Commit 0f203dfd7f9745809d81ef34eda73d97f2f98b13 - forensic-artifacts

+17

-15

.pylintrc less more

0		# Pylint 1.7.x - 1.9.x configuration file
	0	# Pylint 2.1.x - 2.2.x configuration file
1	1	#
2	2	# This file is generated by l2tdevtools update-dependencies.py, any dependency
3	3	# related changes should be made in dependencies.ini.

55	55	# --disable=W"
56	56	#
57	57	disable=
	58	assignment-from-none,
	59	bad-inline-option,
	60	deprecated-pragma,
58	61	duplicate-code,
	62	eq-without-hash,
	63	file-ignored,
	64	fixme,
	65	locally-disabled,
	66	locally-enabled,
	67	logging-format-interpolation,
	68	metaclass-assignment,
	69	missing-param-doc,
	70	no-absolute-import,
	71	no-self-use,
59	72	parameter-unpacking,
60	73	raw-checker-failed,
61		bad-inline-option,
62		locally-disabled,
63		locally-enabled,
64		file-ignored,
65	74	suppressed-message,
66		useless-suppression,
67		deprecated-pragma,
68		no-absolute-import,
69		missing-param-doc,
70		metaclass-assignment,
71		eq-without-hash,
72		fixme,
73		logging-format-interpolation,
74		no-self-use,
75	75	too-few-public-methods,
76	76	too-many-ancestors,
77	77	too-many-boolean-expressions,

83	83	too-many-public-methods,
84	84	too-many-return-statements,
85	85	too-many-statements,
86		unsubscriptable-object
	86	unsubscriptable-object,
	87	useless-object-inheritance,
	88	useless-suppression
87	89
88	90	# Enable the message, report, category or checker with the given id(s). You can
89	91	# either give multiple identifier separated by comma (,) or put this option

+70

-39

.travis.yml less more

0	0	matrix:
1	1	include:
2		- env: TARGET="pylint"
	2	- name: "Pylint on Ubuntu Xenial (16.04) with Python 3.5"
	3	env: TARGET="pylint"
3	4	os: linux
4		dist: trusty
	5	dist: xenial
5	6	sudo: required
6	7	group: edge
7	8	language: python
8		python: 2.7
	9	python: 3.5
9	10	virtualenv:
10	11	system_site_packages: true
11		- env: TARGET="linux-python27"
	12	- name: "Ubuntu Xenial (16.04) with Python 2.7"
	13	env: TARGET="linux-python27"
12	14	os: linux
13	15	dist: xenial
14	16	sudo: required

17	19	python: 2.7
18	20	virtualenv:
19	21	system_site_packages: true
20		- env: TARGET="linux-python35"
	22	- name: "Ubuntu Xenial (16.04) with Python 3.5"
	23	env: TARGET="linux-python35"
21	24	os: linux
22	25	dist: xenial
23	26	sudo: required

26	29	python: 3.5
27	30	virtualenv:
28	31	system_site_packages: true
29		- env: [TARGET="linux-python27-tox", TOXENV="py27"]
	32	- name: "Fedora Core 29 (Docker) with Python 2.7"
	33	env: FEDORA_VERSION="29"
30	34	os: linux
31	35	dist: xenial
32	36	sudo: required
33	37	group: edge
34	38	language: python
35	39	python: 2.7
36		virtualenv:
37		system_site_packages: false
38		- env: [TARGET="linux-python34-tox", TOXENV="py34"]
	40	services:
	41	- docker
	42	- name: "Fedora Core 29 (Docker) with Python 3.7"
	43	env: FEDORA_VERSION="29"
	44	os: linux
	45	dist: xenial
	46	sudo: required
	47	group: edge
	48	language: python
	49	python: 3.7
	50	services:
	51	- docker
	52	- name: "Ubuntu Bionic (18.04) (Docker) with Python 2.7"
	53	env: UBUNTU_VERSION="18.04"
	54	os: linux
	55	dist: xenial
	56	sudo: required
	57	group: edge
	58	language: python
	59	python: 2.7
	60	services:
	61	- docker
	62	- name: "Ubuntu Bionic (18.04) (Docker) with Python 3.6"
	63	env: UBUNTU_VERSION="18.04"
	64	os: linux
	65	dist: xenial
	66	sudo: required
	67	group: edge
	68	language: python
	69	python: 3.6
	70	services:
	71	- docker
	72	- name: "Ubuntu Bionic (18.04) (Docker) with Python 2.7 and tox"
	73	env: [TOXENV="py27", UBUNTU_VERSION="18.04"]
	74	os: linux
	75	dist: xenial
	76	sudo: required
	77	group: edge
	78	language: python
	79	python: 2.7
	80	services:
	81	- docker
	82	- name: "Ubuntu Bionic (18.04) (Docker) with Python 3.4 and tox"
	83	env: [TOXENV="py34", UBUNTU_VERSION="18.04"]
39	84	os: linux
40	85	dist: xenial
41	86	sudo: required
42	87	group: edge
43	88	language: python
44	89	python: 3.4
45		virtualenv:
46		system_site_packages: false
47		- env: [TARGET="linux-python35-tox", TOXENV="py35"]
	90	services:
	91	- docker
	92	- name: "Ubuntu Bionic (18.04) (Docker) with Python 3.5 and tox"
	93	env: [TOXENV="py35", UBUNTU_VERSION="18.04"]
48	94	os: linux
49	95	dist: xenial
50	96	sudo: required
51	97	group: edge
52	98	language: python
53	99	python: 3.5
54		virtualenv:
55		system_site_packages: false
56		- env: [TARGET="linux-python36-tox", TOXENV="py36"]
	100	services:
	101	- docker
	102	- name: "Ubuntu Bionic (18.04) (Docker) with Python 3.6 and tox"
	103	env: [TOXENV="py36", UBUNTU_VERSION="18.04"]
57	104	os: linux
58	105	dist: xenial
59	106	sudo: required
60	107	group: edge
61	108	language: python
62	109	python: 3.6
63		virtualenv:
64		system_site_packages: false
65		- env: [TARGET="linux-python37-tox", TOXENV="py37"]
	110	services:
	111	- docker
	112	- name: "Ubuntu Bionic (18.04) (Docker) with Python 3.7 and tox"
	113	env: [TOXENV="py37", UBUNTU_VERSION="18.04"]
66	114	os: linux
67	115	dist: xenial
68	116	sudo: required
69	117	group: edge
70	118	language: python
71	119	python: 3.7
72		virtualenv:
73		system_site_packages: false
74		- env: [TARGET="macos-python27", PYTHONPATH="/Library/Python/2.7/site-packages/"]
	120	services:
	121	- docker
	122	- name: "MacOS with Python 2.7.10"
	123	env: [TARGET="macos-python27", PYTHONPATH="/Library/Python/2.7/site-packages/"]
75	124	os: osx
76	125	osx_image: xcode9.2
77	126	language: generic
78		- env: TARGET="trusty-python27"
79		os: linux
80		dist: trusty
81		sudo: required
82		group: edge
83		language: python
84		python: 2.7
85		virtualenv:
86		system_site_packages: true
87		- env: TARGET="trusty-python34"
88		os: linux
89		dist: trusty
90		sudo: required
91		group: edge
92		language: python
93		python: 3.4
94		virtualenv:
95		system_site_packages: true
96	127	install:
97	128	- ./config/travis/install.sh
98	129	script:

+1

-1

appveyor.yml less more

21	21	- cmd: if [%TARGET%]==[windows_python27] (
22	22	mkdir dependencies &&
23	23	set PYTHONPATH=..\l2tdevtools &&
24		"%PYTHON%\\python.exe" ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type %MACHINE_TYPE% --msi-targetdir "%PYTHON%" --track dev PyYAML funcsigs mock pbr six yapf )
	24	"%PYTHON%\\python.exe" ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type %MACHINE_TYPE% --msi-targetdir "%PYTHON%" --track dev PyYAML funcsigs mock pbr six )
25	25	- cmd: if [%TARGET%]==[windows_python36] (
26	26	mkdir dependencies &&
27	27	set PYTHONPATH=..\l2tdevtools &&

+1

-1

artifacts/__init__.py less more

0	0	# -- coding: utf-8 --
1	1	"""ForensicArtifacts.com Artifact Repository."""
2	2
3		__version__ = '20190113'
	3	__version__ = '20190320'

+0

-2

artifacts/artifact.py less more

87	87	source_definition['supported_os'] = source.supported_os
88	88	if source.conditions:
89	89	source_definition['conditions'] = source.conditions
90		if source.returned_types:
91		source_definition['returned_types'] = source.returned_types
92	90	sources.append(source_definition)
93	91
94	92	artifact_definition = {

+2

-2

artifacts/definitions.py less more

33	33	'Mail': 'Mail client applications artifacts.',
34	34	'Memory': 'Artifacts retrieved from memory.',
35	35	'Network': 'Describe networking state.',
	36	'Plist': 'Artifact that is a plist.',
36	37	'Processes': 'Describe running processes.',
37	38	'Rekall': 'Artifacts using the Rekall memory forensics framework.',
38	39	'Software': 'Installed software.',
	40	'SQLiteDB': 'Artifact that is a SQLite database.',
39	41	'System': 'Core system artifacts.',
40	42	'Users': 'Information about users.'
41	43	}

44	46	SUPPORTED_OS_LINUX = 'Linux'
45	47	SUPPORTED_OS_WINDOWS = 'Windows'
46	48
47		# yapf: disable
48	49	SUPPORTED_OS = frozenset([
49	50	SUPPORTED_OS_DARWIN,
50	51	SUPPORTED_OS_LINUX,

59	60	'sources',
60	61	'supported_os',
61	62	'urls'])
62		# yapf: enable

+17

-6

artifacts/reader.py less more

4	4
5	5	import abc
6	6	import glob
	7	import io
7	8	import os
8	9	import json
9	10	import yaml

187	188
188	189	# TODO: deprecate these left overs from the collector definition.
189	190	if source_type:
	191	if source.get('returned_types', None):
	192	raise errors.FormatError((
	193	'Invalid artifact definition: {0:s} returned_types no longer '
	194	'supported.').format(name))
	195
190	196	source_type.conditions = source.get('conditions', [])
191		source_type.returned_types = source.get('returned_types', [])
192	197	self._ReadSupportedOS(source, source_type, name)
193	198	if set(source_type.supported_os) - set(
194	199	artifact_definition.supported_os):
195		raise errors.FormatError(
196		('Invalid artifact definition: {0:s} missing '
197		'supported_os.').format(name))
	200	raise errors.FormatError((
	201	'Invalid artifact definition: {0:s} missing '
	202	'supported_os.').format(name))
198	203
199	204	def ReadArtifactDefinitionValues(self, artifact_definition_values):
200	205	"""Reads an artifact definition from a dictionary.

236	241	if artifact_definition_values.get('collectors', []):
237	242	raise errors.FormatError(
238	243	'Invalid artifact definition: {0:s} still uses collectors.'.format(
	244	name))
	245
	246	urls = artifact_definition_values.get('urls', [])
	247	if not isinstance(urls, list):
	248	raise errors.FormatError(
	249	'Invalid artifact definition: {0:s} urls is not a list.'.format(
239	250	name))
240	251
241	252	# TODO: check conditions.

245	256	'provides', [])
246	257	self._ReadLabels(artifact_definition_values, artifact_definition, name)
247	258	self._ReadSupportedOS(artifact_definition_values, artifact_definition, name)
248		artifact_definition.urls = artifact_definition_values.get('urls', [])
	259	artifact_definition.urls = urls
249	260	self._ReadSources(artifact_definition_values, artifact_definition, name)
250	261
251	262	return artifact_definition

280	291	Yields:
281	292	ArtifactDefinition: an artifact definition.
282	293	"""
283		with open(filename, 'r') as file_object:
	294	with io.open(filename, 'r', encoding='utf-8') as file_object:
284	295	for artifact_definition in self.ReadFileObject(file_object):
285	296	yield artifact_definition
286	297

+1

-0

artifacts.ini less more

3	3	name_description: ForensicArtifacts.com Artifact Repository
4	4	maintainer: Forensic artifacts <forensicartifacts@googlegroups.com>
5	5	homepage_url: https://github.com/ForensicArtifacts/artifacts
	6	git_url: https://github.com/ForensicArtifacts/artifacts.git
6	7	description_short: ForensicArtifacts.com Artifact Repository.
7	8	description_long: A free, community-sourced, machine-readable knowledge base of forensic
8	9	artifacts that the world can use both as an information source and within other tools.

+2

-2

config/dpkg/changelog less more

0		artifacts (20190113-1) unstable; urgency=low
	0	artifacts (20190320-1) unstable; urgency=low
1	1
2	2	* Auto-generated
3	3
4		-- Forensic artifacts <forensicartifacts@googlegroups.com> Sun, 13 Jan 2019 09:44:56 +0100⏎
	4	-- Forensic artifacts <forensicartifacts@googlegroups.com> Wed, 20 Mar 2019 05:20:33 +0100⏎

+3

-3

config/dpkg/control less more

16	16
17	17	Package: python-artifacts
18	18	Architecture: all
19		Depends: artifacts-data, python-yaml (>= 3.10), ${python:Depends}, ${misc:Depends}
	19	Depends: artifacts-data (>= ${binary:Version}), python-yaml (>= 3.10), ${python:Depends}, ${misc:Depends}
20	20	Description: Python 2 module of ForensicArtifacts.com Artifact Repository
21	21	A free, community-sourced, machine-readable knowledge base of forensic
22	22	artifacts that the world can use both as an information source and within other tools.
23	23
24	24	Package: python3-artifacts
25	25	Architecture: all
26		Depends: artifacts-data, python3-yaml (>= 3.10), ${python3:Depends}, ${misc:Depends}
	26	Depends: artifacts-data (>= ${binary:Version}), python3-yaml (>= 3.10), ${python3:Depends}, ${misc:Depends}
27	27	Description: Python 3 module of ForensicArtifacts.com Artifact Repository
28	28	A free, community-sourced, machine-readable knowledge base of forensic
29	29	artifacts that the world can use both as an information source and within other tools.
30	30
31	31	Package: artifacts-tools
32	32	Architecture: all
33		Depends: python-artifacts, python (>= 2.7~), ${python:Depends}, ${misc:Depends}
	33	Depends: python-artifacts (>= ${binary:Version}), ${python:Depends}, ${misc:Depends}
34	34	Description: Tools of ForensicArtifacts.com Artifact Repository
35	35	A free, community-sourced, machine-readable knowledge base of forensic
36	36	artifacts that the world can use both as an information source and within other tools.

+74

-11

config/travis/install.sh less more

6	6
7	7	L2TBINARIES_DEPENDENCIES="PyYAML";
8	8
9		L2TBINARIES_TEST_DEPENDENCIES="funcsigs mock pbr six yapf";
	9	L2TBINARIES_TEST_DEPENDENCIES="funcsigs mock pbr six";
10	10
11		PYTHON2_DEPENDENCIES="python-yaml";
	11	DPKG_PYTHON2_DEPENDENCIES="python-yaml";
12	12
13		PYTHON2_TEST_DEPENDENCIES="python-coverage python-funcsigs python-mock python-pbr python-six python-tox python-yapf yapf";
	13	DPKG_PYTHON2_TEST_DEPENDENCIES="python-coverage python-funcsigs python-mock python-pbr python-six";
14	14
15		PYTHON3_DEPENDENCIES="python3-yaml";
	15	DPKG_PYTHON3_DEPENDENCIES="python3-yaml";
16	16
17		PYTHON3_TEST_DEPENDENCIES="python-yapf python3-mock python3-pbr python3-setuptools python3-six python3-tox yapf";
	17	DPKG_PYTHON3_TEST_DEPENDENCIES="python3-mock python3-pbr python3-setuptools python3-six";
	18
	19	RPM_PYTHON2_DEPENDENCIES="python2-pyyaml";
	20
	21	RPM_PYTHON2_TEST_DEPENDENCIES="python2-funcsigs python2-mock python2-pbr python2-six";
	22
	23	RPM_PYTHON3_DEPENDENCIES="python3-pyyaml";
	24
	25	RPM_PYTHON3_TEST_DEPENDENCIES="python3-mock python3-pbr python3-six";
18	26
19	27	# Exit on error.
20	28	set -e;

41	49	sudo /usr/bin/hdiutil detach /Volumes/${PACKAGE}-*.pkg
42	50	done
43	51
	52	elif test -n "${FEDORA_VERSION}";
	53	then
	54	CONTAINER_NAME="fedora${FEDORA_VERSION}";
	55
	56	docker pull registry.fedoraproject.org/fedora:${FEDORA_VERSION};
	57
	58	docker run --name=${CONTAINER_NAME} --detach -i registry.fedoraproject.org/fedora:${FEDORA_VERSION};
	59
	60	docker exec ${CONTAINER_NAME} dnf install -y dnf-plugins-core;
	61
	62	docker exec ${CONTAINER_NAME} dnf copr -y enable @gift/dev;
	63
	64	if test -n "${TOXENV}";
	65	then
	66	docker exec ${CONTAINER_NAME} dnf install -y python3-tox;
	67
	68	elif test ${TRAVIS_PYTHON_VERSION} = "2.7";
	69	then
	70	docker exec ${CONTAINER_NAME} dnf install -y git python2 ${RPM_PYTHON2_DEPENDENCIES} ${RPM_PYTHON2_TEST_DEPENDENCIES};
	71	else
	72	docker exec ${CONTAINER_NAME} dnf install -y git python3 ${RPM_PYTHON3_DEPENDENCIES} ${RPM_PYTHON3_TEST_DEPENDENCIES};
	73	fi
	74
	75	docker cp ../artifacts ${CONTAINER_NAME}:/
	76
	77	elif test -n "${UBUNTU_VERSION}";
	78	then
	79	CONTAINER_NAME="ubuntu${UBUNTU_VERSION}";
	80
	81	docker pull ubuntu:${UBUNTU_VERSION};
	82
	83	docker run --name=${CONTAINER_NAME} --detach -i ubuntu:${UBUNTU_VERSION};
	84
	85	docker exec ${CONTAINER_NAME} apt-get update -q;
	86	docker exec ${CONTAINER_NAME} sh -c "DEBIAN_FRONTEND=noninteractive apt-get install -y locales software-properties-common";
	87
	88	docker exec ${CONTAINER_NAME} add-apt-repository ppa:gift/dev -y;
	89
	90	docker exec ${CONTAINER_NAME} locale-gen en_US.UTF-8;
	91
	92	if test -n "${TOXENV}";
	93	then
	94	docker exec ${CONTAINER_NAME} add-apt-repository universe;
	95	docker exec ${CONTAINER_NAME} add-apt-repository ppa:deadsnakes/ppa -y;
	96
	97	DPKG_PYTHON="python${TRAVIS_PYTHON_VERSION} python${TRAVIS_PYTHON_VERSION}-dev";
	98
	99	docker exec ${CONTAINER_NAME} sh -c "DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential ${DPKG_PYTHON} tox";
	100
	101	elif test ${TRAVIS_PYTHON_VERSION} = "2.7";
	102	then
	103	docker exec ${CONTAINER_NAME} sh -c "DEBIAN_FRONTEND=noninteractive apt-get install -y git python ${DPKG_PYTHON2_DEPENDENCIES} ${DPKG_PYTHON2_TEST_DEPENDENCIES}";
	104	else
	105	docker exec ${CONTAINER_NAME} sh -c "DEBIAN_FRONTEND=noninteractive apt-get install -y git python3 ${DPKG_PYTHON3_DEPENDENCIES} ${DPKG_PYTHON3_TEST_DEPENDENCIES}";
	106	fi
	107
	108	docker cp ../artifacts ${CONTAINER_NAME}:/
	109
44	110	elif test ${TRAVIS_OS_NAME} = "linux" && test ${TARGET} != "jenkins";
45	111	then
46	112	sudo rm -f /etc/apt/sources.list.d/travis_ci_zeromq3-source.list;
47	113
48	114	if test ${TARGET} = "pylint";
49	115	then
50		if test ${TRAVIS_PYTHON_VERSION} = "2.7";
51		then
52		sudo add-apt-repository ppa:gift/pylint2 -y;
53		fi
	116	sudo add-apt-repository ppa:gift/pylint3 -y;
54	117	fi
55	118
56	119	sudo add-apt-repository ppa:gift/dev -y;

58	121
59	122	if test ${TRAVIS_PYTHON_VERSION} = "2.7";
60	123	then
61		sudo apt-get install -y ${PYTHON2_DEPENDENCIES} ${PYTHON2_TEST_DEPENDENCIES};
	124	sudo apt-get install -y ${DPKG_PYTHON2_DEPENDENCIES} ${DPKG_PYTHON2_TEST_DEPENDENCIES};
62	125	else
63		sudo apt-get install -y ${PYTHON3_DEPENDENCIES} ${PYTHON3_TEST_DEPENDENCIES};
	126	sudo apt-get install -y ${DPKG_PYTHON3_DEPENDENCIES} ${DPKG_PYTHON3_TEST_DEPENDENCIES};
64	127	fi
65	128	if test ${TARGET} = "pylint";
66	129	then

+30

-0

config/travis/runtests.sh less more

35	35	if test -f tests/end-to-end.py;
36	36	then
37	37	PYTHONPATH=. python ./tests/end-to-end.py --debug -c config/end-to-end.ini;
	38	fi
	39
	40	elif test -n "${FEDORA_VERSION}";
	41	then
	42	CONTAINER_NAME="fedora${FEDORA_VERSION}";
	43
	44	if test -n "${TOXENV}";
	45	then
	46	docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && tox -e ${TOXENV}";
	47
	48	elif test ${TRAVIS_PYTHON_VERSION} = "2.7";
	49	then
	50	docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && python2 run_tests.py";
	51	else
	52	docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && python3 run_tests.py";
	53	fi
	54
	55	elif test -n "${UBUNTU_VERSION}";
	56	then
	57	CONTAINER_NAME="ubuntu${UBUNTU_VERSION}";
	58
	59	if test -n "${TOXENV}";
	60	then
	61	docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && tox -e ${TOXENV}";
	62
	63	elif test ${TRAVIS_PYTHON_VERSION} = "2.7";
	64	then
	65	docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && python2 run_tests.py";
	66	else
	67	docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && python3 run_tests.py";
38	68	fi
39	69
40	70	elif test "${TRAVIS_OS_NAME}" = "linux";

+14

-0

data/config_files.yaml less more

3	3	doc: NFS Exports configuration
4	4	sources:
5	5	- type: FILE
	6	attributes:
	7	paths:
	8	- '/etc/exports'
	9	- '/private/etc/exports'
	10	supported_os: [Darwin]
	11	- type: FILE
6	12	attributes: {paths: ['/etc/exports']}
	13	supported_os: [Linux]
7	14	labels: [Configuration Files]
8	15	supported_os: [Linux, Darwin]
9	16	---

11	18	doc: Sshd configuration
12	19	sources:
13	20	- type: FILE
	21	attributes:
	22	paths:
	23	- '/etc/ssh/sshd_config'
	24	- '/private/etc/ssh/sshd_config'
	25	supported_os: [Darwin]
	26	- type: FILE
14	27	attributes: {paths: ['/etc/ssh/sshd_config']}
	28	supported_os: [Linux]
15	29	labels: [Configuration Files]
16	30	supported_os: [Linux, Darwin]
17	31	---

+54

-13

data/installed_modules.yaml less more

10	10	- type: FILE
11	11	attributes:
12	12	paths:
13		- '%%users.homedir%%/.local/lib/python/{dist,site}-packages/.dist-info/*'
14		- '/usr/{lib,lib64}/python/{dist,site}-packages/.dist-info/*'
15		- '/usr/local/{lib,lib64}/python/{dist,site}-packages/.dist-info/*'
	13	- '%%users.homedir%%/.local/lib/python/dist-packages/.dist-info/*'
	14	- '%%users.homedir%%/.local/lib/python/site-packages/.dist-info/*'
	15	- '/usr/lib/python/dist-packages/.dist-info/*'
	16	- '/usr/lib/python/site-packages/.dist-info/*'
	17	- '/usr/lib64/python/dist-packages/.dist-info/*'
	18	- '/usr/lib64/python/site-packages/.dist-info/*'
	19	- '/usr/local/lib/python/dist-packages/.dist-info/*'
	20	- '/usr/local/lib/python/site-packages/.dist-info/*'
	21	- '/usr/local/lib64/python/dist-packages/.dist-info/*'
	22	- '/usr/local/lib64/python/site-packages/.dist-info/*'
16	23	supported_os: [Linux]
17	24	supported_os: [Linux]
18	25	labels: [Software]

34	41	attributes:
35	42	paths:
36	43	# Files containing the install metadata in either a flat file or zipfile.
37		- '%%users.homedir%%/.local/lib/python/site-packages/.{egg,egg-info}'
38		- '%%users.homedir%%/.cache/pip/*.{egg,egg-info}'
39		- '/usr/{lib,lib64}/python/{dist,site}-packages/.{egg,egg-info}'
40		- '/usr/local/{lib,lib64}/python/{dist,site}-packages/.{egg,egg-info}'
41		- '/usr/share/pyshared/*.{egg,egg-info}'
	44	- '%%users.homedir%%/.local/lib/python/site-packages/.egg'
	45	- '%%users.homedir%%/.local/lib/python/site-packages/.egg-info'
	46	- '%%users.homedir%%/.cache/pip/*.egg'
	47	- '%%users.homedir%%/.cache/pip/*.egg-info'
	48	- '/usr/lib/python/dist-packages/.egg'
	49	- '/usr/lib/python/dist-packages/.egg-info'
	50	- '/usr/lib/python/site-packages/.egg'
	51	- '/usr/lib/python/site-packages/.egg-info'
	52	- '/usr/lib64/python/dist-packages/.egg'
	53	- '/usr/lib64/python/dist-packages/.egg-info'
	54	- '/usr/lib64/python/site-packages/.egg'
	55	- '/usr/lib64/python/site-packages/.egg-info'
	56	- '/usr/local/lib/python/dist-packages/.egg'
	57	- '/usr/local/lib/python/dist-packages/.egg-info'
	58	- '/usr/local/lib/python/site-packages/.egg'
	59	- '/usr/local/lib/python/site-packages/.egg-info'
	60	- '/usr/local/lib64/python/dist-packages/.egg'
	61	- '/usr/local/lib64/python/dist-packages/.egg-info'
	62	- '/usr/local/lib64/python/site-packages/.egg'
	63	- '/usr/local/lib64/python/site-packages/.egg-info'
	64	- '/usr/share/pyshared/*.egg'
	65	- '/usr/share/pyshared/*.egg-info'
42	66	# Directories containing the install metadata as separate files.
43		- '%%users.homedir%%/.local/lib/python/site-packages/.{egg,egg-info}/*'
44		- '%%users.homedir%%/.cache/pip/.{egg,egg-info}/'
45		- '/usr/{lib,lib64}/python/{dist,site}-packages/.{egg,egg-info}/*'
46		- '/usr/local/{lib,lib64}/python/{dist,site}-packages/.{egg,egg-info}/*'
47		- '/usr/share/pyshared/.{egg,egg-info}/'
	67	- '%%users.homedir%%/.local/lib/python/site-packages/.egg/*'
	68	- '%%users.homedir%%/.local/lib/python/site-packages/.egg-info/*'
	69	- '%%users.homedir%%/.cache/pip/.egg/'
	70	- '%%users.homedir%%/.cache/pip/.egg-info/'
	71	- '/usr/lib/python/dist-packages/.egg/*'
	72	- '/usr/lib/python/dist-packages/.egg-info/*'
	73	- '/usr/lib/python/site-packages/.egg/*'
	74	- '/usr/lib/python/site-packages/.egg-info/*'
	75	- '/usr/lib64/python/dist-packages/.egg/*'
	76	- '/usr/lib64/python/dist-packages/.egg-info/*'
	77	- '/usr/lib64/python/site-packages/.egg/*'
	78	- '/usr/lib64/python/site-packages/.egg-info/*'
	79	- '/usr/local/lib/python/dist-packages/.egg/*'
	80	- '/usr/local/lib/python/dist-packages/.egg-info/*'
	81	- '/usr/local/lib/python/site-packages/.egg/*'
	82	- '/usr/local/lib/python/site-packages/.egg-info/*'
	83	- '/usr/local/lib64/python/dist-packages/.egg/*'
	84	- '/usr/local/lib64/python/dist-packages/.egg-info/*'
	85	- '/usr/local/lib64/python/site-packages/.egg/*'
	86	- '/usr/local/lib64/python/site-packages/.egg-info/*'
	87	- '/usr/share/pyshared/.egg/'
	88	- '/usr/share/pyshared/.egg-info/'
48	89	supported_os: [Linux]
49	90	supported_os: [Linux]
50	91	labels: [Software]

+58

-0

data/instant_messaging.yaml less more

	0	# Instant Messaging applications specific artifacts.
	1
	2	name: SkypeChatSync
	3	doc: Chat Sync Directory
	4	sources:
	5	- type: FILE
	6	attributes:
	7	paths: ['%%users.homedir%%/Library/Application Support/Skype//chatsync/']
	8	supported_os: [Darwin]
	9	supported_os: [Darwin]
	10	urls:
	11	- 'http://forensicswiki.org/wiki/Mac_OS_X'
	12	- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype'
	13	---
	14	name: SkypeDb
	15	doc: Main Skype database
	16	sources:
	17	- type: FILE
	18	attributes:
	19	paths: ['%%users.homedir%%/Library/Application Support/Skype/*/Main.db']
	20	supported_os: [Darwin]
	21	supported_os: [Darwin]
	22	urls:
	23	- 'http://forensicswiki.org/wiki/Mac_OS_X'
	24	- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype'
	25	---
	26	name: SkypeMainDirectory
	27	doc: Skype Directory
	28	sources:
	29	- type: DIRECTORY
	30	attributes:
	31	paths: ['%%users.homedir%%/Library/Application Support/Skype/*']
	32	supported_os: [Darwin]
	33	supported_os: [Darwin]
	34	---
	35	name: SkypePreferences
	36	doc: Skype Preferences and Recent Searches
	37	sources:
	38	- type: FILE
	39	attributes:
	40	paths: ['%%users.homedir%%/Library/Preferences/com.skype.skype.plist']
	41	supported_os: [Darwin]
	42	supported_os: [Darwin]
	43	urls:
	44	- 'http://forensicswiki.org/wiki/Mac_OS_X'
	45	- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype'
	46	---
	47	name: SkypeUserProfile
	48	doc: Skype User profile
	49	sources:
	50	- type: FILE
	51	attributes:
	52	paths: ['%%users.homedir%%/Library/Application Support/Skype//']
	53	supported_os: [Darwin]
	54	supported_os: [Darwin]
	55	urls:
	56	- 'http://forensicswiki.org/wiki/Mac_OS_X'
	57	- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype'⏎

+2

-3

data/java.yaml less more

11	11	- type: FILE
12	12	attributes:
13	13	paths:
14		- '%%users.localappdata_low%%\Sun\Java\Deployment\cache\**'
15		- '%%users.homedir%%\AppData\LocalLow\Sun\Java\Deployment\cache\**'
16		- '%%users.homedir%%\Application Data\Sun\Java\Deployment\cache\**'
	14	- '%%users.appdata%%\Sun\Java\Deployment\cache\**'
	15	- '%%users.userprofile%%\AppData\LocalLow\Sun\Java\Deployment\cache\**'
17	16	separator: '\'
18	17	supported_os: [Windows]
19	18	supported_os: [Windows, Linux, Darwin]

+1

-0

data/kaspersky_careto.yaml less more

81	81	- '%%users.appdata%%\microsoft\c_27803.nls'
82	82	- '%%users.appdata%%\microsoft\objframe.dll'
83	83	- '%%users.appdata%%\microsoft\shmgr.dll'
	84	separator: '\'
84	85	supported_os: [Windows]
85	86	urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf']
86	87	---

+11

-0

data/legacy.yaml less more

165	165	provides: [domain]
166	166	supported_os: [Windows]
167	167	---
	168	name: WindowsEnvironmentVariableAllUsersAppData
	169	doc: The %ProgramData% environment variable.
	170	sources:
	171	- type: REGISTRY_VALUE
	172	attributes:
	173	key_value_pairs:
	174	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'}
	175	provides: [environ_allusersappdata]
	176	supported_os: [Windows]
	177	urls: ['http://environmentvariables.org/ProgramData']
	178	---
168	179	name: WinPathEnvironmentVariable
169	180	doc: The %PATH% environment variable.
170	181	sources:

+13

-0

data/linux.yaml less more

358	358	labels: [Configuration Files, System]
359	359	supported_os: [Linux]
360	360	---
	361	name: LinuxReleaseInfo
	362	doc: Release information for Linux platforms.
	363	sources:
	364	- type: ARTIFACT_GROUP
	365	attributes:
	366	names:
	367	- LinuxDistributionRelease
	368	- LinuxLSBRelease
	369	- LinuxSystemdOSRelease
	370	provides: [os_release, os_major_version, os_minor_version]
	371	labels: [Software]
	372	supported_os: [Linux]
	373	---
361	374	name: LinuxRsyslogConfigs
362	375	doc: Linux rsyslog configurations.
363	376	sources:

+67

-20

data/macos.yaml less more

3	3	doc: Apple system log (ASL) files
4	4	sources:
5	5	- type: FILE
6		attributes: {paths: ['/var/log/asl/*']}
	6	attributes:
	7	paths:
	8	- '/private/var/log/asl/*'
	9	- '/var/log/asl/*'
7	10	labels: [System, Logs]
8	11	supported_os: [Darwin]
9	12	urls:

59	62	doc: Audit log files
60	63	sources:
61	64	- type: FILE
62		attributes: {paths: ['/var/audit/*']}
	65	attributes:
	66	paths:
	67	- '/private/var/audit/*'
	68	- '/var/audit/*'
63	69	labels: [System, Logs]
64	70	supported_os: [Darwin]
65	71	urls:

105	111	paths:
106	112	- '/Library/Logs/DiagnosticReports/*.core_analytics'
107	113	- '/private/var/db/analyticsd/aggregates/*'
	114	- '/var/db/analyticsd/aggregates/*'
108	115	labels: [Logs, System]
109	116	supported_os: [Darwin]
110	117	urls:

119	126	attributes:
120	127	paths:
121	128	- '/etc/crontab'
	129	- '/private/etc/crontab'
122	130	- '/usr/lib/cron/tabs/*'
123	131	labels: [System]
124	132	supported_os: [Darwin]

152	160	doc: Hosts file
153	161	sources:
154	162	- type: FILE
155		attributes: {paths: ['/etc/hosts']}
	163	attributes:
	164	paths:
	165	- '/etc/hosts'
	166	- '/private/etc/hosts'
156	167	labels: [System, Network]
157	168	supported_os: [Darwin]
158	169	urls:

204	215	doc: Installation log file
205	216	sources:
206	217	- type: FILE
207		attributes: {paths: ['/var/log/install.log']}
	218	attributes:
	219	paths:
	220	- '/private/var/log/install.log'
	221	- '/var/log/install.log'
208	222	labels: [System, Logs]
209	223	supported_os: [Darwin]
210	224	urls:

307	321	paths:
308	322	- '%%users.homedir%%/Library/Application Support/Knowledge/knowledgeC.db'
309	323	- '/private/var/db/CoreDuet/Knowledge/knowledgeC.db'
	324	- '/var/db/CoreDuet/Knowledge/knowledgeC.db'
310	325	labels: [Users, Logs]
311	326	supported_os: [Darwin]
312	327	urls: ['https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage']

345	360	doc: Mac OS X lastlog file.
346	361	sources:
347	362	- type: FILE
348		attributes: {paths: ['/var/log/lastlog']}
	363	attributes:
	364	paths:
	365	- '/private/var/log/lastlog'
	366	- '/var/log/lastlog'
349	367	labels: [Logs, Authentication]
350	368	supported_os: [Darwin]
351	369	---

543	561	- type: FILE
544	562	attributes:
545	563	paths:
	564	- '%%users.homedir%%/Library/Application Support/NotificationCenter/*.db'
	565	- '/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db/db'
546	566	- '/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db2/db'
547		- '/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db/db'
548		- '%%users.homedir%%/Library/Application Support/NotificationCenter/*.db'
	567	- '/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db/db'
	568	- '/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db2/db'
549	569	labels: [Users, Logs]
550	570	supported_os: [Darwin]
551	571	---

555	575	- type: FILE
556	576	attributes:
557	577	paths:
	578	- '/etc/daily.local/*'
558	579	- '/etc/defaults/periodic.conf'
	580	- '/etc/monthly.local/*'
	581	- '/etc/periodic/**2'
559	582	- '/etc/periodic.conf'
560	583	- '/etc/periodic.conf.local'
561		- '/etc/periodic/**2'
	584	- '/etc/periodic/daily/*'
	585	- '/etc/periodic/monthly/*'
	586	- '/etc/periodic/weekly/*'
	587	- '/etc/weekly.local/*'
	588	- '/private/etc/daily.local/*'
	589	- '/private/etc/defaults/periodic.conf'
	590	- '/private/etc/monthly.local/*'
	591	- '/private/etc/periodic/**2'
	592	- '/private/etc/periodic.conf'
	593	- '/private/etc/periodic.conf.local'
	594	- '/private/etc/periodic/daily/*'
	595	- '/private/etc/periodic/monthly/*'
	596	- '/private/etc/periodic/weekly/*'
	597	- '/private/etc/weekly.local/*'
562	598	- '/usr/local/etc/periodic/**2'
563		- '/etc/daily.local/*'
564		- '/etc/weekly.local/*'
565		- '/etc/monthly.local/*'
566		- '/etc/periodic/daily/*'
567		- '/etc/periodic/weekly/*'
568		- '/etc/periodic/monthly/*'
569	599	labels: [System]
570	600	supported_os: [Darwin]
571	601	urls:

647	677	doc: Swap files
648	678	sources:
649	679	- type: FILE
650		attributes: {paths: ['/var/vm/swapfile#']}
	680	attributes:
	681	paths:
	682	- '/private/var/vm/swapfile[0-9]'
	683	- '/var/vm/swapfile[0-9]'
651	684	labels: [System]
652	685	supported_os: [Darwin]
653	686	urls:

666	699	doc: System installation time
667	700	sources:
668	701	- type: FILE
669		attributes: {paths: ['/var/db/.AppleSetupDone']}
	702	attributes:
	703	paths:
	704	- '/private/var/db/.AppleSetupDone'
	705	- '/var/db/.AppleSetupDone'
670	706	labels: [System]
671	707	supported_os: [Darwin]
672	708	urls:

677	713	doc: System log files
678	714	sources:
679	715	- type: FILE
680		attributes: {paths: ['/var/log/*']}
	716	attributes:
	717	paths:
	718	- '/private/var/log/*'
	719	- '/var/log/*'
681	720	labels: [System, Logs]
682	721	supported_os: [Darwin]
683	722	urls:

723	762	- type: FILE
724	763	attributes:
725	764	paths:
	765	- '/private/var/db/diagnostics/*.tracev3'
	766	- '/private/var/db/diagnostics//.tracev3'
	767	- '/private/var/db/uuidtext//'
726	768	- '/var/db/diagnostics/*.tracev3'
727	769	- '/var/db/diagnostics//.tracev3'
728	770	- '/var/db/uuidtext//'

848	890	- type: FILE
849	891	attributes:
850	892	paths:
	893	- '/private/var/db/dslocal/nodes/Default/users/*.plist'
851	894	- '/var/db/dslocal/nodes/Default/users/*.plist'
852		- '/private/var/db/dslocal/nodes/Default/users/*.plist'
853	895	labels: [System, Users, Authentication]
854	896	supported_os: [Darwin]
855	897	urls:

929	971	- type: FILE
930	972	attributes:
931	973	paths:
	974	- '/private/var/run/utmp'
	975	- '/private/var/log/wtmp'
	976	- '/var/run/utmp'
932	977	- '/var/log/wtmp'
933		- '/var/run/utmp'
934	978	labels: [Logs, Authentication]
935	979	supported_os: [Darwin]
936	980	urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc']

939	983	doc: Mac OS X 10.5 utmpx login record file.
940	984	sources:
941	985	- type: FILE
942		attributes: {paths: ['/var/run/utmpx']}
	986	attributes:
	987	paths:
	988	- '/private/var/run/utmpx'
	989	- '/var/run/utmpx'
943	990	labels: [Logs, Authentication]
944	991	supported_os: [Darwin]
945	992	urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc']

+16

-0

data/ntfs.yaml less more

15	15	separator: '\'
16	16	labels: [System]
17	17	supported_os: [Windows]
	18	---
	19	name: NTFSLogFile
	20	doc: \|
	21	The NTFS $LogFile file system metadata file.
	22
	23	GRR collection note: you currently need to specify 'use tsk' and
	24	'ignore download size limits' for this artifact to work. This will go away in
	25	the future.
	26	sources:
	27	- type: FILE
	28	attributes:
	29	paths: ['%%environ_systemdrive%%\$LogFile']
	30	separator: '\'
	31	urls: ['https://sourceforge.net/projects/linux-ntfs/']
	32	labels: [System]
	33	supported_os: [Windows]

+51

-50

data/tomcat.yaml less more

16	16	- type: FILE
17	17	attributes:
18	18	paths:
19		- '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
20		- '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
21		- '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
22		- '%%environ_programfiles%%\Apache Software Foundation\Tomcat\logs\*\catalina.out'
23		- '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat\logs\*\catalina.out'
24		- '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat\logs\*\catalina.out'
25		- '%%environ_programfiles%%\Apache Software Foundation\Tomcat\logs\access_log'
26		- '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat\logs\access_log'
27		- '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat\logs\access_log'
28		- '%%environ_programfiles%%\Apache Software Foundation\Tomcat\logs\\access_log'
29		- '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat\logs\\access_log'
30		- '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat\logs\\access_log'
	19	- '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat\logs\\access_log'
	20	- '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat\logs\access_log'
	21	- '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat\logs\*\catalina.out'
	22	- '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
	23	- '%%environ_programfiles%%\Apache Software Foundation\Tomcat\logs\\access_log'
	24	- '%%environ_programfiles%%\Apache Software Foundation\Tomcat\logs\access_log'
	25	- '%%environ_programfiles%%\Apache Software Foundation\Tomcat\logs\*\catalina.out'
	26	- '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
	27	- '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat\logs\\access_log'
	28	- '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat\logs\access_log'
	29	- '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat\logs\*\catalina.out'
	30	- '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
31	31	separator: '\'
32	32	supported_os: [Windows]
33	33	- type: FILE
34	34	attributes:
35	35	paths:
36		- '/usr/local/tomcat*/logs/catalina.out'
37		- '/opt/tomcat*/logs/catalina.out'
38		- '/usr/share/tomcat*/logs/catalina.out'
39		- '/var/lib/tomcat*/logs/catalina.out'
40		- '/usr/local/tomcat/logs/access_log'
41		- '/opt/tomcat/logs/access_log'
42		- '/usr/share/tomcat/logs/access_log'
43		- '/var/lib/tomcat/logs/access_log'
44		- '/usr/local/tomcat/logs/*/catalina.out'
45		- '/opt/tomcat/logs/*/catalina.out'
46		- '/usr/share/tomcat/logs/*/catalina.out'
47		- '/var/lib/tomcat/logs/*/catalina.out'
48		- '/usr/local/tomcat/logs//access_log'
49		- '/opt/tomcat/logs//access_log'
50		- '/usr/share/tomcat/logs//access_log'
51		- '/var/lib/tomcat/logs//access_log'
	36	- '/opt/tomcat/logs//access_log'
	37	- '/opt/tomcat/logs/access_log'
	38	- '/opt/tomcat/logs/*/catalina.out'
	39	- '/opt/tomcat*/logs/catalina.out'
	40	- '/usr/local/tomcat/logs//access_log'
	41	- '/usr/local/tomcat/logs/access_log'
	42	- '/usr/local/tomcat/logs/*/catalina.out'
	43	- '/usr/local/tomcat*/logs/catalina.out'
	44	- '/usr/share/tomcat/logs//access_log'
	45	- '/usr/share/tomcat/logs/access_log'
	46	- '/usr/share/tomcat/logs/*/catalina.out'
	47	- '/usr/share/tomcat*/logs/catalina.out'
	48	- '/var/lib/tomcat/logs//access_log'
	49	- '/var/lib/tomcat/logs/access_log'
	50	- '/var/lib/tomcat/logs/*/catalina.out'
	51	- '/var/lib/tomcat*/logs/catalina.out'
52	52	supported_os: [Linux]
53	53	- type: FILE
54	54	attributes:
55	55	paths:
56		- '/Library/Tomcat/logs/catalina.out'
57		- '/usr/local/apache-tomcat*/logs/catalina.out'
58		- '/usr/local/Cellar/tomcat*/logs/catalina.out' # Default location for Homebrew
59		- '/Library/Tomcat/logs/**/catalina.out'
60		- '/usr/local/apache-tomcat/logs/*/catalina.out'
61		- '/usr/local/Cellar/tomcat/logs/*/catalina.out' # Default location for Homebrew
62		- '/Library/Tomcat/logs/access_log*'
63		- '/usr/local/apache-tomcat/logs/access_log'
64		- '/usr/local/Cellar/tomcat/logs/access_log' # Default location for Homebrew
65		- '/Library/Tomcat/logs/*/access_log'
66		- '/usr/local/apache-tomcat/logs//access_log'
67		- '/usr/local/Cellar/tomcat/logs//access_log' # Default location for Homebrew
	56	- '/Library/Tomcat/logs/*/access_log'
	57	- '/Library/Tomcat/logs/access_log*'
	58	- '/Library/Tomcat/logs/**/catalina.out'
	59	- '/Library/Tomcat/logs/catalina.out'
	60	- '/usr/local/apache-tomcat/logs//access_log'
	61	- '/usr/local/apache-tomcat/logs/access_log'
	62	- '/usr/local/apache-tomcat/logs/*/catalina.out'
	63	- '/usr/local/apache-tomcat*/logs/catalina.out'
	64	- '/usr/local/Cellar/tomcat/logs//access_log' # Default location for Homebrew
	65	- '/usr/local/Cellar/tomcat/logs/access_log' # Default location for Homebrew
	66	- '/usr/local/Cellar/tomcat/logs/*/catalina.out' # Default location for Homebrew
	67	- '/usr/local/Cellar/tomcat*/logs/catalina.out' # Default location for Homebrew
68	68	supported_os: [Darwin]
69	69	supported_os: [Windows,Linux,Darwin]
70	70	urls:

77	77	- type: FILE
78	78	attributes:
79	79	paths:
80		- '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
81		- '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
82		- '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
	80	- '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
	81	- '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
	82	- '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
83	83	separator: '\'
84	84	supported_os: [Windows]
85	85	- type: FILE
86	86	attributes:
87	87	paths:
88		- '/opt/tomcat*/conf/tomcat-users.xml'
89		- '/usr/local/tomcat*/conf/tomcat-users.xml'
90		- '/usr/share/tomcat*/conf/tomcat-users.xml'
91		- '/var/lib/tomcat*/conf/tomcat-users.xml'
	88	- '/opt/tomcat*/conf/tomcat-users.xml'
	89	- '/private/var/lib/tomcat*/conf/tomcat-users.xml'
	90	- '/usr/local/tomcat*/conf/tomcat-users.xml'
	91	- '/usr/share/tomcat*/conf/tomcat-users.xml'
	92	- '/var/lib/tomcat*/conf/tomcat-users.xml'
92	93	supported_os: [Linux]
93	94	- type: FILE
94	95	attributes:
95	96	paths:
96		- '/Library/Tomcat/conf/tomcat-users.xml'
97		- '/usr/local/apache-tomcat-*/conf/tomcat-users.xml'
98		- '/usr/local/Cellar/tomcat/*/conf/tomcat-users.xml' # Default location for Homebrew
	97	- '/Library/Tomcat/conf/tomcat-users.xml'
	98	- '/usr/local/apache-tomcat-*/conf/tomcat-users.xml'
	99	- '/usr/local/Cellar/tomcat/*/conf/tomcat-users.xml' # Default location for Homebrew
99	100	supported_os: [Darwin]
100	101	supported_os: [Windows,Linux,Darwin]
101	102	urls: ['https://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html#Configuring_Manager_Application_Access']

+120

-52

data/unix_common.yaml less more

5	5	- type: ARTIFACT_GROUP
6	6	attributes:
7	7	names:
8		- GlobalShellConfigs
9		- UsersShellConfigs
10		- RootUserShellConfigs
	8	- 'GlobalShellConfigs'
	9	- 'RootUserShellConfigs'
	10	- 'UsersShellConfigs'
11	11	labels: [Configuration Files]
12	12	supported_os: [Linux, Darwin]
13	13	---

17	17	- type: ARTIFACT_GROUP
18	18	attributes:
19	19	names:
20		- UsersShellHistory
21		- RootUserShellHistory
	20	- 'RootUserShellHistory'
	21	- 'UsersShellHistory'
22	22	labels: [History Files]
23	23	supported_os: [Linux, Darwin]
24	24	---

28	28	- type: FILE
29	29	attributes:
30	30	paths:
31		- '/etc/bashrc'
32		- '/etc/bash.bashrc'
33		- '/etc/kshrc'
34		- '/etc/csh.cshrc'
35		- '/etc/csh.login'
36		- '/etc/csh.logout'
37		- '/etc/profile'
38		- '/etc/zsh/zlogin'
39		- '/etc/zsh/zlogout'
40		- '/etc/zsh/zprofile'
41		- '/etc/zsh/zshenv'
42		- '/etc/zsh/zshrc'
43		- '/etc/zshenv'
44		- '/etc/zshrc'
	31	- '/etc/bash.bashrc'
	32	- '/etc/bashrc'
	33	- '/etc/csh.cshrc'
	34	- '/etc/csh.login'
	35	- '/etc/csh.logout'
	36	- '/etc/kshrc'
	37	- '/etc/profile'
	38	- '/etc/zshenv'
	39	- '/etc/zshrc'
	40	- '/etc/zsh/zlogin'
	41	- '/etc/zsh/zlogout'
	42	- '/etc/zsh/zprofile'
	43	- '/etc/zsh/zshenv'
	44	- '/etc/zsh/zshrc'
	45	- '/private/etc/bash.bashrc'
	46	- '/private/etc/bashrc'
	47	- '/private/etc/csh.cshrc'
	48	- '/private/etc/csh.login'
	49	- '/private/etc/csh.logout'
	50	- '/private/etc/kshrc'
	51	- '/private/etc/profile'
	52	- '/private/etc/zshenv'
	53	- '/private/etc/zshrc'
	54	- '/private/etc/zsh/zlogin'
	55	- '/private/etc/zsh/zlogout'
	56	- '/private/etc/zsh/zprofile'
	57	- '/private/etc/zsh/zshenv'
	58	- '/private/etc/zsh/zshrc'
	59	supported_os: [Darwin]
	60	- type: FILE
	61	attributes:
	62	paths:
	63	- '/etc/bash.bashrc'
	64	- '/etc/bashrc'
	65	- '/etc/csh.cshrc'
	66	- '/etc/csh.login'
	67	- '/etc/csh.logout'
	68	- '/etc/kshrc'
	69	- '/etc/profile'
	70	- '/etc/zshenv'
	71	- '/etc/zshrc'
	72	- '/etc/zsh/zlogin'
	73	- '/etc/zsh/zlogout'
	74	- '/etc/zsh/zprofile'
	75	- '/etc/zsh/zshenv'
	76	- '/etc/zsh/zshrc'
	77	supported_os: [Linux]
45	78	labels: [Configuration Files]
46	79	supported_os: [Linux, Darwin]
47	80	---

51	84	- type: FILE
52	85	attributes:
53	86	paths:
54		- '/root/.bashrc'
55		- '/root/.bash_profile'
56		- '/root/.bash_logout'
57		- '/root/.cshrc'
58		- '/root/.ksh'
59		- '/root/.logout'
60		- '/root/.profile'
61		- '/root/.tcsh'
62		- '/root/.zlogin'
63		- '/root/.zlogout'
64		- '/root/.zprofile'
	87	- '/root/.bash_logout'
	88	- '/root/.bash_profile'
	89	- '/root/.bashrc'
	90	- '/root/.cshrc'
	91	- '/root/.ksh'
	92	- '/root/.logout'
	93	- '/root/.profile'
	94	- '/root/.tcsh'
	95	- '/root/.zlogin'
	96	- '/root/.zlogout'
	97	- '/root/.zprofile'
65	98	labels: [Configuration Files]
66	99	supported_os: [Linux, Darwin]
67	100	---

71	104	- type: FILE
72	105	attributes:
73	106	paths:
74		- '/root/.bash_history'
75		- '/root/.sh_history'
76		- '/root/.zhistory'
77		- '/root/.zsh_history'
	107	- '/root/.bash_history'
	108	- '/root/.sh_history'
	109	- '/root/.zhistory'
	110	- '/root/.zsh_history'
78	111	labels: [History Files]
79	112	supported_os: [Linux, Darwin]
80	113	---

82	115	doc: Unix groups file.
83	116	sources:
84	117	- type: FILE
	118	attributes:
	119	paths:
	120	- '/etc/group'
	121	- '/private/etc/group'
	122	supported_os: [Darwin]
	123	- type: FILE
85	124	attributes: {paths: ['/etc/group']}
	125	supported_os: [Linux]
86	126	labels: [Authentication]
87	127	supported_os: [Linux, Darwin]
88	128	---

90	130	doc: Unix hosts file
91	131	sources:
92	132	- type: FILE
	133	attributes:
	134	paths:
	135	- '/etc/hosts'
	136	- '/private/etc/hosts'
	137	supported_os: [Darwin]
	138	- type: FILE
93	139	attributes: {paths: ['/etc/hosts']}
	140	supported_os: [Linux]
94	141	labels: [Configuration Files]
95	142	supported_os: [Linux, Darwin]
96	143	---

98	145	doc: Unix /etc/passwd file.
99	146	sources:
100	147	- type: FILE
	148	attributes:
	149	paths:
	150	- '/etc/passwd'
	151	- '/private/etc/passwd'
	152	supported_os: [Darwin]
	153	- type: FILE
101	154	attributes: {paths: ['/etc/passwd']}
	155	supported_os: [Linux]
102	156	labels: [Authentication]
103	157	supported_os: [Linux, Darwin]
104	158	---

106	160	doc: Unix /etc/shadow file.
107	161	sources:
108	162	- type: FILE
	163	attributes:
	164	paths:
	165	- '/etc/shadow'
	166	- '/private/etc/shadow'
	167	supported_os: [Darwin]
	168	- type: FILE
109	169	attributes: {paths: ['/etc/shadow']}
	170	supported_os: [Linux]
110	171	labels: [Authentication]
111	172	supported_os: [Linux, Darwin]
112	173	---

114	175	doc: Unix sudoers configuration.
115	176	sources:
116	177	- type: FILE
	178	attributes:
	179	paths:
	180	- '/etc/sudoers'
	181	- '/private/etc/sudoers'
	182	supported_os: [Darwin]
	183	- type: FILE
117	184	attributes: {paths: ['/etc/sudoers']}
	185	supported_os: [Linux]
118	186	labels: [Authentication, Configuration Files]
119	187	supported_os: [Linux, Darwin]
120	188	---

124	192	- type: ARTIFACT_GROUP
125	193	attributes:
126	194	names:
127		- 'UnixPasswd'
128		- 'UnixShadowFile'
129		- 'UnixGroups'
	195	- 'UnixGroups'
	196	- 'UnixPasswd'
	197	- 'UnixShadowFile'
130	198	labels: [Authentication]
131	199	supported_os: [Linux, Darwin]
132	200	---

136	204	- type: FILE
137	205	attributes:
138	206	paths:
139		- '%%users.homedir%%/.bashrc'
140		- '%%users.homedir%%/.bash_profile'
141		- '%%users.homedir%%/.bash_logout'
142		- '%%users.homedir%%/.cshrc'
143		- '%%users.homedir%%/.ksh'
144		- '%%users.homedir%%/.logout'
145		- '%%users.homedir%%/.profile'
146		- '%%users.homedir%%/.tcsh'
147		- '%%users.homedir%%/.zlogin'
148		- '%%users.homedir%%/.zlogout'
149		- '%%users.homedir%%/.zprofile'
	207	- '%%users.homedir%%/.bash_logout'
	208	- '%%users.homedir%%/.bash_profile'
	209	- '%%users.homedir%%/.bashrc'
	210	- '%%users.homedir%%/.cshrc'
	211	- '%%users.homedir%%/.ksh'
	212	- '%%users.homedir%%/.logout'
	213	- '%%users.homedir%%/.profile'
	214	- '%%users.homedir%%/.tcsh'
	215	- '%%users.homedir%%/.zlogin'
	216	- '%%users.homedir%%/.zlogout'
	217	- '%%users.homedir%%/.zprofile'
150	218	labels: [Configuration Files]
151	219	supported_os: [Linux, Darwin]
152	220	---

156	224	- type: FILE
157	225	attributes:
158	226	paths:
159		- '%%users.homedir%%/.bash_history'
160		- '%%users.homedir%%/.sh_history'
161		- '%%users.homedir%%/.zhistory'
162		- '%%users.homedir%%/.zsh_history'
	227	- '%%users.homedir%%/.bash_history'
	228	- '%%users.homedir%%/.sh_history'
	229	- '%%users.homedir%%/.zhistory'
	230	- '%%users.homedir%%/.zsh_history'
163	231	labels: [History Files]
164	232	supported_os: [Linux, Darwin]

+7

-7

data/webbrowser.yaml less more

347	347	- type: FILE
348	348	attributes:
349	349	paths:
	350	- '%%users.appdata%%\Microsoft\Windows\IEDownloadHistory\index.dat'
	351	- '%%users.localappdata%%\Microsoft\Feeds Cache\index.dat'
	352	- '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\*\index.dat'
	353	- '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\index.dat'
	354	- '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\*\index.dat'
	355	- '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\index.dat'
350	356	- '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat'
351	357	- '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat'
352		- '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\index.dat'
353		- '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\index.dat'
354		- '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\*\index.dat'
355		- '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\*\index.dat'
356		- '%%users.userprofile%%\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat'
357		- '%%users.appdata%%\Microsoft\Windows\IEDownloadHistory\index.dat'
358	358	- '%%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat'
359	359	separator: '\'
360	360	labels: [Browser]

456	456	doc: Opera browser history (global_history.dat).
457	457	sources:
458	458	- type: FILE
459		attributes: {paths: ['%%users.homedir%%/Library/Opera//global_history.dat']}
	459	attributes: {paths: ['%%users.homedir%%/Library/Opera/global_history.dat']}
460	460	supported_os: [Darwin]
461	461	- type: FILE
462	462	attributes: {paths: ['%%users.homedir%%/.opera/global_history.dat']}

+9

-7

data/webservers.yaml less more

5	5	- type: FILE
6	6	attributes:
7	7	paths:
8		- '/var/log/nginx/access.log*'
	8	- '/var/log/nginx/access.log*'
9	9	labels: [Software, Logs]
10	10	supported_os: [Linux]
11	11	---

15	15	- type: FILE
16	16	attributes:
17	17	paths:
18		- '/var/log/apache/access.log*'
19		- '/var/log/apache2/access.log*'
20		- '/var/log/httpd/access.log'
	18	- '/var/log/apache/access.log*'
	19	- '/var/log/apache2/access.log*'
	20	- '/var/log/httpd/access.log'
21	21	labels: [Software, Logs]
22	22	supported_os: [Linux]
23	23	---

27	27	- type: FILE
28	28	attributes:
29	29	paths:
30		- '/wp/wp-config.php'
31		- '/var/www/wp-config.php'
32		- '/var/www/**/wp-config.php'
	30	- '/private/var/www/**/wp-config.php'
	31	- '/private/var/www/wp-config.php'
	32	- '/var/www/**/wp-config.php'
	33	- '/var/www/wp-config.php'
	34	- '/wp/wp-config.php'
33	35	labels: [Configuration Files]
34	36	supported_os: [Linux, Darwin]

+96

-46

data/windows.yaml less more

22	22	sources:
23	23	- type: FILE
24	24	attributes:
25		paths: ['%%users.homedir%%\AppData\Local\ConnectedDevicesPlatform\L.%%users.username%%\ActivitiesCache.db']
	25	paths: ['%%users.localappdata%%\ConnectedDevicesPlatform\L.%%users.username%%\ActivitiesCache.db']
26	26	separator: '\'
27	27	labels: [Users]
28	28	supported_os: [Windows]

118	118	- '%%environ_systemroot%%\WinAppXRT.dll'
119	119	- '%%environ_systemroot%%\System32\Wbem\WinAppXRT.dll'
120	120	- '%%environ_systemroot%%\System32\WindowsPowerShell\v1.0\WinAppXRT.dll'
	121	separator: '\'
121	122	supported_os: [Windows]
122	123	conditions: [os_major_version >= 6 AND os_minor_version >= 2]
123	124	urls: ['http://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/']

176	177	sources:
177	178	- type: FILE
178	179	attributes:
179		paths:
180		- '%%environ_allusersprofile%%\Microsoft\Network\Downloader\qmgr*.dat'
	180	paths: ['%%environ_allusersprofile%%\Microsoft\Network\Downloader\qmgr*.dat']
	181	separator: '\'
181	182	supported_os: [Windows]
182	183	urls: ['http://dfrws.org/2015/proceedings/presentations/DFRWS2015-pres3.pdf']
183	184	---

192	193	urls:
193	194	- 'https://technet.microsoft.com/en-us/library/cc786702(WS.10).aspx'
194	195	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
	196	---
	197	name: WindowsCIMRepositoryFiles
	198	doc: \|
	199	Windows Common Information Model (CIM) repository.
	200
	201	Persistent database that holds the schema, also called the object repository or class store,
	202	that models the managed environment and defines every piece of data exposed by WMI.
	203
	204	This definition does not specify the copies of the CIM repository that are stored in system restore points.
	205	sources:
	206	- type: FILE
	207	attributes:
	208	paths:
	209	# Windows 95 OSR 2.5, 98, Millennium Edition (Me)
	210	- '%%environ_windir%%\System\Wbem\Repository\cim.rep'
	211	# Windows NT4 and 2000
	212	- '%%environ_systemroot%%\System32\wbem\Repository\CIM.REC'
	213	- '%%environ_systemroot%%\System32\wbem\Repository\CIM.REP'
	214	# Windows Vista and later
	215	- '%%environ_systemroot%%\System32\wbem\Repository\INDEX.BTR'
	216	- '%%environ_systemroot%%\System32\wbem\Repository\INDEX.MAP'
	217	- '%%environ_systemroot%%\System32\wbem\Repository\MAPPING.VER'
	218	- '%%environ_systemroot%%\System32\wbem\Repository\MAPPING[1-3].MAP'
	219	- '%%environ_systemroot%%\System32\wbem\Repository\OBJECTS.DATA'
	220	- '%%environ_systemroot%%\System32\wbem\Repository\OBJECTS.MAP'
	221	# Windows XP and Windows 2003
	222	- '%%environ_systemroot%%\System32\wbem\Repository\FS\INDEX.BTR'
	223	- '%%environ_systemroot%%\System32\wbem\Repository\FS\INDEX.MAP'
	224	- '%%environ_systemroot%%\System32\wbem\Repository\FS\MAPPING.VER'
	225	- '%%environ_systemroot%%\System32\wbem\Repository\FS\MAPPING[1-2].MAP'
	226	- '%%environ_systemroot%%\System32\wbem\Repository\FS\OBJECTS.DATA'
	227	- '%%environ_systemroot%%\System32\wbem\Repository\FS\OBJECTS.MAP'
	228	separator: '\'
	229	supported_os: [Windows]
	230	urls:
	231	- 'https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf'
	232	- 'https://github.com/libyal/dtformats/blob/master/documentation/WMI%20repository%20file%20format.asciidoc'
195	233	---
196	234	name: WindowsCodePage
197	235	doc: The code page of the system.

426	464	- 'http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/'
427	465	- 'https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/cb6f1d6f-60a6-4369-803e-ec03d902e638/gina-how-to-run-domain-scripts-after-logon'
428	466	---
429		name: WindowsEnvironmentVariableAllUsersAppData
430		doc: The %ProgramData% environment variable.
431		sources:
432		- type: REGISTRY_VALUE
433		attributes:
434		key_value_pairs:
435		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'}
436		provides: [environ_allusersappdata]
437		supported_os: [Windows]
438		urls: ['http://environmentvariables.org/ProgramData']
439		---
440		name: WindowsEnvironmentVariableProfilesDirectory
441		doc: Folder that typically contains users' profile directories; default is '%SystemDrive%\Users'
442		sources:
443		- type: REGISTRY_VALUE
444		attributes:
445		key_value_pairs:
446		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProfilesDirectory'}
447		provides: [environ_profilesdirectory]
448		supported_os: [Windows]
449		urls:
450		- 'https://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx'
451		- 'https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-recognized-environment-variables'
452		- 'http://support.microsoft.com/kb//214653'
453		---
454	467	name: WindowsEnvironmentVariableAllUsersProfile
455	468	doc: \|
456	469	The %AllUsersProfile% environment variable

493	506	provides: [environ_path]
494	507	supported_os: [Windows]
495	508	urls: ['http://environmentvariables.org/Path']
	509	---
	510	name: WindowsEnvironmentVariableProfilesDirectory
	511	doc: Folder that typically contains users' profile directories; default is '%SystemDrive%\Users'
	512	sources:
	513	- type: REGISTRY_VALUE
	514	attributes:
	515	key_value_pairs:
	516	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProfilesDirectory'}
	517	provides: [environ_profilesdirectory]
	518	supported_os: [Windows]
	519	urls:
	520	- 'https://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx'
	521	- 'https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-recognized-environment-variables'
	522	- 'http://support.microsoft.com/kb//214653'
	523	---
	524	name: WindowsEnvironmentVariableProgramData
	525	doc: The %ProgramData% environment variable.
	526	sources:
	527	- type: REGISTRY_VALUE
	528	attributes:
	529	key_value_pairs:
	530	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'}
	531	provides: [environ_programdata]
	532	supported_os: [Windows]
	533	urls: ['http://environmentvariables.org/ProgramData']
496	534	---
497	535	name: WindowsEnvironmentVariableProgramFiles
498	536	doc: The %ProgramFiles% environment variable.

1053	1091	doc: Windows Metro application cache.
1054	1092	sources:
1055	1093	- type: FILE
1056		attributes: {paths: ['%%users.homedir%%\AppData\Local\Packages\*\AC\INetCache']}
	1094	attributes:
	1095	paths: ['%%users.localappdata%%\Packages\*\AC\INetCache']
	1096	separator: '\'
1057	1097	supported_os: [Windows]
1058	1098	urls:
1059	1099	- 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look'

1062	1102	doc: Windows Metro application cookies.
1063	1103	sources:
1064	1104	- type: FILE
1065		attributes: {paths: ['%%users.homedir%%\AppData\Local\Packages\*\AC\INetCookies']}
	1105	attributes:
	1106	paths: ['%%users.localappdata%%\Packages\*\AC\INetCookies']
	1107	separator: '\'
1066	1108	supported_os: [Windows]
1067	1109	urls:
1068	1110	- 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look'

1071	1113	doc: Windows Metro application history.
1072	1114	sources:
1073	1115	- type: FILE
1074		attributes: {paths: ['%%users.homedir%%\AppData\Local\Packages\*\AC\INetHistory']}
	1116	attributes:
	1117	paths: ['%%users.localappdata%%\Packages\*\AC\INetHistory']
	1118	separator: '\'
1075	1119	supported_os: [Windows]
1076	1120	urls:
1077	1121	- 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look'

1080	1124	doc: Windows Metro user-pinned favorite tiles.
1081	1125	sources:
1082	1126	- type: FILE
1083		attributes: {paths: ['%%users.homedir%%\AppData\Local\Microsoft\Windows\RoamingTiles']}
	1127	attributes:
	1128	paths: ['%%users.localappdata%%\Microsoft\Windows\RoamingTiles']
	1129	separator: '\'
1084	1130	supported_os: [Windows]
1085	1131	urls:
1086	1132	- 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look'

1174	1220	- WindowsPersistenceRegistryKeys
1175	1221	- WindowsPowerShellDefaultProfiles
1176	1222	- WindowsServices
1177		returned_types: [PersistenceFile]
1178	1223	labels: [Software]
1179	1224	supported_os: [Windows]
1180	1225	---

1270	1315	paths:
1271	1316	- '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\profile.ps1'
1272	1317	- '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1'
1273		- '%%users.homedir%%\Documents\WindowsPowerShell\profile.ps1'
1274		- '%%users.homedir%%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'
	1318	- '%%users.userprofile%%\Documents\WindowsPowerShell\profile.ps1'
	1319	- '%%users.userprofile%%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'
	1320	separator: '\'
1275	1321	supported_os: [Windows]
1276	1322	urls:
1277	1323	- 'https://technet.microsoft.com/en-us/magazine/2008.10.windowspowershell.aspx#id0190010'

1435	1481	userinit.exe will load this file and call its RunMonitor export.
1436	1482	sources:
1437	1483	- type: FILE
1438		attributes: {paths: ['%%environ_systemroot%%\System32\rover.dll']}
	1484	attributes:
	1485	paths: ['%%environ_systemroot%%\System32\rover.dll']
	1486	separator: '\'
1439	1487	supported_os: [Windows]
1440	1488	urls: ['http://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/']
1441	1489	---

1788	1836	doc: Windows setup API logs.
1789	1837	sources:
1790	1838	- type: FILE
1791		attributes: {paths: ['%%environ_systemroot%%\setupapi.log']}
	1839	attributes:
	1840	paths: ['%%environ_systemroot%%\setupapi.log']
	1841	separator: '\'
1792	1842	conditions: [os_major_version < 6]
1793	1843	- type: FILE
1794	1844	attributes:

1842	1892	- type: FILE
1843	1893	attributes:
1844	1894	paths:
1845		- '%%users.homedir%%\Start Menu\Programs\Startup\*'
	1895	- '%%environ_allusersprofile%%\Microsoft\Windows\Start Menu\Programs\Startup\*'
1846	1896	- '%%environ_allusersprofile%%\Start Menu\Programs\Startup\*'
1847		- '%%users.homedir%%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*'
1848		- '%%environ_allusersprofile%%\Microsoft\Windows\Start Menu\Programs\Startup\*'
	1897	- '%%users.appdata%%\Microsoft\Windows\Start Menu\Programs\Startup\*'
	1898	- '%%users.userprofile%%\Start Menu\Programs\Startup\*'
1849	1899	separator: '\'
1850	1900	supported_os: [Windows]
1851	1901	---

2119	2169	sources:
2120	2170	- type: DIRECTORY
2121	2171	attributes:
2122		paths: ['%%users.homedir%%\Downloads\*']
	2172	paths: ['%%users.userprofile%%\Downloads\*']
2123	2173	separator: '\'
2124	2174	labels: [Users]
2125	2175	supported_os: [Windows]

2142	2192	- type: FILE
2143	2193	attributes:
2144	2194	paths:
2145		- '%%users.homedir%%\NTUSER.DAT'
2146		- '%%users.homedir%%\NTUSER.MAN'
	2195	- '%%users.userprofile%%\NTUSER.DAT'
	2196	- '%%users.userprofile%%\NTUSER.MAN'
2147	2197	- '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat'
2148	2198	separator: '\'
2149	2199	labels: [Users]

2156	2206	- type: FILE
2157	2207	attributes:
2158	2208	paths:
2159		- '%%users.homedir%%\NTUSER.DAT.LOG'
2160		- '%%users.homedir%%\NTUSER.DAT.LOG1'
2161		- '%%users.homedir%%\NTUSER.DAT.LOG2'
	2209	- '%%users.userprofile%%\NTUSER.DAT.LOG'
	2210	- '%%users.userprofile%%\NTUSER.DAT.LOG1'
	2211	- '%%users.userprofile%%\NTUSER.DAT.LOG2'
2162	2212	- '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG'
2163	2213	- '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG1'
2164	2214	- '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG2'

+36

-6

docs/Artifacts definition format and style guide.asciidoc less more

6	6	:numbered!:
7	7	[abstract]
8	8	== Summary
	9
9	10	This guide contains a description of the forensics artifacts definitions.
10	11	The artifacts definitions are
11	12	link:http://www.yaml.org/spec/1.2/spec.html[YAML]-based. The format is

15	16
16	17	[preface]
17	18	== Revision history
	19
18	20	[cols="1,1,1,5",options="header"]
19	21	\|===
20	22	\| Version \| Author \| Date \| Comments

23	25	\| 0.0.3 \| J.B. Metz \| April 2015 \| Merged style guide and artifact definitions wiki page.
24	26	\| 0.0.3 \| J.B. Metz \| September 2015 \| Additional label.
25	27	\| 0.0.4 \| J.B. Metz \| July 2016 \| Added information about a naming convention.
	28	\| 0.0.5 \| J.B. Metz \| February 2019 \| Removed returned_types as keyword and format changes.
26	29	\|===
27	30
28	31	:numbered:
29	32	== Background
	33
30	34	The first version of the artifact definitions originated from the
31	35	https://github.com/google/grr[GRR project], where it is used to describe and
32	36	quickly collect data of interest, e.g. specific files or Windows Registry keys.

43	47	various between tools.
44	48
45	49	=== Terminology
46		The term artifact (or artefact) is widely used within computer (or digital) forensics, though there is no official definition of this term.
47
48		The definition closest to the meaning of the word within computer forensics is that of the word artifact within http://en.wikipedia.org/wiki/Artifact_(archaeology)[archaeology]. The term should not be confused with the word artifact used within http://en.wikipedia.org/wiki/Artifact_(software_development)[software development].
	50
	51	The term artifact (or artefact) is widely used within computer (or digital)
	52	forensics, though there is no official definition of this term.
	53
	54	The definition closest to the meaning of the word within computer forensics is
	55	that of the word artifact within
	56	http://en.wikipedia.org/wiki/Artifact_(archaeology)[archaeology]. The term
	57	should not be confused with the word artifact used within
	58	http://en.wikipedia.org/wiki/Artifact_(software_development)[software development].
49	59
50	60	If archaeology defines an artifact as:
51	61	```

58	68	An object of digital archaeological interest.
59	69	```
60	70
61		Where digital archaeology roughly refers to computer forensics without the forensic (legal) context.
	71	Where digital archaeology roughly refers to computer forensics without the
	72	forensic (legal) context.
62	73
63	74	== The artifact definition
	75
64	76	The best way to show what an artifact definition is, is by example. The
65	77	following example is the artifact definition for the Windows EVTX System Event
66	78	Logs.

102	114	\|===
103	115
104	116	=== [[artifact_name]]Name
	117
105	118	Style note: The name of an artifact defintion should be in CamelCase name without spaces.
106	119
107	120	As of July 2016 we are migrating to the following naming convention:

115	128	files use "BrowserHistoryFiles" instead of "BrowserHistory" to reduce ambiguity.
116	129
117	130	=== [[artifact_long_docs]]Long docs form
	131
118	132	Multi-line documentation should use the YAML Literal Style as indicated by the \|
119	133	character.
120	134

133	147	Style note: explicit newlines (\n) should not be used.
134	148
135	149	== [[sources]]Sources
	150
136	151	Every source definition starts with a `type` followed by arguments e.g.
137	152
138	153	[source,yaml]

178	193	\| type \| The source type.
179	194	\| conditions \| Optional list of conditions to when the artifact definition should apply. +
180	195	See section: <<conditions,Conditions>>.
181		\| returned_types \| Optional list of returned artifact definition types.
182	196	\| supported_os \| Optional list that indicates which operating systems the artifact definition applies to. +
183	197	See section: <<supported_os,Supported operating system>>.
184	198	\|===
185	199
186	200	=== Source types
	201
187	202	Currently the following different source types are defined:
188	203
189	204	[cols="1,5",options="header"]

203	218	as TYPE_INDICATOR constants.
204	219
205	220	=== Artifact group source
	221
206	222	The artifact group source is a source that consists of a group of other artifacts e.g.
207	223
208	224	[source,yaml]

210	226	- type: ARTIFACT_GROUP
211	227	attributes:
212	228	names: [WindowsRunKeys, WindowsServices]
213		returned_types: [PersistenceFile]
214	229	----
215	230
216	231	Where `attributes` can contain the following values:

223	238	\|===
224	239
225	240	=== Command source
	241
226	242	The command source is a source that consists of the output of a command e.g.
227	243
228	244	[source,yaml]

243	259	\|===
244	260
245	261	=== File source
	262
246	263	The file source is a source that consists of the contents of files e.g.
247	264
248	265	[source,yaml]

263	280	\|===
264	281
265	282	=== Path source
	283
266	284	The path source is a source that consists of the contents of paths e.g.
267	285
268	286	[source,yaml]

284	302	\|===
285	303
286	304	=== Windows Registry key source
	305
287	306	The Windows Registry key source is a source that consists of the contents of
288	307	Windows Registry keys e.g.
289	308

307	326	\|===
308	327
309	328	=== Windows Registry value source
	329
310	330	The Windows Registry value source is a source that consists of the contents of
311	331	Windows Registry values e.g.
312	332

329	349	\|===
330	350
331	351	=== Windows Management Instrumentation (WMI) query source
	352
332	353	The Windows Management Instrumentation (WMI) query source is a source that
333	354	consists of the output of Windows Management Instrumentation (WMI) queries e.g.
334	355

350	371	\|===
351	372
352	373	== [[conditions]]Conditions
	374
353	375	TODO: work is in progress to move this out of GRR into something more portable.
354	376
355	377	Artifact conditions are currently implemented using the

366	388	----
367	389
368	390	=== [[supported_os]]Supported operating system
	391
369	392	Since operating system (OS) conditions are a very common constraint, this has
370	393	been provided as a separate option "supported_os" to simplify syntax. For
371	394	supported_os no quotes are required. The currently supported operating systems

388	411	----
389	412
390	413	== [[labels]]Labels
	414
391	415	Currently the following different labels are defined:
392	416
393	417	[cols="1,5",options="header"]

415	439	link:https://github.com/ForensicArtifacts/artifacts/blob/master/artifacts/definitions.py[definitions.py].
416	440
417	441	== Style notes
	442
418	443	=== Artifact definition YAML files
	444
419	445	Artifact definition YAML filenames should be of the form:
420	446	....
421	447	$FILENAME.yaml

433	459	----
434	460
435	461	=== Lists
	462
436	463	Generally use the short [] format for single-item lists that fit inside 80
437	464	characters to save on unnecessary line breaks:
438	465

456	483	----
457	484
458	485	=== Quotes
	486
459	487	Quotes should not be used for doc strings, artifact names, and simple lists
460	488	like labels and supported_os.
461	489

476	504	----
477	505
478	506	=== Minimize the number of definitions by using multiple sources
	507
479	508	To minimize the number of artifacts in the list, combine them using the
480	509	supported_os and conditions attributes where it makes sense. e.g. rather than
481	510	having FirefoxHistoryWindows, FirefoxHistoryLinux, FirefoxHistoryDarwin, do:

504	533	----
505	534
506	535	== [[parameter_expansion]]Parameter expansion and globs
	536
507	537	TODO
508	538

+1

-1

setup.cfg less more

7	7	AUTHORS
8	8	LICENSE
9	9	README
10		build_requires = python-setuptools
	10	build_requires = python2-setuptools
11	11	requires = python2-pyyaml >= 3.10
12	12
13	13	[bdist_wheel]

+25

-7

setup.py less more

92	92	python_spec_file = []
93	93	for line in iter(spec_file):
94	94	if line.startswith('Summary: '):
95		summary = line
	95	summary = line[9:]
96	96
97	97	elif line.startswith('BuildRequires: '):
98	98	line = 'BuildRequires: {0:s}-setuptools, {0:s}-devel'.format(

103	103	if python_package == 'python3':
104	104	requires = requires.replace('python-', 'python3-')
105	105	requires = requires.replace('python2-', 'python3-')
	106	continue
106	107
107	108	elif line.startswith('%description'):
108	109	in_description = True

120	121	line = '%py2_install'
121	122
122	123	elif line.startswith('%files'):
	124	python_spec_file.extend([
	125	'%package -n %{name}-tools',
	126	'Requires: {0:s}-artifacts >= %{{version}}'.format(
	127	python_package),
	128	'Summary: Tools for {0:s}'.format(summary),
	129	'',
	130	'%description -n %{name}-tools'])
	131
	132	python_spec_file.extend(description)
	133
123	134	lines = [
124	135	'%files -n %{name}-data',
125	136	'%defattr(644,root,root,755)',

138	149	'%{python3_sitelib}/artifacts.egg-info/',
139	150	'',
140	151	'%exclude %{_prefix}/share/doc/*',
141		'%exclude %{python3_sitelib}/artifacts/__pycache__/*',
142		'%exclude %{_bindir}/*.py'])
	152	'%exclude %{python3_sitelib}/artifacts/__pycache__/*'])
143	153
144	154	else:
145	155	lines.extend([

148	158	'',
149	159	'%exclude %{_prefix}/share/doc/*',
150	160	'%exclude %{python2_sitelib}/artifacts/*.pyc',
151		'%exclude %{python2_sitelib}/artifacts/*.pyo',
152		'%exclude %{_bindir}/*.py'])
	161	'%exclude %{python2_sitelib}/artifacts/*.pyo'])
153	162
154	163	python_spec_file.extend(lines)
155	164	break

171	180	python_spec_file.extend([
172	181	'Obsoletes: python-artifacts < %{version}',
173	182	'Provides: python-artifacts = %{version}'])
	183	python_summary = 'Python 2 module of {0:s}'.format(summary)
	184	else:
	185	python_summary = 'Python 3 module of {0:s}'.format(summary)
174	186
175	187	python_spec_file.extend([
176		'Requires: %{{name}}-data, {0:s}'.format(requires),
177		'{0:s}'.format(summary),
	188	'Requires: artifacts-data >= %{{version}} {0:s}'.format(
	189	requires),
	190	'Summary: {0:s}'.format(python_summary),
178	191	'',
179	192	'%description -n {0:s}-%{{name}}'.format(python_package)])
180	193

188	201	description.append(line)
189	202
190	203	python_spec_file.append(line)
	204
	205	python_spec_file.extend([
	206	'',
	207	'%files -n %{name}-tools',
	208	'%{_bindir}/*.py'])
191	209
192	210	return python_spec_file
193	211

+4

-0

test_requirements.txt less more

	0	funcsigs >= 1.0.2 ; python_version < '3.0'
	1	mock >= 2.0.0
	2	pbr >= 4.2.0
	3	six >= 1.1.0

+0

-3

tests/__init__.py less more

0	0	# -- coding: utf-8 --
1		"""Tests for artifacts."""
2
3		__version__ = '20150409'

+166

-116

tests/reader_test.py less more

0	0	# -- coding: utf-8 --
1	1	"""Tests for the artifact definitions readers."""
	2
	3	from __future__ import unicode_literals
2	4
3	5	import io
4	6	import unittest

13	15
14	16	class YamlArtifactsReaderTest(test_lib.BaseTestCase):
15	17	"""YAML artifacts reader tests."""
	18
	19	_DEFINITION_INVALID_LABELS = """\
	20	name: BadLabel
	21	doc: badlabel.
	22	sources:
	23	- type: ARTIFACT_GROUP
	24	attributes:
	25	names:
	26	- 'SystemEventLogEvtx'
	27	labels: Logs
	28	supported_os: [Windows]
	29	"""
	30
	31	_DEFINITION_INVALID_SUPPORTED_OS_1 = """\
	32	name: BadSupportedOS
	33	doc: supported_os should be an array of strings.
	34	sources:
	35	- type: ARTIFACT_GROUP
	36	attributes:
	37	names:
	38	- 'SystemEventLogEvtx'
	39	labels: [Logs]
	40	supported_os: Windows
	41	"""
	42
	43	_DEFINITION_INVALID_SUPPORTED_OS_2 = """\
	44	name: BadTopSupportedOS
	45	doc: Top supported_os should match supported_os from sources.
	46	sources:
	47	- type: ARTIFACT_GROUP
	48	attributes:
	49	names:
	50	- 'SystemEventLogEvtx'
	51	supported_os: [Windows]
	52	labels: [Logs]
	53	"""
	54
	55	_DEFINITION_INVALID_URLS = """\
	56	name: BadUrls
	57	doc: badurls.
	58	sources:
	59	- type: ARTIFACT_GROUP
	60	attributes:
	61	names:
	62	- 'SystemEventLogEvtx'
	63	supported_os: [Windows]
	64	urls: 'http://example.com'
	65	"""
	66
	67	_DEFINITION_WITH_EXTRA_KEY = """\
	68	name: WithExtraKey
	69	doc: definition with extra_key
	70	sources:
	71	- type: ARTIFACT_GROUP
	72	attributes:
	73	names:
	74	- 'SystemEventLogEvtx'
	75	extra_key: 'wrong'
	76	labels: [Logs]
	77	supported_os: [Windows]
	78	"""
	79
	80	_DEFINITION_WITH_RETURN_TYPES = """\
	81	name: WithReturnTypes
	82	doc: definition with return_types
	83	sources:
	84	- type: ARTIFACT_GROUP
	85	attributes:
	86	names: [WindowsRunKeys, WindowsServices]
	87	returned_types: [PersistenceFile]
	88	"""
	89
	90	_DEFINITION_WITHOUT_DOC = """\
	91	name: NoDoc
	92	sources:
	93	- type: ARTIFACT_GROUP
	94	attributes:
	95	names:
	96	- 'SystemEventLogEvtx'
	97	"""
	98
	99	_DEFINITION_WITHOUT_NAME = """\
	100	name: NoNames
	101	doc: Missing names attr.
	102	sources:
	103	- type: ARTIFACT_GROUP
	104	attributes:
	105	- 'SystemEventLogEvtx'
	106	"""
	107
	108	_DEFINITION_WITHOUT_SOURCES = """\
	109	name: BadSources
	110	doc: must have one sources.
	111	labels: [Logs]
	112	supported_os: [Windows]
	113	"""
16	114
17	115	@test_lib.skipUnlessHasTestFile(['definitions.yaml'])
18	116	def testReadFileObject(self):

146	244	self.assertEqual(
147	245	collector_definition.type_indicator, definitions.TYPE_INDICATOR_COMMAND)
148	246
149		def testBadKey(self):
150		"""Tests if top level keys are correct."""
151		artifact_reader = reader.YamlArtifactsReader()
	247	def testReadFileObjectInvalidLabels(self):
	248	"""Tests the ReadFileObject function on an invalid labels."""
	249	artifact_reader = reader.YamlArtifactsReader()
	250
	251	file_object = io.StringIO(initial_value=self._DEFINITION_INVALID_LABELS)
	252	with self.assertRaises(errors.FormatError):
	253	_ = list(artifact_reader.ReadFileObject(file_object))
	254
	255	def testReadFileObjectInvalidSupportedOS(self):
	256	"""Tests the ReadFileObject function on an invalid supported_os."""
	257	artifact_reader = reader.YamlArtifactsReader()
	258
152	259	file_object = io.StringIO(
153		initial_value=u"""name: BadKey
154		doc: bad extra key.
155		sources:
156		- type: ARTIFACT_GROUP
157		attributes:
158		names:
159		- 'SystemEventLogEvtx'
160		extra_key: 'wrong'
161		labels: [Logs]
162		supported_os: [Windows]
163		""")
164
165		with self.assertRaises(errors.FormatError):
166		_ = list(artifact_reader.ReadFileObject(file_object))
167
168		def testMissingSources(self):
169		"""Tests if sources is present."""
170		artifact_reader = reader.YamlArtifactsReader()
	260	initial_value=self._DEFINITION_INVALID_SUPPORTED_OS_1)
	261	with self.assertRaises(errors.FormatError):
	262	_ = list(artifact_reader.ReadFileObject(file_object))
	263
171	264	file_object = io.StringIO(
172		initial_value=u"""name: BadSources
173		doc: must have one sources.
174		labels: [Logs]
175		supported_os: [Windows]
176		""")
177
178		with self.assertRaises(errors.FormatError):
179		_ = list(artifact_reader.ReadFileObject(file_object))
180
181		def testBadSupportedOS(self):
182		"""Tests if supported_os is checked correctly."""
183		artifact_reader = reader.YamlArtifactsReader()
184		file_object = io.StringIO(
185		initial_value=u"""name: BadSupportedOS
186		doc: supported_os should be an array of strings.
187		sources:
188		- type: ARTIFACT_GROUP
189		attributes:
190		names:
191		- 'SystemEventLogEvtx'
192		labels: [Logs]
193		supported_os: Windows
194		""")
195
196		with self.assertRaises(errors.FormatError):
197		_ = list(artifact_reader.ReadFileObject(file_object))
198
199		def testBadTopSupportedOS(self):
200		"""Tests if top level supported_os is checked correctly."""
201		artifact_reader = reader.YamlArtifactsReader()
202		file_object = io.StringIO(
203		initial_value=u"""name: BadTopSupportedOS
204		doc: Top supported_os should match supported_os from sources.
205		sources:
206		- type: ARTIFACT_GROUP
207		attributes:
208		names:
209		- 'SystemEventLogEvtx'
210		supported_os: [Windows]
211		labels: [Logs]
212		""")
213
214		with self.assertRaises(errors.FormatError):
215		_ = list(artifact_reader.ReadFileObject(file_object))
216
217		def testBadLabels(self):
218		"""Tests if labels is checked correctly."""
219		artifact_reader = reader.YamlArtifactsReader()
220		file_object = io.StringIO(
221		initial_value=u"""name: BadLabel
222		doc: badlabel.
223		sources:
224		- type: ARTIFACT_GROUP
225		attributes:
226		names:
227		- 'SystemEventLogEvtx'
228		labels: Logs
229		supported_os: [Windows]
230		""")
231
232		with self.assertRaises(errors.FormatError):
233		_ = list(artifact_reader.ReadFileObject(file_object))
234
235		def testMissingDoc(self):
236		"""Tests if doc is required."""
237		artifact_reader = reader.YamlArtifactsReader()
238		file_object = io.StringIO(
239		initial_value=u"""name: NoDoc
240		sources:
241		- type: ARTIFACT_GROUP
242		attributes:
243		names:
244		- 'SystemEventLogEvtx'
245		""")
246
247		with self.assertRaises(errors.FormatError):
248		_ = list(artifact_reader.ReadFileObject(file_object))
249
250		def testMissingNamesAttribute(self):
251		"""Tests if missing attribute names are checked correctly."""
252		artifact_reader = reader.YamlArtifactsReader()
253		file_object = io.StringIO(
254		initial_value=u"""name: NoNames
255		doc: Missing names attr.
256		sources:
257		- type: ARTIFACT_GROUP
258		attributes:
259		- 'SystemEventLogEvtx'
260		""")
261
	265	initial_value=self._DEFINITION_INVALID_SUPPORTED_OS_2)
	266	with self.assertRaises(errors.FormatError):
	267	_ = list(artifact_reader.ReadFileObject(file_object))
	268
	269	def testReadFileObjectInvalidURLs(self):
	270	"""Tests the ReadFileObject function on an invalid urls."""
	271	artifact_reader = reader.YamlArtifactsReader()
	272
	273	file_object = io.StringIO(initial_value=self._DEFINITION_INVALID_URLS)
	274	with self.assertRaises(errors.FormatError):
	275	_ = list(artifact_reader.ReadFileObject(file_object))
	276
	277	def testReadFileObjectWithExtraKey(self):
	278	"""Tests the ReadFileObject function on a definition with extra key."""
	279	artifact_reader = reader.YamlArtifactsReader()
	280
	281	file_object = io.StringIO(initial_value=self._DEFINITION_WITH_EXTRA_KEY)
	282	with self.assertRaises(errors.FormatError):
	283	_ = list(artifact_reader.ReadFileObject(file_object))
	284
	285	def testReadFileObjectWithReturnTypes(self):
	286	"""Tests the ReadFileObject function on a definition with return types."""
	287	artifact_reader = reader.YamlArtifactsReader()
	288
	289	file_object = io.StringIO(initial_value=self._DEFINITION_WITH_RETURN_TYPES)
	290	with self.assertRaises(errors.FormatError):
	291	_ = list(artifact_reader.ReadFileObject(file_object))
	292
	293	def testReadFileObjectWithoutDoc(self):
	294	"""Tests the ReadFileObject function on a definition without doc."""
	295	artifact_reader = reader.YamlArtifactsReader()
	296
	297	file_object = io.StringIO(initial_value=self._DEFINITION_WITHOUT_DOC)
	298	with self.assertRaises(errors.FormatError):
	299	_ = list(artifact_reader.ReadFileObject(file_object))
	300
	301	def testReadFileObjectWithoutName(self):
	302	"""Tests the ReadFileObject function on a definition without name."""
	303	artifact_reader = reader.YamlArtifactsReader()
	304
	305	file_object = io.StringIO(initial_value=self._DEFINITION_WITHOUT_NAME)
	306	with self.assertRaises(errors.FormatError):
	307	_ = list(artifact_reader.ReadFileObject(file_object))
	308
	309	def testReadFileObjectWithoutSources(self):
	310	"""Tests the ReadFileObject function on a definition without sources."""
	311	artifact_reader = reader.YamlArtifactsReader()
	312
	313	file_object = io.StringIO(initial_value=self._DEFINITION_WITHOUT_SOURCES)
262	314	with self.assertRaises(errors.FormatError):
263	315	_ = list(artifact_reader.ReadFileObject(file_object))
264	316

269	321	test_file = self._GetTestFilePath(['definitions.yaml'])
270	322
271	323	artifact_definitions = list(artifact_reader.ReadFile(test_file))
272
273	324	self.assertEqual(len(artifact_definitions), 7)
274	325
275	326	def testReadDirectory(self):

278	329	test_file = self._GetTestFilePath(['.'])
279	330
280	331	artifact_definitions = list(artifact_reader.ReadDirectory(test_file))
281
282	332	self.assertEqual(len(artifact_definitions), 7)
283	333
284	334	@test_lib.skipUnlessHasTestFile(['definitions.yaml'])

304	354	try:
305	355	artifact_definition = artifact.AsDict()
306	356	except errors.FormatError:
307		error_location = u'At start'
	357	error_location = 'At start'
308	358	if last_artifact_definition:
309		error_location = u'After: {0}'.format(last_artifact_definition.name)
310		self.fail(u'{0} failed to convert to dict'.format(error_location))
	359	error_location = 'After: {0}'.format(last_artifact_definition.name)
	360	self.fail('{0} failed to convert to dict'.format(error_location))
311	361	last_artifact_definition = artifact_definition
312	362
313	363

+13

-11

tests/registry_test.py less more

0	0	# -- coding: utf-8 --
1	1	"""Tests for the artifact definitions registry."""
	2
	3	from __future__ import unicode_literals
2	4
3	5	import io
4	6	import unittest

14	16	class TestSourceType(source_type.SourceType):
15	17	"""Class that implements a test source type."""
16	18
17		TYPE_INDICATOR = u'test'
	19	TYPE_INDICATOR = 'test'
18	20
19	21	def __init__(self, test=None):
20	22	"""Initializes the source type object.

26	28	FormatError: when test is not set.
27	29	"""
28	30	if not test:
29		raise errors.FormatError(u'Missing test value.')
	31	raise errors.FormatError('Missing test value.')
30	32
31	33	super(TestSourceType, self).__init__()
32	34	self.test = test

37	39	Returns:
38	40	dict[str, str]: source type attributes.
39	41	"""
40		return {u'test': self.test}
	42	return {'test': self.test}
41	43
42	44
43	45	class ArtifactDefinitionsRegistryTest(test_lib.BaseTestCase):

59	61	# Make sure the test file got turned into artifacts.
60	62	self.assertEqual(len(artifact_registry.GetDefinitions()), 7)
61	63
62		artifact_definition = artifact_registry.GetDefinitionByName(u'EventLogs')
	64	artifact_definition = artifact_registry.GetDefinitionByName('EventLogs')
63	65	self.assertIsNotNone(artifact_definition)
64	66
65	67	# Try to register something already registered

76	78	self.assertEqual(len(artifact_registry.GetDefinitions()), 6)
77	79
78	80	test_artifact_definition = artifact_registry.GetDefinitionByName(
79		u'SecurityEventLogEvtx')
	81	'SecurityEventLogEvtx')
80	82	self.assertIsNotNone(test_artifact_definition)
81	83
82		self.assertEqual(test_artifact_definition.name, u'SecurityEventLogEvtx')
	84	self.assertEqual(test_artifact_definition.name, 'SecurityEventLogEvtx')
83	85
84	86	expected_description = (
85		u'Windows Security Event log for Vista or later systems.')
	87	'Windows Security Event log for Vista or later systems.')
86	88	self.assertEqual(test_artifact_definition.description, expected_description)
87	89
88	90	bad_args = io.BytesIO(

132	134	registry.ArtifactDefinitionsRegistry.RegisterSourceTypes([TestSourceType])
133	135
134	136	source_object = registry.ArtifactDefinitionsRegistry.CreateSourceType(
135		u'test', {u'test': u'test123'})
	137	'test', {'test': 'test123'})
136	138
137	139	self.assertIsNotNone(source_object)
138		self.assertEqual(source_object.test, u'test123')
	140	self.assertEqual(source_object.test, 'test123')
139	141
140	142	with self.assertRaises(errors.FormatError):
141	143	source_object = registry.ArtifactDefinitionsRegistry.CreateSourceType(
142		u'test', {})
	144	'test', {})
143	145
144	146	with self.assertRaises(errors.FormatError):
145	147	source_object = registry.ArtifactDefinitionsRegistry.CreateSourceType(
146		u'bogus', {})
	148	'bogus', {})
147	149
148	150	registry.ArtifactDefinitionsRegistry.DeregisterSourceType(TestSourceType)
149	151

+19

-17

tests/source_type_test.py less more

0	0	# -- coding: utf-8 --
1	1	"""Tests for the source type objects."""
	2
	3	from __future__ import unicode_literals
2	4
3	5	import unittest
4	6

11	13	class TestSourceType(source_type.SourceType):
12	14	"""Class that implements a test source type."""
13	15
14		TYPE_INDICATOR = u'test'
	16	TYPE_INDICATOR = 'test'
15	17
16	18	def __init__(self, test=None):
17	19	"""Initializes the source type object.

23	25	FormatError: when test is not set.
24	26	"""
25	27	if not test:
26		raise errors.FormatError(u'Missing test value.')
	28	raise errors.FormatError('Missing test value.')
27	29
28	30	super(TestSourceType, self).__init__()
29	31	self.test = test

34	36	Returns:
35	37	dict[str, str]: source type attributes.
36	38	"""
37		return {u'test': self.test}
	39	return {'test': self.test}
38	40
39	41
40	42	class SourceTypeTest(test_lib.BaseTestCase):

46	48
47	49	def testInitialize(self):
48	50	"""Tests the __init__ function."""
49		source_type.ArtifactGroupSourceType(names=[u'test'])
	51	source_type.ArtifactGroupSourceType(names=['test'])
50	52
51	53
52	54	class FileSourceTypeTest(test_lib.BaseTestCase):

54	56
55	57	def testInitialize(self):
56	58	"""Tests the __init__ function."""
57		source_type.FileSourceType(paths=[u'test'])
58		source_type.FileSourceType(paths=[u'test'], separator=u'\\')
	59	source_type.FileSourceType(paths=['test'])
	60	source_type.FileSourceType(paths=['test'], separator='\\')
59	61
60	62
61	63	class PathSourceTypeTest(test_lib.BaseTestCase):

63	65
64	66	def testInitialize(self):
65	67	"""Tests the __init__ function."""
66		source_type.PathSourceType(paths=[u'test'])
67		source_type.PathSourceType(paths=[u'test'], separator=u'\\')
	68	source_type.PathSourceType(paths=['test'])
	69	source_type.PathSourceType(paths=['test'], separator='\\')
68	70
69	71
70	72	class WindowsRegistryKeySourceTypeTest(test_lib.BaseTestCase):

72	74
73	75	def testInitialize(self):
74	76	"""Tests the __init__ function."""
75		source_type.WindowsRegistryKeySourceType(keys=[u'HKEY_LOCAL_MACHINE\\test'])
	77	source_type.WindowsRegistryKeySourceType(keys=['HKEY_LOCAL_MACHINE\\test'])
76	78
77	79	with self.assertRaises(errors.FormatError):
78		source_type.WindowsRegistryKeySourceType(keys=u'HKEY_LOCAL_MACHINE\\test')
	80	source_type.WindowsRegistryKeySourceType(keys='HKEY_LOCAL_MACHINE\\test')
79	81
80	82
81	83	class WindowsRegistryValueSourceTypeTest(test_lib.BaseTestCase):

83	85
84	86	def testInitialize(self):
85	87	"""Tests the __init__ function."""
86		key_value_pair = {'key': u'HKEY_LOCAL_MACHINE\\test', 'value': u'test'}
	88	key_value_pair = {'key': 'HKEY_LOCAL_MACHINE\\test', 'value': 'test'}
87	89	source_type.WindowsRegistryValueSourceType(key_value_pairs=[key_value_pair])
88	90
89		key_value_pair = {'bad': u'test', 'value': u'test'}
	91	key_value_pair = {'bad': 'test', 'value': 'test'}
90	92	with self.assertRaises(errors.FormatError):
91	93	source_type.WindowsRegistryValueSourceType(
92	94	key_value_pairs=[key_value_pair])

100	102
101	103	def testInitialize(self):
102	104	"""Tests the __init__ function."""
103		source_type.WMIQuerySourceType(query=u'test')
	105	source_type.WMIQuerySourceType(query='test')
104	106
105	107
106	108	class SourceTypeFactoryTest(test_lib.BaseTestCase):

114	116	source_type.SourceTypeFactory.RegisterSourceTypes([TestSourceType])
115	117
116	118	source_object = source_type.SourceTypeFactory.CreateSourceType(
117		u'test', {u'test': u'test123'})
	119	'test', {'test': 'test123'})
118	120
119	121	self.assertIsNotNone(source_object)
120		self.assertEqual(source_object.test, u'test123')
	122	self.assertEqual(source_object.test, 'test123')
121	123
122	124	with self.assertRaises(errors.FormatError):
123	125	source_object = source_type.SourceTypeFactory.CreateSourceType(
124		u'test', {})
	126	'test', {})
125	127
126	128	with self.assertRaises(errors.FormatError):
127	129	source_object = source_type.SourceTypeFactory.CreateSourceType(
128		u'bogus', {})
	130	'bogus', {})
129	131
130	132	source_type.SourceTypeFactory.DeregisterSourceType(TestSourceType)
131	133

+0

-29

~~tests/style_test.py~~ less more

0		"""Enforce code style."""
1
2		import subprocess
3		import unittest
4
5		from artifacts import errors
6
7		from tests import test_lib
8
9
10		class StyleTest(test_lib.BaseTestCase):
11		"""Enforce code style requirements."""
12
13		@unittest.skip('yapf deployment need to be fixed')
14		def testCodeStyle(self):
15		"""Check yapf style enforcement runs cleanly."""
16		try:
17		subprocess.check_output(
18		['yapf', '--diff', '-r', 'artifacts tools', 'artifacts', 'tests'])
19		except subprocess.CalledProcessError as exception:
20		if hasattr(exception, 'output'):
21		raise errors.CodeStyleError(
22		'Run "yapf -i -r artifacts tools/ artifacts/ tests/" to correct '
23		'these problems: {0}'.format(exception.output))
24		raise
25
26
27		if __name__ == '__main__':
28		unittest.main()

+9

-7

tests/test_lib.py less more

0	0	# -- coding: utf-8 --
1	1	"""Shared functions and classes for testing."""
	2
	3	from __future__ import unicode_literals
2	4
3	5	import os
4	6	import shutil

17	19	function: to invoke.
18	20	"""
19	21	fail_unless_has_test_file = getattr(
20		unittest, u'fail_unless_has_test_file', False)
	22	unittest, 'fail_unless_has_test_file', False)
21	23
22		path = os.path.join(u'test_data', *path_segments)
	24	path = os.path.join('test_data', *path_segments)
23	25	if fail_unless_has_test_file or os.path.exists(path):
24	26	return lambda function: function
25	27
26	28	if sys.version_info[0] < 3:
27		path = path.encode(u'utf-8')
	29	path = path.encode('utf-8')
28	30
29	31	# Note that the message should be of type str which is different for
30	32	# different versions of Python.

42	44	"""
43	45	# Note that we need to pass the individual path segments to os.path.join
44	46	# and not a list.
45		return os.path.join(os.getcwd(), u'test_data', *path_segments)
	47	return os.path.join(os.getcwd(), 'test_data', *path_segments)
46	48
47	49
48	50	class BaseTestCase(unittest.TestCase):
49	51	"""The base test case."""
50	52
51		_DATA_PATH = os.path.join(os.getcwd(), u'data')
52		_TEST_DATA_PATH = os.path.join(os.getcwd(), u'test_data')
	53	_DATA_PATH = os.path.join(os.getcwd(), 'data')
	54	_TEST_DATA_PATH = os.path.join(os.getcwd(), 'test_data')
53	55
54	56	# Show full diff results, part of TestCase so does not follow our naming
55	57	# conventions.

75	77	def __init__(self):
76	78	"""Initializes a temporary directory."""
77	79	super(TempDirectory, self).__init__()
78		self.name = u''
	80	self.name = ''
79	81
80	82	def __enter__(self):
81	83	"""Make this work with the 'with' statement."""

+2

-0

tests/validator_test.py less more

0	0	#!/usr/bin/env python
1	1	# -- coding: utf-8 --
2	2	"""Tests for the artifact definitions validator."""
	3
	4	from __future__ import unicode_literals
3	5
4	6	import glob
5	7	import os

+2

-0

tests/writer_test.py less more

0	0	# -- coding: utf-8 --
1	1	"""Tests for the artifact definitions readers."""
	2
	3	from __future__ import unicode_literals
2	4
3	5	import os
4	6	import unittest

+171

-10

tools/validator.py less more

19	19	"""Artifact definitions validator."""
20	20
21	21	LEGACY_PATH = os.path.join('data', 'legacy.yaml')
	22
	23	_MACOS_PRIVATE_SUB_PATHS = ('etc', 'tftpboot', 'tmp', 'var')
22	24
23	25	def __init__(self):
24	26	"""Initializes an artifact definitions validator."""

48	50	'%%CURRENT_CONTROL_SET%%. Replace %%CURRENT_CONTROL_SET%% with '
49	51	'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet').format(
50	52	artifact_definition.name, filename))
	53
	54	return result
	55
	56	def _CheckMacOSPaths(self, filename, artifact_definition, source, paths):
	57	"""Checks if the paths are valid MacOS paths.
	58
	59	Args:
	60	filename (str): name of the artifacts definition file.
	61	artifact_definition (ArtifactDefinition): artifact definition.
	62	source (SourceType): source definition.
	63	paths (list[str]): paths to validate.
	64
	65	Returns:
	66	bool: True if the MacOS paths is valid.
	67	"""
	68	result = True
	69
	70	paths_with_private = []
	71	paths_with_symbolic_link_to_private = []
	72
	73	for path in paths:
	74	path_lower = path.lower()
	75	path_segments = path_lower.split(source.separator)
	76	if not path_segments:
	77	logging.warning((
	78	'Empty path defined by artifact definition: {0:s} in file: '
	79	'{1:s}').format(artifact_definition.name, filename))
	80	result = False
	81
	82	elif len(path_segments) == 1:
	83	continue
	84
	85	elif path_segments[1] in self._MACOS_PRIVATE_SUB_PATHS:
	86	paths_with_symbolic_link_to_private.append(path)
	87
	88	elif path_segments[1] == 'private' and len(path_segments) >= 2:
	89	if path_segments[2] in self._MACOS_PRIVATE_SUB_PATHS:
	90	paths_with_private.append(path)
	91
	92	else:
	93	logging.warning((
	94	'Unsupported private path: {0:s} defined by artifact definition: '
	95	'{1:s} in file: {2:s}').format(
	96	path, artifact_definition.name, filename))
	97	result = False
	98
	99	for private_path in paths_with_private:
	100	if private_path[8:] not in paths_with_symbolic_link_to_private:
	101	logging.warning((
	102	'Missing symbolic link: {0:s} for path: {1:s} defined by artifact '
	103	'definition: {2:s} in file: {3:s}').format(
	104	private_path[8:], private_path, artifact_definition.name,
	105	filename))
	106	result = False
	107
	108	for path in paths_with_symbolic_link_to_private:
	109	private_path = '/private{0:s}'.format(path)
	110	if private_path not in paths_with_private:
	111	logging.warning((
	112	'Missing path: {0:s} for symbolic link: {1:s} defined by artifact '
	113	'definition: {2:s} in file: {3:s}').format(
	114	private_path, path, artifact_definition.name, filename))
	115	result = False
	116
	117	return result
	118
	119	def _CheckWindowsPath(self, filename, artifact_definition, source, path):
	120	"""Checks if a path is a valid Windows path.
	121
	122	Args:
	123	filename (str): name of the artifacts definition file.
	124	artifact_definition (ArtifactDefinition): artifact definition.
	125	source (SourceType): source definition.
	126	path (str): path to validate.
	127
	128	Returns:
	129	bool: True if the Windows path is valid.
	130	"""
	131	result = True
	132
	133	number_of_forward_slashes = path.count('/')
	134	number_of_backslashes = path.count('\\')
	135	if (number_of_forward_slashes < number_of_backslashes and
	136	source.separator != '\\'):
	137	logging.warning((
	138	'Incorrect path separator: {0:s} in path: {1:s} defined '
	139	'by artifact definition: {2:s} in file: {3:s}').format(
	140	source.separator, path, artifact_definition.name,
	141	filename))
	142	result = False
	143
	144	if source.separator != '\\':
	145	return result
	146
	147	path_lower = path.lower()
	148	path_segments = path_lower.split(source.separator)
	149	if not path_segments:
	150	logging.warning((
	151	'Empty path defined by artifact definition: {0:s} in file: '
	152	'{1:s}').format(artifact_definition.name, filename))
	153	result = False
	154
	155	elif path_segments[0].startswith('%%users.') and path_segments[0] not in (
	156	'%%users.appdata%%', '%%users.homedir%%', '%%users.localappdata%%',
	157	'%%users.temp%%', '%%users.username%%', '%%users.userprofile%%'):
	158	logging.warning((
	159	'Unsupported "{0:s}" in path: {1:s} defined by artifact '
	160	'definition: {2:s} in file: {3:s}').format(
	161	path_segments[0], path, artifact_definition.name, filename))
	162	result = False
	163
	164	elif path_segments[0] == '%%users.homedir%%':
	165	logging.warning((
	166	'Replace "%%users.homedir%%" by "%%users.userprofile%%" in path: '
	167	'{0:s} defined by artifact definition: {1:s} in file: '
	168	'{2:s}').format(path, artifact_definition.name, filename))
	169	result = False
	170
	171	elif path_lower.startswith('%%users.userprofile%%\\appdata\\local\\'):
	172	logging.warning((
	173	'Replace "%%users.userprofile%%\\AppData\\Local" by '
	174	'"%%users.localappdata%%" in path: {0:s} defined by artifact '
	175	'definition: {1:s} in file: {2:s}').format(
	176	path, artifact_definition.name, filename))
	177	result = False
	178
	179	elif path_lower.startswith('%%users.userprofile%%\\appdata\\roaming\\'):
	180	logging.warning((
	181	'Replace "%%users.userprofile%%\\AppData\\Roaming" by '
	182	'"%%users.appdata%%" in path: {0:s} defined by artifact '
	183	'definition: {1:s} in file: {2:s}').format(
	184	path, artifact_definition.name, filename))
	185	result = False
	186
	187	elif path_lower.startswith('%%users.userprofile%%\\application data\\'):
	188	logging.warning((
	189	'Replace "%%users.userprofile%%\\Application Data" by '
	190	'"%%users.appdata%%" in path: {0:s} defined by artifact '
	191	'definition: {1:s} in file: {2:s}').format(
	192	path, artifact_definition.name, filename))
	193	result = False
	194
	195	elif path_lower.startswith(
	196	'%%users.userprofile%%\\local settings\\application data\\'):
	197	logging.warning((
	198	'Replace "%%users.userprofile%%\\Local Settings\\Application Data" '
	199	'by "%%users.localappdata%%" in path: {0:s} defined by artifact '
	200	'definition: {1:s} in file: {2:s}').format(
	201	path, artifact_definition.name, filename))
	202	result = False
51	203
52	204	return result
53	205

103	255	artifact_definition.name, filename))
104	256	result = False
105	257
	258	artifact_definition_supports_macos = (
	259	definitions.SUPPORTED_OS_DARWIN in (
	260	artifact_definition.supported_os))
	261	artifact_definition_supports_windows = (
	262	definitions.SUPPORTED_OS_WINDOWS in (
	263	artifact_definition.supported_os))
	264
106	265	for source in artifact_definition.sources:
107	266	if source.type_indicator in (
108	267	definitions.TYPE_INDICATOR_FILE, definitions.TYPE_INDICATOR_PATH):
109		if definitions.SUPPORTED_OS_WINDOWS in source.supported_os:
	268
	269	if (definitions.SUPPORTED_OS_DARWIN in source.supported_os or (
	270	artifact_definition_supports_macos and
	271	not source.supported_os)):
	272	if not self._CheckMacOSPaths(
	273	filename, artifact_definition, source, source.paths):
	274	result = False
	275
	276	elif (artifact_definition_supports_windows or
	277	definitions.SUPPORTED_OS_WINDOWS in source.supported_os):
110	278	for path in source.paths:
111		number_of_forward_slashes = path.count('/')
112		number_of_backslashes = path.count('\\')
113		if (number_of_forward_slashes < number_of_backslashes and
114		source.separator != '\\'):
115		logging.warning((
116		'Incorrect path separator: {0:s} in path: {1:s} defined '
117		'by artifact definition: {2:s} in file: {3:s}').format(
118		source.separator, path, artifact_definition.name,
119		filename))
	279	if not self._CheckWindowsPath(
	280	filename, artifact_definition, source, path):
120	281	result = False
121	282
122	283	elif source.type_indicator == (

+3

-13

tox.ini less more

5	5	setenv =
6	6	PYTHONPATH = {toxinidir}
7	7	deps =
8		funcsigs ; python_version < '3.0'
9		mock
10		pbr
11		six
12		pytest
13		yapf
14	8	-rrequirements.txt
	9	-rtest_requirements.txt
15	10	commands =
16	11	./run_tests.py
17	12

20	15	setenv =
21	16	PYTHONPATH = {toxinidir}
22	17	deps =
	18	-rrequirements.txt
	19	-rtest_requirements.txt
23	20	coverage
24		funcsigs ; python_version < '3.0'
25		mock
26		pbr
27		six
28		pytest
29		yapf
30		-rrequirements.txt
31	21	commands =
32	22	coverage erase
33	23	coverage run --source=artifacts --omit="_test,__init__,test_lib" run_tests.py