2023-05-12 20:17:10 +00:00
|
|
|
-- Returns a list of recently written files
|
|
|
|
--
|
|
|
|
-- tags: postmortem
|
|
|
|
-- platform: posix
|
|
|
|
-- interval: 3600
|
|
|
|
SELECT *
|
|
|
|
FROM file
|
|
|
|
WHERE (
|
2023-05-16 21:18:39 +00:00
|
|
|
path LIKE "/var/tmp/%"
|
|
|
|
OR path LIKE "/var/tmp/%/%"
|
|
|
|
OR path LIKE "/Applications/%"
|
|
|
|
OR path LIKE "/Applications/%/%"
|
|
|
|
OR path LIKE "/home/%/%"
|
|
|
|
OR path LIKE "/home/%/.%/%"
|
|
|
|
OR path LIKE "/home/%/.%/%/%"
|
|
|
|
OR path LIKE "/home/%/.config/%"
|
|
|
|
OR path LIKE "/home/%/.config/%/%"
|
|
|
|
OR path LIKE "/Library/%/%"
|
2023-05-12 20:17:10 +00:00
|
|
|
OR path LIKE "/Library/.%"
|
|
|
|
OR path LIKE "/Library/Application Support/%"
|
|
|
|
OR path LIKE "/Library/Application Support/.%"
|
2023-05-16 21:18:39 +00:00
|
|
|
OR path LIKE "/tmp/%"
|
|
|
|
OR path LIKE "/tmp/%/%"
|
2023-05-12 20:17:10 +00:00
|
|
|
OR path LIKE "/tmp/.%/%%"
|
2023-05-16 21:18:39 +00:00
|
|
|
OR path LIKE "/Users/%/%"
|
|
|
|
OR path LIKE "/Users/%/%/%"
|
|
|
|
OR path LIKE "/Users/%/.%/%"
|
|
|
|
OR path LIKE "/Users/%/.%/%/%"
|
|
|
|
OR path LIKE "/Users/Library/%"
|
|
|
|
OR path LIKE "/Users/Library/%/%"
|
2023-05-12 20:17:10 +00:00
|
|
|
OR path LIKE "/Users/Library/.%"
|
2023-05-16 21:18:39 +00:00
|
|
|
OR path LIKE "/Users/Library/Application Support/%"
|
|
|
|
OR path LIKE "/Users/Library/Application Support/%/%"
|
2023-05-12 20:17:10 +00:00
|
|
|
OR path LIKE "/Users/Library/Application Support/.%"
|
2023-05-16 21:18:39 +00:00
|
|
|
OR path LIKE "/var/%"
|
|
|
|
OR path LIKE "/var/%/%"
|
2023-05-12 20:17:10 +00:00
|
|
|
)
|
|
|
|
AND (
|
|
|
|
mtime > (strftime('%s', 'now') -3600)
|
|
|
|
OR (
|
|
|
|
atime > (strftime('%s', 'now') -3600)
|
|
|
|
AND file.type = "regular"
|
|
|
|
)
|
|
|
|
OR ctime > (strftime('%s', 'now') -3600)
|
|
|
|
OR btime > (strftime('%s', 'now') -3600)
|
|
|
|
)
|
|
|
|
AND NOT path LIKE "%/../%"
|
|
|
|
GROUP BY inode;
|