Worked on script to check artifact definitions (#9)

ForensicArtifacts · Mar 20, 2022 · a5dc58a · a5dc58a
1 parent 5f29245
commit a5dc58a
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 2 deletions.
diff --git a/artifactsrc/formats.yaml b/artifactsrc/formats.yaml
@@ -76,6 +76,15 @@ layout:
 - data_type: scca_compressed_file_header
   offset: 0
 ---
+name: sqlite
+type: format
+description: SQLite database file format
+attributes:
+  byte_order: little-endian
+layout:
+- data_type: sqlite_file_header
+  offset: 0
+---
 name: byte
 type: integer
 attributes:
@@ -364,3 +373,13 @@ members:
   value: "MAM\x04"
 - name: uncompressed_data_size
   data_type: uint32
+---
+name: sqlite_file_header
+type: structure
+description: SQLite database file header
+members:
+- name: signature
+  type: stream
+  element_data_type: byte
+  elements_data_size: 16
+  value: "SQLite format 3\x00"
diff --git a/artifactsrc/volume_scanner.py b/artifactsrc/volume_scanner.py
@@ -387,7 +387,7 @@ def ScanForOperatingSystemVolumes(self, source_path, options=None):
         if relative_path:
           system_directories.append(relative_path.lower())
 
-      if system_directories:
+      if system_directories or len(base_path_specs) == 1:
         self._file_system_searcher = file_system_searcher
         self._file_system = file_system
         self._mount_point = mount_point

diff --git a/data/checks.yaml b/data/checks.yaml
@@ -1,4 +1,4 @@
-# Artifact checks.
+# Artifact definition checks.
 ---
 name: MacOSBluetoothPlistFile
 formats: ['binary_plist']
@@ -21,6 +21,18 @@ formats: ['binary_plist']
 name: MacOSLoginWindowPlistFile
 formats: ['binary_plist']
 ---
+name: MacOSNotificationCenterSQLiteDatabaseFile
+formats: ['sqlite']
+---
+name: MacOSQuarantineEventsSQLiteDatabaseFile
+formats: ['sqlite']
+---
+name: MacOSRecentItemsPlistFile
+formats: ['binary_plist']
+---
+name: MacOSSidebarListsPlistFile
+formats: ['binary_plist']
+---
 name: MacOSSystemConfigurationPreferencesPlistFile
 formats: ['binary_plist']
 ---