fox-it / acquire

acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container.
GNU Affero General Public License v3.0

OSX module InstallHistory.plist file treated as a directory #159

Open Politie-SOC opened 8 months ago

Politie-SOC commented 8 months ago

https://github.com/fox-it/acquire/blob/00533952ace6d432c230edc338a7f01b8e650b1f/acquire/acquire.py#L1410

This file is wrongly marked as a directory. It is, in fact, a regular file:

$ ls -lah
total 40
drwxrwxr-x   4 root        admin   128B Mar 18 21:58 .
drwxr-xr-x  72 root        wheel   2.3K Mar 15 11:21 ..
-rw-rw-r--   1 root        admin    20K Mar 18 21:58 InstallHistory.plist

pyrco commented 1 month ago

Hi, thanks for reporting this. This is indeed confusing wording; functionally it doesn't matter, as file, dir and symlink artifacts are all treated as a path artifact. At some point we will replace all the mentions of file, dir and symlink by path and this confusion will go away.