Skip to content

artif: new google drive artifact #378

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tclahr merged 1 commit into from
Jul 9, 2025
Merged

artif: new google drive artifact #378

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 1 addition & 4 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ All notable changes to this project will be documented in this file.

### Artifacts

- `files/applications/google_drive.yaml`: Added collection of Google Drive metadata databases and log files [macos].
- `files/browsers/cache.yaml`: Added collection of browser cache data. This artifact is resource-intensive and time-consuming, so it is disabled by default in all profiles [freebsd, linux, macos].
- `files/logs/advanced_log_search.yaml`: `file_type: [f]` was removed to also collect symlinks. ([#355](https://github.com/tclahr/uac/issues/355))
- `files/logs/apache.yaml`: `file_type: [f]` was removed to also collect symlinks. ([#355](https://github.com/tclahr/uac/issues/355))
Expand Down Expand Up @@ -58,10 +59,6 @@ All notable changes to this project will be documented in this file.
- Fixed a bug where sftp ssh options were not being set correctly. ([#366](https://github.com/tclahr/uac/issues/366))
- Fixed a bug where the bodyfile artifact was returning corrupted file names when `statx` was being used with `xargs -0`. ([#369](https://github.com/tclahr/uac/issues/369)) (by [halpomeranz](https://github.com/halpomeranz))

### Profiles

### Command Line Option Changes

- `--sftp-ssh-options` is now `--sftp-ssh-option`: This allows setting SSH options as key=value pairs. Can be used multiple times to set multiple options. ([#366](https://github.com/tclahr/uac/issues/366))

### New Artifact Properties
28 changes: 28 additions & 0 deletions artifacts/files/applications/google_drive.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
version: 1.0
artifacts:
# References:
# https://forensafe.com/blogs/windows_google_drive.html
-
description: Collect the database that contains information about all of the devices that have been partially or completely backed to Google Drive or any device that has been connected to the computer while Google Drive App was running. The database also stores information about the root (folders) synced to the cloud using Google Drive desktop app.
supported_os: [macos]
collector: file
path: /%user_home%/Library/"Application Support"/Google/DriveFS/root_preference_sqlite.db*
exclude_nologin_users: true
-
description: Collect the database that contains information about all of the items (root folders, sub-folders, or files) synced to the cloud using Google Drive desktop app.
supported_os: [macos]
collector: file
path: /%user_home%/Library/"Application Support"/Google/DriveFS/*/mirror_sqlite.db*
exclude_nologin_users: true
-
description: Collect the databases that contain information about the items stored in the cloud using Google Drive, deleted items, as well as information related to the user’s account.
supported_os: [macos]
collector: file
path: /%user_home%/Library/"Application Support"/Google/DriveFS/*/metadata_sqlite_db* /Library/Application\ Support/Google/DriveFS/*/mirror_metadata_sqlite.db*
exclude_nologin_users: true
-
description: Collect Google Drive logs.
supported_os: [macos]
collector: file
path: /%user_home%/Library/"Application Support"/Google/DriveFS/Logs
exclude_nologin_users: true