Changes to documentation and definitions (#595)
joachimmetz authored Jan 7, 2024
1 parent 86064d7 commit ca3b57c
Showing 5 changed files with 268 additions and 19 deletions.
251 changes: 244 additions & 7 deletions artifacts/data/webbrowser.yaml
Expand Up @@ -18,7 +18,7 @@ sources:
- type: ARTIFACT_GROUP
attributes:
names:
- 'ChromiumBasedBrowsersHistory'
- 'ChromiumBasedBrowsersHistoryDatabaseFile'
- 'FirefoxHistory'
- 'FirefoxDownloads'
- 'InternetExplorerHistory'
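Review bot: the group now points at ChromiumBasedBrowsersHistoryDatabaseFile and the old name survives only as an alias; any other ARTIFACT_GROUP in the repository that still lists `ChromiumBasedBrowsersHistory` or `ChromeHistory` should be switched to the new name in the same commit so group membership does not depend on alias resolution.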
Expand Down Expand Up @@ -379,8 +379,11 @@ sources:
supported_os: [Darwin, Linux, Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/webbrowser/ChromeCache.html']
---
name: ChromeCookies
doc: Chrome Cookies database.
name: ChromiumBasedBrowsersCookiesDatabaseFile
aliases: [ChromeCookies]
doc: |
Cookies database file for multiple Chromium-based browsers, such as Google
Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta.
sources:
- type: FILE
attributes:
Expand Down Expand Up @@ -566,6 +569,84 @@ sources:
supported_os: [Windows]
urls: ['https://developer.chrome.com/extensions/external_extensions#registry']
---
name: ChromiumBasedBrowsersFaviconsDatabaseFile
doc: |
Favicons database file for multiple Chromium-based browsers, such as Google
Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta.
sources:
- type: FILE
attributes:
paths:
- '%%users.localappdata%%\BraveSoftware\Brave-Browser\User Data\*\Network\Favicons'
- '%%users.localappdata%%\BraveSoftware\Brave-Browser\User Data\*\Network\Favicons-journal'
- '%%users.localappdata%%\Chromium\User Data\*\Favicons'
- '%%users.localappdata%%\Chromium\User Data\*\Favicons-journal'
- '%%users.localappdata%%\Chromium\User Data\*\Network\Favicons'
- '%%users.localappdata%%\Chromium\User Data\*\Network\Favicons-journal'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Favicons'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Favicons-journal'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Network\Favicons'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Network\Favicons-journal'
- '%%users.localappdata%%\Google\Chrome\User Data\*\Favicons'
- '%%users.localappdata%%\Google\Chrome\User Data\*\Favicons-journal'
- '%%users.localappdata%%\Google\Chrome\User Data\*\Network\Favicons'
- '%%users.localappdata%%\Google\Chrome\User Data\*\Network\Favicons-journal'
- '%%users.localappdata%%\Microsoft\Edge\User Data\*\Favicons'
- '%%users.localappdata%%\Microsoft\Edge\User Data\*\Favicons-journal'
- '%%users.localappdata%%\Microsoft\Edge\User Data\*\Network\Favicons'
- '%%users.localappdata%%\Microsoft\Edge\User Data\*\Network\Favicons-journal'
- '%%users.appdata%%\Opera Software\Opera Stable\Network\Favicons'
- '%%users.appdata%%\Opera Software\Opera Stable\Network\Favicons-journal'
separator: '\'
supported_os: [Windows]
- type: FILE
attributes:
paths:
- '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Favicons'
- '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Favicons-journal'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Favicons'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Favicons-journal'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Network/Favicons'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Network/Favicons-journal'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Favicons'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Favicons-journal'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Network/Favicons'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Network/Favicons-journal'
- '%%users.homedir%%/.config/chromium/*/Favicons'
- '%%users.homedir%%/.config/chromium/*/Favicons-journal'
- '%%users.homedir%%/.config/chromium/*/Network/Favicons'
- '%%users.homedir%%/.config/chromium/*/Network/Favicons-journal'
- '%%users.homedir%%/.config/google-chrome-beta/*/Favicons'
- '%%users.homedir%%/.config/google-chrome-beta/*/Favicons-journal'
- '%%users.homedir%%/.config/google-chrome-beta/*/Network/Favicons'
- '%%users.homedir%%/.config/google-chrome-beta/*/Network/Favicons-journal'
- '%%users.homedir%%/.config/google-chrome/*/Favicons'
- '%%users.homedir%%/.config/google-chrome/*/Favicons-journal'
- '%%users.homedir%%/.config/google-chrome/*/Network/Favicons'
- '%%users.homedir%%/.config/google-chrome/*/Network/Favicons-journal'
- '%%users.homedir%%/.config/microsoft-edge/*/Favicons'
- '%%users.homedir%%/.config/microsoft-edge/*/Favicons-journal'
- '%%users.homedir%%/.config/opera/Favicons'
- '%%users.homedir%%/.config/opera/Favicons-journal'
supported_os: [Linux]
- type: FILE
attributes:
paths:
- '%%users.homedir%%/Library/Application Support/Chromium/*/Favicons'
- '%%users.homedir%%/Library/Application Support/Chromium/*/Favicons-journal'
- '%%users.homedir%%/Library/Application Support/Chromium/*/Network/Favicons'
- '%%users.homedir%%/Library/Application Support/Chromium/*/Network/Favicons-journal'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Favicons'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Favicons-journal'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Network/Favicons'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Network/Favicons-journal'
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Favicons'
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Favicons-journal'
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Network/Favicons'
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Network/Favicons-journal'
supported_os: [Darwin]
supported_os: [Darwin, Linux, Windows]
---
name: ChromeFileSystem
doc: |
Google Chrome, Canary and Chromium File System files.
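Review bot: the path sets in this new definition are inconsistent across browsers and platforms: on Windows, Brave and Opera are listed only under `...\Network\Favicons` while Chromium, Chrome and Edge get both the profile root and the `Network` subdirectory; on Linux the `microsoft-edge` entry has no `Network` variant; the Darwin block omits Brave, Edge and Opera entirely. The doc string also names Yandex and EdgeBeta, for which no paths are defined, and unlike the ChromeCache entry whose `urls:` line opens this hunk, the definition carries no `urls:` reference. Suggest aligning the path sets across platforms, trimming the doc list to the browsers actually covered, and adding a documentation URL.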
Expand Down Expand Up @@ -606,11 +687,11 @@ urls:
- 'https://developer.mozilla.org/en-US/docs/Web/API/FileSystem'
- 'https://dfir.blog/deciphering-browser-hieroglyphics-leveldb-filesystem/'
---
name: ChromiumBasedBrowsersHistory
aliases: [ChromeHistory]
name: ChromiumBasedBrowsersHistoryDatabaseFile
aliases: [ChromeHistory, ChromiumBasedBrowsersHistory]
doc: |
Browsing history for multiple Chromium-based browsers (Google Chrome,
Brave, Chromium, Yandex, Opera, Edge, EdgeBeta).
Browsing history database file for multiple Chromium-based browsers, such as
Google Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta.
sources:
- type: FILE
attributes:
Expand Down Expand Up @@ -816,6 +897,84 @@ sources:
supported_os: [Windows]
supported_os: [Darwin, Linux, Windows]
---
name: ChromiumBasedBrowsersLoginDataDatabaseFile
doc: |
Login Data database file for multiple Chromium-based browsers, such as Google
Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta.
sources:
- type: FILE
attributes:
paths:
- '%%users.localappdata%%\BraveSoftware\Brave-Browser\User Data\*\Network\Login Data'
- '%%users.localappdata%%\BraveSoftware\Brave-Browser\User Data\*\Network\Login Data-journal'
- '%%users.localappdata%%\Chromium\User Data\*\Login Data'
- '%%users.localappdata%%\Chromium\User Data\*\Login Data-journal'
- '%%users.localappdata%%\Chromium\User Data\*\Network\Login Data'
- '%%users.localappdata%%\Chromium\User Data\*\Network\Login Data-journal'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Login Data'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Login Data-journal'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Network\Login Data'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Network\Login Data-journal'
- '%%users.localappdata%%\Google\Chrome\User Data\*\Login Data'
- '%%users.localappdata%%\Google\Chrome\User Data\*\Login Data-journal'
- '%%users.localappdata%%\Google\Chrome\User Data\*\Network\Login Data'
- '%%users.localappdata%%\Google\Chrome\User Data\*\Network\Login Data-journal'
- '%%users.localappdata%%\Microsoft\Edge\User Data\*\Login Data'
- '%%users.localappdata%%\Microsoft\Edge\User Data\*\Login Data-journal'
- '%%users.localappdata%%\Microsoft\Edge\User Data\*\Network\Login Data'
- '%%users.localappdata%%\Microsoft\Edge\User Data\*\Network\Login Data-journal'
- '%%users.appdata%%\Opera Software\Opera Stable\Network\Login Data'
- '%%users.appdata%%\Opera Software\Opera Stable\Network\Login Data-journal'
separator: '\'
supported_os: [Windows]
- type: FILE
attributes:
paths:
- '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Login Data'
- '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Login Data-journal'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Login Data'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Login Data-journal'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Network/Login Data'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Network/Login Data-journal'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Login Data'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Login Data-journal'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Network/Login Data'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Network/Login Data-journal'
- '%%users.homedir%%/.config/chromium/*/Login Data'
- '%%users.homedir%%/.config/chromium/*/Login Data-journal'
- '%%users.homedir%%/.config/chromium/*/Network/Login Data'
- '%%users.homedir%%/.config/chromium/*/Network/Login Data-journal'
- '%%users.homedir%%/.config/google-chrome-beta/*/Login Data'
- '%%users.homedir%%/.config/google-chrome-beta/*/Login Data-journal'
- '%%users.homedir%%/.config/google-chrome-beta/*/Network/Login Data'
- '%%users.homedir%%/.config/google-chrome-beta/*/Network/Login Data-journal'
- '%%users.homedir%%/.config/google-chrome/*/Login Data'
- '%%users.homedir%%/.config/google-chrome/*/Login Data-journal'
- '%%users.homedir%%/.config/google-chrome/*/Network/Login Data'
- '%%users.homedir%%/.config/google-chrome/*/Network/Login Data-journal'
- '%%users.homedir%%/.config/microsoft-edge/*/Login Data'
- '%%users.homedir%%/.config/microsoft-edge/*/Login Data-journal'
- '%%users.homedir%%/.config/opera/Login Data'
- '%%users.homedir%%/.config/opera/Login Data-journal'
supported_os: [Linux]
- type: FILE
attributes:
paths:
- '%%users.homedir%%/Library/Application Support/Chromium/*/Login Data'
- '%%users.homedir%%/Library/Application Support/Chromium/*/Login Data-journal'
- '%%users.homedir%%/Library/Application Support/Chromium/*/Network/Login Data'
- '%%users.homedir%%/Library/Application Support/Chromium/*/Network/Login Data-journal'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Login Data'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Login Data-journal'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Network/Login Data'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Network/Login Data-journal'
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Login Data'
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Login Data-journal'
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Network/Login Data'
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Network/Login Data-journal'
supported_os: [Darwin]
supported_os: [Darwin, Linux, Windows]
---
name: ChromePlatformNotifications
aliases: [ChromeNotifications, ChromePlatformNotificationsDatabase]
doc: |
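Review bot: same coverage gaps as ChromiumBasedBrowsersFaviconsDatabaseFile: Brave and Opera on Windows appear only under `Network\Login Data`, Linux `microsoft-edge` has no `Network` variant, the Darwin block covers only Chromium, Chrome and Chrome Canary, and Yandex and EdgeBeta are named in the doc but have no paths. Because Login Data is the browser's saved-credentials store, the doc line should say so, for example `Login Data database file (saved website credentials) for multiple Chromium-based browsers, ...`, so collectors and reviewers can recognise it as sensitive data; a `urls:` entry would also help.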
Expand Down Expand Up @@ -940,6 +1099,84 @@ sources:
supported_os: [Windows]
supported_os: [Darwin, Linux, Windows]
---
name: ChromiumBasedBrowsersWebDataDatabaseFile
doc: |
Web Data database file for multiple Chromium-based browsers, such as Google
Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta.
sources:
- type: FILE
attributes:
paths:
- '%%users.localappdata%%\BraveSoftware\Brave-Browser\User Data\*\Network\Web Data'
- '%%users.localappdata%%\BraveSoftware\Brave-Browser\User Data\*\Network\Web Data-journal'
- '%%users.localappdata%%\Chromium\User Data\*\Web Data'
- '%%users.localappdata%%\Chromium\User Data\*\Web Data-journal'
- '%%users.localappdata%%\Chromium\User Data\*\Network\Web Data'
- '%%users.localappdata%%\Chromium\User Data\*\Network\Web Data-journal'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Web Data'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Web Data-journal'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Network\Web Data'
- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Network\Web Data-journal'
- '%%users.localappdata%%\Google\Chrome\User Data\*\Web Data'
- '%%users.localappdata%%\Google\Chrome\User Data\*\Web Data-journal'
- '%%users.localappdata%%\Google\Chrome\User Data\*\Network\Web Data'
- '%%users.localappdata%%\Google\Chrome\User Data\*\Network\Web Data-journal'
- '%%users.localappdata%%\Microsoft\Edge\User Data\*\Web Data'
- '%%users.localappdata%%\Microsoft\Edge\User Data\*\Web Data-journal'
- '%%users.localappdata%%\Microsoft\Edge\User Data\*\Network\Web Data'
- '%%users.localappdata%%\Microsoft\Edge\User Data\*\Network\Web Data-journal'
- '%%users.appdata%%\Opera Software\Opera Stable\Network\Web Data'
- '%%users.appdata%%\Opera Software\Opera Stable\Network\Web Data-journal'
separator: '\'
supported_os: [Windows]
- type: FILE
attributes:
paths:
- '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Web Data'
- '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Web Data-journal'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Web Data'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Web Data-journal'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Network/Web Data'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Network/Web Data-journal'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Web Data'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Web Data-journal'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Network/Web Data'
- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Network/Web Data-journal'
- '%%users.homedir%%/.config/chromium/*/Web Data'
- '%%users.homedir%%/.config/chromium/*/Web Data-journal'
- '%%users.homedir%%/.config/chromium/*/Network/Web Data'
- '%%users.homedir%%/.config/chromium/*/Network/Web Data-journal'
- '%%users.homedir%%/.config/google-chrome-beta/*/Web Data'
- '%%users.homedir%%/.config/google-chrome-beta/*/Web Data-journal'
- '%%users.homedir%%/.config/google-chrome-beta/*/Network/Web Data'
- '%%users.homedir%%/.config/google-chrome-beta/*/Network/Web Data-journal'
- '%%users.homedir%%/.config/google-chrome/*/Web Data'
- '%%users.homedir%%/.config/google-chrome/*/Web Data-journal'
- '%%users.homedir%%/.config/google-chrome/*/Network/Web Data'
- '%%users.homedir%%/.config/google-chrome/*/Network/Web Data-journal'
- '%%users.homedir%%/.config/microsoft-edge/*/Web Data'
- '%%users.homedir%%/.config/microsoft-edge/*/Web Data-journal'
- '%%users.homedir%%/.config/opera/Web Data'
- '%%users.homedir%%/.config/opera/Web Data-journal'
supported_os: [Linux]
- type: FILE
attributes:
paths:
- '%%users.homedir%%/Library/Application Support/Chromium/*/Web Data'
- '%%users.homedir%%/Library/Application Support/Chromium/*/Web Data-journal'
- '%%users.homedir%%/Library/Application Support/Chromium/*/Network/Web Data'
- '%%users.homedir%%/Library/Application Support/Chromium/*/Network/Web Data-journal'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Web Data'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Web Data-journal'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Network/Web Data'
- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Network/Web Data-journal'
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Web Data'
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Web Data-journal'
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Network/Web Data'
- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Network/Web Data-journal'
supported_os: [Darwin]
supported_os: [Darwin, Linux, Windows]
---
name: FirefoxCache
doc: Mozilla Firefox browser caches.
sources:
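Review bot: this definition repeats the platform coverage gaps of the Favicons and Login Data definitions added in this commit (Windows Brave and Opera only under `Network`, no `Network` variant for Linux `microsoft-edge`, no Brave, Edge or Opera paths on Darwin, Yandex and EdgeBeta in the doc but not in the paths) and likewise has no `urls:`. Since all three new definitions share the same 59-path layout (20 Windows, 27 Linux, 12 Darwin), fixing the path template once and applying it to all three would keep them consistent.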
11 changes: 11 additions & 0 deletions artifacts/data/windows.yaml
Expand Up @@ -1802,6 +1802,17 @@ sources:
supported_os: [Windows]
urls: ['https://blog.malwarebytes.com/detections/pum-optional-proxyhijacker/']
---
name: WindowsPushNotificationDatabaseFile
doc: The Windows Push Notification (WPN) database file.
sources:
- type: FILE
attributes:
paths:
- '%%users.localappdata%%\Microsoft\Windows\Notifications\wpndatabase.db'
- '%%environ_systemroot%%\System32\config\ystemprofile\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db'
separator: '\'
supported_os: [Windows]
---
name: WindowsRecentFileCacheBCF
doc: The RecentFileCache.bcf file.
sources:
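Review bot: the second path in this hunk is misspelled: `%%environ_systemroot%%\System32\config\ystemprofile\AppData\...` should read `...\config\systemprofile\AppData\...`; as written the system-profile copy of wpndatabase.db will never match. The definition also has no `urls:` line, unlike the neighbouring entry above it, and it may be worth deciding whether journal or WAL companion files should be collected alongside the database, as the webbrowser definitions in this commit do with their `-journal` paths.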
2 changes: 1 addition & 1 deletion config/dpkg/changelog
Expand Up @@ -2,4 +2,4 @@ artifacts (20240107-1) unstable; urgency=low

* Auto-generated

-- Forensic artifacts <[email protected]> Sun, 07 Jan 2024 10:05:41 +0100
-- Forensic artifacts <[email protected]> Sun, 07 Jan 2024 11:23:21 +0100
16 changes: 8 additions & 8 deletions docs/sources/background/Stats.md
@@ -1,15 +1,15 @@
## Statistics

The artifact definitions can be found in the
[data directory](https://github.com/ForensicArtifacts/artifacts/tree/main/data) and the format is described in detail
in the [Style Guide](https://artifacts.readthedocs.io/en/latest/sources/Format-specification.html).
[artifacts/data directory](https://github.com/ForensicArtifacts/artifacts/tree/main/artifacts/data) and the format is described
in detail in the [Style Guide](https://artifacts.readthedocs.io/en/latest/sources/Format-specification.html).

Status of the repository as of 2024-01-07

Description | Number
--- | ---
Number of artifact definitions: | 808
Number of file paths: | 2058
Number of artifact definitions: | 818
Number of file paths: | 2234
Number of Windows Registry key paths: | 677

### Artifact definition source types
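Review bot: the definition count rises by 10 (808 to 818) and the FILE source count in the next hunk by the same amount, but this commit visibly adds four definitions (three Chromium-based browser database files and WindowsPushNotificationDatabaseFile); worth confirming Stats.md was regenerated from this exact tree rather than picking up earlier, previously unrecorded additions, and noting that in the commit message.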
Expand All @@ -18,7 +18,7 @@ Identifier | Number
--- | ---
ARTIFACT_GROUP | 47
COMMAND | 10
FILE | 523
FILE | 533
PATH | 28
REGISTRY_KEY | 57
REGISTRY_VALUE | 116
Expand All @@ -28,8 +28,8 @@ WMI | 27

Identifier | Number
--- | ---
Darwin | 202
Darwin | 205
ESXi | 16
Linux | 246
Windows | 368
Linux | 249
Windows | 372

7 changes: 4 additions & 3 deletions tools/stats.py
Expand Up @@ -101,7 +101,8 @@ def BuildStats(self):
def PrintStats(self):
"""Build stats and print in MarkDown format."""
data_directory_url = (
'https://github.com/ForensicArtifacts/artifacts/tree/main/data')
'https://github.com/ForensicArtifacts/artifacts/tree/main/artifacts/'
'data')

style_guide_url = (
'https://artifacts.readthedocs.io/en/latest/sources/'
Expand All @@ -110,8 +111,8 @@ def PrintStats(self):
print(f"""## Statistics
The artifact definitions can be found in the
[data directory]({data_directory_url:s}) and the format is described in detail
in the [Style Guide]({style_guide_url:s}).
[artifacts/data directory]({data_directory_url:s}) and the format is described
in detail in the [Style Guide]({style_guide_url:s}).
""")

self.BuildStats()