Merge pull request #378 from tclahr/new_artifacts

artif: new google drive artifact

Author: tclahr

CHANGELOG.md

@@ -11,6 +11,7 @@ All notable changes to this project will be documented in this file.
 
 ### Artifacts
 
+- `files/applications/google_drive.yaml`: Added collection of Google Drive metadata databases and log files [macos].
 - `files/browsers/cache.yaml`: Added collection of browser cache data. This artifact is resource-intensive and time-consuming, so it is disabled by default in all profiles [freebsd, linux, macos].
 - `files/logs/advanced_log_search.yaml`: `file_type: [f]` was removed to also collect symlinks. ([#355](https://github.com/tclahr/uac/issues/355))
 - `files/logs/apache.yaml`: `file_type: [f]` was removed to also collect symlinks. ([#355](https://github.com/tclahr/uac/issues/355))
@@ -58,10 +59,6 @@ All notable changes to this project will be documented in this file.
 - Fixed a bug where sftp ssh options were not being set correctly. ([#366](https://github.com/tclahr/uac/issues/366))
 - Fixed a bug where the bodyfile artifact was returning corrupted file names when `statx` was being used with `xargs -0`. ([#369](https://github.com/tclahr/uac/issues/369)) (by [halpomeranz](https://github.com/halpomeranz))
 
-### Profiles
-
 ### Command Line Option Changes
 
 - `--sftp-ssh-options` is now `--sftp-ssh-option`: This allows setting SSH options as key=value pairs. Can be used multiple times to set multiple options. ([#366](https://github.com/tclahr/uac/issues/366))
-
-### New Artifact Properties

artifacts/files/applications/google_drive.yaml

@@ -0,0 +1,28 @@
+version: 1.0
+artifacts:
+# References:
+# https://forensafe.com/blogs/windows_google_drive.html
+  -
+    description: Collect the database that contains information about all of the devices that have been partially or completely backed to Google Drive or any device that has been connected to the computer while Google Drive App was running. The database also stores information about the root (folders) synced to the cloud using Google Drive desktop app.
+    supported_os: [macos]
+    collector: file
+    path: /%user_home%/Library/"Application Support"/Google/DriveFS/root_preference_sqlite.db*
+    exclude_nologin_users: true
+  -
+    description: Collect the database that contains information about all of the items (root folders, sub-folders, or files) synced to the cloud using Google Drive desktop app.
+    supported_os: [macos]
+    collector: file
+    path: /%user_home%/Library/"Application Support"/Google/DriveFS/*/mirror_sqlite.db*
+    exclude_nologin_users: true
+  -
+    description: Collect the databases that contain information about the items stored in the cloud using Google Drive, deleted items, as well as information related to the user’s account.
+    supported_os: [macos]
+    collector: file
+    path: /%user_home%/Library/"Application Support"/Google/DriveFS/*/metadata_sqlite_db* /Library/Application\ Support/Google/DriveFS/*/mirror_metadata_sqlite.db*
+    exclude_nologin_users: true
+  -
+    description: Collect Google Drive logs.
+    supported_os: [macos]
+    collector: file
+    path: /%user_home%/Library/"Application Support"/Google/DriveFS/Logs
+    exclude_nologin_users: true