From 35735a54b86195cd6608a171e0cd63a609379d0d Mon Sep 17 00:00:00 2001
From: Joachim Metz
Date: Mon, 1 Apr 2024 08:45:39 +0200
Subject: [PATCH] Split InternetExplorerHistory definition (#623)

---
 artifacts/data/triage.yaml | 2 +-
 artifacts/data/webbrowser.yaml | 22 +++++++++++++++++++++-
 artifacts/data/windows.yaml | 23 +++++++++++++++++++----
 3 files changed, 41 insertions(+), 6 deletions(-)

diff --git a/artifacts/data/triage.yaml b/artifacts/data/triage.yaml
index d6208e4f..5ecc6ac9 100644
--- a/artifacts/data/triage.yaml
+++ b/artifacts/data/triage.yaml
@@ -145,7 +145,7 @@ sources:
     - WindowsActivitiesCacheDatabase
     - WindowsRDPClientBitmapCache
     - WindowsRecycleBinMetadata
-    - WindowsSearchDatabase
+    - WindowsSearchDatabaseFile
     - WindowsUserAutomaticDestinationsJumpLists
     - WindowsUserCustomDestinationsJumpLists
     - WindowsUserRecentFiles
diff --git a/artifacts/data/webbrowser.yaml b/artifacts/data/webbrowser.yaml
index 12fb48b9..39bf16a2 100644
--- a/artifacts/data/webbrowser.yaml
+++ b/artifacts/data/webbrowser.yaml
@@ -1344,6 +1344,27 @@ doc: |
   * MSIE 4 - 9 Cache files (index.dat);
   * MSIE 10 WebCacheV*.dat files.
 sources:
+- type: ARTIFACT_GROUP
+  attributes:
+    names:
+    - 'InternetExplorerHistoryDatabaseFile'
+    - 'InternetExplorerIndexDatFiles'
+supported_os: [Windows]
+urls: ['https://forensics.wiki/internet_explorer']
+---
+name: InternetExplorerHistoryDatabaseFile
+doc: Microsoft Internet Explorer (MSIE) 10 browser history database file (WebCacheV*.dat).
+sources:
+- type: FILE
+  attributes:
+    paths: ['%%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat']
+    separator: '\'
+supported_os: [Windows]
+urls: ['https://forensics.wiki/internet_explorer']
+---
+name: InternetExplorerIndexDatFiles
+doc: Microsoft Internet Explorer (MSIE) 4 - 9 cache and history files (index.dat).
+sources:
 - type: FILE
   attributes:
     paths:
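Review bot: `InternetExplorerHistoryDatabaseFile` collects only `WebCacheV*.dat`, but that file is an ESE (Extensible Storage Engine) database, and a copy taken from a running system is normally left in a dirty-shutdown state that can only be brought back to a consistent view together with the transaction log and checkpoint files stored next to it, so a triage collection that omits them may yield a database the usual parsers refuse to open or an incomplete history. Suggest adding `- '%%users.localappdata%%\Microsoft\Windows\WebCache\V*.log'` and `- '%%users.localappdata%%\Microsoft\Windows\WebCache\V*.chk'` to the paths (the log base name follows the database number, e.g. V01.log for WebCacheV01.dat — verify against a sample system) and stating in the `doc` that the log files are needed to recover the database. The same consideration applies to the other ESE databases renamed or added in this patch, ntds.dit (windows.yaml @@ -32), HCdata.edb (@@ -1488) and Windows.edb (@@ -2220); for ntds.dit the log directory is configured separately from the database directory and need not be the same. The group's `name` and the start of its `doc` block lie outside the hunk.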
@@ -1355,7 +1376,6 @@ sources:
     - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\index.dat'
     - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat'
     - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat'
-    - '%%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat'
     - '%%users.userprofile%%\Local Settings\History\History.IE5\index.dat'
     separator: '\'
 supported_os: [Windows]
diff --git a/artifacts/data/windows.yaml b/artifacts/data/windows.yaml
index a75549d3..5509e258 100644
--- a/artifacts/data/windows.yaml
+++ b/artifacts/data/windows.yaml
@@ -32,12 +32,17 @@ sources:
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ActiveDesktop.html']
 ---
-name: WindowsActiveDirectoryDatabase
-doc: Windows Active Directory data store file.
+name: WindowsActiveDirectoryDatabaseFile
+aliases: [WindowsActiveDirectoryDatabase]
+doc: Windows Active Directory database file (ntds.dit).
 sources:
 - type: FILE
   attributes:
-    paths: ['%%environ_systemroot%%\ntds\ntds.dit']
+    paths:
+    - '%%environ_systemroot%%\ntds\ntds.dit'
+    - '%%environ_systemroot%%\ServicePackFiles\*\ntds.dit*'
+    - '%%environ_systemroot%%\SoftwareDistribution\Download\*\*\ntds.dit*'
+    - '%%environ_systemroot%%\System32\ntds.dit'
     separator: '\'
 supported_os: [Windows]
 urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772829(v=ws.10)']
@@ -1488,6 +1493,15 @@ supported_os: [Windows]
 urls:
 - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
 ---
+name: WindowsHelpCenterDatabaseFile
+doc: Windows Help Center database file (HCdata.edb).
+sources:
+- type: FILE
+  attributes:
+    paths: ['%%environ_systemroot%%\PCHEALTH\HELPCTR\Database\HCdata.edb']
+    separator: '\'
+supported_os: [Windows]
+---
 name: WindowsHostsFiles
 doc: The Windows hosts and lmhosts file.
 sources:
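Review bot: The new `doc` on `WindowsActiveDirectoryDatabaseFile` does not distinguish the live directory store from the copies the added paths pick up, which matters to anyone sizing or prioritising a collection: `%%environ_systemroot%%\ntds\ntds.dit` is the default location of the database a domain controller actually uses, while the `ServicePackFiles`, `SoftwareDistribution\Download` and `System32` entries look like installer, service-pack and update copies (presumably pristine template databases rather than the DC's data — confirm). Suggest `doc: Windows Active Directory database file (ntds.dit); the ntds directory holds the live database on a domain controller, the remaining paths match installer, service-pack and update copies.`. The database location is also configurable at promotion time (the NTDS service parameters in the registry), so a relocated ntds.dit is matched by none of these paths; saying so in the `doc` tells consumers the list is not exhaustive.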
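Review bot: `WindowsHelpCenterDatabaseFile` is the only definition in this hunk without a `urls` entry, and its `doc` gives no hint of which Windows versions carry the file; `%%environ_systemroot%%\PCHEALTH\HELPCTR` appears to be the Help and Support Center of Windows XP / Server 2003, so on current systems the artifact will simply match nothing, which a reader of the definition should be able to tell without looking it up. Suggest `doc: Windows Help Center database file (HCdata.edb), present on Windows XP and Windows Server 2003 era systems.` (confirm the version range) and a `urls: ['<REFERENCE_URL>']` line pointing at whatever reference the project uses for this file.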
@@ -2220,7 +2234,8 @@ urls:
 - 'https://technet.microsoft.com/en-us/library/cc737855(v=ws.10).aspx'
 - 'https://technet.microsoft.com/en-us/library/cc957840.aspx'
 ---
-name: WindowsSearchDatabase
+name: WindowsSearchDatabaseFile
+aliases: [WindowsSearchDatabase]
 doc: Windows Search database (Windows.edb).
 sources:
 - type: FILE