Linux.Collection.History :: Velociraptor

Linux.Collection.History
Collect history files from unix/linux utilities and upload them. Based on TriageHistory from forensicartifacts.com

name: Linux.Collection.History
author: alternate
description: |
  Collect history files from unix/linux utilities and upload them.
  Based on TriageHistory from forensicartifacts.com

reference:
  - https://github.com/ForensicArtifacts/artifacts/blob/main/data/triage.yaml

precondition: SELECT OS FROM info() WHERE OS = 'linux'

parameters:
- name: BashShellHistoryFile
  default: |
    ["/{root,home/*}/.bash_logout","/{root,home/*}/.bash_profile",
     "/{root,home/*}/.bashrc","/etc/bash.bashrc","/etc/bashrc"]

- name: BourneShellHistoryFile
  default: /{root,home/*}/.sh_history

- name: FishShellHistoryFile
  default: /{root,home/*}/.local/share/fish/fish_history

- name: MySQLHistoryFile
  default: /{root,home/*}/.mysql_history

- name: PostgreSQLHistoryFile
  default: |
    ["/var/lib/postgresql/.psql_history","/var/lib/pgsql/.psql_history","/{root,home/*}/.psql_history"]

- name: PythonHistoryFile
  default: /{root,home/*}/.python_history

- name: SQLiteHistoryFile 
  default: /{root,home/*}/.sqlite_history

- name: ZShellHistoryFile
  default: |
    ["/{root,home/*}/.zhistory","/{root,home/*}/.zsh_history"]

- name: LessHistoryFile
  default: /{root,home/*}/.lesshst

- name: NanoHistoryFile
  default: /{root,home/*}/.nano_history

sources:
- name: uploadBashShellHistoryFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=parse_json_array(data=BashShellHistoryFile))

- name: uploadBourneShellHistoryFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=BourneShellHistoryFile)

- name: uploadFishShellHistoryFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=FishShellHistoryFile)

- name: uploadMySQLHistoryFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=MySQLHistoryFile)

- name: uploadPostgreSQLHistoryFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=parse_json_array(data=PostgreSQLHistoryFile))

- name: uploadPythonHistoryFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=PythonHistoryFile)

- name: uploadSQLiteHistoryFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=SQLiteHistoryFile)

- name: uploadZShellHistoryFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=parse_json_array(data=ZShellHistoryFile))

- name: uploadLessHistoryFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=LessHistoryFile)

- name: uploadNanoHistoryFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=NanoHistoryFile)