v0.2.0b-alpha

v0.2.0b-alpha

First public release version - now b version: Binary for macOS included! 😄

Of note:

• At the moment you will have to build executables on your own system for Windows, they will be included in future releases
  • Take consideration that you may have to set the execution permissions of the binary on some systems (such as chmod +x for macOS)
• The configs/ folder contains a mac and windows config sample, all present keys are required
• The modules listed in each are what exist at this time, comments will denote WIP/experimental work
• Debug statements (and comments in actual module code) will denote unimplemented features
• At this time, output format is restricted to CSV for modules and JSON for logging

Note: All existing modules are runnable, they will produce output 😄 Please read all documentation and review before running on your own system.

Changes

💎 Release v0.2.0-alpha

• ❤️ Add CODE_OF_CONDUCT.md
• ❤️ Add CONTRIBUTING.md
• 📝 CONTRIBUTING.md - Document getting started, how to contribute, where to start, styleguide, etc.
• 📝 Update README.md
• 🎨 Update mac and windows config TOML files
• 🔥 Remove dead code and comments from various modules under windows/ and mac/
• 🐛 Refactor Github username change
• 📝 Other misc. documentation updates

Mac Modules

Module	Description
MacAppleSystemLogModule	Reads and parses the .asl files on disk
MacAuditLogModule	Reads and parses audit log files on disk
MacAutorunsModule	Reads and parses various persistent and auto-start programs, daemons, services. Tries to parse plist configuration files and check code signatures on programs. I.e.: Cron, Kernel Extensions, LaunchAgents and LaunchDaemons, Login Items, Login Restart Apps, Periodic Items/ RC Items / emond Items, Sandboxed Login Items, Startup Items, Scripting Additions
MacBashModule	Reads and parses the .*_history and .bash_sessions on disk
MacChromeModule	Reads and parses the Chrome history database for each user on disk
MacCookiesModule	Reads and parses the cookies database for each user and browser
MacDirlistModule	Configurable in config; Walks the filesystem and collects data from each item encountered as specified in the config file
MacEventTapsModule	Parses eventtaps via Core Graphics API
MacFirefoxModule	Reads and parses the firefox history database for each user on disk
MacInstallHistoryModule	Parses the InstallHistory.plist file
MacMRUModule	Reads and parses the SFL, SFL2, and other various MRU plist files
MacNetconfigModule	Reads and parses the network config plist
MacQuarantinesModule	Parses the QuarantineEventsV2 databases
MacSSHModule	Reads and parses the SSH known_hosts and authorized_keys on disk
MacSampleModule	Sample retrieving system version from System/Library/CoreServices/SystemVersion.plist
MacSpotlightShortcutsModule	Parses the com.apple.spotlight.Shortcuts.plist file. Contains a record of every application opened with Spotlight and associated timestamp of when it was last opened
MacSystemInfoModule	Reads and parses the system.log files on disk
MacSystemLogModule
MacTerminalStateModule	Parse the com.apple.Terminal.savedState for each user on disk
MacUsersModule	enumerate both deleted and current user profiles on the system. This module will also determine the last logged in user, and identify administrative users
MacUtmpxModule	Parse the utmpx file located in /private/var/run/utmpx

Windows Modules

Module	Description
WindowsDirlistModule	Configurable in config; Walks the filesystem and collects data from each item encountered as specified in the config file

Note: WindowsDirlistModule is experimental/proof of concept at the moment 🚧

Roadmap options

• Community feedback and suggestions
• Continue testing and polishing existing modules
• Ensure documentation is sufficient
• "Graceful" exit on SIGINT
• More modules for Windows
• Support Linux module writing
• Support for module output in other formats than CSV
• Support for tarballing module output
• Support for uploading module output
• AWS...?