MacOSX Recents Plugin

This is the 8th plugin that has been submitted for the OSDFCon plugin competition. This plugin has been in the works for a while. I have had it mostly completed but needed a few artifacts in order to test it. I still need artifacts to test it with and help it grow, but I thought I would get it out there so others might get a little use out of it and suggest artifacts that could be parsed with it.

This plugin was designed to take plists and SQLite databases from macOS and parse the information in them. The plugin is entirely database driven: all the information on which artifacts to parse, and which attributes to store the results under, is kept in a SQLite database. So what does that mean to you? It means that when you want to add a new plist or SQLite database to parse, all you have to do is add the proper data to the database and the plugin will start parsing it. One caveat is that a plist may require a modified program in order to parse it, so that may have to be added as well.

Let's take a look at the database design.

Database Design

As you can see, there are 6 tables in the design. The autopsy_artifacts and autopsy_attribute tables hold information about the Autopsy artifacts and attributes that the plugin will use. The autopsy_value_type table holds information about the different types of attribute values. The OS_Version table holds information about the versions of macOS the plugin supports. The mac_artifact table defines each artifact and how to process it. The Art_Att_Mac_Xref table tells the plugin which macOS artifact maps to which Autopsy artifact and attribute.

The artifact and attribute definition tables can hold either custom artifacts and attributes or Autopsy's builtin ones. Which type it is, custom or builtin, determines whether the plugin needs to create it for you.

The mac_artifact table is the driving force behind the plugin: it defines what type of artifact it is (plist or SQLite), what program to use to parse it, what SQL to use to pull the information out of it, and which OS version it applies to.

The following artifacts and versions are currently supported:

Artifacts currently supported.

As you can see, more artifacts are needed. If you want to add an artifact yourself, you can; just make sure you add all the data properly. There is a creates.sql script that I left in the plugin directory that gives an example of how the data should be inserted, so you can copy that and enter your own data. If you are not feeling up to that challenge, let me know and I can add it for you and put the new database out there.

If you have any questions or problems, please let me know. You can find the plugin here. Enjoy!