Changes to definitions (#600)

ForensicArtifacts · Jan 12, 2024 · 1f13d00 · 1f13d00
1 parent 40e4726
commit 1f13d00
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 9 deletions.
diff --git a/artifacts/__init__.py b/artifacts/__init__.py
@@ -1,4 +1,4 @@
 # -*- coding: utf-8 -*-
 """ForensicArtifacts.com Artifact Repository."""
 
-__version__ = '20240110'
+__version__ = '20240112'
diff --git a/artifacts/data/windows.yaml b/artifacts/data/windows.yaml
@@ -2639,6 +2639,15 @@ sources:
 supported_os: [Windows]
 urls: ['http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanClicker:Win32/Zirit.X#tab=2']
 ---
+name: WindowsSmsRouterInterceptStoreDatabaseFile
+doc: Windows SmsRouter intercept store database file (SmsInterceptStore.db)
+sources:
+- type: FILE
+  attributes:
+    paths: ['%%environ_programdata%%\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db']
+    separator: '\'
+supported_os: [Windows]
+---
 name: WindowsSetupApiLogs
 doc: Windows setup API logs.
 sources:
@@ -3111,6 +3120,25 @@ sources:
 supported_os: [Windows]
 urls: ['https://social.technet.microsoft.com/Forums/en-US/cadee4de-24d0-403e-9f3e-75868abf8f34']
 ---
+name: WindowsUpdateCatalogDatabaseFile
+doc: Windows Update catalog package signatures database file (catdb).
+sources:
+- type: FILE
+  attributes:
+    paths: ['%%environ_systemroot%%\System32\catroot2\{*-*-*-*-*}\catdb']
+    separator: '\'
+supported_os: [Windows]
+urls: ['https://learn.microsoft.com/en-us/windows-hardware/drivers/install/catalog-files']
+---
+name: WindowsUpdateDataStoreDatabaseFile
+doc: Windows Update data store database file (DataStore.edb).
+sources:
+- type: FILE
+  attributes:
+    paths: ['%%environ_windir%%\SoftwareDistribution\DataStore\DataStore.edb']
+    separator: '\'
+supported_os: [Windows]
+---
 name: WindowsUpdateLogFile
 doc: Windows Update log files.
 sources:
@@ -3327,6 +3355,15 @@ provides:
 - users.temp
 supported_os: [Windows]
 ---
+name: WindowsWebCacheStorageQuotaDatabaseFile
+doc: Windows WebCache storage quota database file (CacheStorage.edb)
+sources:
+- type: FILE
+  attributes:
+    paths: ['%%users.localappdata%%\Packages\*\AppData\CacheStorage\CacheStorage.edb']
+    separator: '\'
+supported_os: [Windows]
+---
 name: WindowsWinlogonGinaDLL
 doc: Windows Gina DLL replacement.
 sources:

diff --git a/config/dpkg/changelog b/config/dpkg/changelog
@@ -1,5 +1,5 @@
-artifacts (20240110-1) unstable; urgency=low
+artifacts (20240112-1) unstable; urgency=low
 
   * Auto-generated
 
- -- Forensic artifacts <[email protected]>  Wed, 10 Jan 2024 05:21:25 +0100
+ -- Forensic artifacts <[email protected]>  Fri, 12 Jan 2024 05:40:26 +0100
diff --git a/docs/sources/background/Stats.md b/docs/sources/background/Stats.md
@@ -4,12 +4,12 @@ The artifact definitions can be found in the
 [artifacts/data directory](https://github.com/ForensicArtifacts/artifacts/tree/main/artifacts/data) and the format is described
 in detail in the [Style Guide](https://artifacts.readthedocs.io/en/latest/sources/Format-specification.html).
 
-Status of the repository as of 2024-01-10
+Status of the repository as of 2024-01-12
 
 Description | Number
 --- | ---
-Number of artifact definitions: | 818
-Number of file paths: | 2167
+Number of artifact definitions: | 822
+Number of file paths: | 2171
 Number of Windows Registry key paths: | 677
 
 ### Artifact definition source types
@@ -18,7 +18,7 @@ Identifier | Number
 --- | ---
 ARTIFACT_GROUP | 47
 COMMAND | 10
-FILE | 533
+FILE | 537
 PATH | 28
 REGISTRY_KEY | 57
 REGISTRY_VALUE | 116
@@ -31,5 +31,5 @@ Identifier | Number
 Darwin | 204
 ESXi | 16
 Linux | 248
-Windows | 374
+Windows | 378
 
diff --git a/setup.cfg b/setup.cfg
@@ -1,6 +1,6 @@
 [metadata]
 name = artifacts
-version = 20240110
+version = 20240112
 description = ForensicArtifacts.com Artifact Repository.
 long_description = A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
 long_description_content_type = text/plain