diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c2a620b..fa930266 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,18 +6,22 @@
 - chkrootkit/hidden_etc_ld_so_preload.yaml: Added collection of hidden /etc/ld.so.preload using debugfs and xfs_db tools [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - files/applications/ark.yaml: Added collection of metadata about recently opened archive files in Ark, the KDE archive manager [freebsd, linux, netbsd, openbsd].
+- files/applications/atftp.yaml: Added collection of atftp history files [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - files/applications/dolphin.yaml: Added collection of session data for the Dolphin file manager in the KDE desktop environment. This file contains information about the state of the Dolphin application, such as the currently open directories and their paths and the last accessed locations [freebsd, linux, netbsd, openbsd].
 - files/applications/dragon_player.yaml: Added collection of paths to recently opened video files using the Dragon Player [freebsd, linux, netbsd, openbsd].
 - files/applications/geany.yaml: Added collection of metadata about recently opened files in Geany text editor [freebsd, linux, netbsd, openbsd].
 - files/applications/gedit.yaml: Added collection of metadata about recently opened files in Gedit text editor [freebsd, linux, netbsd, openbsd].
 - files/applications/gnome_text_editor.yaml: Added collection of metadata about recently opened files in Gnome Text Editor [freebsd, linux, netbsd, openbsd].
 - files/applications/katesession.yaml: Added colleection of metadata about recently opened files in Kwrite and Kate text editors [freebsd, linux, netbsd, openbsd].
+- files/applications/nano.yaml: Added collection of nano history file [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - files/applications/okular.yaml: Added collection of metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE [freebsd, linux, netbsd, openbsd].
+- files/logs/macos_unified_logs.yaml: Updated to include the collection of ASL logs [macos] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - files/system/gvfs_metadata.yaml: Added collection of data from the gvfs-metadata directory to retrieve user-specific metadata, such as file access details, custom properties, and interaction history [freebsd, linux, netbsd, openbsd].
 - files/system/kactivitymanagerd.yaml: Added collection of activity tracking data used by KActivityManager (part of KDE) to track and manage user activities, such as recently opened files, applications, and other resources [freebsd, linux, netbsd, openbsd].
 - files/system/upstart.yaml: Added collection of system-wide and user-session Upstart configuration files [linux].
 - files/system/xdg_autostart.yaml: Added collection of system-wide and user-specific XDG autostart files [linux].
 - live_response/packages/0install.yaml: Added collection of the list of installed packages managed by Zero Install package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
+- live_response/packages/apk.yaml: Added collection of the list of installed packages managed by the apk package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/packages/conary.yaml: Added collection of the list of installed packages managed by the Conary package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/packages/dpkg.yaml: Updated to verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - live_response/packages/package_owns_file.yaml: Added collection of which installed package owns a specific file or command.
Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles [linux] ([mnrkbys](https://github.com/mnrkbys)).
diff --git a/artifacts/files/applications/atftp.yaml b/artifacts/files/applications/atftp.yaml
new file mode 100644
index 00000000..00b66d46
--- /dev/null
+++ b/artifacts/files/applications/atftp.yaml
@@ -0,0 +1,10 @@
+version: 1.0
+artifacts:
+ -
+ description: Collect atftp history files.
+ supported_os: [all]
+ collector: file
+ path: /%user_home%
+ name_pattern: [".atftp_history"]
+ max_depth: 4
+
diff --git a/artifacts/files/applications/nano.yaml b/artifacts/files/applications/nano.yaml
new file mode 100644
index 00000000..148ed3eb
--- /dev/null
+++ b/artifacts/files/applications/nano.yaml
@@ -0,0 +1,9 @@
+version: 1.0
+artifacts:
+ -
+ description: Collect nano history files.
+ supported_os: [all]
+ collector: file
+ path: /%user_home%
+ name_pattern: [".nano_history"]
+ max_depth: 4
diff --git a/artifacts/files/logs/macos_unified_logs.yaml b/artifacts/files/logs/macos_unified_logs.yaml
index f28c3618..c69d5c25 100644
--- a/artifacts/files/logs/macos_unified_logs.yaml
+++ b/artifacts/files/logs/macos_unified_logs.yaml
@@ -1,4 +1,4 @@
-version: 4.0
+version: 4.1
 artifacts:
 -
 description: Collect macOS Unified Logs tracev3 files.
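Review bot: The `description: Collect atftp history files.` line in the new atftp.yaml does not say what the file holds, which is what makes it worth collecting; as far as I recall the atftp client writes `.atftp_history` through readline, so it is a record of the interactive commands (connects, gets, puts) a user issued against TFTP servers. Suggest `description: Collect atftp client command history (readline history file).` and, as other artifacts in this project do, a trailing `# References:` comment pointing at the atftp documentation so an analyst can confirm the format. The hunk also ends with a blank added line while the sibling nano.yaml hunk does not; pick one convention for the trailing newline.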
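Review bot: `name_pattern: [".nano_history"]` in the new nano.yaml only matches the legacy history file name; if memory serves, newer nano releases keep search/replace history in `~/.nano/search_history` (and, with XDG support, `~/.local/share/nano/search_history`) plus `filepos_history` for cursor positions, so on current systems this artifact may collect nothing. Confirm the names against the nano versions you target and widen the pattern, e.g. `name_pattern: [".nano_history", "search_history", "filepos_history"]` — the existing `path: /%user_home%` with `max_depth: 4` already reaches both directories. The description could also state that the file holds search and replace strings rather than edited content, so analysts know what to expect from it.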
@@ -16,4 +16,24 @@ artifacts:
 supported_os: [macos]
 collector: file
 path: /private/var/db/diagnostics/timesync
-
\ No newline at end of file
+ -
+ description: Collect macOS Apple System Logs (ASL) files.
+ supported_os: [macos]
+ collector: file
+ path: /private/var/log/asl.db
+ max_file_size: 1073741824 # 1GB
+ -
+ description: Collect macOS Apple System Logs (ASL) files.
+ supported_os: [macos]
+ collector: file
+ path: /private/var/log/asl.log
+ max_file_size: 1073741824 # 1GB
+ -
+ description: Collect macOS Apple System Logs (ASL) files.
+ supported_os: [macos]
+ collector: file
+ path: /private/var/log/asl/*
+ max_file_size: 1073741824 # 1GB
+
+# References:
+ # https://darkdefender.medium.com/brief-introduction-to-macos-forensics-f817c9c83609
\ No newline at end of file
diff --git a/artifacts/live_response/packages/apk.yaml b/artifacts/live_response/packages/apk.yaml
new file mode 100644
index 00000000..eaf055f1
--- /dev/null
+++ b/artifacts/live_response/packages/apk.yaml
@@ -0,0 +1,10 @@
+version: 1.0
+condition: command_exists "apk"
+output_directory: /live_response/packages
+artifacts:
+ -
+ description: Display installed packages.
+ supported_os: [linux]
+ collector: command
+ command: apk info -vv
+ output_file: apk_info_-vv.txt
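Review bot: The three added entries carry the identical `description: Collect macOS Apple System Logs (ASL) files.` although they collect different things (the `asl.db` database, the `asl.log` text log and the per-day files under `/private/var/log/asl`); distinct descriptions such as `Collect macOS ASL database (asl.db).`, `Collect macOS ASL text log (asl.log).` and `Collect macOS ASL log files.` make the output easier to interpret. Whether the file collector expands the `*` in `path: /private/var/log/asl/*` is not visible here; if it does not, `path: /private/var/log/asl` with `name_pattern: ["*"]` is the safer spelling, so confirm against the collector before merging. Placing ASL collection inside a file named `macos_unified_logs.yaml` also conflates two distinct logging systems, and a separate `asl.yaml` in the same directory would keep the artifact name accurate. The `# References:` line cites a blog post only; Apple's `asl(3)` and `syslog(1)` manual pages would be a more durable reference.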
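Review bot: `command: apk info -vv` records the installed package list only, while the CHANGELOG hunk in this same commit notes that dpkg.yaml was updated to verify installed files against the package metadata; apk has the equivalent in `apk audit`, which reports package files changed since installation, and a second entry running it would give Alpine hosts the same tamper evidence. The `--system` flag (audit all package files rather than only the backup-tagged ones) exists in recent apk-tools as far as I recall, so confirm it on the oldest apk you support and fall back to plain `apk audit` if it is absent. The existing `condition: command_exists "apk"` line already guards the whole file, so the new entry inherits that check. The file is complete within the hunk.
```yaml
# … unchanged: version, condition, output_directory, artifacts, first entry (apk info -vv) …
  -
    description: Report package files modified since installation.
    supported_os: [linux]
    collector: command
    # NOTE(review): --system needs a recent apk-tools; use plain "apk audit" if unsupported
    command: apk audit --system
    output_file: apk_audit_--system.txt
```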