- Original path:
profiles/base/forensics.toml
# Forensic Artifacts Profile
# Inspired by KAPE and UAC - detects forensic artifacts and evidence of user activity
# Encoding layers the scanner unwraps before the patterns below are applied
# (presumably base64, hex and URL percent-encoding — confirm against the scanner)
decode = [
    "base64",
    "hex",
    "percent-encoding",
]
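# Windows Forensic Artifacts

[[patterns]]
name = "Windows Event Log"
type = "regex"
# legacy .evt and current .evtx
pattern = "\\.evtx?$"
case-insensitive = true

[[patterns]]
name = "Prefetch File"
type = "regex"
pattern = "\\.pf$"
case-insensitive = true

[[patterns]]
name = "Registry Hive"
type = "regex"
# The bare hive names (SAM, SYSTEM, SOFTWARE, SECURITY) are ordinary words and with
# case-insensitive matching fired on almost any text. They now have to directly follow
# a path separator and end at a word boundary, which still covers file paths
# (...\config\SYSTEM) and registry paths (HKLM\SYSTEM\...). The user hive file names
# are distinctive on their own; NTUSER.DAT.LOG is already covered by NTUSER.DAT.
pattern = "[\\\\/](?:SAM|SYSTEM|SOFTWARE|SECURITY)\\b|NTUSER\\.DAT|UsrClass\\.dat"
case-insensitive = true

[[patterns]]
name = "ShimCache Reference"
type = "regex"
pattern = "AppCompatCache|ShimCache"
case-insensitive = true

[[patterns]]
name = "Amcache Reference"
type = "regex"
pattern = "Amcache\\.hve"
case-insensitive = true

[[patterns]]
name = "SRUM Database"
type = "regex"
pattern = "SRUDB\\.dat"
case-insensitive = true

[[patterns]]
name = "Recent Files (LNK)"
type = "regex"
pattern = "\\.lnk$"
case-insensitive = true

[[patterns]]
name = "Jump List"
type = "regex"
pattern = "(?:automaticDestinations|customDestinations)-ms$"
case-insensitive = true

[[patterns]]
name = "Shellbags Reference"
type = "regex"
# Word boundaries keep "Bags" from matching inside longer identifiers;
# case-sensitive on purpose.
pattern = "\\b(?:BagMRU|Bags)\\b"

[[patterns]]
name = "USN Journal"
type = "regex"
# "$J" is the journal's data stream; the trailing word boundary stops it from
# matching any other token that happens to start with "$J".
pattern = "\\$UsnJrnl|\\$J\\b"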
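# Browser Artifacts
#
# Chromium-based browsers keep history, cookies and cache in files/directories named
# exactly "History", "Cookies" and "Cache". Those are also everyday words, so the bare
# names only count when they directly follow a path separator and end at a word
# boundary; the Firefox/IE file names are distinctive enough on their own.

[[patterns]]
name = "Browser History"
type = "regex"
pattern = "[\\\\/]History\\b|WebCacheV|places\\.sqlite"
case-insensitive = true

[[patterns]]
name = "Browser Cookies"
type = "regex"
pattern = "[\\\\/]Cookies\\b|cookies\\.sqlite"
case-insensitive = true

[[patterns]]
name = "Browser Cache"
type = "regex"
# A plain "Cache" alternative with case-insensitive matching made the cache2 and
# CacheStorage alternatives unreachable and fired on e.g. every Cache-Control header.
pattern = "[\\\\/](?:Cache|cache2|CacheStorage)\\b"
case-insensitive = true

[[patterns]]
name = "Browser Downloads"
type = "regex"
# "download.*history" could span arbitrary text between the two words; at most one
# separator character is allowed now.
pattern = "downloads\\.sqlite|download[\\s_-]?history"
case-insensitive = true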
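# Unix/Linux Forensic Artifacts
#
# Two pattern types are in use: "string" is (by its name and by the unescaped entries
# below) a literal match, "regex" a regular expression. A pattern that needs an escaped
# "." must therefore be a regex — as a literal string the backslash would be part of the
# searched text and the entry would never match.

[[patterns]]
name = "Bash History"
type = "regex"
pattern = "\\.bash_history"

[[patterns]]
name = "Auth Log"
type = "regex"
pattern = "/var/log/auth\\.log"

[[patterns]]
name = "Syslog"
type = "string"
pattern = "/var/log/syslog"

[[patterns]]
name = "Wtmp/Utmp"
type = "regex"
# login records (wtmp), current sessions (utmp) and failed logins (btmp)
pattern = "(?:/var/log/wtmp|/var/run/utmp|/var/log/btmp)"

[[patterns]]
name = "Lastlog"
type = "string"
pattern = "/var/log/lastlog"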
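# Timestamps and Timeline Artifacts

[[patterns]]
name = "MFT Record"
type = "regex"
# "$MFT" carries a regex escape for the "$", so it has to be a regex; as a literal
# "string" pattern the backslash would be part of the searched text and it would
# never match.
pattern = "\\$MFT"

[[patterns]]
name = "Timestamp Pattern"
type = "regex"
# a timestamp label followed by an ISO-style date, e.g. "Modified: 2024-01-15"
pattern = "(?:Created|Modified|Accessed|Changed):\\s*\\d{4}-\\d{2}-\\d{2}"
case-insensitive = true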
# Memory and Process Artifacts

[[patterns]]
name = "Memory Dump File"
type = "regex"
# common memory image extensions; ".raw" is also used by unrelated formats, so
# expect some noise from this one
pattern = "\\.(?:dmp|vmem|raw|mem)$"
case-insensitive = true

[[patterns]]
name = "Hibernation File"
type = "regex"
pattern = "hiberfil\\.sys"
case-insensitive = true

[[patterns]]
name = "Page File"
type = "regex"
pattern = "pagefile\\.sys|swapfile\\.sys"
case-insensitive = true
# Email Artifacts

[[patterns]]
name = "PST/OST File"
type = "regex"
# Outlook data files (.pst) and offline store files (.ost)
pattern = "\\.(?:pst|ost)$"
case-insensitive = true

[[patterns]]
name = "EML File"
type = "regex"
pattern = "\\.eml$"
case-insensitive = true

[[patterns]]
name = "MBOX File"
type = "regex"
pattern = "\\.mbox$"
case-insensitive = true
# File System Artifacts

[[patterns]]
name = "Volume Shadow Copy"
type = "regex"
# Case-sensitive (presumably on purpose): "VSS" is short and also occurs inside
# unrelated tokens, so the match is already broad.
pattern = "(?:System Volume Information|VSS)"

[[patterns]]
name = "Recycle Bin"
type = "regex"
# The $Recycle.Bin / $RECYCLE.BIN directory and the $I<6 chars> (metadata) and
# $R<6 chars> (content) entries inside it. Case-sensitive, hence both spellings
# of the directory name.
pattern = "(?:\\$Recycle\\.Bin|\\$RECYCLE\\.BIN|\\$I[A-Z0-9]{6}|\\$R[A-Z0-9]{6})"

[[patterns]]
name = "Thumbs.db"
type = "regex"
# legacy Thumbs.db and the per-size thumbcache_*.db files
pattern = "Thumbs\\.db|thumbcache"
case-insensitive = true
# Signatures combine the per-file pattern matches above. pattern_name is matched with
# LIKE, so e.g. '%Log%' also covers "Syslog" and "Lastlog".

[[signatures]]
name = "Files with Multiple Forensic Indicators"
# files that hit more than two distinct log/history/cache patterns
query = """\
SELECT sha256, COUNT(DISTINCT pattern_name) as artifact_count \
FROM pattern_matches \
WHERE pattern_name LIKE '%Log%' OR pattern_name LIKE '%History%' OR pattern_name LIKE '%Cache%' \
GROUP BY sha256 \
HAVING artifact_count > 2\
"""

[[signatures]]
name = "Browser Forensic Artifacts"
query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name LIKE 'Browser%'"