From c4741d9434e857bc544b5f09e2ce612ef111fcab Mon Sep 17 00:00:00 2001
From: vPierre <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Sat, 14 Dec 2024 14:28:46 +0100
Subject: [PATCH 1/8] Create apk.yaml
---
 artifacts/live_response/packages/apk.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 artifacts/live_response/packages/apk.yaml
diff --git a/artifacts/live_response/packages/apk.yaml b/artifacts/live_response/packages/apk.yaml
new file mode 100644
index 00000000..02eebbec
--- /dev/null
+++ b/artifacts/live_response/packages/apk.yaml
@@ -0,0 +1,10 @@
+version: 2.0
+condition: command_exists "apk"
+output_directory: /live_response/packages
+artifacts:
+ -
+ description: Display installed packages.
+ supported_os: [linux]
+ collector: command
+ command: apk info -vv
+ output_file: apk_query_list.txt
From 0eb7b2bcda74209cf5fff8e8fa3dd53dc0497fc3 Mon Sep 17 00:00:00 2001
From: vPierre <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Thu, 9 Jan 2025 20:17:51 +0100
Subject: [PATCH 2/8] Update macos_unified_logs.yaml
Collect macOS Apple System Logs (ASL) files.
---
 artifacts/files/logs/macos_unified_logs.yaml | 22 ++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/artifacts/files/logs/macos_unified_logs.yaml b/artifacts/files/logs/macos_unified_logs.yaml
index f28c3618..46c4cd74 100644
--- a/artifacts/files/logs/macos_unified_logs.yaml
+++ b/artifacts/files/logs/macos_unified_logs.yaml
@@ -1,4 +1,4 @@
-version: 4.0
+version: 4.1
 artifacts:
 -
 description: Collect macOS Unified Logs tracev3 files.
@@ -16,4 +16,22 @@ artifacts:
 supported_os: [macos]
 collector: file
 path: /private/var/db/diagnostics/timesync
-
\ No newline at end of file
+ -
+ description: Collect macOS Apple System Logs (ASL) files.
+ supported_os: [macos]
+ collector: file
+ path: /private/var/log/asl.db
+ max_file_size: 1073741824 # 1GB
+ -
+ description: Collect macOS Apple System Logs (ASL) files.
+ supported_os: [macos]
+ collector: file
+ path: /private/var/log/asl.log
+ max_file_size: 1073741824 # 1GB
+ -
+ description: Collect macOS Apple System Logs (ASL) files.
+ supported_os: [macos]
+ collector: file
+ path: /private/var/log/asl/*
+ max_file_size: 1073741824 # 1GB
+
From 036a8f4b71c01c1152d948b893b2c19adb6d3e48 Mon Sep 17 00:00:00 2001
From: vPierre <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Thu, 16 Jan 2025 16:59:46 +0100
Subject: [PATCH 3/8] Create nano.yaml
---
 artifacts/files/applications/nano.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 artifacts/files/applications/nano.yaml
diff --git a/artifacts/files/applications/nano.yaml b/artifacts/files/applications/nano.yaml
new file mode 100644
index 00000000..d49444fe
--- /dev/null
+++ b/artifacts/files/applications/nano.yaml
@@ -0,0 +1,10 @@
+version: 1.0
+artifacts:
+ -
+ description: Collect nano history files.
+ supported_os: [all]
+ collector: file
+ path: /%user_home%
+ name_pattern: [".nano_history"]
+ max_depth: 4
+
From beb5d162a17dca99e990e050273a678b7827b8d2 Mon Sep 17 00:00:00 2001
From: vPierre <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Thu, 16 Jan 2025 17:02:55 +0100
Subject: [PATCH 4/8] Create atftp.yaml
---
 artifacts/files/applications/atftp.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 artifacts/files/applications/atftp.yaml
diff --git a/artifacts/files/applications/atftp.yaml b/artifacts/files/applications/atftp.yaml
new file mode 100644
index 00000000..00b66d46
--- /dev/null
+++ b/artifacts/files/applications/atftp.yaml
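Review bot: The three new entries carry the identical description `Collect macOS Apple System Logs (ASL) files.` although they target different things (the `asl.db` database, the `asl.log` file and the files under `asl/`), so any listing or report keyed on the description cannot tell them apart. Consider making each one specific, e.g. `description: Collect macOS Apple System Logs (ASL) database (asl.db).`, `description: Collect macOS Apple System Logs (ASL) main log file (asl.log).` and `description: Collect macOS Apple System Logs (ASL) files under the asl directory.` for the three paths respectively. The final added line of the hunk is an empty line at the end of the file; the same trailing blank is added in atftp.yaml (patch 4) and, unlike the one in nano.yaml that patch 6 removes, neither is cleaned up later in the series.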
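Review bot: `name_pattern: [".nano_history"]` only matches the legacy history file name; current nano releases write their history to `search_history` (and the cursor-position log to `filepos_history`) under `~/.nano/` or `~/.local/share/nano/` rather than to `~/.nano_history`, so on a modern system this artifact will likely collect nothing. Since `max_depth: 4` under `/%user_home%` already reaches those directories, extending the pattern to `name_pattern: [".nano_history", "search_history", "filepos_history"]` should cover both layouts; worth confirming the exact file names against the nano manual before changing it.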
@@ -0,0 +1,10 @@
+version: 1.0
+artifacts:
+ -
+ description: Collect atftp history files.
+ supported_os: [all]
+ collector: file
+ path: /%user_home%
+ name_pattern: [".atftp_history"]
+ max_depth: 4
+
From 51774718a0e0320fad063c854efd1b2a404ffd3d Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Mon, 20 Jan 2025 08:46:07 -0300
Subject: [PATCH 5/8] artif: change output_file and add CHANGELOG
---
 CHANGELOG.md | 1 +
 artifacts/live_response/packages/apk.yaml | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c2a620b..92cbd77d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@
 - files/system/upstart.yaml: Added collection of system-wide and user-session Upstart configuration files [linux].
 - files/system/xdg_autostart.yaml: Added collection of system-wide and user-specific XDG autostart files [linux].
 - live_response/packages/0install.yaml: Added collection of the list of installed packages managed by Zero Install package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
+- live_response/packages/apk.yaml: Added collection of the list of installed packages managed by the apk package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/packages/conary.yaml: Added collection of the list of installed packages managed by the Conary package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/packages/dpkg.yaml: Updated to verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - live_response/packages/package_owns_file.yaml: Added collection of which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles [linux] ([mnrkbys](https://github.com/mnrkbys)).
diff --git a/artifacts/live_response/packages/apk.yaml b/artifacts/live_response/packages/apk.yaml
index 02eebbec..eaf055f1 100644
--- a/artifacts/live_response/packages/apk.yaml
+++ b/artifacts/live_response/packages/apk.yaml
@@ -1,4 +1,4 @@
-version: 2.0
+version: 1.0
 condition: command_exists "apk"
 output_directory: /live_response/packages
 artifacts:
@@ -7,4 +7,4 @@ artifacts:
 supported_os: [linux]
 collector: command
 command: apk info -vv
- output_file: apk_query_list.txt
+ output_file: apk_info_-vv.txt
From 84a1ae5c57a7ecb323c90e1576492f5ae00ab3a7 Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Mon, 20 Jan 2025 08:50:16 -0300
Subject: [PATCH 6/8] artif: add CHANGELOG
---
 CHANGELOG.md | 1 +
 artifacts/files/applications/nano.yaml | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 92cbd77d..6f7d7696 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@
 - files/applications/gedit.yaml: Added collection of metadata about recently opened files in Gedit text editor [freebsd, linux, netbsd, openbsd].
 - files/applications/gnome_text_editor.yaml: Added collection of metadata about recently opened files in Gnome Text Editor [freebsd, linux, netbsd, openbsd].
 - files/applications/katesession.yaml: Added colleection of metadata about recently opened files in Kwrite and Kate text editors [freebsd, linux, netbsd, openbsd].
+- files/applications/nano.yaml: Added collection of nano history file [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - files/applications/okular.yaml: Added collection of metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE [freebsd, linux, netbsd, openbsd].
 - files/system/gvfs_metadata.yaml: Added collection of data from the gvfs-metadata directory to retrieve user-specific metadata, such as file access details, custom properties, and interaction history [freebsd, linux, netbsd, openbsd].
 - files/system/kactivitymanagerd.yaml: Added collection of activity tracking data used by KActivityManager (part of KDE) to track and manage user activities, such as recently opened files, applications, and other resources [freebsd, linux, netbsd, openbsd].
diff --git a/artifacts/files/applications/nano.yaml b/artifacts/files/applications/nano.yaml
index d49444fe..148ed3eb 100644
--- a/artifacts/files/applications/nano.yaml
+++ b/artifacts/files/applications/nano.yaml
@@ -7,4 +7,3 @@ artifacts:
 path: /%user_home%
 name_pattern: [".nano_history"]
 max_depth: 4
-
From 04c6832ded9631fa4acabac845dbf57b03daa03e Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Mon, 20 Jan 2025 08:53:45 -0300
Subject: [PATCH 7/8] artif: add CHANGELOG
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f7d7696..89ce5d85 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@
 - chkrootkit/hidden_etc_ld_so_preload.yaml: Added collection of hidden /etc/ld.so.preload using debugfs and xfs_db tools [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - files/applications/ark.yaml: Added collection of metadata about recently opened archive files in Ark, the KDE archive manager [freebsd, linux, netbsd, openbsd].
+- files/applications/atftp.yaml: Added collection of atftp history files [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - files/applications/dolphin.yaml: Added collection of session data for the Dolphin file manager in the KDE desktop environment. This file contains information about the state of the Dolphin application, such as the currently open directories and their paths and the last accessed locations [freebsd, linux, netbsd, openbsd].
 - files/applications/dragon_player.yaml: Added collection of paths to recently opened video files using the Dragon Player [freebsd, linux, netbsd, openbsd].
 - files/applications/geany.yaml: Added collection of metadata about recently opened files in Geany text editor [freebsd, linux, netbsd, openbsd].
From 662b0dde6ea8d19f9a9ba1ebdb40c9704880d3f2 Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Tue, 21 Jan 2025 08:15:40 -0300
Subject: [PATCH 8/8] artif: add reference and CHANGELOG
---
 CHANGELOG.md | 1 +
 artifacts/files/logs/macos_unified_logs.yaml | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 89ce5d85..fa930266 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@
 - files/applications/katesession.yaml: Added colleection of metadata about recently opened files in Kwrite and Kate text editors [freebsd, linux, netbsd, openbsd].
 - files/applications/nano.yaml: Added collection of nano history file [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - files/applications/okular.yaml: Added collection of metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE [freebsd, linux, netbsd, openbsd].
+- files/logs/macos_unified_logs.yaml: Updated to include the collection of ASL logs [macos] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - files/system/gvfs_metadata.yaml: Added collection of data from the gvfs-metadata directory to retrieve user-specific metadata, such as file access details, custom properties, and interaction history [freebsd, linux, netbsd, openbsd].
 - files/system/kactivitymanagerd.yaml: Added collection of activity tracking data used by KActivityManager (part of KDE) to track and manage user activities, such as recently opened files, applications, and other resources [freebsd, linux, netbsd, openbsd].
 - files/system/upstart.yaml: Added collection of system-wide and user-session Upstart configuration files [linux].
diff --git a/artifacts/files/logs/macos_unified_logs.yaml b/artifacts/files/logs/macos_unified_logs.yaml
index 46c4cd74..c69d5c25 100644
--- a/artifacts/files/logs/macos_unified_logs.yaml
+++ b/artifacts/files/logs/macos_unified_logs.yaml
@@ -35,3 +35,5 @@ artifacts:
 path: /private/var/log/asl/*
 max_file_size: 1073741824 # 1GB
 
+# References:
+# https://darkdefender.medium.com/brief-introduction-to-macos-forensics-f817c9c83609
\ No newline at end of file
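Review bot: The new `# References:` comment is written without a terminating newline (`\ No newline at end of file`), reintroducing the condition that patch 2 of this series had just removed from this same file; end the file with a newline so the next append does not touch this line again. The comment is also placed after the trailing blank line left by patch 2, which now sits between the last artifact entry and the reference block; dropping that blank context line in the same change would leave the file ending cleanly on the comment.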