1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
|
# Artifact definitions.
---
name: LinuxHostnameFile
doc: Linux hostname file.
sources:
- type: FILE
attributes: {paths: ['/etc/hostname']}
labels: [Configuration Files, System]
supported_os: [Linux]
---
name: LinuxLocalTime
doc: Local time zone configuration.
sources:
- type: FILE
attributes: {paths: ['/etc/localtime']}
labels: [System]
supported_os: [Linux]
---
name: LinuxPasswdFile
doc: |
Linux passwd file.
A passwd file consist of colon separated values in the format:
username:password:uid:gid:full name:home directory:shell
sources:
- type: FILE
attributes: {paths: ['/etc/passwd']}
labels: [Configuration Files, System]
supported_os: [Linux]
---
name: LinuxDistributionRelease
doc: Linux distribution release information of non-LSB compliant systems.
sources:
- type: FILE
attributes:
paths:
- '/etc/enterprise-release'
- '/etc/oracle-release'
- '/etc/redhat-release'
- '/etc/system-release'
provides: [os_release, os_major_version, os_minor_version]
labels: [Software]
supported_os: [Linux]
---
name: LinuxIssueFile
doc: Linux prelogin message and identification (issue) file.
sources:
- type: FILE
attributes:
paths:
- '/etc/issue'
- '/etc/issue.net'
labels: [Configuration Files, System]
supported_os: [Linux]
urls: ['https://linux.die.net/man/5/issue']
---
name: LinuxLSBRelease
doc: Linux Standard Base (LSB) release information
sources:
- type: FILE
attributes: {paths: ['/etc/lsb-release']}
provides: [os_release, os_major_version, os_minor_version]
labels: [Software]
supported_os: [Linux]
urls: ['https://linux.die.net/man/1/lsb_release']
---
name: LinuxSystemdOSRelease
doc: Linux systemd /etc/os-release file
sources:
- type: FILE
attributes:
paths:
- '/etc/os-release'
- '/usr/lib/os-release'
provides: [os_release, os_major_version, os_minor_version]
labels: [Software]
supported_os: [Linux]
urls: ['https://www.freedesktop.org/software/systemd/man/os-release.html']
---
name: MacOSKeyboardLayoutPlistFile
doc: Keyboard layout plist file
sources:
- type: FILE
attributes: {paths: ['/Library/Preferences/com.apple.HIToolbox.plist']}
labels: [System]
supported_os: [Darwin]
---
name: MacOSLocalTime
doc: Current Time Zone
sources:
- type: FILE
attributes:
paths:
- '/etc/localtime'
- '/private/etc/localtime'
labels: [System]
supported_os: [Darwin]
urls:
- 'https://forensics.wiki/mac_os_x'
- 'https://forensics.wiki/mac_os_x_10.9_-_artifacts_location#system_info_misc.'
---
name: MacOSSystemConfigurationPreferencesPlistFile
doc: System configuration preferences plist file
sources:
- type: FILE
attributes: {paths: ['/Library/Preferences/SystemConfiguration/preferences.plist']}
labels: [System]
supported_os: [Darwin]
---
name: MacOSSystemVersionPlistFile
doc: Operating system name and version plist file
sources:
- type: FILE
attributes: {paths: ['/System/Library/CoreServices/SystemVersion.plist']}
labels: [System]
supported_os: [Darwin]
urls:
- 'https://forensics.wiki/mac_os_x'
- 'https://forensics.wiki/mac_os_x_10.9_-_artifacts_location#system_settings_and_informations'
---
name: MacOSUserPasswordHashesPlistFiles
doc: User password hashes plist files
sources:
- type: FILE
attributes:
paths:
- '/var/db/dslocal/nodes/Default/users/*.plist'
- '/private/var/db/dslocal/nodes/Default/users/*.plist'
labels: [System, Users, Authentication]
supported_os: [Darwin]
urls:
- 'https://forensics.wiki/mac_os_x'
- 'https://forensics.wiki/mac_os_x_10.9_-_artifacts_location#system_settings_and_informations'
---
name: WindowsAvailableTimeZones
doc: Timezones available on a Windows system.
sources:
- type: REGISTRY_KEY
attributes: {keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\*']}
supported_os: [Windows]
urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Time%20zone%20keys.asciidoc']
---
name: WindowsCodePage
doc: The system code page.
sources:
- type: REGISTRY_VALUE
attributes:
key_value_pairs:
- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage', value: 'ACP'}
provides: [code_page]
supported_os: [Windows]
urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Codepage.html']
---
name: WindowsComputerName
doc: The name of the system.
sources:
- type: REGISTRY_VALUE
attributes:
key_value_pairs:
- {key: '%%current_control_set%%\Control\ComputerName\ComputerName', value: 'ComputerName'}
provides: [hostname]
supported_os: [Windows]
---
name: WindowsCurrentVersion
doc: The Windows current version
sources:
- type: REGISTRY_VALUE
attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'CurrentVersion'}]}
supported_os: [Windows]
urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc']
---
name: WindowsEnvironmentVariableAllUsersProfile
doc: |
The %AllUsersProfile% environment variable
May or may not depend on registry keys - see urls
sources:
- type: REGISTRY_VALUE
attributes:
key_value_pairs:
- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'AllUsersProfile'}
provides: [environ_allusersprofile]
supported_os: [Windows]
urls:
- 'https://www.microsoft.com/en-us/wdsi/help/folder-variables'
- 'https://github.com/mirror/reactos/blob/c6d2b35ffc91e09f50dfb214ea58237509329d6b/reactos/boot/bootdata/livecd.inf'
- 'http://support.microsoft.com/kb//214653'
---
name: WindowsEnvironmentVariableProgramData
doc: The %ProgramData% environment variable.
sources:
- type: REGISTRY_VALUE
attributes:
key_value_pairs:
- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'}
provides: [environ_allusersappdata]
supported_os: [Windows]
urls: ['http://environmentvariables.org/ProgramData']
---
name: WindowsEnvironmentVariableProgramFiles
doc: The %ProgramFiles% environment variable.
sources:
- type: PATH
attributes:
paths: ['\Program Files']
separator: '\'
- type: REGISTRY_VALUE
attributes:
key_value_pairs:
- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir'}
provides: [environ_programfiles]
supported_os: [Windows]
urls: ['http://environmentvariables.org/ProgramFiles']
---
name: WindowsEnvironmentVariableProgramFilesX86
doc: The %ProgramFiles(x86)% environment variable.
sources:
- type: PATH
attributes:
paths: ['\Program Files (x86)']
separator: '\'
- type: REGISTRY_VALUE
attributes:
key_value_pairs:
- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir (x86)'}
provides: [environ_programfilesx86]
supported_os: [Windows]
urls: ['http://environmentvariables.org/ProgramFiles']
---
name: WindowsEnvironmentVariableSystemRoot
doc: The system root directory path, defined by %SystemRoot%, typically "C:\Windows".
sources:
- type: PATH
attributes:
paths:
- '\Windows'
- '\WinNT'
- '\WINNT35'
- '\WTSRV'
separator: '\'
- type: REGISTRY_VALUE
attributes:
key_value_pairs:
- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'}
provides: [environ_systemroot]
supported_os: [Windows]
urls: ['http://environmentvariables.org/SystemRoot']
---
name: WindowsEnvironmentVariableWinDir
doc: The %WinDir% environment variable.
sources:
- type: PATH
attributes:
paths:
- '\Windows'
- '\WinNT'
- '\WINNT35'
- '\WTSRV'
separator: '\'
- type: REGISTRY_VALUE
attributes:
key_value_pairs:
- {key: '%%current_control_set%%\Control\Session Manager\Environment', value: 'windir'}
provides: [environ_windir]
supported_os: [Windows]
urls: ['http://environmentvariables.org/WinDir']
---
name: WindowsEventLogPublishers
doc: Windows EventLog publishers (or providers) Registry keys.
sources:
- type: REGISTRY_KEY
attributes:
keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\*']
supported_os: [Windows]
urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/EventLog-keys.html']
---
name: WindowsEventLogSources
doc: Windows EventLog sources Registry keys.
sources:
- type: REGISTRY_KEY
attributes:
keys: ['HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\*\*']
supported_os: [Windows]
urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/EventLog-keys.html']
---
name: WindowsProductName
doc: The Windows product name
sources:
- type: REGISTRY_VALUE
attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'ProductName'}]}
supported_os: [Windows]
urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc']
---
name: WindowsLanguage
doc: The system language.
sources:
- type: REGISTRY_VALUE
attributes:
key_value_pairs:
- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language', value: 'Default'}
supported_os: [Windows]
urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Language.html']
---
name: WindowsMountedDevices
doc: Windows mounted devices
sources:
- type: REGISTRY_KEY
attributes: {keys: ['HKEY_LOCAL_MACHINE\System\MountedDevices']}
supported_os: [Windows]
urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Mounted-devices.html']
---
name: WindowsRegistryProfiles
doc: |
Get SIDs for all users on the system with profiles present in the Registry.
This looks in the Windows Registry where the profiles are stored and retrieves
the paths for each profile.
sources:
- type: REGISTRY_VALUE
attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\*', value: 'ProfileImagePath'}]}
labels: [Users]
provides: [users.sid, users.userprofile, users.homedir, users.username]
supported_os: [Windows]
urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx']
---
name: WindowsServices
doc: Windows services and drivers configuration.
sources:
- type: REGISTRY_KEY
attributes:
keys:
- 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\*'
labels: [Software]
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ServicesAndDrivers.html']
---
name: WindowsTimezone
doc: The time zone of the system as a Windows time zone name or in MUI form.
sources:
- type: REGISTRY_VALUE
attributes:
key_value_pairs:
- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName'}
- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'TimeZoneKeyName'}
provides: [time_zone]
supported_os: [Windows]
urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Time-zones.html']
|
