diff --git a/artifacts/data/legacy.yaml b/artifacts/data/legacy.yaml index 788d498c..1065a326 100644 --- a/artifacts/data/legacy.yaml +++ b/artifacts/data/legacy.yaml @@ -9,7 +9,6 @@ doc: The %ProgramData% environment variable. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'}]} -provides: [environ_allusersappdata] supported_os: [Windows] urls: ['http://environmentvariables.org/ProgramData'] --- @@ -21,7 +20,6 @@ sources: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\AllUsersProfile' -provides: [environ_allusersprofile] supported_os: [Windows] urls: ['http://support.microsoft.com/kb//214653'] --- @@ -40,7 +38,6 @@ sources: - '/etc/oracle-release' - '/etc/redhat-release' - '/etc/system-release' -provides: [os_release, os_major_version, os_minor_version] supported_os: [Linux] --- name: SystemDriveEnvironmentVariable @@ -52,7 +49,6 @@ doc: | sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'}]} -provides: [environ_systemdrive] supported_os: [Windows] urls: - 'http://environmentvariables.org/SystemDrive' @@ -63,7 +59,6 @@ doc: The Windows domain the system is connected to. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'Domain'}]} -provides: [domain] supported_os: [Windows] --- name: WindowsEnvironmentVariableAllUsersAppData @@ -73,6 +68,5 @@ sources: attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'} -provides: [environ_allusersappdata] supported_os: [Windows] urls: ['http://environmentvariables.org/ProgramData'] 
diff --git a/artifacts/data/linux.yaml b/artifacts/data/linux.yaml index 7dc52fe8..780fe7da 100644 --- a/artifacts/data/linux.yaml +++ b/artifacts/data/linux.yaml @@ -87,7 +87,6 @@ doc: Debian version information. sources: - type: FILE attributes: {paths: ['/etc/debian_version']} -provides: [os_release, os_major_version, os_minor_version] supported_os: [Linux] --- name: DNSResolvConfFile @@ -285,7 +284,6 @@ sources: - '/etc/rocky-release' - '/etc/SuSE-release' - '/etc/system-release' -provides: [os_release, os_major_version, os_minor_version] supported_os: [Linux] --- name: LinuxDSDTTable @@ -410,7 +408,6 @@ doc: Linux Standard Base (LSB) release information sources: - type: FILE attributes: {paths: ['/etc/lsb-release']} -provides: [os_release, os_major_version, os_minor_version] supported_os: [Linux] urls: ['https://linux.die.net/man/1/lsb_release'] --- @@ -499,7 +496,6 @@ sources: - LinuxDistributionRelease - LinuxLSBRelease - LinuxSystemdOSRelease -provides: [os_release, os_major_version, os_minor_version] supported_os: [Linux] --- name: LinuxRsyslogConfigs @@ -613,7 +609,6 @@ sources: paths: - '/etc/os-release' - '/usr/lib/os-release' -provides: [os_release, os_major_version, os_minor_version] supported_os: [Linux] urls: ['https://www.freedesktop.org/software/systemd/man/os-release.html'] --- @@ -736,7 +731,6 @@ doc: Linux wtmp login record file sources: - type: FILE attributes: {paths: ['/var/log/wtmp']} -provides: [users.username, users.last_logon] supported_os: [Linux] urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc'] --- @@ -821,7 +815,6 @@ doc: Linux netgroup configuration. sources: - type: FILE attributes: {paths: ['/etc/netgroup']} -provides: [users.username] supported_os: [Linux] --- name: NtpConfFile diff --git a/artifacts/data/macos.yaml b/artifacts/data/macos.yaml index e2d8fcbd..62912eb8 100644 --- a/artifacts/data/macos.yaml +++ b/artifacts/data/macos.yaml 
@@ -971,7 +971,6 @@ sources: - '%%users.homedir%%/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm' - '/private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v*.btm' - '/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v*.btm' - supported_os: [Darwin] urls: - 'https://forensics.wiki/mac_os_x_10.9_artifacts_location#autorun-locations-2' diff --git a/artifacts/data/user.yaml b/artifacts/data/user.yaml index 7dfdc782..48cfc28b 100644 --- a/artifacts/data/user.yaml +++ b/artifacts/data/user.yaml @@ -22,6 +22,5 @@ doc: Contents of the Users directory. sources: - type: PATH attributes: {paths: ['/Users/*']} -supported_os: [Darwin] -provides: [users.username] +supported_os: [Darwin, Windows] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#users'] diff --git a/artifacts/data/windows.yaml b/artifacts/data/windows.yaml index d32e6cac..3cd4a1a8 100644 --- a/artifacts/data/windows.yaml +++ b/artifacts/data/windows.yaml @@ -427,7 +427,6 @@ sources: attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage', value: 'ACP'} -provides: [code_page] supported_os: [Windows] urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Codepage.html'] --- @@ -767,7 +766,6 @@ sources: attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'Domain'} -provides: [domain] supported_os: [Windows] --- name: WindowsDisallowedSystemCertificates @@ -810,7 +808,6 @@ sources: attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'AllUsersProfile'} -provides: [environ_allusersprofile] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- 
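Review bot: The added `supported_os: [Darwin, Windows]` in the user.yaml hunk widens the artifact to Windows while its only source is a `PATH` source with the POSIX-style glob `/Users/*`; whether that resolves to the Windows profile root depends on how the collector maps a forward-slash absolute path on Windows, which is not visible here. The Windows definitions elsewhere in this diff use backslash paths and `%%...%%` placeholders, so if Windows coverage is intended it would be clearer to keep the existing source Darwin-only and add a second source, e.g. `- type: PATH`, `  attributes: {paths: ['%%environ_systemdrive%%\Users\*']}`, `  supported_os: [Windows]`, so each path is only tried on the OS it belongs to. The `urls` entry still points at a macOS-only reference and could gain a Windows counterpart.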
@@ -834,7 +831,6 @@ sources: attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'CommonFilesDir'} -provides: [environ_commonprogramfiles] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- @@ -845,7 +841,6 @@ sources: attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'CommonFilesDir (x86)'} -provides: [environ_commonprogramfilesx86] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- @@ -856,7 +851,6 @@ sources: attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', value: 'ComSpec'} -provides: [environ_comspec] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- @@ -867,7 +861,6 @@ sources: attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', value: 'DriverData'} -provides: [environ_driverdata] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- @@ -879,7 +872,6 @@ sources: attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'Path'} -provides: [environ_path] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- @@ -890,7 +882,6 @@ sources: attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProfilesDirectory'} -provides: [environ_profilesdirectory] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- 
@@ -901,7 +892,6 @@ sources: attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'} -provides: [environ_programdata] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- @@ -917,7 +907,6 @@ sources: attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir'} -provides: [environ_programfiles] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- @@ -933,7 +922,6 @@ sources: attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir (x86)'} -provides: [environ_programfilesx86] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- @@ -945,7 +933,6 @@ doc: | sources: - type: ARTIFACT_GROUP attributes: {names: ['WindowsEnvironmentVariableSystemRoot']} -provides: [environ_systemdrive] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- @@ -965,7 +952,6 @@ sources: attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'} -provides: [environ_systemroot] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- @@ -977,7 +963,6 @@ sources: attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'TEMP'} -provides: [environ_temp] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- 
@@ -997,7 +982,6 @@ sources: attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'windir'} -provides: [environ_windir] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- @@ -2075,7 +2059,6 @@ doc: The current control set of the Windows Registry. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\Select', value: 'Current'}]} -provides: [current_control_set] supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc'] --- @@ -2101,7 +2084,6 @@ doc: | sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\*', value: 'ProfileImagePath'}]} -provides: [users.sid, users.userprofile, users.homedir, users.username] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx'] --- @@ -3065,7 +3047,6 @@ sources: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'TimeZoneKeyName'} -provides: [time_zone] supported_os: [Windows] urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Time-zones.html'] --- 
@@ -3340,19 +3321,6 @@ sources: - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*' - 'HKEY_USERS\%%users.sid%%\Environment\*' - 'HKEY_USERS\%%users.sid%%\Volatile Environment\*' -provides: -- users.cookies -- users.appdata -- users.personal -- users.startup -- users.homedir -- users.desktop -- users.internet_cache -- users.localappdata -- users.localappdata_low -- users.recent -- users.userprofile -- users.temp supported_os: [Windows] --- name: WindowsWebCacheStorageQuotaDatabaseFile diff --git a/artifacts/data/wmi.yaml b/artifacts/data/wmi.yaml index 4b8a9940..be1de09a 100644 --- a/artifacts/data/wmi.yaml +++ b/artifacts/data/wmi.yaml @@ -16,7 +16,6 @@ doc: | sources: - type: WMI attributes: {query: SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%'} -provides: [users.userdomain] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507(v=vs.85).aspx'] --- @@ -184,7 +183,6 @@ doc: | sources: - type: WMI attributes: {query: SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'} -provides: [users.homedir] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx'] --- diff --git a/artifacts/definitions.py b/artifacts/definitions.py index 53b3ac72..c8a9d7ee 100644 --- a/artifacts/definitions.py +++ b/artifacts/definitions.py @@ -29,7 +29,7 @@ # labels have been deprecated as of version 20220311. 'labels', 'name', - # `provides` have been deprecated. + # provides have been deprecated as of version 20240210. 'provides', 'sources', 'supported_os',
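Review bot: The reworded comment in the definitions.py hunk dates the deprecation but says nothing about what the reader does with a definition that still carries `provides`, and since `'provides'` stays in this list a reader cannot tell whether such definitions load unchanged, are warned about, or are rejected. Presumably the entry is kept so existing definitions continue to parse; if that is the case, `# provides have been deprecated as of version 20240210; kept so definitions that still use it load.` says it in one line. The list this entry belongs to starts and ends outside the hunk, so its name and its consumers are not visible here.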