Extended sources of MacOS startup and login definitions (#604)

ForensicArtifacts · Jan 19, 2024 · b43c274 · b43c274
1 parent f595e50
commit b43c274
Showing 1 changed file with 26 additions and 7 deletions.
diff --git a/artifacts/data/macos.yaml b/artifacts/data/macos.yaml
@@ -443,9 +443,18 @@ name: MacOSLoginWindowPlistFile
 doc: Log-in window information property list (plist) file
 sources:
 - type: FILE
-  attributes: {paths: ['/Library/Preferences/com.apple.loginwindow.plist']}
+  attributes:
+    paths:
+    - '/Library/Preferences/com.apple.loginwindow.plist'
+    - '%%users.homedir%%/Library/Preferences/ByHost/com.apple.loginwindow.plist'
+    - '%%users.homedir%%/Library/Preferences/ByHost/com.apple.loginwindow.*.plist'
+    - '/var/root/Library/Preferences/com.apple.loginwindow.plist'
+    - '/private/var/root/Library/Preferences/com.apple.loginwindow.plist'
 supported_os: [Darwin]
-urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-preferences']
+urls:
+- 'https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-preferences'
+- 'https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf'
+- 'https://developer.apple.com/documentation/devicemanagement/loginwindowscripts'
 ---
 name: MacOSMailAccounts
 doc: Mail Accounts. Until now only V2, V3 and V5 have been observed.
@@ -756,10 +765,12 @@ sources:
 - type: FILE
   attributes:
     paths:
-    - '/Library/StartupItems/*.plist'
-    - '/System/Library/StartupItems/*.plist'
+    - '/Library/StartupItems/**/*.plist'
+    - '/System/Library/StartupItems/**/*.plist'
 supported_os: [Darwin]
-urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#autorun-locations']
+urls:
+- 'https://forensics.wiki/mac_os_x_10.9_artifacts_location#autorun-locations'
+- 'https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html'
 ---
 name: MacOSSwapFile
 aliases: [MacOSSwapFiles]
@@ -954,9 +965,17 @@ aliases: [MacOSUserLoginItems]
 doc: User login items property list (plist) file.
 sources:
 - type: FILE
-  attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.loginitems.plist']}
+  attributes:
+    paths:
+    - '%%users.homedir%%/Library/Preferences/com.apple.loginitems.plist'
+    - '%%users.homedir%%/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm'
+    - '/private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v*.btm'
+    - '/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v*.btm'
+
 supported_os: [Darwin]
-urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#autorun-locations-2']
+urls:
+- 'https://forensics.wiki/mac_os_x_10.9_artifacts_location#autorun-locations-2'
+- 'https://objective-see.org/blog/blog_0x31.html'
 ---
 name: MacOSUserMoviesDirectory
 doc: Contents of the user Movies directories.