: 783 | paths: 784 | - ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/addons.sqlite'] 785 | - ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/addons.json'] 786 | labels: [Users, Software, Browser] 787 | supported_os: [Darwin] 788 | --- 789 | name: OSXFirefoxExtension 790 | doc: Firefox Extension 791 | sources: 792 | - type: FILE 793 | attributes: 794 | paths: 795 | - ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/extensions.sqlite'] 796 | - ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/extensions.json'] 797 | labels: [Users, Software, Browser] 798 | supported_os: [Darwin] 799 | --- 800 | name: OSXFirefoxContentPrefs 801 | doc: Firefox Pages Settings 802 | sources: 803 | - type: FILE 804 | attributes: 805 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/content-prefs.sqlite'] 806 | labels: [Users, Software, Browser] 807 | supported_os: [Darwin] 808 | --- 809 | name: OSXChromeMainDir 810 | doc: Chrome Main Folder 811 | sources: 812 | - type: FILE 813 | attributes: 814 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*'] 815 | labels: [Users, Software, Browser] 816 | supported_os: [Darwin] 817 | --- 818 | name: OSXChromeDefaultDir 819 | doc: Chrome Default profile 820 | sources: 821 | - type: FILE 822 | attributes: 823 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/default/*'] 824 | labels: [Users, Software, Browser] 825 | supported_os: [Darwin] 826 | --- 827 | name: OSXChromeHistory 828 | doc: Chrome History 829 | sources: 830 | - type: FILE 831 | attributes: 832 | paths: 833 | - ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/History'] 834 | - ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History'] 835 | labels: [Users, Software, Browser] 836 | supported_os: [Darwin] 837 | --- 838 | name: OSXChromeBookmarks 839 | doc: Chrome Bookmarks 840 | sources: 841 | - type: FILE 842 | attributes: 843 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Bookmarks'] 844 | labels: [Users, Software, Browser] 845 | supported_os: [Darwin] 846 | --- 847 | name: OSXChromeCookies 848 | doc: Chrome Cookies 849 | sources: 850 | - type: FILE 851 | attributes: 852 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Cookies'] 853 | labels: [Users, Software, Browser] 854 | supported_os: [Darwin] 855 | --- 856 | name: OSXChromeLocalStorage 857 | doc: Chrome Local Storage 858 | sources: 859 | - type: FILE 860 | attributes: 861 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Local Storage/*.localstorage'] 862 | labels: [Users, Software, Browser] 863 | supported_os: [Darwin] 864 | --- 865 | name: OSXChromeLogin 866 | doc: Chrome Login Data 867 | sources: 868 | - type: FILE 869 | attributes: 870 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Login Data'] 871 | labels: [Users, Software, Browser] 872 | supported_os: [Darwin] 873 | --- 874 | name: OSXChromeTopSistes 875 | doc: Chrome Top Sites 876 | sources: 877 | - type: FILE 878 | attributes: 879 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Top Sites'] 880 | labels: [Users, Software, Browser] 881 | supported_os: [Darwin] 882 | --- 883 | name: OSXChromeWebData 884 | doc: Chrome Web Data 885 | sources: 886 | - type: FILE 887 | attributes: 888 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Web Data'] 889 | labels: [Users, Software, Browser] 890 | supported_os: [Darwin] 891 | --- 892 | name: OSXChromeExtension 893 | doc: Chrome Extensions 894 | sources: 895 | - type: FILE 896 | attributes: 897 | paths: 898 | - ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/databases/*'] 899 | - ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/databases/Databases.db'] 900 | labels: [Users, Software, Browser] 901 | supported_os: [Darwin] 902 | --- 903 | name: OSXChromeCache 904 | doc: Chrome Cache 905 | sources: 906 | - type: FILE 907 | attributes: 908 | paths: ['%%users.homedir%%/Library/Caches/com.google.Chrome/Cache.db'] 909 | labels: [Users, Software, Browser] 910 | supported_os: [Darwin] 911 | --- 912 | name: OSXChromePreferences 913 | doc: Chrome Preferences Files 914 | sources: 915 | - type: FILE 916 | attributes: 917 | paths: ['%%users.homedir%%/Library/Preferences/com.google.Chrome.plist'] 918 | labels: [Users, Software, Browser] 919 | supported_os: [Darwin] 920 | --- 921 | name: OSXMailBackupTOC 922 | doc: Mail BackupTOC 923 | sources: 924 | - type: FILE 925 | attributes: 926 | paths: ['%%users.homedir%%/Library/Mail/V2/MailData/BackupTOC.plist'] 927 | labels: [Users, Software, Mail] 928 | supported_os: [Darwin] 929 | --- 930 | name: OSCMailEnvelopIndex 931 | doc: Mail Envelope Index 932 | sources: 933 | - type: FILE 934 | attributes: 935 | paths: ['%%users.homedir%%/Library/Mail/V2/MailData/Envelope Index'] 936 | labels: [Users, Software, Mail] 937 | supported_os: [Darwin] 938 | --- 939 | name: OSXMailOpenedAttachments 940 | doc: Mail Opened Attachments 941 | sources: 942 | - type: FILE 943 | attributes: 944 | paths: ['%%users.homedir%%/Library/Mail/V2/MailData/OpenedAttachmentsV2.plist'] 945 | labels: [Users, Software, Mail] 946 | supported_os: [Darwin] 947 | --- 948 | name: OSXMailPrefs 949 | doc: Mail Preferences 950 | sources: 951 | - type: FILE 952 | attributes: 953 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.Mail.plist'] 954 | labels: [Users, Software, Mail] 955 | supported_os: [Darwin] 956 | --- 957 | name: OSXMailRecentContacts 958 | doc: Mail Recent Contacts 959 | sources: 960 | - type: FILE 961 | attributes: 962 | paths: ['%%users.homedir%%/Library/Application Support/AddressBook/MailRecents-v4.abcdmr'] 963 | labels: [Users, Software, Mail] 964 | supported_os: [Darwin] 965 | --- 966 | name: OSXMailAccounts 967 | doc: Mail Accounts 968 | sources: 969 | - type: FILE 970 | attributes: 971 | paths: ['%%users.homedir%%/Library/Mail/V2/MailData/Accounts.plist'] 972 | labels: [Users, Software, Mail] 973 | supported_os: [Darwin] 974 | --- 975 | name: macOS_MRU_files 976 | doc: MRU files 977 | sources: 978 | - type: FILE 979 | attributes: 980 | paths: 981 | - ['%%users.homedir%%/Library/Preferences/*.LSSharedFileList.plist'] 982 | - ['%%users.homedir%%/Library/Preferences/com.apple.finder.plist'] 983 | - ['%%users.homedir%%/Library/Preferences/com.apple.recentitems.plist'] 984 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/*.sfl'] 985 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentApplications.sfl'] 986 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentDocuments.sfl'] 987 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentServers.sfl'] 988 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentHosts.sfl'] 989 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/*.sfl2'] 990 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentApplications.sfl2'] 991 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentDocuments.sfl2'] 992 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentServers.sfl2'] 993 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentHosts.sfl2'] 994 | - ['%%users.homedir%%/Library/Preferences/com.microsoft.office.plist'] 995 | - ['%%users.homedir%%/Library/Containers/com.microsoft.*/Data/Library/Preferences/com.microsoft.*.securebookmarks.plist'] 996 | - ['%%users.homedir%%/Library/Application Support/com.apple.spotlight.Shortcuts'] 997 | - ['%%users.homedir%%/Library/Preferences/com.apple.sidebarlists.plist'] 998 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.FavoriteVolumes.sfl2'] 999 | labels: [Users, MRU] 1000 | supported_os: [Sierra] 1001 | --- 1002 | name: UnifiedAuditLog 1003 | doc: Unified Audit Log 1004 | sources: 1005 | - type: DIRECTORY 1006 | attributes: 1007 | paths: 1008 | - ['/var/db/diagnostics'] 1009 | - ['/var/db/uuidtext'] 1010 | labels: [UAL] 1011 | supported_os: [Sierra] 1012 | -------------------------------------------------------------------------------- /artifacts/20150826-Mavericks.yaml: -------------------------------------------------------------------------------- 1 | # Mac OS X (Darwin) specific artifacts. 2 | # mac4n6: https://github.com/pstirparo/mac4n6 3 | # Reference: http://forensicswiki.org/wiki/Mac_OS_X 4 | # Reference: http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location 5 | # Last update: 2015-08-26 6 | 7 | name: OSXLaunchAgents 8 | doc: Launch Agents files 9 | sources: 10 | - type: FILE 11 | attributes: 12 | paths: 13 | - '/Library/LaunchAgents/*' 14 | - '/System/Library/LaunchAgents/*' 15 | labels: [System] 16 | supported_os: [Darwin] 17 | --- 18 | name: OSXLaunchDaemons 19 | doc: Launch Daemons files 20 | sources: 21 | - type: FILE 22 | attributes: 23 | paths: 24 | - '/Library/LaunchDaemons/*' 25 | - '/System/Library/LaunchDaemons/*' 26 | labels: [System] 27 | supported_os: [Darwin] 28 | --- 29 | name: OSXStartupItems 30 | doc: Startup Items file 31 | sources: 32 | - type: FILE 33 | attributes: 34 | paths: 35 | - '/Library/StartupItems/*' 36 | - '/System/Library/StartupItems/*' 37 | labels: [System] 38 | supported_os: [Darwin] 39 | --- 40 | name: OSXGeneralSystemLogs 41 | doc: System Log files main folder 42 | sources: 43 | - type: FILE 44 | attributes: 45 | paths: ['/var/log/*'] 46 | labels: [System, Logs] 47 | supported_os: [Darwin] 48 | --- 49 | name: OSXAppleSystemLogs 50 | doc: Apple System Log 51 | sources: 52 | - type: FILE 53 | attributes: 54 | paths: ['/var/log/asl/*'] 55 | labels: [System, Logs] 56 | supported_os: [Darwin] 57 | --- 58 | name: OSXAuditLogs 59 | doc: Audit Log 60 | sources: 61 | - type: FILE 62 | attributes: 63 | paths: ['/var/audit/*'] 64 | labels: [System, Logs] 65 | supported_os: [Darwin] 66 | --- 67 | name: OSXInstallationLog 68 | doc: Installation log 69 | sources: 70 | - type: FILE 71 | attributes: 72 | paths: ['/var/log/install.log'] 73 | labels: [System, Logs] 74 | supported_os: [Darwin] 75 | --- 76 | name: OSXSystemPreferences 77 | doc: System Preferences files 78 | sources: 79 | - type: FILE 80 | attributes: 81 | paths: ['/Library/Preferences/*'] 82 | labels: [System] 83 | supported_os: [Darwin] 84 | --- 85 | name: OSXGlobalPrefs 86 | doc: Global Preferences 87 | sources: 88 | - type: FILE 89 | attributes: 90 | paths: ['/Library/Preferences/.GlobalPreferences.plist'] 91 | labels: [System] 92 | supported_os: [Darwin] 93 | --- 94 | name: OSXLoginWindow 95 | doc: Login Window Info 96 | sources: 97 | - type: FILE 98 | attributes: 99 | paths: ['/Library/Preferences/com.apple.loginwindow.plist'] 100 | labels: [System, Authentication] 101 | supported_os: [Darwin] 102 | --- 103 | name: OSXBluetooth 104 | doc: Bluetooth Preferences and paierd device info 105 | sources: 106 | - type: FILE 107 | attributes: 108 | paths: ['/Library/Preferences/com.apple.Bluetooth.plist'] 109 | labels: [System, Logs] 110 | supported_os: [Darwin] 111 | --- 112 | name: OSXTimeMachine 113 | doc: Time Machine Info 114 | sources: 115 | - type: FILE 116 | attributes: 117 | paths: ['/Library/Preferences/com.apple.TimeMachine.plist'] 118 | labels: [System] 119 | supported_os: [Darwin] 120 | --- 121 | name: OSXInstallationTime 122 | doc: OS Installation time 123 | sources: 124 | - type: FILE 125 | attributes: 126 | paths: ['/var/db/.AppleSetupDone'] 127 | labels: [System] 128 | supported_os: [Darwin] 129 | --- 130 | name: OSXSystemVersion 131 | doc: OS name and version 132 | sources: 133 | - type: FILE 134 | attributes: 135 | paths: ['/System/Library/CoreServices/SystemVersion.plist'] 136 | labels: [System] 137 | supported_os: [Darwin] 138 | --- 139 | name: OSXPasswordHashes 140 | doc: Users Log In Password Hash Plist 141 | sources: 142 | - type: FILE 143 | attributes: 144 | paths: ['/var/db/dslocal/nodes/Default/users/*'] 145 | labels: [System, Users, Authentication] 146 | supported_os: [Darwin] 147 | --- 148 | name: OSXSleepimage 149 | doc: Sleep Image File 150 | sources: 151 | - type: FILE 152 | attributes: 153 | paths: ['/var/vm/sleepimage'] 154 | labels: [System] 155 | supported_os: [Darwin] 156 | --- 157 | name: OSXSwapfiles 158 | doc: Swap Files 159 | sources: 160 | - type: FILE 161 | attributes: 162 | paths: ['/var/vm/swapfile#'] 163 | labels: [System] 164 | supported_os: [Darwin] 165 | --- 166 | name: OSXKexts 167 | doc: Kernel Extension 168 | sources: 169 | - type: FILE 170 | attributes: 171 | paths: 172 | - '/System/Library/Extensions/*' 173 | - '/Library/Extensions/*' 174 | labels: [System] 175 | supported_os: [Darwin] 176 | --- 177 | name: OSXInstallationHistory 178 | doc: Software Installation History 179 | sources: 180 | - type: FILE 181 | attributes: 182 | paths: ['/Library/Receipts/InstallHistory.plist'] 183 | labels: [System] 184 | supported_os: [Darwin] 185 | --- 186 | name: OSXUpdate 187 | doc: Software Update 188 | sources: 189 | - type: FILE 190 | attributes: 191 | paths: ['/Library/Preferences/com.apple.SoftwareUpdate.plist'] 192 | labels: [System] 193 | supported_os: [Darwin] 194 | --- 195 | name: OSXLocalTime 196 | doc: Current Time Zone 197 | sources: 198 | - type: FILE 199 | attributes: 200 | paths: ['/etc/localtime'] 201 | labels: [System] 202 | supported_os: [Darwin] 203 | --- 204 | name: OSXAtJobs 205 | doc: Mac OS X at jobs 206 | sources: 207 | - type: FILE 208 | attributes: 209 | paths: ['/usr/lib/cron/jobs/*'] 210 | labels: [System] 211 | supported_os: [Darwin] 212 | urls: ['https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/at.1.html#//apple_ref/doc/man/1/at'] 213 | --- 214 | name: OSXCronTabs 215 | doc: Cron tabs 216 | sources: 217 | - type: FILE 218 | attributes: 219 | paths: 220 | - '/etc/crontab' 221 | - '/usr/lib/cron/tabs/*' 222 | labels: [System] 223 | supported_os: [Darwin] 224 | --- 225 | name: OSXPeriodicSystemFunctions 226 | doc: Periodic system functions scripts and configuration 227 | sources: 228 | - type: FILE 229 | attributes: 230 | paths: 231 | - '/etc/defaults/periodic.conf' 232 | - '/etc/periodic.conf' 233 | - '/etc/periodic.conf.local' 234 | - '/etc/periodic/**2' 235 | - '/usr/local/etc/periodic/**2' 236 | - '/etc/daily.local/*' 237 | - '/etc/weekly.local/*' 238 | - '/etc/monthly.local/*' 239 | labels: [System] 240 | supported_os: [Darwin] 241 | urls: ['https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/periodic.8.html#//apple_ref/doc/man/8/periodic'] 242 | --- 243 | name: OSXHostsFIle 244 | doc: Hosts file 245 | sources: 246 | - type: FILE 247 | attributes: 248 | paths: ['/etc/hosts'] 249 | labels: [System, Network] 250 | supported_os: [Darwin] 251 | --- 252 | name: OSXWirelessNetworks 253 | doc: Remembered Wireless Networks 254 | sources: 255 | - type: FILE 256 | attributes: 257 | paths: ['/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist'] 258 | labels: [System, Network] 259 | supported_os: [Darwin] 260 | --- 261 | name: OSXUserLoginItems 262 | doc: Login Items 263 | sources: 264 | - type: FILE 265 | attributes: 266 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.loginitems.plist'] 267 | labels: [Users] 268 | supported_os: [Darwin] 269 | --- 270 | name: OSXUsers 271 | doc: Users directories in /Users 272 | sources: 273 | - type: FILE 274 | attributes: 275 | paths: ['/Users/*'] 276 | labels: [Users] 277 | supported_os: [Darwin] 278 | --- 279 | name: OSXUserDownloadsDir 280 | doc: Downloads Directory 281 | sources: 282 | - type: FILE 283 | attributes: 284 | paths: ['%%users.homedir%%/Downloads/*'] 285 | labels: [Users] 286 | supported_os: [Darwin] 287 | --- 288 | name: OSXUserDocumentsDir 289 | doc: Documents Directory 290 | sources: 291 | - type: FILE 292 | attributes: 293 | paths: ['%%users.homedir%%/Documents/*'] 294 | labels: [Users] 295 | supported_os: [Darwin] 296 | --- 297 | name: OSXUserMusicDir 298 | doc: Music Directory 299 | sources: 300 | - type: FILE 301 | attributes: 302 | paths: ['%%users.homedir%%/Music/*'] 303 | labels: [Users] 304 | supported_os: [Darwin] 305 | --- 306 | name: OSXUserDesktopDir 307 | doc: Desktop Directory 308 | sources: 309 | - type: FILE 310 | attributes: 311 | paths: ['%%users.homedir%%/Desktop/*'] 312 | labels: [Users] 313 | supported_os: [Darwin] 314 | --- 315 | name: OSXUserLibraryDir 316 | doc: Library Directory 317 | sources: 318 | - type: FILE 319 | attributes: 320 | paths: ['%%users.homedir%%/Library/*'] 321 | labels: [Users] 322 | supported_os: [Darwin] 323 | --- 324 | name: OSXUserMoviesDir 325 | doc: Movies Directory 326 | sources: 327 | - type: FILE 328 | attributes: 329 | paths: ['%%users.homedir%%/Movies/*'] 330 | labels: [Users] 331 | supported_os: [Darwin] 332 | --- 333 | name: OSXUserPicturesDir 334 | doc: Pictures Directory 335 | sources: 336 | - type: FILE 337 | attributes: 338 | paths: ['%%users.homedir%%/Pictures/*'] 339 | labels: [Users] 340 | supported_os: [Darwin] 341 | --- 342 | name: OSXUserPublicDir 343 | doc: Public Directory 344 | sources: 345 | - type: FILE 346 | attributes: 347 | paths: ['%%users.homedir%%/Public/*'] 348 | labels: [Users] 349 | supported_os: [Darwin] 350 | --- 351 | name: OSXApplications 352 | doc: Applications 353 | sources: 354 | - type: FILE 355 | attributes: 356 | paths: ['/Applications/*'] 357 | labels: [Users, Software] 358 | supported_os: [Darwin] 359 | --- 360 | name: OSXUserPref 361 | doc: User preferences directory 362 | sources: 363 | - type: FILE 364 | attributes: 365 | paths: ['%%users.homedir%%/Library/Preferences/*'] 366 | labels: [Users] 367 | supported_os: [Darwin] 368 | --- 369 | name: OSXiCloudPref 370 | doc: iCloud user preferences 371 | sources: 372 | - type: FILE 373 | attributes: 374 | paths: ['%%users.homedir%%/Library/Preferences/MobileMeAccounts.plist'] 375 | labels: [Users, Cloud, Account] 376 | supported_os: [Darwin] 377 | --- 378 | name: OSXSidebarlists 379 | doc: Sidebar Lists Preferences 380 | sources: 381 | - type: FILE 382 | attributes: 383 | paths: ['%%users.homedir%%/Preferences/com.apple.sidebarlists.plist'] 384 | labels: [Users, External Media] 385 | supported_os: [Darwin] 386 | --- 387 | name: OSXGlobalPreferences 388 | doc: Global Preferences 389 | sources: 390 | - type: FILE 391 | attributes: 392 | paths: ['%%users.homedir%%/Library/Preferences/.GlobalPreferences.plist'] 393 | labels: [Users] 394 | supported_os: [Darwin] 395 | --- 396 | name: OSXDock 397 | doc: Dock database 398 | sources: 399 | - type: FILE 400 | attributes: 401 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.Dock.plist'] 402 | labels: [Users] 403 | supported_os: [Darwin] 404 | --- 405 | name: OSXiDevices 406 | doc: Attached iDevices 407 | sources: 408 | - type: FILE 409 | attributes: 410 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.iPod.plist'] 411 | labels: [Users, External Media] 412 | supported_os: [Darwin] 413 | --- 414 | name: OSXQuarantineEvents 415 | doc: Quarantine Event Database 416 | sources: 417 | - type: FILE 418 | attributes: 419 | paths: 420 | - '%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEvents' 421 | - '%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2' 422 | labels: [Users, Software] 423 | supported_os: [Darwin] 424 | --- 425 | name: OSXUserApplicationLogs 426 | doc: User and Applications Logs Directory 427 | sources: 428 | - type: FILE 429 | attributes: 430 | paths: ['%%users.homedir%%/Library/Logs/*'] 431 | labels: [Users, Logs] 432 | supported_os: [Darwin] 433 | --- 434 | name: OSXMiscLogs 435 | doc: Misc. Logs 436 | sources: 437 | - type: FILE 438 | attributes: 439 | paths: ['/Library/Logs/*'] 440 | labels: [Users, Logs] 441 | supported_os: [Darwin] 442 | --- 443 | name: OSXBashHistory 444 | doc: Terminal Commands History 445 | sources: 446 | - type: FILE 447 | attributes: 448 | paths: ['%%users.homedir%%/.bash_history'] 449 | labels: [Users, Logs] 450 | supported_os: [Darwin] 451 | --- 452 | name: OSXUserSocialAccounts 453 | doc: User's Social Accounts 454 | sources: 455 | - type: FILE 456 | attributes: 457 | paths: ['%%users.homedir%%/Library/Accounts/Accounts3.sqlite'] 458 | labels: [Users, Accounts] 459 | supported_os: [Darwin] 460 | --- 461 | name: OSXiOSBackupsMainDir 462 | doc: iOS device backups directory 463 | sources: 464 | - type: FILE 465 | attributes: 466 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*'] 467 | labels: [Users, iOS] 468 | supported_os: [Darwin] 469 | --- 470 | name: OSXiOSBackupInfo 471 | doc: iOS device backup information 472 | sources: 473 | - type: FILE 474 | attributes: 475 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/info.plist'] 476 | labels: [Users, iOS] 477 | supported_os: [Darwin] 478 | --- 479 | name: OSXiOSBackupManifest 480 | doc: iOS device backup apps information 481 | sources: 482 | - type: FILE 483 | attributes: 484 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.plist'] 485 | labels: [Users, iOS] 486 | supported_os: [Darwin] 487 | --- 488 | name: OSXiOSBackupMbdb 489 | doc: iOS device backup files information 490 | sources: 491 | - type: FILE 492 | attributes: 493 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.mdbd'] 494 | labels: [Users, iOS] 495 | supported_os: [Darwin] 496 | --- 497 | name: OSXiOSBackupStatus 498 | doc: iOS device backup status information 499 | sources: 500 | - type: FILE 501 | attributes: 502 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Status.plist'] 503 | labels: [Users, iOS] 504 | supported_os: [Darwin] 505 | --- 506 | name: OSXRecentItems 507 | doc: Recent Items 508 | sources: 509 | - type: FILE 510 | attributes: 511 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.recentitems.plist'] 512 | labels: [Users] 513 | supported_os: [Darwin] 514 | --- 515 | name: OSXApplicationsRecentItems 516 | doc: Recent Items application specific 517 | sources: 518 | - type: FILE 519 | attributes: 520 | paths: ['%%users.homedir%%/Library/Preferences/*LSSharedFileList.plist'] 521 | labels: [Users, Software] 522 | supported_os: [Darwin] 523 | --- 524 | name: OSXApplicationSupport 525 | doc: Application Support Directory 526 | sources: 527 | - type: FILE 528 | attributes: 529 | paths: ['%%users.homedir%%/Library/Application Support/*'] 530 | labels: [Users, Software] 531 | supported_os: [Darwin] 532 | --- 533 | name: OSXKeychains 534 | doc: Keychain Directory 535 | sources: 536 | - type: FILE 537 | attributes: 538 | paths: ['%%users.homedir%%/Library/Keychains/*'] 539 | labels: [Users] 540 | supported_os: [Darwin] 541 | --- 542 | name: OSXUserTrash 543 | doc: User Trash Folder 544 | sources: 545 | - type: FILE 546 | attributes: 547 | paths: ['%%users.homedir%%/.Trash/*'] 548 | labels: [Users] 549 | supported_os: [Darwin] 550 | --- 551 | name: OSXiCloudAccounts 552 | doc: iCloud Accounts 553 | sources: 554 | - type: FILE 555 | attributes: 556 | paths: ['%%users.homedir%%/Library/Application Support/iCloud/Accounts/*'] 557 | labels: [Users, Software, Cloud, Account] 558 | supported_os: [Darwin] 559 | --- 560 | name: OSXSkypeMainDir 561 | doc: Skype Directory 562 | sources: 563 | - type: FILE 564 | attributes: 565 | paths: ['%%users.homedir%%/Library/Application Support/Skype/*'] 566 | labels: [Users, Software, IM] 567 | supported_os: [Darwin] 568 | --- 569 | name: OSXSkypeUserProfile 570 | doc: Skype User profile 571 | sources: 572 | - type: FILE 573 | attributes: 574 | paths: ['%%users.homedir%%/Library/Application Support/Skype/*/*'] 575 | labels: [Users, Software, IM] 576 | supported_os: [Darwin] 577 | --- 578 | name: OSXSkypePreferences 579 | doc: Skype Preferences and Recent Searches 580 | sources: 581 | - type: FILE 582 | attributes: 583 | paths: ['%%users.homedir%%/Library/Preferences/com.skype.skype.plist'] 584 | labels: [Users, Software, IM] 585 | supported_os: [Darwin] 586 | --- 587 | name: OSXSkypeDb 588 | doc: Main Skype database 589 | sources: 590 | - type: FILE 591 | attributes: 592 | paths: ['%%users.homedir%%/Library/Application Support/Skype/*/Main.db'] 593 | labels: [Users, Software, IM] 594 | supported_os: [Darwin] 595 | --- 596 | name: OSXSkypechatsync 597 | doc: Chat Sync Directory 598 | sources: 599 | - type: FILE 600 | attributes: 601 | paths: ['%%users.homedir%%/Library/Application Support/Skype/*/chatsync/*'] 602 | labels: [Users, Software, IM] 603 | supported_os: [Darwin] 604 | --- 605 | name: OSXSafariMainDir 606 | doc: Safari Main Folder 607 | sources: 608 | - type: FILE 609 | attributes: 610 | paths: ['%%users.homedir%%/Library/Safari/*'] 611 | labels: [Users, Software, Browser] 612 | supported_os: [Darwin] 613 | --- 614 | name: OSXSafariBookmarks 615 | doc: Safari Bookmarks 616 | sources: 617 | - type: FILE 618 | attributes: 619 | paths: ['%%users.homedir%%/Library/Safari/Bookmarks.plist'] 620 | labels: [Users, Software, Browser] 621 | supported_os: [Darwin] 622 | --- 623 | name: OSXSafariDownloads 624 | doc: Safari Downloads 625 | sources: 626 | - type: FILE 627 | attributes: 628 | paths: ['%%users.homedir%%/Library/Safari/Downloads.plist'] 629 | labels: [Users, Software, Browser] 630 | supported_os: [Darwin] 631 | --- 632 | name: OSXSafariExtensions 633 | doc: Safari Installed Extensions 634 | sources: 635 | - type: FILE 636 | attributes: 637 | paths: 638 | - '%%users.homedir%%/Library/Safari/Extensions/Extensions.plist' 639 | - '%%users.homedir%%/Library/Safari/Extensions/*' 640 | labels: [Users, Software, Browser] 641 | supported_os: [Darwin] 642 | --- 643 | name: OSXSafariHistory 644 | doc: Safari History 645 | sources: 646 | - type: FILE 647 | attributes: 648 | paths: ['%%users.homedir%%/Library/Safari/History.plist'] 649 | labels: [Users, Software, Browser] 650 | supported_os: [Darwin] 651 | --- 652 | name: OSXSafariHistoryIndex 653 | doc: Safari History Index 654 | sources: 655 | - type: FILE 656 | attributes: 657 | paths: ['%%users.homedir%%/Library/Safari/HistoryIndex.sk'] 658 | labels: [Users, Software, Browser] 659 | supported_os: [Darwin] 660 | --- 661 | name: OSXSafariLastSession 662 | doc: Safari Last Session 663 | sources: 664 | - type: FILE 665 | attributes: 666 | paths: ['%%users.homedir%%/Library/Safari/LastSession.plist'] 667 | labels: [Users, Software, Browser] 668 | supported_os: [Darwin] 669 | --- 670 | name: OSXSafariLocalStorage 671 | doc: Safari Local Storage Directory 672 | sources: 673 | - type: FILE 674 | attributes: 675 | paths: ['%%users.homedir%%/Library/Safari/LocalStorage/*'] 676 | labels: [Users, Software, Browser] 677 | supported_os: [Darwin] 678 | --- 679 | name: OSXSafariStorageTracker 680 | doc: Safari Local Storage Database 681 | sources: 682 | - type: FILE 683 | attributes: 684 | paths: ['%%users.homedir%%/Library/Safari/LocalStorage/StorageTracker.db'] 685 | labels: [Users, Software, Browser] 686 | supported_os: [Darwin] 687 | --- 688 | name: OSXSafariTopSites 689 | doc: Safari Top Sites 690 | sources: 691 | - type: FILE 692 | attributes: 693 | paths: ['%%users.homedir%%/Library/Safari/TopSites.plist'] 694 | labels: [Users, Software, Browser] 695 | supported_os: [Darwin] 696 | --- 697 | name: OSXSafariWebpageIcons 698 | doc: Safari Webpage Icons Database 699 | sources: 700 | - type: FILE 701 | attributes: 702 | paths: ['%%users.homedir%%/Library/Safari/WebpageIcons.db'] 703 | labels: [Users, Software, Browser] 704 | supported_os: [Darwin] 705 | --- 706 | name: OSXSafariDatabases 707 | doc: Safari Webpage Databases 708 | sources: 709 | - type: FILE 710 | attributes: 711 | paths: ['%%users.homedir%%/Library/Safari/Databases/*'] 712 | labels: [Users, Software, Browser] 713 | supported_os: [Darwin] 714 | --- 715 | name: OSXSafariCacheDir 716 | doc: Safari Cache Directory 717 | sources: 718 | - type: FILE 719 | attributes: 720 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/*'] 721 | labels: [Users, Software, Browser] 722 | supported_os: [Darwin] 723 | --- 724 | name: OSXSafariCache 725 | doc: Safari Cache 726 | sources: 727 | - type: FILE 728 | attributes: 729 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/Cache.db'] 730 | labels: [Users, Software, Browser] 731 | supported_os: [Darwin] 732 | --- 733 | name: OSXSafariCacheExtensions 734 | doc: Safari Extensions Cache 735 | sources: 736 | - type: FILE 737 | attributes: 738 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/Extensions/*'] 739 | labels: [Users, Software, Browser] 740 | supported_os: [Darwin] 741 | --- 742 | name: OSXSafariWebPreviews 743 | doc: Safari Webpage Previews 744 | sources: 745 | - type: FILE 746 | attributes: 747 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/Webpage Previews/*'] 748 | labels: [Users, Software, Browser] 749 | supported_os: [Darwin] 750 | --- 751 | name: OSXSafariCookies 752 | doc: Safari Cookies 753 | sources: 754 | - type: FILE 755 | attributes: 756 | paths: ['%%users.homedir%%/Library/Cookies/Cookies.binarycookies'] 757 | labels: [Users, Software, Browser] 758 | supported_os: [Darwin] 759 | --- 760 | name: OSXSafariPreferences 761 | doc: Safari Preferences and Search terms 762 | sources: 763 | - type: FILE 764 | attributes: 765 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.Safari.plist'] 766 | labels: [Users, Software, Browser] 767 | supported_os: [Darwin] 768 | --- 769 | name: OSXSafariExtPreferences 770 | doc: Safari Extension Preferences 771 | sources: 772 | - type: FILE 773 | attributes: 774 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.Safari.Extensions.plist'] 775 | labels: [Users, Software, Browser] 776 | supported_os: [Darwin] 777 | --- 778 | name: OSXSafariCacheBookmarks 779 | doc: Safari Bookmark Cache 780 | sources: 781 | - type: FILE 782 | attributes: 783 | paths: ['%%users.homedir%%/Library/Caches/Metadata/Safari/Bookmarks/*'] 784 | labels: [Users, Software, Browser] 785 | supported_os: [Darwin] 786 | --- 787 | name: OSXSafariCacheHistory 788 | doc: Safari History Cache 789 | sources: 790 | - type: FILE 791 | attributes: 792 | paths: ['%%users.homedir%%/Library/Caches/Metadata/Safari/History/*'] 793 | labels: [Users, Software, Browser] 794 | supported_os: [Darwin] 795 | --- 796 | name: OSXSafariTempImg 797 | doc: Safari Temporary Images 798 | sources: 799 | - type: FILE 800 | attributes: 801 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/fsCachedData/*'] 802 | labels: [Users, Software, Browser] 803 | supported_os: [Darwin] 804 | --- 805 | name: OSXFirefoxDir 806 | doc: Firefox Directory 807 | sources: 808 | - type: FILE 809 | attributes: 810 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/*'] 811 | labels: [Users, Software, Browser] 812 | supported_os: [Darwin] 813 | --- 814 | name: OSXFirefoxProfiles 815 | doc: Firefox Profiles 816 | sources: 817 | - type: FILE 818 | attributes: 819 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*'] 820 | labels: [Users, Software, Browser] 821 | supported_os: [Darwin] 822 | --- 823 | name: OSXFirefoxCookies 824 | doc: Firefox Cookies 825 | sources: 826 | - type: FILE 827 | attributes: 828 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Cookies.sqlite'] 829 | labels: [Users, Software, Browser] 830 | supported_os: [Darwin] 831 | --- 832 | name: OSXFirefoxDownloads 833 | doc: Firefox Downloads 834 | sources: 835 | - type: FILE 836 | attributes: 837 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Downloads.sqlite'] 838 | labels: [Users, Software, Browser] 839 | supported_os: [Darwin] 840 | --- 841 | name: OSXFirefoxFormhistory 842 | doc: Firefox Form History 843 | sources: 844 | - type: FILE 845 | attributes: 846 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Formhistory.sqlite'] 847 | labels: [Users, Software, Browser] 848 | supported_os: [Darwin] 849 | --- 850 | name: OSXFirefoxHistory 851 | doc: Firefox History 852 | sources: 853 | - type: FILE 854 | attributes: 855 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Places.sqlite'] 856 | labels: [Users, Software, Browser] 857 | supported_os: [Darwin] 858 | --- 859 | name: OSXFirefoxPassword 860 | doc: Firefox Signon 861 | sources: 862 | - type: FILE 863 | attributes: 864 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/signons.sqlite'] 865 | labels: [Users, Software, Browser] 866 | supported_os: [Darwin] 867 | --- 868 | name: OSXFirefoxKey 869 | doc: Firefox Key 870 | sources: 871 | - type: FILE 872 | attributes: 873 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/key3.db'] 874 | labels: [Users, Software, Browser] 875 | supported_os: [Darwin] 876 | --- 877 | name: OSXFirefoxPermission 878 | doc: Firefox Permissions 879 | sources: 880 | - type: FILE 881 | attributes: 882 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/permissions.sqlite'] 883 | labels: [Users, Software, Browser] 884 | supported_os: [Darwin] 885 | --- 886 | name: OSXFirefoxAddons 887 | doc: Firefox Add-ons 888 | sources: 889 | - type: FILE 890 | attributes: 891 | paths: 892 | - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/addons.sqlite' 893 | - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/addons.json' 894 | labels: [Users, Software, Browser] 895 | supported_os: [Darwin] 896 | --- 897 | name: OSXFirefoxExtension 898 | doc: Firefox Extension 899 | sources: 900 | - type: FILE 901 | attributes: 902 | paths: 903 | - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/extensions.sqlite' 904 | - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/extensions.json' 905 | labels: [Users, Software, Browser] 906 | supported_os: [Darwin] 907 | --- 908 | name: OSXFirefoxContentPrefs 909 | doc: Firefox Pages Settings 910 | sources: 911 | - type: FILE 912 | attributes: 913 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/content-prefs.sqlite'] 914 | labels: [Users, Software, Browser] 915 | supported_os: [Darwin] 916 | --- 917 | name: OSXChromeMainDir 918 | doc: Chrome Main Folder 919 | sources: 920 | - type: FILE 921 | attributes: 922 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*'] 923 | labels: [Users, Software, Browser] 924 | supported_os: [Darwin] 925 | --- 926 | name: OSXChromeDefaultDir 927 | doc: Chrome Default profile 928 | sources: 929 | - type: FILE 930 | attributes: 931 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/default/*'] 932 | labels: [Users, Software, Browser] 933 | supported_os: [Darwin] 934 | --- 935 | name: OSXChromeHistory 936 | doc: Chrome History 937 | sources: 938 | - type: FILE 939 | attributes: 940 | paths: 941 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History' 942 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History' 943 | labels: [Users, Software, Browser] 944 | supported_os: [Darwin] 945 | --- 946 | name: OSXChromeBookmarks 947 | doc: Chrome Bookmarks 948 | sources: 949 | - type: FILE 950 | attributes: 951 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Bookmarks'] 952 | labels: [Users, Software, Browser] 953 | supported_os: [Darwin] 954 | --- 955 | name: OSXChromeCookies 956 | doc: Chrome Cookies 957 | sources: 958 | - type: FILE 959 | attributes: 960 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Cookies'] 961 | labels: [Users, Software, Browser] 962 | supported_os: [Darwin] 963 | --- 964 | name: OSXChromeLocalStorage 965 | doc: Chrome Local Storage 966 | sources: 967 | - type: FILE 968 | attributes: 969 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Local Storage/*.localstorage'] 970 | labels: [Users, Software, Browser] 971 | supported_os: [Darwin] 972 | --- 973 | name: OSXChromeLogin 974 | doc: Chrome Login Data 975 | sources: 976 | - type: FILE 977 | attributes: 978 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Login Data'] 979 | labels: [Users, Software, Browser] 980 | supported_os: [Darwin] 981 | --- 982 | name: OSXChromeTopSistes 983 | doc: Chrome Top Sites 984 | sources: 985 | - type: FILE 986 | attributes: 987 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Top Sites'] 988 | labels: [Users, Software, Browser] 989 | supported_os: [Darwin] 990 | --- 991 | name: OSXChromeWebData 992 | doc: Chrome Web Data 993 | sources: 994 | - type: FILE 995 | attributes: 996 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Web Data'] 997 | labels: [Users, Software, Browser] 998 | supported_os: [Darwin] 999 | --- 1000 | name: OSXChromeExtension 1001 | doc: Chrome Extensions 1002 | sources: 1003 | - type: FILE 1004 | attributes: 1005 | paths: 1006 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/databases/*' 1007 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/databases/Databases.db' 1008 | labels: [Users, Software, Browser] 1009 | supported_os: [Darwin] 1010 | --- 1011 | name: OSXChromeCache 1012 | doc: Chrome Cache 1013 | sources: 1014 | - type: FILE 1015 | attributes: 1016 | paths: ['%%users.homedir%%/Library/Caches/com.google.Chrome/Cache.db'] 1017 | labels: [Users, Software, Browser] 1018 | supported_os: [Darwin] 1019 | --- 1020 | name: OSXChromePreferences 1021 | doc: Chrome Preferences Files 1022 | sources: 1023 | - type: FILE 1024 | attributes: 1025 | paths: ['%%users.homedir%%/Library/Preferences/com.google.Chrome.plist'] 1026 | labels: [Users, Software, Browser] 1027 | supported_os: [Darwin] 1028 | --- 1029 | name: OSXMailMainDir 1030 | doc: Mail Main Folder 1031 | sources: 1032 | - type: FILE 1033 | attributes: 1034 | paths: ['%%users.homedir%%/Library/Mail/V2/*'] 1035 | labels: [Users, Software, Mail] 1036 | supported_os: [Darwin] 1037 | --- 1038 | name: OSXMailboxes 1039 | doc: Mail Mailbox Directory 1040 | sources: 1041 | - type: FILE 1042 | attributes: 1043 | paths: ['%%users.homedir%%/Library/Mail/V2/Mailboxes/*'] 1044 | labels: [Users, Software, Mail] 1045 | supported_os: [Darwin] 1046 | --- 1047 | name: OSXMailIMAP 1048 | doc: Mail IMAP Synched Mailboxes 1049 | sources: 1050 | - type: FILE 1051 | attributes: 1052 | paths: ['%%users.homedir%%/Library/Mail/V2/IMAP-/*'] 1053 | labels: [Users, Software, Mail] 1054 | supported_os: [Darwin] 1055 | --- 1056 | name: OSXMailPOP 1057 | doc: Mail POP Synched Mailboxes 1058 | sources: 1059 | - type: FILE 1060 | attributes: 1061 | paths: ['%%users.homedir%%/Library/Mail/V2/POP-/*'] 1062 | labels: [Users, Software, Mail] 1063 | supported_os: [Darwin] 1064 | --- 1065 | name: OSXMailBackupTOC 1066 | doc: Mail BackupTOC 1067 | sources: 1068 | - type: FILE 1069 | attributes: 1070 | paths: ['%%users.homedir%%/Library/Mail/V*/MailData/BackupTOC.plist'] 1071 | labels: [Users, Software, Mail] 1072 | supported_os: [Darwin] 1073 | --- 1074 | name: OSCMailEnvelopIndex 1075 | doc: Mail Envelope Index 1076 | sources: 1077 | - type: FILE 1078 | attributes: 1079 | paths: ['%%users.homedir%%/Library/Mail/V2/MailData/Envelope Index'] 1080 | labels: [Users, Software, Mail] 1081 | supported_os: [Darwin] 1082 | --- 1083 | name: OSXMailOpenedAttachments 1084 | doc: Mail Opened Attachments 1085 | sources: 1086 | - type: FILE 1087 | attributes: 1088 | paths: ['%%users.homedir%%/Library/Mail/V*s/MailData/OpenedAttachmentsV2.plist'] 1089 | labels: [Users, Software, Mail] 1090 | supported_os: [Darwin] 1091 | --- 1092 | name: OSXMailSignatures 1093 | doc: Mail Signatures by Account 1094 | sources: 1095 | - type: FILE 1096 | attributes: 1097 | paths: ['%%users.homedir%%/Library/Mail/V2/MailData/Signatures/*'] 1098 | labels: [Users, Software, Mail] 1099 | supported_os: [Darwin] 1100 | --- 1101 | name: OSXMailDownloadAttachment 1102 | doc: Mail Downloads Directory 1103 | sources: 1104 | - type: FILE 1105 | attributes: 1106 | paths: ['%%users.homedir%%/Library/Containers/com.apple.mail/Data/Library/Mail Downloads/*'] 1107 | labels: [Users, Software, Mail] 1108 | supported_os: [Darwin] 1109 | --- 1110 | name: OSXMailPrefs 1111 | doc: Mail Preferences 1112 | sources: 1113 | - type: FILE 1114 | attributes: 1115 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.Mail.plist'] 1116 | labels: [Users, Software, Mail] 1117 | supported_os: [Darwin] 1118 | --- 1119 | name: OSXMailRecentContacts 1120 | doc: Mail Recent Contacts 1121 | sources: 1122 | - type: FILE 1123 | attributes: 1124 | paths: ['%%users.homedir%%/Library/Application Support/AddressBook/MailRecents-v4.abcdmr'] 1125 | labels: [Users, Software, Mail] 1126 | supported_os: [Darwin] 1127 | --- 1128 | name: OSXMailAccounts 1129 | doc: Mail Accounts 1130 | sources: 1131 | - type: FILE 1132 | attributes: 1133 | paths: ['%%users.homedir%%/Library/Mail/V*/MailData/Accounts.plist'] 1134 | labels: [Users, Software, Mail] 1135 | supported_os: [Darwin] 1136 | --- 1137 | -------------------------------------------------------------------------------- /artifacts/20180413-macOS-artifacts.yaml: -------------------------------------------------------------------------------- 1 | # Mac OS X (Darwin) specific artifacts. 2 | # mac4n6: https://github.com/pstirparo/mac4n6 3 | # Reference: http://forensicswiki.org/wiki/Mac_OS_X 4 | # Reference: http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location 5 | 6 | --- 7 | name: OSXLaunchAgents 8 | doc: Launch Agents files 9 | sources: 10 | - type: FILE 11 | attributes: 12 | paths: 13 | - ['/Library/LaunchAgents/*'] 14 | - ['/System/Library/LaunchAgents/*'] 15 | labels: [System, Autoruns] 16 | supported_os: [Darwin] 17 | --- 18 | name: OSXLaunchDaemons 19 | doc: Launch Daemons files 20 | sources: 21 | - type: FILE 22 | attributes: 23 | paths: 24 | - ['/Library/LaunchDaemons/*'] 25 | - ['/System/Library/LaunchDaemons/*'] 26 | labels: [System, Autoruns] 27 | supported_os: [Darwin] 28 | --- 29 | name: OSXStartupItems 30 | doc: Startup Items file 31 | sources: 32 | - type: FILE 33 | attributes: 34 | paths: 35 | - ['/Library/StartupItems/*'] 36 | - ['/System/Library/StartupItems/*'] 37 | labels: [System, Autoruns] 38 | supported_os: [Darwin] 39 | --- 40 | name: OSXGeneralSystemLogs 41 | doc: System Log files main folder 42 | sources: 43 | - type: FILE 44 | attributes: 45 | paths: ['/var/log/*'] 46 | labels: [System, Logs] 47 | supported_os: [Darwin] 48 | --- 49 | name: OSXAppleSystemLogs 50 | doc: Apple System Log 51 | sources: 52 | - type: FILE 53 | attributes: 54 | paths: ['/var/log/asl/*'] 55 | labels: [System, Logs] 56 | supported_os: [Darwin] 57 | --- 58 | name: OSXAuditLogs 59 | doc: Audit Log 60 | sources: 61 | - type: FILE 62 | attributes: 63 | paths: ['/var/audit/*'] 64 | labels: [System, Logs] 65 | supported_os: [Darwin] 66 | --- 67 | name: OSXInstallationLog 68 | doc: Installation log 69 | sources: 70 | - type: FILE 71 | attributes: 72 | paths: ['/var/log/install.log'] 73 | labels: [System, Logs] 74 | supported_os: [Darwin] 75 | --- 76 | name: OSXSystemPreferences 77 | doc: System Preferences files 78 | sources: 79 | - type: FILE 80 | attributes: 81 | paths: ['/Library/Preferences/*'] 82 | labels: [System] 83 | supported_os: [Darwin] 84 | --- 85 | name: OSXGlobalPrefs 86 | doc: Global Preferences 87 | sources: 88 | - type: FILE 89 | attributes: 90 | paths: ['/Library/Preferences/.GlobalPreferences.plist'] 91 | labels: [System] 92 | supported_os: [Darwin] 93 | --- 94 | name: OSXLoginWindow 95 | doc: Login Window Info 96 | sources: 97 | - type: FILE 98 | attributes: 99 | paths: ['/Library/Preferences/com.apple.loginwindow.plist'] 100 | labels: [System, Authentication] 101 | supported_os: [Darwin] 102 | --- 103 | name: OSXBluetooth 104 | doc: Bluetooth Preferences and paierd device info 105 | sources: 106 | - type: FILE 107 | attributes: 108 | paths: ['/Library/Preferences/com.apple.Bluetooth.plist'] 109 | labels: [System, Logs] 110 | supported_os: [Darwin] 111 | --- 112 | name: OSXTimeMachine 113 | doc: Time Machine Info 114 | sources: 115 | - type: FILE 116 | attributes: 117 | paths: ['/Library/Preferences/com.apple.TimeMachine.plist'] 118 | labels: [System] 119 | supported_os: [Darwin] 120 | --- 121 | name: OSXInstallationTime 122 | doc: OS Installation time 123 | sources: 124 | - type: FILE 125 | attributes: 126 | paths: ['/var/db/.AppleSetupDone'] 127 | labels: [System] 128 | supported_os: [Darwin] 129 | --- 130 | name: OSXSystemVersion 131 | doc: OS name and version 132 | sources: 133 | - type: FILE 134 | attributes: 135 | paths: ['/System/Library/CoreServices/SystemVersion.plist'] 136 | labels: [System] 137 | supported_os: [Darwin] 138 | --- 139 | name: OSXPasswordHashes 140 | doc: Users Log In Password Hash Plist 141 | sources: 142 | - type: FILE 143 | attributes: 144 | paths: ['/var/db/dslocal/nodes/Default%%users.homedir%%'] 145 | labels: [System, Users, Authentication] 146 | supported_os: [Darwin] 147 | --- 148 | name: OSXSleepimage 149 | doc: Sleep Image File 150 | sources: 151 | - type: FILE 152 | attributes: 153 | paths: ['/var/vm/sleepimage'] 154 | labels: [System] 155 | supported_os: [Darwin] 156 | --- 157 | name: OSXSwapfiles 158 | doc: Swap Files 159 | sources: 160 | - type: FILE 161 | attributes: 162 | paths: ['/var/vm/swapfile#'] 163 | labels: [System] 164 | supported_os: [Darwin] 165 | --- 166 | name: OSXKexts 167 | doc: Kernel Extension 168 | sources: 169 | - type: FILE 170 | attributes: 171 | paths: 172 | - ['/System/Library/Extensions/*'] 173 | - ['/Library/Extensions/*'] 174 | labels: [System] 175 | supported_os: [Darwin] 176 | --- 177 | name: OSXInstallationHistory 178 | doc: Software Installation History 179 | sources: 180 | - type: FILE 181 | attributes: 182 | paths: ['/Library/Receipts/InstallHistory.plist'] 183 | labels: [System] 184 | supported_os: [Darwin] 185 | --- 186 | name: OSXUpdate 187 | doc: Software Update 188 | sources: 189 | - type: FILE 190 | attributes: 191 | paths: ['/Library/Preferences/com.apple.SoftwareUpdate.plist'] 192 | labels: [System] 193 | supported_os: [Darwin] 194 | --- 195 | name: OSXLocalTime 196 | doc: Current Time Zone 197 | sources: 198 | - type: FILE 199 | attributes: 200 | paths: ['/etc/localtime'] 201 | labels: [System] 202 | supported_os: [Darwin] 203 | --- 204 | name: OSXAtJobs 205 | doc: Mac OS X at jobs 206 | sources: 207 | - type: FILE 208 | attributes: 209 | paths: ['/usr/lib/cron/jobs/*'] 210 | labels: [System] 211 | supported_os: [Darwin] 212 | urls: ['https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/at.1.html#//apple_ref/doc/man/1/at'] 213 | --- 214 | name: OSXCronTabs 215 | doc: Cron tabs 216 | sources: 217 | - type: FILE 218 | attributes: 219 | paths: 220 | - ['/etc/crontab'] 221 | - ['/usr/lib/cron/tabs/*'] 222 | labels: [System] 223 | supported_os: [Darwin] 224 | --- 225 | name: OSXPeriodicSystemFunctions 226 | doc: Periodic system functions scripts and configuration 227 | sources: 228 | - type: FILE 229 | attributes: 230 | paths: 231 | - ['/etc/defaults/periodic.conf'] 232 | - ['/etc/periodic.conf'] 233 | - ['/etc/periodic.conf.local'] 234 | - ['/etc/periodic/**2'] 235 | - ['/usr/local/etc/periodic/**2'] 236 | - ['/etc/daily.local/*'] 237 | - ['/etc/weekly.local/*'] 238 | - ['/etc/monthly.local/*'] 239 | - ['/etc/periodic/daily/*'] 240 | - ['/etc/periodic/weekly/*'] 241 | - ['/etc/periodic/monthly/*'] 242 | labels: [System] 243 | supported_os: [Darwin] 244 | urls: ['https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/periodic.8.html#//apple_ref/doc/man/8/periodic'] 245 | --- 246 | name: OSXHostsFIle 247 | doc: Hosts file 248 | sources: 249 | - type: FILE 250 | attributes: 251 | paths: ['/etc/hosts'] 252 | labels: [System, Network] 253 | supported_os: [Darwin] 254 | --- 255 | name: OSXWirelessNetworks 256 | doc: Remembered Wireless Networks 257 | sources: 258 | - type: FILE 259 | attributes: 260 | paths: ['/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist'] 261 | labels: [System, Network] 262 | supported_os: [Darwin] 263 | --- 264 | name: OSXUserLoginItems 265 | doc: Login Items 266 | sources: 267 | - type: FILE 268 | attributes: 269 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.loginitems.plist'] 270 | labels: [Users] 271 | supported_os: [Darwin] 272 | --- 273 | name: OSXUserPref 274 | doc: User preferences directory 275 | sources: 276 | - type: FILE 277 | attributes: 278 | paths: ['%%users.homedir%%/Library/Preferences/*'] 279 | labels: [Users] 280 | supported_os: [Darwin] 281 | --- 282 | name: OSXiCloudPref 283 | doc: iCloud user preferences 284 | sources: 285 | - type: FILE 286 | attributes: 287 | paths: ['%%users.homedir%%/Library/Preferences/MobileMeAccounts.plist'] 288 | labels: [Users, Cloud, Account] 289 | supported_os: [Darwin] 290 | --- 291 | name: OSXSidebarlists 292 | doc: Sidebar Lists Preferences 293 | sources: 294 | - type: FILE 295 | attributes: 296 | paths: 297 | - ['%%users.homedir%%/Preferences/com.apple.sidebarlists.plist'] 298 | - ['%%users.homedir%%/Library/Preferences/com.apple.sidebarlists.plist'] 299 | 300 | labels: [Users, External Media] 301 | supported_os: [Darwin] 302 | --- 303 | name: OSXGlobalPreferences 304 | doc: Global Preferences 305 | sources: 306 | - type: FILE 307 | attributes: 308 | paths: ['%%users.homedir%%/Library/Preferences/.GlobalPreferences.plist'] 309 | labels: [Users] 310 | supported_os: [Darwin] 311 | --- 312 | name: OSXDock 313 | doc: Dock database 314 | sources: 315 | - type: FILE 316 | attributes: 317 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.Dock.plist'] 318 | labels: [Users] 319 | supported_os: [Darwin] 320 | --- 321 | name: OSXiDevices 322 | doc: Attached iDevices 323 | sources: 324 | - type: FILE 325 | attributes: 326 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.iPod.plist'] 327 | labels: [Users, External Media] 328 | supported_os: [Darwin] 329 | --- 330 | name: OSXQuarantineEvents 331 | doc: Quarantine Event Database 332 | sources: 333 | - type: FILE 334 | attributes: 335 | paths: 336 | - ['%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEvents'] 337 | - ['%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2'] 338 | labels: [Users, Software] 339 | supported_os: [Darwin] 340 | --- 341 | name: OSXUserApplicationLogs 342 | doc: User and Applications Logs Directory 343 | sources: 344 | - type: FILE 345 | attributes: 346 | paths: ['%%users.homedir%%/Library/Logs/*'] 347 | labels: [Users, Logs] 348 | supported_os: [Darwin] 349 | --- 350 | name: OSXMiscLogs 351 | doc: Misc. Logs 352 | sources: 353 | - type: FILE 354 | attributes: 355 | paths: ['/Library/Logs/*'] 356 | labels: [Users, Logs] 357 | supported_os: [Darwin] 358 | --- 359 | name: OSXBashHistory 360 | doc: Terminal Commands History 361 | sources: 362 | - type: FILE 363 | attributes: 364 | paths: ['%%users.homedir%%/.bash_history'] 365 | labels: [Users, Logs] 366 | supported_os: [Darwin] 367 | --- 368 | name: OSXUserSocialAccounts 369 | doc: User's Social Accounts 370 | sources: 371 | - type: FILE 372 | attributes: 373 | paths: ['%%users.homedir%%/Library/Accounts/Accounts3.sqlite'] 374 | labels: [Users, Accounts] 375 | supported_os: [Darwin] 376 | --- 377 | name: OSXiOSBackupsMainDir 378 | doc: iOS device backups directory 379 | sources: 380 | - type: FILE 381 | attributes: 382 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*'] 383 | labels: [Users, iOS] 384 | supported_os: [Darwin] 385 | --- 386 | name: OSXiOSBackupInfo 387 | doc: iOS device backup information 388 | sources: 389 | - type: FILE 390 | attributes: 391 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/info.plist'] 392 | labels: [Users, iOS] 393 | supported_os: [Darwin] 394 | --- 395 | name: OSXiOSBackupManifest 396 | doc: iOS device backup apps information 397 | sources: 398 | - type: FILE 399 | attributes: 400 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.plist'] 401 | labels: [Users, iOS] 402 | supported_os: [Darwin] 403 | --- 404 | name: OSXiOSBackupMbdb 405 | doc: iOS device backup files information 406 | sources: 407 | - type: FILE 408 | attributes: 409 | paths: 410 | - ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.mdbd'] 411 | - ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.mbdb'] 412 | labels: [Users, iOS] 413 | supported_os: [Darwin] 414 | --- 415 | name: OSXiOSBackupStatus 416 | doc: iOS device backup status information 417 | sources: 418 | - type: FILE 419 | attributes: 420 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Status.plist'] 421 | labels: [Users, iOS] 422 | supported_os: [Darwin] 423 | --- 424 | name: OSXRecentItems 425 | doc: Recent Items 426 | sources: 427 | - type: FILE 428 | attributes: 429 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.recentitems.plist'] 430 | labels: [Users] 431 | supported_os: [Darwin] 432 | --- 433 | name: OSXApplicationsRecentItems 434 | doc: Recent Items application specific 435 | sources: 436 | - type: FILE 437 | attributes: 438 | paths: ['%%users.homedir%%/Library/Preferences/*LSSharedFileList.plist'] 439 | labels: [Users, Software] 440 | supported_os: [Darwin] 441 | --- 442 | name: OSXApplicationSupport 443 | doc: Application Support Directory 444 | sources: 445 | - type: FILE 446 | attributes: 447 | paths: ['%%users.homedir%%/Library/Application Support/*'] 448 | labels: [Users, Software] 449 | supported_os: [Darwin] 450 | --- 451 | name: OSXiCloudAccounts 452 | doc: iCloud Accounts 453 | sources: 454 | - type: FILE 455 | attributes: 456 | paths: ['%%users.homedir%%/Library/Application Support/iCloud/Accounts/*'] 457 | labels: [Users, Software, Cloud, Account] 458 | supported_os: [Darwin] 459 | --- 460 | name: OSXSkypeMainDir 461 | doc: Skype Directory 462 | sources: 463 | - type: FILE 464 | attributes: 465 | paths: ['%%users.homedir%%/Library/Application Support/Skype/*'] 466 | labels: [Users, Software, IM] 467 | supported_os: [Darwin] 468 | --- 469 | name: OSXSkypeUserProfile 470 | doc: Skype User profile 471 | sources: 472 | - type: FILE 473 | attributes: 474 | paths: ['%%users.homedir%%/Library/Application Support/Skype/*/*'] 475 | labels: [Users, Software, IM] 476 | supported_os: [Darwin] 477 | --- 478 | name: OSXSkypePreferences 479 | doc: Skype Preferences and Recent Searches 480 | sources: 481 | - type: FILE 482 | attributes: 483 | paths: ['%%users.homedir%%/Library/Preferences/com.skype.skype.plist'] 484 | labels: [Users, Software, IM] 485 | supported_os: [Darwin] 486 | --- 487 | name: OSXSkypeDb 488 | doc: Main Skype database 489 | sources: 490 | - type: FILE 491 | attributes: 492 | paths: ['%%users.homedir%%/Library/Application Support/Skype/*/Main.db'] 493 | labels: [Users, Software, IM] 494 | supported_os: [Darwin] 495 | --- 496 | name: OSXSkypechatsync 497 | doc: Chat Sync Directory 498 | sources: 499 | - type: FILE 500 | attributes: 501 | paths: ['%%users.homedir%%/Library/Application Support/Skype/*/chatsync/*'] 502 | labels: [Users, Software, IM] 503 | supported_os: [Darwin] 504 | --- 505 | name: OSXSafariMainDir 506 | doc: Safari Main Folder 507 | sources: 508 | - type: FILE 509 | attributes: 510 | paths: ['%%users.homedir%%/Library/Safari/*'] 511 | labels: [Users, Software, Browser] 512 | supported_os: [Darwin] 513 | --- 514 | name: OSXSafariBookmarks 515 | doc: Safari Bookmarks 516 | sources: 517 | - type: FILE 518 | attributes: 519 | paths: ['%%users.homedir%%/Library/Safari/Bookmarks.plist'] 520 | labels: [Users, Software, Browser] 521 | supported_os: [Darwin] 522 | --- 523 | name: OSXSafariDownloads 524 | doc: Safari Downloads 525 | sources: 526 | - type: FILE 527 | attributes: 528 | paths: ['%%users.homedir%%/Library/Safari/Downloads.plist'] 529 | labels: [Users, Software, Browser] 530 | supported_os: [Darwin] 531 | --- 532 | name: OSXSafariExtensions 533 | doc: Safari Installed Extensions 534 | sources: 535 | - type: FILE 536 | attributes: 537 | paths: 538 | - ['%%users.homedir%%/Library/Safari/Extensions/Extensions.plist'] 539 | - ['%%users.homedir%%/Library/Safari/Extensions/*'] 540 | labels: [Users, Software, Browser] 541 | supported_os: [Darwin] 542 | --- 543 | name: OSXSafariHistory 544 | doc: Safari History 545 | sources: 546 | - type: FILE 547 | attributes: 548 | paths: ['%%users.homedir%%/Library/Safari/History.plist'] 549 | labels: [Users, Software, Browser] 550 | supported_os: [Darwin] 551 | --- 552 | name: OSXSafariHistoryIndex 553 | doc: Safari History Index 554 | sources: 555 | - type: FILE 556 | attributes: 557 | paths: ['%%users.homedir%%/Library/Safari/HistoryIndex.sk'] 558 | labels: [Users, Software, Browser] 559 | supported_os: [Darwin] 560 | --- 561 | name: OSXSafariLastSession 562 | doc: Safari Last Session 563 | sources: 564 | - type: FILE 565 | attributes: 566 | paths: ['%%users.homedir%%/Library/Safari/LastSession.plist'] 567 | labels: [Users, Software, Browser] 568 | supported_os: [Darwin] 569 | --- 570 | name: OSXSafariLocalStorage 571 | doc: Safari Local Storage Directory 572 | sources: 573 | - type: FILE 574 | attributes: 575 | paths: ['%%users.homedir%%/Library/Safari/LocalStorage/*'] 576 | labels: [Users, Software, Browser] 577 | supported_os: [Darwin] 578 | --- 579 | name: OSXSafariStorageTracker 580 | doc: Safari Local Storage Database 581 | sources: 582 | - type: FILE 583 | attributes: 584 | paths: ['%%users.homedir%%/Library/Safari/LocalStorage/StorageTracker.db'] 585 | labels: [Users, Software, Browser] 586 | supported_os: [Darwin] 587 | --- 588 | name: OSXSafariTopSites 589 | doc: Safari Top Sites 590 | sources: 591 | - type: FILE 592 | attributes: 593 | paths: ['%%users.homedir%%/Library/Safari/TopSites.plist'] 594 | labels: [Users, Software, Browser] 595 | supported_os: [Darwin] 596 | --- 597 | name: OSXSafariWebpageIcons 598 | doc: Safari Webpage Icons Database 599 | sources: 600 | - type: FILE 601 | attributes: 602 | paths: ['%%users.homedir%%/Library/Safari/WebpageIcons.db'] 603 | labels: [Users, Software, Browser] 604 | supported_os: [Darwin] 605 | --- 606 | name: OSXSafariDatabases 607 | doc: Safari Webpage Databases 608 | sources: 609 | - type: FILE 610 | attributes: 611 | paths: ['%%users.homedir%%/Library/Safari/Databases/*'] 612 | labels: [Users, Software, Browser] 613 | supported_os: [Darwin] 614 | --- 615 | name: OSXSafariCacheDir 616 | doc: Safari Cache Directory 617 | sources: 618 | - type: FILE 619 | attributes: 620 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/*'] 621 | labels: [Users, Software, Browser] 622 | supported_os: [Darwin] 623 | --- 624 | name: OSXSafariCache 625 | doc: Safari Cache 626 | sources: 627 | - type: FILE 628 | attributes: 629 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/Cache.db'] 630 | labels: [Users, Software, Browser] 631 | supported_os: [Darwin] 632 | --- 633 | name: OSXSafariCacheExtensions 634 | doc: Safari Extensions Cache 635 | sources: 636 | - type: FILE 637 | attributes: 638 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/Extensions/*'] 639 | labels: [Users, Software, Browser] 640 | supported_os: [Darwin] 641 | --- 642 | name: OSXSafariWebPreviews 643 | doc: Safari Webpage Previews 644 | sources: 645 | - type: FILE 646 | attributes: 647 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/Webpage Previews/*'] 648 | labels: [Users, Software, Browser] 649 | supported_os: [Darwin] 650 | --- 651 | name: OSXSafariCookies 652 | doc: Safari Cookies 653 | sources: 654 | - type: FILE 655 | attributes: 656 | paths: ['%%users.homedir%%/Library/Cookies/Cookies.binarycookies'] 657 | labels: [Users, Software, Browser] 658 | supported_os: [Darwin] 659 | --- 660 | name: OSXSafariPreferences 661 | doc: Safari Preferences and Search terms 662 | sources: 663 | - type: FILE 664 | attributes: 665 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.Safari.plist'] 666 | labels: [Users, Software, Browser] 667 | supported_os: [Darwin] 668 | --- 669 | name: OSXSafariExtPreferences 670 | doc: Safari Extension Preferences 671 | sources: 672 | - type: FILE 673 | attributes: 674 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.Safari.Extensions.plist'] 675 | labels: [Users, Software, Browser] 676 | supported_os: [Darwin] 677 | --- 678 | name: OSXSafariCacheBookmarks 679 | doc: Safari Bookmark Cache 680 | sources: 681 | - type: FILE 682 | attributes: 683 | paths: ['%%users.homedir%%/Library/Caches/Metadata/Safari/Bookmarks/*'] 684 | labels: [Users, Software, Browser] 685 | supported_os: [Darwin] 686 | --- 687 | name: OSXSafariCacheHistory 688 | doc: Safari History Cache 689 | sources: 690 | - type: FILE 691 | attributes: 692 | paths: ['%%users.homedir%%/Library/Caches/Metadata/Safari/History/*'] 693 | labels: [Users, Software, Browser] 694 | supported_os: [Darwin] 695 | --- 696 | name: OSXSafariTempImg 697 | doc: Safari Temporary Images 698 | sources: 699 | - type: FILE 700 | attributes: 701 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/fsCachedData/*'] 702 | labels: [Users, Software, Browser] 703 | supported_os: [Darwin] 704 | --- 705 | name: OSXFirefoxDir 706 | doc: Firefox Directory 707 | sources: 708 | - type: FILE 709 | attributes: 710 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/*'] 711 | labels: [Users, Software, Browser] 712 | supported_os: [Darwin] 713 | --- 714 | name: OSXFirefoxProfiles 715 | doc: Firefox Profiles 716 | sources: 717 | - type: FILE 718 | attributes: 719 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*'] 720 | labels: [Users, Software, Browser] 721 | supported_os: [Darwin] 722 | --- 723 | name: OSXFirefoxCookies 724 | doc: Firefox Cookies 725 | sources: 726 | - type: FILE 727 | attributes: 728 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Cookies.sqlite'] 729 | labels: [Users, Software, Browser] 730 | supported_os: [Darwin] 731 | --- 732 | name: OSXFirefoxDownloads 733 | doc: Firefox Downloads 734 | sources: 735 | - type: FILE 736 | attributes: 737 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Downloads.sqlite'] 738 | labels: [Users, Software, Browser] 739 | supported_os: [Darwin] 740 | --- 741 | name: OSXFirefoxFormhistory 742 | doc: Firefox Form History 743 | sources: 744 | - type: FILE 745 | attributes: 746 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Formhistory.sqlite'] 747 | labels: [Users, Software, Browser] 748 | supported_os: [Darwin] 749 | --- 750 | name: OSXFirefoxHistory 751 | doc: Firefox History 752 | sources: 753 | - type: FILE 754 | attributes: 755 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Places.sqlite'] 756 | labels: [Users, Software, Browser] 757 | supported_os: [Darwin] 758 | --- 759 | name: OSXFirefoxPassword 760 | doc: Firefox Signon 761 | sources: 762 | - type: FILE 763 | attributes: 764 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/signons.sqlite'] 765 | labels: [Users, Software, Browser] 766 | supported_os: [Darwin] 767 | --- 768 | name: OSXFirefoxKey 769 | doc: Firefox Key 770 | sources: 771 | - type: FILE 772 | attributes: 773 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/key3.db'] 774 | labels: [Users, Software, Browser] 775 | supported_os: [Darwin] 776 | --- 777 | name: OSXFirefoxPermission 778 | doc: Firefox Permissions 779 | sources: 780 | - type: FILE 781 | attributes: 782 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/permissions.sqlite'] 783 | labels: [Users, Software, Browser] 784 | supported_os: [Darwin] 785 | --- 786 | name: OSXFirefoxAddons 787 | doc: Firefox Add-ons 788 | sources: 789 | - type: FILE 790 | attributes: 791 | paths: 792 | - ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/addons.sqlite'] 793 | - ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/addons.json'] 794 | labels: [Users, Software, Browser] 795 | supported_os: [Darwin] 796 | --- 797 | name: OSXFirefoxExtension 798 | doc: Firefox Extension 799 | sources: 800 | - type: FILE 801 | attributes: 802 | paths: 803 | - ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/extensions.sqlite'] 804 | - ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/extensions.json'] 805 | labels: [Users, Software, Browser] 806 | supported_os: [Darwin] 807 | --- 808 | name: OSXFirefoxContentPrefs 809 | doc: Firefox Pages Settings 810 | sources: 811 | - type: FILE 812 | attributes: 813 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/content-prefs.sqlite'] 814 | labels: [Users, Software, Browser] 815 | supported_os: [Darwin] 816 | --- 817 | name: OSXChromeMainDir 818 | doc: Chrome Main Folder 819 | sources: 820 | - type: FILE 821 | attributes: 822 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*'] 823 | labels: [Users, Software, Browser] 824 | supported_os: [Darwin] 825 | --- 826 | name: OSXChromeDefaultDir 827 | doc: Chrome Default profile 828 | sources: 829 | - type: FILE 830 | attributes: 831 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/default/*'] 832 | labels: [Users, Software, Browser] 833 | supported_os: [Darwin] 834 | --- 835 | name: OSXChromeHistory 836 | doc: Chrome History 837 | sources: 838 | - type: FILE 839 | attributes: 840 | paths: 841 | - ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/History'] 842 | - ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History'] 843 | labels: [Users, Software, Browser] 844 | supported_os: [Darwin] 845 | --- 846 | name: OSXChromeBookmarks 847 | doc: Chrome Bookmarks 848 | sources: 849 | - type: FILE 850 | attributes: 851 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Bookmarks'] 852 | labels: [Users, Software, Browser] 853 | supported_os: [Darwin] 854 | --- 855 | name: OSXChromeCookies 856 | doc: Chrome Cookies 857 | sources: 858 | - type: FILE 859 | attributes: 860 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Cookies'] 861 | labels: [Users, Software, Browser] 862 | supported_os: [Darwin] 863 | --- 864 | name: OSXChromeLocalStorage 865 | doc: Chrome Local Storage 866 | sources: 867 | - type: FILE 868 | attributes: 869 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Local Storage/*.localstorage'] 870 | labels: [Users, Software, Browser] 871 | supported_os: [Darwin] 872 | --- 873 | name: OSXChromeLogin 874 | doc: Chrome Login Data 875 | sources: 876 | - type: FILE 877 | attributes: 878 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Login Data'] 879 | labels: [Users, Software, Browser] 880 | supported_os: [Darwin] 881 | --- 882 | name: OSXChromeTopSistes 883 | doc: Chrome Top Sites 884 | sources: 885 | - type: FILE 886 | attributes: 887 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Top Sites'] 888 | labels: [Users, Software, Browser] 889 | supported_os: [Darwin] 890 | --- 891 | name: OSXChromeWebData 892 | doc: Chrome Web Data 893 | sources: 894 | - type: FILE 895 | attributes: 896 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Web Data'] 897 | labels: [Users, Software, Browser] 898 | supported_os: [Darwin] 899 | --- 900 | name: OSXChromeExtension 901 | doc: Chrome Extensions 902 | sources: 903 | - type: FILE 904 | attributes: 905 | paths: 906 | - ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/databases/*'] 907 | - ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/databases/Databases.db'] 908 | labels: [Users, Software, Browser] 909 | supported_os: [Darwin] 910 | --- 911 | name: OSXChromeCache 912 | doc: Chrome Cache 913 | sources: 914 | - type: FILE 915 | attributes: 916 | paths: ['%%users.homedir%%/Library/Caches/com.google.Chrome/Cache.db'] 917 | labels: [Users, Software, Browser] 918 | supported_os: [Darwin] 919 | --- 920 | name: OSXChromePreferences 921 | doc: Chrome Preferences Files 922 | sources: 923 | - type: FILE 924 | attributes: 925 | paths: ['%%users.homedir%%/Library/Preferences/com.google.Chrome.plist'] 926 | labels: [Users, Software, Browser] 927 | supported_os: [Darwin] 928 | --- 929 | name: OSXMailBackupTOC 930 | doc: Mail BackupTOC 931 | sources: 932 | - type: FILE 933 | attributes: 934 | paths: ['%%users.homedir%%/Library/Mail/V2/MailData/BackupTOC.plist'] 935 | labels: [Users, Software, Mail] 936 | supported_os: [Darwin] 937 | --- 938 | name: OSCMailEnvelopIndex 939 | doc: Mail Envelope Index 940 | sources: 941 | - type: FILE 942 | attributes: 943 | paths: ['%%users.homedir%%/Library/Mail/V2/MailData/Envelope Index'] 944 | labels: [Users, Software, Mail] 945 | supported_os: [Darwin] 946 | --- 947 | name: OSXMailOpenedAttachments 948 | doc: Mail Opened Attachments 949 | sources: 950 | - type: FILE 951 | attributes: 952 | paths: ['%%users.homedir%%/Library/Mail/V2/MailData/OpenedAttachmentsV2.plist'] 953 | labels: [Users, Software, Mail] 954 | supported_os: [Darwin] 955 | --- 956 | name: OSXMailPrefs 957 | doc: Mail Preferences 958 | sources: 959 | - type: FILE 960 | attributes: 961 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.Mail.plist'] 962 | labels: [Users, Software, Mail] 963 | supported_os: [Darwin] 964 | --- 965 | name: OSXMailRecentContacts 966 | doc: Mail Recent Contacts 967 | sources: 968 | - type: FILE 969 | attributes: 970 | paths: ['%%users.homedir%%/Library/Application Support/AddressBook/MailRecents-v4.abcdmr'] 971 | labels: [Users, Software, Mail] 972 | supported_os: [Darwin] 973 | --- 974 | name: OSXMailAccounts 975 | doc: Mail Accounts 976 | sources: 977 | - type: FILE 978 | attributes: 979 | paths: ['%%users.homedir%%/Library/Mail/V2/MailData/Accounts.plist'] 980 | labels: [Users, Software, Mail] 981 | supported_os: [Darwin] 982 | --- 983 | name: macOS_MRU_files 984 | doc: MRU files 985 | sources: 986 | - type: FILE 987 | attributes: 988 | paths: 989 | - ['%%users.homedir%%/Library/Preferences/*.LSSharedFileList.plist'] 990 | - ['%%users.homedir%%/Library/Preferences/com.apple.finder.plist'] 991 | - ['%%users.homedir%%/Library/Preferences/com.apple.recentitems.plist'] 992 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/*.sfl'] 993 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentApplications.sfl'] 994 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentDocuments.sfl'] 995 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentServers.sfl'] 996 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentHosts.sfl'] 997 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/*.sfl2'] 998 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentApplications.sfl2'] 999 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentDocuments.sfl2'] 1000 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentServers.sfl2'] 1001 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentHosts.sfl2'] 1002 | - ['%%users.homedir%%/Library/Preferences/com.microsoft.office.plist'] 1003 | - ['%%users.homedir%%/Library/Containers/com.microsoft.*/Data/Library/Preferences/com.microsoft.*.securebookmarks.plist'] 1004 | - ['%%users.homedir%%/Library/Application Support/com.apple.spotlight.Shortcuts'] 1005 | - ['%%users.homedir%%/Library/Preferences/com.apple.sidebarlists.plist'] 1006 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.FavoriteVolumes.sfl2'] 1007 | labels: [Users, MRU] 1008 | supported_os: [Sierra] 1009 | --- 1010 | name: UnifiedAuditLog 1011 | doc: Unified Audit Log 1012 | sources: 1013 | - type: DIRECTORY 1014 | attributes: 1015 | paths: 1016 | - ['/var/db/diagnostics'] 1017 | - ['/var/db/uuidtext'] 1018 | labels: [UAL] 1019 | supported_os: [Sierra] 1020 | --- 1021 | name: SSHKnownHosts 1022 | doc: SSH Known Hosts 1023 | sources: 1024 | - type: FILE 1025 | attributes: 1026 | paths: ['%%users.homedir%%/.ssh/known_hosts'] 1027 | labels: [Users, SSH] 1028 | supported_os: [Darwin] 1029 | --- 1030 | name: OSXMailRecentContacts2 1031 | doc: Mail Accounts 1032 | sources: 1033 | - type: FILE 1034 | attributes: 1035 | paths: ['%%users.homedir%%/Library/Containers/com.apple.corerecents.recentd/Data/Library/Recents/Recents'] 1036 | labels: [Users, Software, Mail] 1037 | supported_os: [Sierra] 1038 | --- 1039 | name: CoreAnalytics 1040 | doc: Core Analytics 1041 | sources: 1042 | - type: FILE 1043 | attributes: 1044 | paths: ['/Library/Logs/DiagnosticReports/*.core_analytics', '/private/var/db/analyticsd/aggregates/*.core_analytics'] 1045 | labels: [Users, Software, MRU] 1046 | supported_os: [Sierra] 1047 | urls: ['https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/'] 1048 | --- 1049 | name: SpotlightDatabase 1050 | doc: Spotlight Database 1051 | sources: 1052 | - type: DIRECTORY 1053 | attributes: 1054 | paths: ['/.Spotlight-V100/Store-V2/*'] 1055 | labels: [Users, MRU] 1056 | supported_os: [Sierra] 1057 | urls: ['https://github.com/ydkhatri/spotlight_parser'] 1058 | --- 1059 | name: FSEventsd 1060 | doc: FSEventsd 1061 | sources: 1062 | - type: DIRECTORY 1063 | attributes: 1064 | paths: ['/.fseventsd/'] 1065 | labels: [System, Users] 1066 | supported_os: [Sierra] 1067 | urls: ['https://github.com/dlcowen/FSEventsParser'] 1068 | --- 1069 | name: BashSessions 1070 | doc: Bash Sessions 1071 | sources: 1072 | - type: DIRECTORY 1073 | attributes: 1074 | paths: ['%%users.homedir%%/.bash_sessions'] 1075 | labels: [Users, MRU] 1076 | supported_os: [Sierra] 1077 | urls: ['https://www.swiftforensics.com/2018/05/bash-sessions-in-macos.html'] 1078 | --- 1079 | name: knowledgeC-DB 1080 | doc: knowledgeC Database 1081 | sources: 1082 | - type: DIRECTORY 1083 | attributes: 1084 | paths: ['/private/var/db/CoreDuet/Knowledge', '%%users.homedir%%/Library/Application Support/Knowledge'] 1085 | labels: [System, Users, MRU, Browser] 1086 | supported_os: [Sierra] 1087 | urls: ['https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage'] -------------------------------------------------------------------------------- /artifacts/20180914-macOS-artifacts.yaml: -------------------------------------------------------------------------------- 1 | # Mac OS X (Darwin) specific artifacts. 2 | # mac4n6: https://github.com/pstirparo/mac4n6 3 | # Reference: http://forensicswiki.org/wiki/Mac_OS_X 4 | # Reference: http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location 5 | 6 | --- 7 | name: macOSLaunchAgents 8 | doc: Launch Agents files 9 | sources: 10 | - type: FILE 11 | attributes: 12 | paths: 13 | - ['/Library/LaunchAgents/*'] 14 | - ['/System/Library/LaunchAgents/*'] 15 | - ['%%users.homedir%%/Library/LaunchAgents/*'] 16 | labels: [System, Autoruns] 17 | supported_os: [Darwin] 18 | --- 19 | name: macOSLaunchDaemons 20 | doc: Launch Daemons files 21 | sources: 22 | - type: FILE 23 | attributes: 24 | paths: 25 | - ['/Library/LaunchDaemons/*'] 26 | - ['/System/Library/LaunchDaemons/*'] 27 | - ['%%users.homedir%%/Library/LaunchDaemons/*'] 28 | labels: [System, Autoruns] 29 | supported_os: [Darwin] 30 | --- 31 | name: macOSStartupItems 32 | doc: Startup Items file 33 | sources: 34 | - type: FILE 35 | attributes: 36 | paths: 37 | - ['/Library/StartupItems/*'] 38 | - ['/System/Library/StartupItems/*'] 39 | labels: [System, Autoruns] 40 | supported_os: [Darwin] 41 | --- 42 | name: macOSSystemLogs 43 | doc: System Log files main folder 44 | sources: 45 | - type: FILE 46 | attributes: 47 | paths: ['/var/log/*'] 48 | labels: [System, Logs] 49 | supported_os: [Darwin] 50 | --- 51 | name: macOSAppleSystemLogs 52 | doc: Apple System Log 53 | sources: 54 | - type: FILE 55 | attributes: 56 | paths: ['/var/log/asl/*'] 57 | labels: [System, Logs] 58 | supported_os: [Darwin] 59 | --- 60 | name: macOSAuditLogs 61 | doc: Audit Log 62 | sources: 63 | - type: FILE 64 | attributes: 65 | paths: ['/var/audit/*'] 66 | labels: [System, Logs] 67 | supported_os: [Darwin] 68 | --- 69 | name: macOSInstallationLog 70 | doc: Installation log 71 | sources: 72 | - type: FILE 73 | attributes: 74 | paths: ['/var/log/install.log'] 75 | labels: [System, Logs] 76 | supported_os: [Darwin] 77 | --- 78 | name: macOSUtmpFile 79 | doc: Mac OS X utmp and wmtp login record file 80 | sources: 81 | - type: FILE 82 | attributes: 83 | paths: 84 | - ['/var/log/wtmp'] 85 | - ['/var/log/utmp'] 86 | labels: [Logs, Authentication] 87 | supported_os: [Darwin] 88 | urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc'] 89 | --- 90 | name: macOSLastlogFile 91 | doc: Mac OS X lastlog file 92 | sources: 93 | - type: FILE 94 | attributes: 95 | paths: ['/var/log/lastlog'] 96 | labels: [Logs, Authentication] 97 | supported_os: [Darwin] 98 | --- 99 | name: macOSUtmpxFile 100 | doc: Mac OS X 10.5 utmpx login record file 101 | sources: 102 | - type: FILE 103 | attributes: 104 | paths: ['/var/run/utmpx'] 105 | labels: [Logs, Authentication] 106 | supported_os: [Darwin] 107 | urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc'] 108 | --- 109 | name: macOSSystemPreferences 110 | doc: System Preferences files 111 | sources: 112 | - type: FILE 113 | attributes: 114 | paths: ['/Library/Preferences/*'] 115 | labels: [System] 116 | supported_os: [Darwin] 117 | --- 118 | name: macOSGlobalPreferences 119 | doc: Global Preferences 120 | sources: 121 | - type: FILE 122 | attributes: 123 | paths: ['/Library/Preferences/.GlobalPreferences.plist'] 124 | labels: [System] 125 | supported_os: [Darwin] 126 | --- 127 | name: macOSLoginWindow 128 | doc: Login Window Info 129 | sources: 130 | - type: FILE 131 | attributes: 132 | paths: ['/Library/Preferences/com.apple.loginwindow.plist'] 133 | labels: [System, Authentication] 134 | supported_os: [Darwin] 135 | --- 136 | name: macOSBluetooth 137 | doc: Bluetooth Preferences and paierd device info 138 | sources: 139 | - type: FILE 140 | attributes: 141 | paths: ['/Library/Preferences/com.apple.Bluetooth.plist'] 142 | labels: [System, Logs] 143 | supported_os: [Darwin] 144 | --- 145 | name: macOSTimeMachine 146 | doc: Time Machine Info 147 | sources: 148 | - type: FILE 149 | attributes: 150 | paths: ['/Library/Preferences/com.apple.TimeMachine.plist'] 151 | labels: [System] 152 | supported_os: [Darwin] 153 | --- 154 | name: macOSKeyboardLayoutPlistFile 155 | doc: Keyboard layout plist file 156 | sources: 157 | - type: FILE 158 | attributes: 159 | paths: ['/Library/Preferences/com.apple.HIToolbox.plist'] 160 | labels: [System] 161 | supported_os: [Darwin] 162 | --- 163 | name: macOSSystemConfigurationPreferences 164 | doc: System configuration preferences plist file 165 | sources: 166 | - type: FILE 167 | attributes: 168 | paths: ['/Library/Preferences/SystemConfiguration/preferences.plist'] 169 | labels: [System] 170 | supported_os: [Darwin] 171 | --- 172 | name: macOSSystemInstallationTime 173 | doc: OS Installation time 174 | sources: 175 | - type: FILE 176 | attributes: 177 | paths: ['/var/db/.AppleSetupDone'] 178 | labels: [System] 179 | supported_os: [Darwin] 180 | --- 181 | name: macOSSystemVersion 182 | doc: OS name and version 183 | sources: 184 | - type: FILE 185 | attributes: 186 | paths: ['/System/Library/CoreServices/SystemVersion.plist'] 187 | labels: [System] 188 | supported_os: [Darwin] 189 | --- 190 | name: macOSPasswordHashes 191 | doc: Users Log In Password Hash Plist 192 | sources: 193 | - type: FILE 194 | attributes: 195 | paths: 196 | - ['/var/db/dslocal/nodes/Default%%users.homedir%%'] 197 | - ['/var/db/dslocal/nodes/Default/users/*.plist'] 198 | labels: [System, Users, Authentication] 199 | supported_os: [Darwin] 200 | --- 201 | name: macOSSleepimage 202 | doc: Sleep Image File 203 | sources: 204 | - type: FILE 205 | attributes: 206 | paths: ['/var/vm/sleepimage'] 207 | labels: [System] 208 | supported_os: [Darwin] 209 | --- 210 | name: macOSSwapFiles 211 | doc: Swap Files 212 | sources: 213 | - type: FILE 214 | attributes: 215 | paths: ['/var/vm/swapfile#'] 216 | labels: [System] 217 | supported_os: [Darwin] 218 | --- 219 | name: macOSKexts 220 | doc: Kernel Extension 221 | sources: 222 | - type: FILE 223 | attributes: 224 | paths: 225 | - ['/System/Library/Extensions/*'] 226 | - ['/Library/Extensions/*'] 227 | labels: [System] 228 | supported_os: [Darwin] 229 | --- 230 | name: macOSInstallationHistory 231 | doc: Software Installation History 232 | sources: 233 | - type: FILE 234 | attributes: 235 | paths: ['/Library/Receipts/InstallHistory.plist'] 236 | labels: [System] 237 | supported_os: [Darwin] 238 | --- 239 | name: macOSUpdate 240 | doc: Software Update 241 | sources: 242 | - type: FILE 243 | attributes: 244 | paths: ['/Library/Preferences/com.apple.SoftwareUpdate.plist'] 245 | labels: [System] 246 | supported_os: [Darwin] 247 | --- 248 | name: macOSLocalTime 249 | doc: Current Time Zone 250 | sources: 251 | - type: FILE 252 | attributes: 253 | paths: ['/etc/localtime'] 254 | labels: [System] 255 | supported_os: [Darwin] 256 | --- 257 | name: macOSAtJobs 258 | doc: Mac OS X at jobs 259 | sources: 260 | - type: FILE 261 | attributes: 262 | paths: ['/usr/lib/cron/jobs/*'] 263 | labels: [System] 264 | supported_os: [Darwin] 265 | urls: ['https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/at.1.html#//apple_ref/doc/man/1/at'] 266 | --- 267 | name: macOSCronTabs 268 | doc: Cron tabs 269 | sources: 270 | - type: FILE 271 | attributes: 272 | paths: 273 | - ['/etc/crontab'] 274 | - ['/usr/lib/cron/tabs/*'] 275 | labels: [System] 276 | supported_os: [Darwin] 277 | --- 278 | name: macOSPeriodicSystemFunctions 279 | doc: Periodic system functions scripts and configuration 280 | sources: 281 | - type: FILE 282 | attributes: 283 | paths: 284 | - ['/etc/defaults/periodic.conf'] 285 | - ['/etc/periodic.conf'] 286 | - ['/etc/periodic.conf.local'] 287 | - ['/etc/periodic/**2'] 288 | - ['/usr/local/etc/periodic/**2'] 289 | - ['/etc/daily.local/*'] 290 | - ['/etc/weekly.local/*'] 291 | - ['/etc/monthly.local/*'] 292 | - ['/etc/periodic/daily/*'] 293 | - ['/etc/periodic/weekly/*'] 294 | - ['/etc/periodic/monthly/*'] 295 | labels: [System] 296 | supported_os: [Darwin] 297 | urls: ['https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/periodic.8.html#//apple_ref/doc/man/8/periodic'] 298 | --- 299 | name: macOSHostsFIle 300 | doc: Hosts file 301 | sources: 302 | - type: FILE 303 | attributes: 304 | paths: ['/etc/hosts'] 305 | labels: [System, Network] 306 | supported_os: [Darwin] 307 | --- 308 | name: macOSWirelessNetworks 309 | doc: Remembered Wireless Networks 310 | sources: 311 | - type: FILE 312 | attributes: 313 | paths: ['/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist'] 314 | labels: [System, Network] 315 | supported_os: [Darwin] 316 | --- 317 | name: macOSUserLoginItems 318 | doc: Login Items 319 | sources: 320 | - type: FILE 321 | attributes: 322 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.loginitems.plist'] 323 | labels: [Users] 324 | supported_os: [Darwin] 325 | --- 326 | name: macOSUserPreferences 327 | doc: User preferences directory 328 | sources: 329 | - type: FILE 330 | attributes: 331 | paths: ['%%users.homedir%%/Library/Preferences/*'] 332 | labels: [Users] 333 | supported_os: [Darwin] 334 | --- 335 | name: macOSiCloudPreferences 336 | doc: iCloud user preferences 337 | sources: 338 | - type: FILE 339 | attributes: 340 | paths: ['%%users.homedir%%/Library/Preferences/MobileMeAccounts.plist'] 341 | labels: [Users, Cloud, Account] 342 | supported_os: [Darwin] 343 | --- 344 | name: macOSSidebarLists 345 | doc: Sidebar Lists Preferences 346 | sources: 347 | - type: FILE 348 | attributes: 349 | paths: 350 | - ['%%users.homedir%%/Library/Preferences/com.apple.sidebarlists.plist'] 351 | - ['%%users.homedir%%/Preferences/com.apple.sidebarlists.plist'] 352 | labels: [Users, External Media] 353 | supported_os: [Darwin] 354 | --- 355 | name: macOSUserGlobalPreferences 356 | doc: Global Preferences 357 | sources: 358 | - type: FILE 359 | attributes: 360 | paths: ['%%users.homedir%%/Library/Preferences/.GlobalPreferences.plist'] 361 | labels: [Users] 362 | supported_os: [Darwin] 363 | --- 364 | name: macOSDock 365 | doc: Dock database 366 | sources: 367 | - type: FILE 368 | attributes: 369 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.Dock.plist'] 370 | labels: [Users] 371 | supported_os: [Darwin] 372 | --- 373 | name: macOSiDevices 374 | doc: Attached iDevices 375 | sources: 376 | - type: FILE 377 | attributes: 378 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.iPod.plist'] 379 | labels: [Users, External Media] 380 | supported_os: [Darwin] 381 | --- 382 | name: macOSQuarantineEvents 383 | doc: Quarantine Event Database 384 | sources: 385 | - type: FILE 386 | attributes: 387 | paths: 388 | - ['%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEvents'] 389 | - ['%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2'] 390 | labels: [Users, Software] 391 | supported_os: [Darwin] 392 | --- 393 | name: macOSUserApplicationLogs 394 | doc: User and Applications Logs Directory 395 | sources: 396 | - type: FILE 397 | attributes: 398 | paths: ['%%users.homedir%%/Library/Logs/*'] 399 | labels: [Users, Logs] 400 | supported_os: [Darwin] 401 | --- 402 | name: macOSMiscLogs 403 | doc: Misc. Logs 404 | sources: 405 | - type: FILE 406 | attributes: 407 | paths: ['/Library/Logs/*'] 408 | labels: [Users, Logs] 409 | supported_os: [Darwin] 410 | --- 411 | name: macOSBashHistory 412 | doc: Terminal Commands History 413 | sources: 414 | - type: FILE 415 | attributes: 416 | paths: ['%%users.homedir%%/.bash_history'] 417 | labels: [Users, Logs] 418 | supported_os: [Darwin] 419 | --- 420 | name: macOSUserSocialAccounts 421 | doc: User's Social Accounts 422 | sources: 423 | - type: FILE 424 | attributes: 425 | paths: ['%%users.homedir%%/Library/Accounts/Accounts3.sqlite'] 426 | labels: [Users, Accounts] 427 | supported_os: [Darwin] 428 | --- 429 | name: macOSiOSBackupsMainDirectory 430 | doc: iOS device backups directory 431 | sources: 432 | - type: FILE 433 | attributes: 434 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*'] 435 | labels: [Users, iOS] 436 | supported_os: [Darwin] 437 | --- 438 | name: macOSiOSBackupInfo 439 | doc: iOS device backup information 440 | sources: 441 | - type: FILE 442 | attributes: 443 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/info.plist'] 444 | labels: [Users, iOS] 445 | supported_os: [Darwin] 446 | --- 447 | name: macOSiOSBackupManifest 448 | doc: iOS device backup apps information 449 | sources: 450 | - type: FILE 451 | attributes: 452 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.plist'] 453 | labels: [Users, iOS] 454 | supported_os: [Darwin] 455 | --- 456 | name: macOSiOSBackupMbdb 457 | doc: iOS device backup files information 458 | sources: 459 | - type: FILE 460 | attributes: 461 | paths: 462 | - ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.mbdb'] 463 | labels: [Users, iOS] 464 | supported_os: [Darwin] 465 | --- 466 | name: macOSiOSBackupStatus 467 | doc: iOS device backup status information 468 | sources: 469 | - type: FILE 470 | attributes: 471 | paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Status.plist'] 472 | labels: [Users, iOS] 473 | supported_os: [Darwin] 474 | --- 475 | name: macOSRecentItems 476 | doc: Recent Items 477 | sources: 478 | - type: FILE 479 | attributes: 480 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.recentitems.plist'] 481 | labels: [Users] 482 | supported_os: [Darwin] 483 | --- 484 | name: macOSApplicationsRecentItems 485 | doc: Recent Items application specific 486 | sources: 487 | - type: FILE 488 | attributes: 489 | paths: ['%%users.homedir%%/Library/Preferences/*LSSharedFileList.plist'] 490 | labels: [Users, Software] 491 | supported_os: [Darwin] 492 | --- 493 | name: macOSApplicationSupport 494 | doc: Application Support Directory 495 | sources: 496 | - type: FILE 497 | attributes: 498 | paths: ['%%users.homedir%%/Library/Application Support/*'] 499 | labels: [Users, Software] 500 | supported_os: [Darwin] 501 | --- 502 | name: macOSNotificationCenter 503 | doc: macOS NotificationCenter database 504 | sources: 505 | - type: FILE 506 | attributes: 507 | paths: 508 | - ['/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db2/db'] 509 | - ['/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db/db'] 510 | - ['%%users.homedir%%/Library/Application Support/NotificationCenter/*.db'] 511 | labels: [Users, Logs] 512 | supported_os: [Darwin] 513 | urls: ['https://objective-see.com/blog/blog_0x2E.html'] 514 | --- 515 | name: macOSiCloudAccounts 516 | doc: iCloud Accounts 517 | sources: 518 | - type: FILE 519 | attributes: 520 | paths: ['%%users.homedir%%/Library/Application Support/iCloud/Accounts/*'] 521 | labels: [Users, Software, Cloud, Account] 522 | supported_os: [Darwin] 523 | --- 524 | name: macOSSkypeMainDirectory 525 | doc: Skype Directory 526 | sources: 527 | - type: FILE 528 | attributes: 529 | paths: ['%%users.homedir%%/Library/Application Support/Skype/*'] 530 | labels: [Users, Software, IM] 531 | supported_os: [Darwin] 532 | --- 533 | name: macOSSkypeUserProfile 534 | doc: Skype User profile 535 | sources: 536 | - type: FILE 537 | attributes: 538 | paths: ['%%users.homedir%%/Library/Application Support/Skype/*/*'] 539 | labels: [Users, Software, IM] 540 | supported_os: [Darwin] 541 | --- 542 | name: macOSSkypePreferences 543 | doc: Skype Preferences and Recent Searches 544 | sources: 545 | - type: FILE 546 | attributes: 547 | paths: ['%%users.homedir%%/Library/Preferences/com.skype.skype.plist'] 548 | labels: [Users, Software, IM] 549 | supported_os: [Darwin] 550 | --- 551 | name: macOSSkypeDb 552 | doc: Main Skype database 553 | sources: 554 | - type: FILE 555 | attributes: 556 | paths: ['%%users.homedir%%/Library/Application Support/Skype/*/Main.db'] 557 | labels: [Users, Software, IM] 558 | supported_os: [Darwin] 559 | --- 560 | name: macOSSkypechatsync 561 | doc: Chat Sync Directory 562 | sources: 563 | - type: FILE 564 | attributes: 565 | paths: ['%%users.homedir%%/Library/Application Support/Skype/*/chatsync/*'] 566 | labels: [Users, Software, IM] 567 | supported_os: [Darwin] 568 | --- 569 | name: macOSSafariMainDirectory 570 | doc: Safari Main Folder 571 | sources: 572 | - type: FILE 573 | attributes: 574 | paths: ['%%users.homedir%%/Library/Safari/*'] 575 | labels: [Users, Software, Browser] 576 | supported_os: [Darwin] 577 | --- 578 | name: macOSSafariBookmarks 579 | doc: Safari Bookmarks 580 | sources: 581 | - type: FILE 582 | attributes: 583 | paths: ['%%users.homedir%%/Library/Safari/Bookmarks.plist'] 584 | labels: [Users, Software, Browser] 585 | supported_os: [Darwin] 586 | --- 587 | name: macOSSafariDownloads 588 | doc: Safari Downloads 589 | sources: 590 | - type: FILE 591 | attributes: 592 | paths: ['%%users.homedir%%/Library/Safari/Downloads.plist'] 593 | labels: [Users, Software, Browser] 594 | supported_os: [Darwin] 595 | --- 596 | name: macOSSafariExtensions 597 | doc: Safari Installed Extensions 598 | sources: 599 | - type: FILE 600 | attributes: 601 | paths: 602 | - ['%%users.homedir%%/Library/Safari/Extensions/Extensions.plist'] 603 | - ['%%users.homedir%%/Library/Safari/Extensions/*'] 604 | labels: [Users, Software, Browser] 605 | supported_os: [Darwin] 606 | --- 607 | name: macOSSafariHistory 608 | doc: Safari History 609 | sources: 610 | - type: FILE 611 | attributes: 612 | paths: 613 | - ['%%users.homedir%%/Library/Safari/History.plist'] 614 | - ['%%users.homedir%%/Library/Safari/History.db'] 615 | labels: [Users, Software, Browser] 616 | supported_os: [Darwin] 617 | --- 618 | name: macOSSafariHistoryIndex 619 | doc: Safari History Index 620 | sources: 621 | - type: FILE 622 | attributes: 623 | paths: ['%%users.homedir%%/Library/Safari/HistoryIndex.sk'] 624 | labels: [Users, Software, Browser] 625 | supported_os: [Darwin] 626 | --- 627 | name: macOSSafariLastSession 628 | doc: Safari Last Session 629 | sources: 630 | - type: FILE 631 | attributes: 632 | paths: ['%%users.homedir%%/Library/Safari/LastSession.plist'] 633 | labels: [Users, Software, Browser] 634 | supported_os: [Darwin] 635 | --- 636 | name: macOSSafariLocalStorage 637 | doc: Safari Local Storage Directory 638 | sources: 639 | - type: FILE 640 | attributes: 641 | paths: ['%%users.homedir%%/Library/Safari/LocalStorage/*'] 642 | labels: [Users, Software, Browser] 643 | supported_os: [Darwin] 644 | --- 645 | name: macOSSafariStorageTracker 646 | doc: Safari Local Storage Database 647 | sources: 648 | - type: FILE 649 | attributes: 650 | paths: ['%%users.homedir%%/Library/Safari/LocalStorage/StorageTracker.db'] 651 | labels: [Users, Software, Browser] 652 | supported_os: [Darwin] 653 | --- 654 | name: macOSSafariTopSites 655 | doc: Safari Top Sites 656 | sources: 657 | - type: FILE 658 | attributes: 659 | paths: ['%%users.homedir%%/Library/Safari/TopSites.plist'] 660 | labels: [Users, Software, Browser] 661 | supported_os: [Darwin] 662 | --- 663 | name: macOSSafariWebpageIcons 664 | doc: Safari Webpage Icons Database 665 | sources: 666 | - type: FILE 667 | attributes: 668 | paths: ['%%users.homedir%%/Library/Safari/WebpageIcons.db'] 669 | labels: [Users, Software, Browser] 670 | supported_os: [Darwin] 671 | --- 672 | name: macOSSafariDatabases 673 | doc: Safari Webpage Databases 674 | sources: 675 | - type: FILE 676 | attributes: 677 | paths: ['%%users.homedir%%/Library/Safari/Databases/*'] 678 | labels: [Users, Software, Browser] 679 | supported_os: [Darwin] 680 | --- 681 | name: macOSSafariCacheDirectory 682 | doc: Safari Cache Directory 683 | sources: 684 | - type: FILE 685 | attributes: 686 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/*'] 687 | labels: [Users, Software, Browser] 688 | supported_os: [Darwin] 689 | --- 690 | name: macOSSafariCache 691 | doc: Safari Cache 692 | sources: 693 | - type: FILE 694 | attributes: 695 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/Cache.db'] 696 | labels: [Users, Software, Browser] 697 | supported_os: [Darwin] 698 | --- 699 | name: macOSSafariCacheExtensions 700 | doc: Safari Extensions Cache 701 | sources: 702 | - type: FILE 703 | attributes: 704 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/Extensions/*'] 705 | labels: [Users, Software, Browser] 706 | supported_os: [Darwin] 707 | --- 708 | name: macOSSafariWebPreviews 709 | doc: Safari Webpage Previews 710 | sources: 711 | - type: FILE 712 | attributes: 713 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/Webpage Previews/*'] 714 | labels: [Users, Software, Browser] 715 | supported_os: [Darwin] 716 | --- 717 | name: macOSSafariCookies 718 | doc: Safari Cookies 719 | sources: 720 | - type: FILE 721 | attributes: 722 | paths: ['%%users.homedir%%/Library/Cookies/Cookies.binarycookies'] 723 | labels: [Users, Software, Browser] 724 | supported_os: [Darwin] 725 | --- 726 | name: macOSSafariPreferences 727 | doc: Safari Preferences and Search terms 728 | sources: 729 | - type: FILE 730 | attributes: 731 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.Safari.plist'] 732 | labels: [Users, Software, Browser] 733 | supported_os: [Darwin] 734 | --- 735 | name: macOSSafariExtPreferences 736 | doc: Safari Extension Preferences 737 | sources: 738 | - type: FILE 739 | attributes: 740 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.Safari.Extensions.plist'] 741 | labels: [Users, Software, Browser] 742 | supported_os: [Darwin] 743 | --- 744 | name: macOSSafariCacheBookmarks 745 | doc: Safari Bookmark Cache 746 | sources: 747 | - type: FILE 748 | attributes: 749 | paths: ['%%users.homedir%%/Library/Caches/Metadata/Safari/Bookmarks/*'] 750 | labels: [Users, Software, Browser] 751 | supported_os: [Darwin] 752 | --- 753 | name: macOSSafariCacheHistory 754 | doc: Safari History Cache 755 | sources: 756 | - type: FILE 757 | attributes: 758 | paths: ['%%users.homedir%%/Library/Caches/Metadata/Safari/History/*'] 759 | labels: [Users, Software, Browser] 760 | supported_os: [Darwin] 761 | --- 762 | name: macOSSafariTempImg 763 | doc: Safari Temporary Images 764 | sources: 765 | - type: FILE 766 | attributes: 767 | paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/fsCachedData/*'] 768 | labels: [Users, Software, Browser] 769 | supported_os: [Darwin] 770 | --- 771 | name: macOSFirefoxDirectory 772 | doc: Firefox Directory 773 | sources: 774 | - type: FILE 775 | attributes: 776 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/*'] 777 | labels: [Users, Software, Browser] 778 | supported_os: [Darwin] 779 | --- 780 | name: macOSFirefoxProfiles 781 | doc: Firefox Profiles 782 | sources: 783 | - type: FILE 784 | attributes: 785 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*'] 786 | labels: [Users, Software, Browser] 787 | supported_os: [Darwin] 788 | --- 789 | name: macOSFirefoxCookies 790 | doc: Firefox Cookies 791 | sources: 792 | - type: FILE 793 | attributes: 794 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Cookies.sqlite'] 795 | labels: [Users, Software, Browser] 796 | supported_os: [Darwin] 797 | --- 798 | name: macOSFirefoxDownloads 799 | doc: Firefox Downloads 800 | sources: 801 | - type: FILE 802 | attributes: 803 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Downloads.sqlite'] 804 | labels: [Users, Software, Browser] 805 | supported_os: [Darwin] 806 | --- 807 | name: macOSFirefoxFormhistory 808 | doc: Firefox Form History 809 | sources: 810 | - type: FILE 811 | attributes: 812 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Formhistory.sqlite'] 813 | labels: [Users, Software, Browser] 814 | supported_os: [Darwin] 815 | --- 816 | name: macOSFirefoxHistory 817 | doc: Firefox History 818 | sources: 819 | - type: FILE 820 | attributes: 821 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Places.sqlite'] 822 | labels: [Users, Software, Browser] 823 | supported_os: [Darwin] 824 | --- 825 | name: macOSFirefoxPassword 826 | doc: Firefox Signon 827 | sources: 828 | - type: FILE 829 | attributes: 830 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/signons.sqlite'] 831 | labels: [Users, Software, Browser] 832 | supported_os: [Darwin] 833 | --- 834 | name: macOSFirefoxKey 835 | doc: Firefox Key 836 | sources: 837 | - type: FILE 838 | attributes: 839 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/key3.db'] 840 | labels: [Users, Software, Browser] 841 | supported_os: [Darwin] 842 | --- 843 | name: macOSFirefoxPermission 844 | doc: Firefox Permissions 845 | sources: 846 | - type: FILE 847 | attributes: 848 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/permissions.sqlite'] 849 | labels: [Users, Software, Browser] 850 | supported_os: [Darwin] 851 | --- 852 | name: macOSFirefoxAddons 853 | doc: Firefox Add-ons 854 | sources: 855 | - type: FILE 856 | attributes: 857 | paths: 858 | - ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/addons.sqlite'] 859 | - ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/addons.json'] 860 | labels: [Users, Software, Browser] 861 | supported_os: [Darwin] 862 | --- 863 | name: macOSFirefoxExtension 864 | doc: Firefox Extension 865 | sources: 866 | - type: FILE 867 | attributes: 868 | paths: 869 | - ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/extensions.sqlite'] 870 | - ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/extensions.json'] 871 | labels: [Users, Software, Browser] 872 | supported_os: [Darwin] 873 | --- 874 | name: macOSFirefoxContentPreferences 875 | doc: Firefox Pages Settings 876 | sources: 877 | - type: FILE 878 | attributes: 879 | paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/content-prefs.sqlite'] 880 | labels: [Users, Software, Browser] 881 | supported_os: [Darwin] 882 | --- 883 | name: macOSFirefoxCache 884 | doc: Firefox Cache 885 | sources: 886 | - type: FILE 887 | attributes: 888 | paths: 889 | - ['%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/Cache/*'] 890 | - ['%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/*'] 891 | - ['%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/doomed/*'] 892 | - ['%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/entries/*'] 893 | labels: [Users, Software, Browser] 894 | supported_os: [Darwin] 895 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/webbrowser/FirefoxCache.md'] 896 | --- 897 | name: macOSChromeMainDirectory 898 | doc: Chrome Main Folder 899 | sources: 900 | - type: FILE 901 | attributes: 902 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*'] 903 | labels: [Users, Software, Browser] 904 | supported_os: [Darwin] 905 | --- 906 | name: macOSChromeDefaultProfileDirectory 907 | doc: Chrome Default profile 908 | sources: 909 | - type: FILE 910 | attributes: 911 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/default/*'] 912 | labels: [Users, Software, Browser] 913 | supported_os: [Darwin] 914 | --- 915 | name: macOSChromeHistory 916 | doc: Chrome History 917 | sources: 918 | - type: FILE 919 | attributes: 920 | paths: 921 | - ['%%users.homedir%%/Library/Application Support/Google/Chrome*/*/History'] 922 | - ['%%users.homedir%%/Library/Application Support/Google/Chrome*/*/Archived History'] 923 | labels: [Users, Software, Browser] 924 | supported_os: [Darwin] 925 | --- 926 | name: macOSChromeBookmarks 927 | doc: Chrome Bookmarks 928 | sources: 929 | - type: FILE 930 | attributes: 931 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Bookmarks'] 932 | labels: [Users, Software, Browser] 933 | supported_os: [Darwin] 934 | --- 935 | name: macOSChromeCookies 936 | doc: Chrome Cookies 937 | sources: 938 | - type: FILE 939 | attributes: 940 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Cookies'] 941 | labels: [Users, Software, Browser] 942 | supported_os: [Darwin] 943 | --- 944 | name: macOSChromeLocalStorage 945 | doc: Chrome Local Storage 946 | sources: 947 | - type: FILE 948 | attributes: 949 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Local Storage/*.localstorage'] 950 | labels: [Users, Software, Browser] 951 | supported_os: [Darwin] 952 | --- 953 | name: macOSChromeLogin 954 | doc: Chrome Login Data 955 | sources: 956 | - type: FILE 957 | attributes: 958 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Login Data'] 959 | labels: [Users, Software, Browser] 960 | supported_os: [Darwin] 961 | --- 962 | name: macOSChromeTopSistes 963 | doc: Chrome Top Sites 964 | sources: 965 | - type: FILE 966 | attributes: 967 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Top Sites'] 968 | labels: [Users, Software, Browser] 969 | supported_os: [Darwin] 970 | --- 971 | name: macOSChromeWebData 972 | doc: Chrome Web Data 973 | sources: 974 | - type: FILE 975 | attributes: 976 | paths: ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Web Data'] 977 | labels: [Users, Software, Browser] 978 | supported_os: [Darwin] 979 | --- 980 | name: macOSChromeExtension 981 | doc: Chrome Extensions 982 | sources: 983 | - type: FILE 984 | attributes: 985 | paths: 986 | - ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/databases/*'] 987 | - ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/databases/Databases.db'] 988 | - ['%%users.homedir%%/Library/Application Support/Google/Chrome*/*/Extensions/**10'] 989 | labels: [Users, Software, Browser] 990 | supported_os: [Darwin] 991 | --- 992 | name: macOSChromeCache 993 | doc: Chrome Cache 994 | sources: 995 | - type: FILE 996 | attributes: 997 | paths: 998 | - ['%%users.homedir%%/Library/Caches/com.google.Chrome/Cache.db'] 999 | - ['%%users.homedir%%/Library/Caches/Google/Chrome*/*/Cache/*'] 1000 | labels: [Users, Software, Browser] 1001 | supported_os: [Darwin] 1002 | --- 1003 | name: macOSChromeMediaCache 1004 | doc: Chrome Media Cache 1005 | sources: 1006 | - type: FILE 1007 | attributes: 1008 | paths: 1009 | - ['%%users.homedir%%/Library/Caches/Google/Chrome*/*/Media Cache/*'] 1010 | labels: [Users, Software, Browser] 1011 | supported_os: [Darwin] 1012 | --- 1013 | name: macOSChromeApplicationCache 1014 | doc: Chrome Application Cache 1015 | sources: 1016 | - type: FILE 1017 | attributes: 1018 | paths: 1019 | - ['%%users.homedir%%/Library/Application Support/Google/Chrome*/*/Application Cache/Cache/*'] 1020 | labels: [Users, Software, Browser] 1021 | supported_os: [Darwin] 1022 | --- 1023 | name: macOSChromeGPUCache 1024 | doc: Chrome GPU Cache 1025 | sources: 1026 | - type: FILE 1027 | attributes: 1028 | paths: 1029 | - ['%%users.homedir%%/Library/Application Support/Google/Chrome*/*/GPUCache/*'] 1030 | labels: [Users, Software, Browser] 1031 | supported_os: [Darwin] 1032 | --- 1033 | name: macOSChromePNaClCache 1034 | doc: Chrome PNaCl translation cache 1035 | sources: 1036 | - type: FILE 1037 | attributes: 1038 | paths: 1039 | - ['%%users.homedir%%/Library/Caches/Google/Chrome*/PnaclTranslationCache/*'] 1040 | labels: [Users, Software, Browser] 1041 | supported_os: [Darwin] 1042 | --- 1043 | name: macOSChromePreferences 1044 | doc: Chrome Preferences Files 1045 | sources: 1046 | - type: FILE 1047 | attributes: 1048 | paths: 1049 | - ['%%users.homedir%%/Library/Preferences/com.google.Chrome.plist'] 1050 | - ['%%users.homedir%%/Library/Application Support/Google/Chrome/*/Preferences'] 1051 | labels: [Users, Software, Browser] 1052 | supported_os: [Darwin] 1053 | --- 1054 | name: macOSChromiumHistory 1055 | doc: Chromium History 1056 | sources: 1057 | - type: FILE 1058 | attributes: 1059 | paths: 1060 | - ['%%users.homedir%%/Library/Application Support/Chromium/*/Archived History'] 1061 | - ['%%users.homedir%%/Library/Application Support/Chromium/*/History'] 1062 | labels: [Users, Software, Browser] 1063 | supported_os: [Darwin] 1064 | --- 1065 | name: macOSChromiumCache 1066 | doc: Chromium Cache 1067 | sources: 1068 | - type: FILE 1069 | attributes: 1070 | paths: 1071 | - ['%%users.homedir%%/Caches/Chromium/*/Cache/*'] 1072 | - ['%%users.homedir%%/Library/Caches/Chromium/*/Cache/*'] 1073 | labels: [Users, Software, Browser] 1074 | supported_os: [Darwin] 1075 | --- 1076 | name: macOSChromiumApplicationCache 1077 | doc: Chromium Application Cache 1078 | sources: 1079 | - type: FILE 1080 | attributes: 1081 | paths: ['%%users.homedir%%/Library/Application Support/Chromium/*/Application Cache/Cache/*'] 1082 | labels: [Users, Software, Browser] 1083 | supported_os: [Darwin] 1084 | --- 1085 | name: macOSChromiumMediaCache 1086 | doc: Chromium Media Cache 1087 | sources: 1088 | - type: FILE 1089 | attributes: 1090 | paths: ['%%users.homedir%%/Library/Caches/Chromium/*/Media Cache/*'] 1091 | labels: [Users, Software, Browser] 1092 | supported_os: [Darwin] 1093 | --- 1094 | name: macOSChromiumGPUCache 1095 | doc: Chromium GPU Cache 1096 | sources: 1097 | - type: FILE 1098 | attributes: 1099 | paths: ['%%users.homedir%%/Library/Application Support/Chromium/*/GPUCache/*'] 1100 | labels: [Users, Software, Browser] 1101 | supported_os: [Darwin] 1102 | --- 1103 | name: macOSChromiumPNaClCache 1104 | doc: Chromium PNaCl translation cache 1105 | sources: 1106 | - type: FILE 1107 | attributes: 1108 | paths: ['%%users.homedir%%/Library/Caches/Chromium/PnaclTranslationCache/*'] 1109 | labels: [Users, Software, Browser] 1110 | supported_os: [Darwin] 1111 | urls: ['https://chromium.googlesource.com/native_client/src/native_client/+/master/docs/pnacl_translation_cache.md'] 1112 | --- 1113 | name: macOSChromiumPreferences 1114 | doc: Chromium Preferences 1115 | sources: 1116 | - type: FILE 1117 | attributes: 1118 | paths: ['%%users.homedir%%/Library/Application Support/Chromium/*/Preferences'] 1119 | labels: [Users, Software, Browser] 1120 | supported_os: [Darwin] 1121 | --- 1122 | name: macOSChromiumExtension 1123 | doc: Chromium Extensions 1124 | sources: 1125 | - type: FILE 1126 | attributes: 1127 | paths: ['%%users.homedir%%/Library/Application Support/Chromium/*/Extensions/**10'] 1128 | labels: [Users, Software, Browser] 1129 | supported_os: [Darwin] 1130 | --- 1131 | name: macOSChromiumExtensionActivity 1132 | doc: Chromium Extensions Activity 1133 | sources: 1134 | - type: FILE 1135 | attributes: 1136 | paths: ['%%users.homedir%%/Library/Application Support/Chromium/*/Extension Activity'] 1137 | labels: [Users, Software, Browser] 1138 | supported_os: [Darwin] 1139 | --- 1140 | name: macOSMailBackupTOC 1141 | doc: Mail BackupTOC 1142 | sources: 1143 | - type: FILE 1144 | attributes: 1145 | paths: ['%%users.homedir%%/Library/Mail/V*/MailData/BackupTOC.plist'] 1146 | labels: [Users, Software, Mail] 1147 | supported_os: [Darwin] 1148 | --- 1149 | name: OSCMailEnvelopIndex 1150 | doc: Mail Envelope Index 1151 | sources: 1152 | - type: FILE 1153 | attributes: 1154 | paths: ['%%users.homedir%%/Library/Mail/V*/MailData/Envelope Index'] 1155 | labels: [Users, Software, Mail] 1156 | supported_os: [Darwin] 1157 | --- 1158 | name: macOSMailOpenedAttachments 1159 | doc: Mail Opened Attachments 1160 | sources: 1161 | - type: FILE 1162 | attributes: 1163 | paths: ['%%users.homedir%%/Library/Mail/V*/MailData/OpenedAttachmentsV2.plist'] 1164 | labels: [Users, Software, Mail] 1165 | supported_os: [Darwin] 1166 | --- 1167 | name: macOSMailPreferences 1168 | doc: Mail Preferences 1169 | sources: 1170 | - type: FILE 1171 | attributes: 1172 | paths: ['%%users.homedir%%/Library/Preferences/com.apple.Mail.plist'] 1173 | labels: [Users, Software, Mail] 1174 | supported_os: [Darwin] 1175 | --- 1176 | name: macOSMailRecentContacts 1177 | doc: Mail Recent Contacts 1178 | sources: 1179 | - type: FILE 1180 | attributes: 1181 | paths: ['%%users.homedir%%/Library/Application Support/AddressBook/MailRecents-v4.abcdmr'] 1182 | labels: [Users, Software, Mail] 1183 | supported_os: [Darwin] 1184 | --- 1185 | name: macOSMailAccounts 1186 | doc: Mail Accounts 1187 | sources: 1188 | - type: FILE 1189 | attributes: 1190 | paths: ['%%users.homedir%%/Library/Mail/V*/MailData/Accounts.plist'] 1191 | labels: [Users, Software, Mail] 1192 | supported_os: [Darwin] 1193 | --- 1194 | name: macOS_MRU_files 1195 | doc: MRU files 1196 | sources: 1197 | - type: FILE 1198 | attributes: 1199 | paths: 1200 | - ['%%users.homedir%%/Library/Preferences/*.LSSharedFileList.plist'] 1201 | - ['%%users.homedir%%/Library/Preferences/com.apple.finder.plist'] 1202 | - ['%%users.homedir%%/Library/Preferences/com.apple.recentitems.plist'] 1203 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/*.sfl'] 1204 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentApplications.sfl'] 1205 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentDocuments.sfl'] 1206 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentServers.sfl'] 1207 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentHosts.sfl'] 1208 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/*.sfl2'] 1209 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentApplications.sfl2'] 1210 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentDocuments.sfl2'] 1211 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentServers.sfl2'] 1212 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/RecentHosts.sfl2'] 1213 | - ['%%users.homedir%%/Library/Preferences/com.microsoft.office.plist'] 1214 | - ['%%users.homedir%%/Library/Containers/com.microsoft.*/Data/Library/Preferences/com.microsoft.*.securebookmarks.plist'] 1215 | - ['%%users.homedir%%/Library/Application Support/com.apple.spotlight.Shortcuts'] 1216 | - ['%%users.homedir%%/Library/Preferences/com.apple.sidebarlists.plist'] 1217 | - ['%%users.homedir%%/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.FavoriteVolumes.sfl2'] 1218 | labels: [Users, MRU] 1219 | supported_os: [Sierra] 1220 | --- 1221 | name: UnifiedAuditLog 1222 | doc: Unified Audit Log 1223 | sources: 1224 | - type: DIRECTORY 1225 | attributes: 1226 | paths: 1227 | - ['/var/db/diagnostics'] 1228 | - ['/var/db/uuidtext'] 1229 | labels: [UAL] 1230 | supported_os: [Sierra] 1231 | --- 1232 | name: SSHKnownHosts 1233 | doc: SSH Known Hosts 1234 | sources: 1235 | - type: FILE 1236 | attributes: 1237 | paths: ['%%users.homedir%%/.ssh/known_hosts'] 1238 | labels: [Users, SSH] 1239 | supported_os: [Darwin] 1240 | --- 1241 | name: macOSMailRecentContacts2 1242 | doc: Mail Accounts 1243 | sources: 1244 | - type: FILE 1245 | attributes: 1246 | paths: ['%%users.homedir%%/Library/Containers/com.apple.corerecents.recentd/Data/Library/Recents/Recents'] 1247 | labels: [Users, Software, Mail] 1248 | supported_os: [Sierra] 1249 | --- 1250 | name: CoreAnalytics 1251 | doc: Core Analytics 1252 | sources: 1253 | - type: FILE 1254 | attributes: 1255 | paths: ['/Library/Logs/DiagnosticReports/*.core_analytics', '/private/var/db/analyticsd/aggregates/*.core_analytics'] 1256 | labels: [Users, Software, MRU] 1257 | supported_os: [Sierra] 1258 | urls: ['https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/'] 1259 | --- 1260 | name: SpotlightDatabase 1261 | doc: Spotlight Database 1262 | sources: 1263 | - type: DIRECTORY 1264 | attributes: 1265 | paths: 1266 | - ['/.Spotlight-V100/Store-V2'] 1267 | - ['%%users.homedir%%/Library/Metadata/CoreSpotlight/index.spotlightV3'] 1268 | labels: [Users, MRU] 1269 | supported_os: [Sierra] 1270 | urls: ['https://github.com/ydkhatri/spotlight_parser'] 1271 | --- 1272 | name: FSEventsd 1273 | doc: FSEventsd 1274 | sources: 1275 | - type: DIRECTORY 1276 | attributes: 1277 | paths: ['/.fseventsd/'] 1278 | labels: [System, Users] 1279 | supported_os: [Sierra] 1280 | urls: ['https://github.com/dlcowen/FSEventsParser'] 1281 | --- 1282 | name: BashSessions 1283 | doc: Bash Sessions 1284 | sources: 1285 | - type: DIRECTORY 1286 | attributes: 1287 | paths: ['%%users.homedir%%/.bash_sessions'] 1288 | labels: [Users, MRU] 1289 | supported_os: [Sierra] 1290 | urls: ['https://www.swiftforensics.com/2018/05/bash-sessions-in-macos.html'] 1291 | --- 1292 | name: BashStartup 1293 | doc: Bash Statrup 1294 | sources: 1295 | - type: FILE 1296 | attributes: 1297 | paths: ['%%users.homedir%%/.bash_profile', '%%users.homedir%%/.bashrc', '%%users.homedir%%/.profile'] 1298 | labels: [Users] 1299 | supported_os: [Sierra] 1300 | --- 1301 | name: macOSKnowledgeC 1302 | doc: KnowledgeC User and Application usage database 1303 | sources: 1304 | - type: DIRECTORY 1305 | attributes: 1306 | paths: ['/private/var/db/CoreDuet/Knowledge', '%%users.homedir%%/Library/Application Support/Knowledge'] 1307 | labels: [System, Users, MRU, Browser] 1308 | supported_os: [Sierra] 1309 | urls: ['https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage'] 1310 | --------------------------------------------------------------------------------