- Original path:
profiles/modules/linux/user-activity.toml
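# Linux User Activity Module
# Collects user activity artifacts for forensic analysis.
#
# Each [[patterns]] entry is a regular expression (type = "regex"). Entries
# such as '/var/spool/cron/' contain directory components, which suggests
# the collector matches against the file path rather than the bare file
# name — confirm against the collector before relying on that.
# Regexes are written as TOML literal strings ('...') so a regex "\." needs
# no doubling. Most entries are case-insensitive although Linux paths are
# case-sensitive; that only widens matching, at the cost of extra noise.

[module]
name = "Linux User Activity"
description = "User activity artifacts (recent files, trash, thumbnails, etc.)"
category = "linux"
platform = ["linux"]
priority = "medium"

# Recently Used (GNOME/GTK)
[[patterns]]
name = "Recently Used"
pattern = 'recently-used\.xbel'
case-insensitive = true
type = "regex"

# Trash Files
[[patterns]]
name = "Trash Info"
pattern = '\.Trash.*\.trashinfo$'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Trash Files"
pattern = '\.Trash-[0-9]+/files/'
case-insensitive = true
type = "regex"

# Thumbnails
[[patterns]]
name = "Thumbnails"
pattern = '\.cache/thumbnails/'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Thumbnail Database"
pattern = 'thumbs-[0-9]+\.db$'
case-insensitive = true
type = "regex"

# Desktop Files
# Unanchored on the left, so this also matches every system-wide .desktop
# file (application launchers under the shared applications directories),
# not only per-user ones — expect a large result set. Per-user autostart
# entries are covered by their own pattern further down.
[[patterns]]
name = "Desktop Entry"
pattern = '\.desktop$'
case-insensitive = true
type = "regex"

# XDG User Directories
[[patterns]]
name = "User Dirs Config"
pattern = 'user-dirs\.(?:dirs|locale)$'
case-insensitive = true
type = "regex"

# GNOME Tracker Database
[[patterns]]
name = "Tracker Database"
pattern = 'tracker.*\.db$'
case-insensitive = true
type = "regex"

# KDE Activity Manager
[[patterns]]
name = "KDE Activities"
pattern = 'kactivitymanagerd.*\.db$'
case-insensitive = true
type = "regex"

# Zeitgeist (GNOME Activity Journal)
[[patterns]]
name = "Zeitgeist Activity"
pattern = 'zeitgeist.*\.db$'
case-insensitive = true
type = "regex"

# Crontab
# A file literally named "crontab", either at the start of the path or
# directly after a "/" (e.g. /etc/crontab).
[[patterns]]
name = "Crontab"
pattern = '(?:^|[/])crontab$'
case-insensitive = true
type = "regex"

# Per-user crontabs. This is the only case-sensitive entry in the file;
# presumably because it is a fixed system path — confirm with the author.
[[patterns]]
name = "User Crontab"
pattern = '/var/spool/cron/'
case-insensitive = false
type = "regex"

# SSH Known Hosts
# Also collects known_hosts.old, the backup ssh-keygen -R leaves behind when
# a host entry is removed; it preserves connection history the live file
# no longer shows.
[[patterns]]
name = "SSH Known Hosts"
pattern = 'known_hosts(?:\.old)?$'
case-insensitive = true
type = "regex"

# SSH Authorized Keys
# sshd's default AuthorizedKeysFile also reads .ssh/authorized_keys2, so a
# key planted there grants access just like authorized_keys; match both so
# that a persistence review does not miss it.
[[patterns]]
name = "SSH Authorized Keys"
pattern = 'authorized_keys2?$'
case-insensitive = true
type = "regex"

# SSH Config
[[patterns]]
name = "SSH Config"
pattern = '\.ssh/config$'
case-insensitive = true
type = "regex"

# GPG Keys
# Whole ~/.gnupg directory: keyrings, trust database and agent sockets.
[[patterns]]
name = "GPG Keyring"
pattern = '\.gnupg/'
case-insensitive = true
type = "regex"

# Firefox/Chrome Profiles (for user activity context)
# Directory-prefix matches: everything under the profile tree is included.
[[patterns]]
name = "Mozilla Profiles"
pattern = '\.mozilla/'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Chrome Config"
pattern = '\.config/(?:google-chrome|chromium)/'
case-insensitive = true
type = "regex"

# Systemd User Units
# Per-user units run in the user's session; review alongside autostart
# entries when looking for user-level persistence.
[[patterns]]
name = "Systemd User Units"
pattern = '\.config/systemd/user/'
case-insensitive = true
type = "regex"

# Autostart Applications
# XDG autostart entries are launched at desktop login for that user.
[[patterns]]
name = "Autostart Applications"
pattern = '\.config/autostart/'
case-insensitive = true
type = "regex"

# X Session Errors
# Intentionally not anchored with "$" so rotated copies such as
# .xsession-errors.old are collected too.
[[patterns]]
name = "X Session Errors"
pattern = '\.xsession-errors'
case-insensitive = true
type = "regex"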