From 0eb7b2bcda74209cf5fff8e8fa3dd53dc0497fc3 Mon Sep 17 00:00:00 2001
From: vPierre <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Thu, 9 Jan 2025 20:17:51 +0100
Subject: [PATCH 1/2] Update macos_unified_logs.yaml
Collect macOS Apple System Logs (ASL) files.
---
 artifacts/files/logs/macos_unified_logs.yaml | 22 ++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/artifacts/files/logs/macos_unified_logs.yaml b/artifacts/files/logs/macos_unified_logs.yaml
index f28c3618..46c4cd74 100644
--- a/artifacts/files/logs/macos_unified_logs.yaml
+++ b/artifacts/files/logs/macos_unified_logs.yaml
@@ -1,4 +1,4 @@
-version: 4.0
+version: 4.1
 artifacts:
 -
 description: Collect macOS Unified Logs tracev3 files.
@@ -16,4 +16,22 @@ artifacts:
 supported_os: [macos]
 collector: file
 path: /private/var/db/diagnostics/timesync
- 
\ No newline at end of file
+ -
+ description: Collect macOS Apple System Logs (ASL) files.
+ supported_os: [macos]
+ collector: file
+ path: /private/var/log/asl.db
+ max_file_size: 1073741824 # 1GB
+ -
+ description: Collect macOS Apple System Logs (ASL) files.
+ supported_os: [macos]
+ collector: file
+ path: /private/var/log/asl.log
+ max_file_size: 1073741824 # 1GB
+ -
+ description: Collect macOS Apple System Logs (ASL) files.
+ supported_os: [macos]
+ collector: file
+ path: /private/var/log/asl/*
+ max_file_size: 1073741824 # 1GB
+
From 662b0dde6ea8d19f9a9ba1ebdb40c9704880d3f2 Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Tue, 21 Jan 2025 08:15:40 -0300
Subject: [PATCH 2/2] artif: add reference and CHANGELOG
---
 CHANGELOG.md | 1 +
 artifacts/files/logs/macos_unified_logs.yaml | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 89ce5d85..fa930266 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md 
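Review bot: The three new entries in the `@@ -16,4 +16,22 @@` hunk all carry the identical description `Collect macOS Apple System Logs (ASL) files.`, so nothing in the artifact tells an analyst which source a collected item came from — the older single-file stores (`asl.log`, `asl.db`) or the `/private/var/log/asl/` directory. Give each entry its own wording, e.g. `description: Collect legacy macOS ASL log file (asl.log).` and `description: Collect macOS ASL data store files from /private/var/log/asl.`, so the output and the artifact listing stay distinguishable. Separately, the `/private/var/log/asl/*` pattern covers only the directory's top level; if the file collector's glob does not descend into subdirectories, any archive subfolder the ASL manager keeps under that directory (presumably `Logs/`) would be skipped, which is worth confirming against the collector's glob semantics or covering with an additional entry. The 1 GB `max_file_size` cap is reasonable for these stores, but a short comment explaining why that limit was chosen would help the next maintainer.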
@@ -15,6 +15,7 @@
 - files/applications/katesession.yaml: Added colleection of metadata about recently opened files in Kwrite and Kate text editors [freebsd, linux, netbsd, openbsd].
 - files/applications/nano.yaml: Added collection of nano history file [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - files/applications/okular.yaml: Added collection of metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE [freebsd, linux, netbsd, openbsd].
+- files/logs/macos_unified_logs.yaml: Updated to include the collection of ASL logs [macos] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - files/system/gvfs_metadata.yaml: Added collection of data from the gvfs-metadata directory to retrieve user-specific metadata, such as file access details, custom properties, and interaction history [freebsd, linux, netbsd, openbsd].
 - files/system/kactivitymanagerd.yaml: Added collection of activity tracking data used by KActivityManager (part of KDE) to track and manage user activities, such as recently opened files, applications, and other resources [freebsd, linux, netbsd, openbsd].
 - files/system/upstart.yaml: Added collection of system-wide and user-session Upstart configuration files [linux].
diff --git a/artifacts/files/logs/macos_unified_logs.yaml b/artifacts/files/logs/macos_unified_logs.yaml
index 46c4cd74..c69d5c25 100644
--- a/artifacts/files/logs/macos_unified_logs.yaml
+++ b/artifacts/files/logs/macos_unified_logs.yaml
@@ -35,3 +35,5 @@ artifacts:
 path: /private/var/log/asl/*
 max_file_size: 1073741824 # 1GB
 
+# References:
+# https://darkdefender.medium.com/brief-introduction-to-macos-forensics-f817c9c83609
\ No newline at end of file
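Review bot: The added reference URL is now the last line of the file and ends without a terminating newline (`\ No newline at end of file`), which reintroduces the condition the first patch in this series had just cleared by appending an empty line; finish the file with a newline so yamllint's `new-line-at-end-of-file` check and future diffs stay clean. The reference itself is a third-party blog post; pointing readers additionally at a primary source for the ASL store, such as Apple's `syslogd(8)` and `asl(3)` manual pages, would make the provenance of these paths easier to verify as the entries age.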