Changes to Mac OS definitions (#615)

ForensicArtifacts · Feb 18, 2024 · 422d7fe · 422d7fe
1 parent 8e8f075
commit 422d7fe
Showing 1 changed file with 126 additions and 0 deletions.
diff --git a/artifacts/data/macos.yaml b/artifacts/data/macos.yaml
@@ -61,6 +61,16 @@ sources:
   attributes: {paths: ['%%users.homedir%%/Library/Caches/*/Cache.db']}
 supported_os: [Darwin]
 ---
+name: MacOSApplicationResourcesStringsPlistFile
+doc: Application resources strings plist file.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/Applications/*.app/Contents/Resources/*.lproj/*.strings'
+    - '/Applications/*/*.app/Contents/Resources/*.lproj/*.strings'
+supported_os: [Darwin]
+---
 name: MacOSAssetCacheInfoSQLiteDatabaseFile
 doc: Asset cache information SQLite database file.
 sources:
@@ -144,6 +154,66 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-preferences']
 ---
+name: MacOSCodeSignatureCodeResourcesPlistFile
+doc: Code signature CodeResources plist file.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/Applications/Utilities/*.app/Contents/_CodeSignature/CodeResources'
+    - '/System/Library/CoreServices/*.app/Contents/_CodeSignature/CodeResources'
+    - '/System/Library/Extensions/*.kext/Contents/_CodeSignature/CodeResources'
+    - '/System/Library/Extensions/*.kext/Contents/PlugIns/*.kext/Contents/_CodeSignature/CodeResources'
+    - '/System/Library/Extensions/*.kext/Contents/PlugIns/*.kext/Contents/PlugIns/*.plugin/Contents/_CodeSignature/CodeResources'
+    - '/System/Library/Extensions/*.kext/Contents/PlugIns/*.kext/Contents/Resources/*.bundle/Contents/_CodeSignature/CodeResources'
+    - '/System/Library/Extensions/*.kext/Contents/Resources/*.bundle/Contents/_CodeSignature/CodeResources'
+    - '/System/Library/Filesystems/*/*.kext/Contents/_CodeSignature/CodeResources'
+    - '/System/Library/Filesystems/*/Encodings/*.kext/Contents/_CodeSignature/CodeResources'
+    - '/System/Library/PrivateFrameworks/*.framework/Versions/A/Resources/*.kext/Contents/_CodeSignature/CodeResources'
+supported_os: [Darwin]
+---
+name: MacOSContentsInfoPlistFile
+doc: Contents Info.plist file.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/Applications/*/*.app/Contents/Info.plist'
+    - '/Applications/*/*.app/Contents/Resources/*.help/Contents/Info.plist'
+    - '/System/Library/CoreServices/*.app/Contents/Info.plist'
+    - '/System/Library/Extensions/*.kext/Contents/Info.plist'
+    - '/System/Library/Extensions/*.kext/Contents/PlugIns/*.kext/Contents/Info.plist'
+    - '/System/Library/Extensions/*.kext/Contents/PlugIns/*.kext/Contents/PlugIns/*.plugin/Contents/Info.plist'
+    - '/System/Library/Extensions/*.kext/Contents/PlugIns/*.kext/Contents/Resources/*.bundle/Contents/Info.plist'
+    - '/System/Library/Extensions/*.kext/Contents/Resources/*.bundle/Contents/Info.plist'
+    - '/System/Library/Extensions/*.kext/PlugIns/*.kext/Info.plist'
+    - '/System/Library/Filesystems/*/*.kext/Contents/Info.plist'
+    - '/System/Library/Filesystems/*/Encodings/*.kext/Contents/Info.plist'
+    - '/System/Library/Frameworks/*.framework/Versions/A/Resources/Info.plist'
+    - '/System/Library/PrivateFrameworks/*.framework/Versions/A/Resources/*.kext/Contents/Info.plist'
+supported_os: [Darwin]
+---
+name: MacOSContentsVersionPlistFile
+doc: Contents version.plist file.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/Applications/*/*.app/Contents/version.plist'
+    - '/Applications/*/*.app/Contents/Resources/*.help/Contents/version.plist'
+    - '/System/Library/CoreServices/*.app/Contents/version.plist'
+    - '/System/Library/Extensions/*.kext/Contents/PlugIns/*.kext/Contents/version.plist'
+    - '/System/Library/Extensions/*.kext/Contents/PlugIns/*.kext/Contents/PlugIns/*.plugin/Contents/version.plist'
+    - '/System/Library/Extensions/*.kext/Contents/PlugIns/*.kext/Contents/Resources/*.bundle/Contents/version.plist'
+    - '/System/Library/Extensions/*.kext/Contents/Resources/*.bundle/Contents/version.plist'
+    - '/System/Library/Extensions/*.kext/Contents/version.plist'
+    - '/System/Library/Extensions/*.kext/PlugIns/*.kext/version.plist'
+    - '/System/Library/Filesystems/*/*.kext/Contents/version.plist'
+    - '/System/Library/Filesystems/*/Encodings/*.kext/Contents/version.plist'
+    - '/System/Library/Frameworks/*.framework/Versions/A/Resources/version.plist'
+    - '/System/Library/PrivateFrameworks/*.framework/Versions/A/Resources/*.kext/Contents/version.plist'
+supported_os: [Darwin]
+---
 name: MacOSCoreAnalyticsFile
 aliases: [MacOSCoreAnalyticsFiles]
 doc: CoreAnalytics log files.
@@ -326,6 +396,13 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-logs']
 ---
+name: MacOSiTunesInterfaceBuilderDocumentPlistFile
+doc: iTunes Interface Builder document (*.itxib) plist file.
+sources:
+- type: FILE
+  attributes: {paths: ['/Applications/iTunes.app/Contents/Resources/*.lproj/*.itxib']}
+supported_os: [Darwin]
+---
 name: MacOSiOSBackupInfo
 doc: iOS device backup information
 sources:
@@ -446,6 +523,7 @@ sources:
   attributes:
     paths:
     - '/Library/Preferences/com.apple.loginwindow.plist'
+    - '%%users.homedir%%/Library/Preferences/loginwindow.plist'
     - '%%users.homedir%%/Library/Preferences/ByHost/com.apple.loginwindow.plist'
     - '%%users.homedir%%/Library/Preferences/ByHost/com.apple.loginwindow.*.plist'
     - '/var/root/Library/Preferences/com.apple.loginwindow.plist'
@@ -686,6 +764,40 @@ urls:
 - 'https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html'
 - 'https://github.com/fireeye/ARDvark#ard-artifacts-to-parse'
 ---
+name: MacOSResourcesInfoStringsPlistFile
+doc: Resources InfoPlist.strings plist file.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/Applications/*.app/Contents/Resources/*.help/Contents/Resources/*.lproj/InfoPlist.strings'
+    - '/Applications/*/*.app/Contents/Resources/*.help/Contents/Resources/*.lproj/InfoPlist.strings'
+    - '/System/Library/CoreServices/*.app/Contents/Resources/*.lproj/InfoPlist.strings'
+    - '/System/Library/Extensions/*.kext/Contents/PlugIns/*.bundle/Contents/Resources/*.lproj/InfoPlist.strings'
+    - '/System/Library/Extensions/*.kext/Contents/PlugIns/*.kext/Contents/Resources/*.bundle/Contents/Resources/*.lproj/InfoPlist.strings'
+    - '/System/Library/Extensions/*.kext/Contents/Resources/InfoPlist.strings'
+    - '/System/Library/Extensions/*.kext/Contents/Resources/*.lproj/InfoPlist.strings'
+    - '/System/Library/Filesystems/*/*.kext/Contents/Resources/*.lproj/InfoPlist.strings'
+    - '/System/Library/Filesystems/*/Encodings/*.kext/Contents/Resources/*.lproj/InfoPlist.strings'
+    - '/System/Library/PrivateFrameworks/*.framework/Versions/A/Resources/*.kext/Contents/Resources/*.lproj/InfoPlist.strings'
+supported_os: [Darwin]
+---
+name: MacOSResourcesLocalizableStringsPlistFile
+doc: Resources Localizable.strings plist file.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/System/Library/CoreServices/*.app/Contents/Resources/*.lproj/Localizable.strings'
+    - '/System/Library/Extensions/*.kext/Contents/Resources/*.lproj/Localizable.strings'
+    - '/System/Library/Extensions/*.kext/Contents/PlugIns/*.kext/Contents/Resources/*.lproj/Localizable.strings'
+    - '/System/Library/Frameworks/*.framework/Versions/A/Frameworks/*.framework/Versions/A/Resources/*.lproj/Localizable.strings'
+    - '/System/Library/PreferencePanes/*.prefPane/Contents/Resources/*.lproj/Localizable.strings'
+    - '/System/Library/PrivateFrameworks/*.framework/Versions/A/Plugins/*.bundle/Contents/Resources/*.lproj/Localizable.strings'
+    - '/System/Library/PrivateFrameworks/*.framework/Versions/A/Resources/*.lproj/Localizable.strings'
+    - '/System/Library/SystemProfiler/*/Contents/Resources/*.lproj/Localizable.strings'
+supported_os: [Darwin]
+---
 name: MacOSSidebarListsPlistFile
 aliases: [MacOSSidebarLists]
 doc: |
@@ -758,6 +870,20 @@ sources:
 supported_os: [Darwin]
 urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#software-installation']
 ---
+name: MacOSSpotlightStoreVolumeConfigurationPlistFile
+doc: Spotlight store volume configuration plist file.
+sources:
+- type: FILE
+  attributes: {paths: ['/.Spotlight-V100/Store-V1/VolumeConfig.plist']}
+supported_os: [Darwin]
+---
+name: MacOSSpotlightVolumeConfigurationPlistFile
+doc: Spotlight volume configuration plist file.
+sources:
+- type: FILE
+  attributes: {paths: ['/.Spotlight-V100/VolumeConfiguration.plist']}
+supported_os: [Darwin]
+---
 name: MacOSStartupItemsPlistFile
 aliases: [MacOSStartupItemsPlistFiles]
 doc: Startup Items property list (plist) files.