Import upstream version 20210620 Debian Janitor 2 years ago
45 changed file(s) with 1335 addition(s) and 1173 deletion(s). Raw diff Collapse all Expand all
0 # Run tests on Fedora and Ubuntu Docker images using GIFT CORP and GIFT PPA on commit
1 name: test_docker
2 on: [push]
3 jobs:
4 test_fedora:
5 runs-on: ubuntu-latest
6 strategy:
7 matrix:
8 version: ['33', '34']
9 container:
10 image: registry.fedoraproject.org/fedora:${{ matrix.version }}
11 steps:
12 - uses: actions/checkout@v2
13 - name: Set up container
14 run: |
15 dnf install -y dnf-plugins-core langpacks-en
16 - name: Install dependencies
17 run: |
18 dnf copr -y enable @gift/dev
19 dnf install -y python3 python3-mock python3-pbr python3-pyyaml python3-setuptools python3-six
20 - name: Run tests
21 env:
22 LANG: C.utf8
23 run: |
24 python3 ./run_tests.py
25 - name: Run end-to-end tests
26 run: |
27 if test -f tests/end-to-end.py; then PYTHONPATH=. python3 ./tests/end-to-end.py --debug -c config/end-to-end.ini; fi
28 - name: Build source distribution
29 run: |
30 python3 ./setup.py sdist
31 - name: Build binary distribution
32 run: |
33 python3 ./setup.py bdist
34 - name: Run build and install test
35 run: |
36 python3 ./setup.py build
37 python3 ./setup.py install
38 test_ubuntu:
39 runs-on: ubuntu-latest
40 strategy:
41 matrix:
42 version: ['18.04', '20.04']
43 container:
44 image: ubuntu:${{ matrix.version }}
45 steps:
46 - uses: actions/checkout@v2
47 - name: Set up container
48 env:
49 DEBIAN_FRONTEND: noninteractive
50 run: |
51 apt-get update -q
52 apt-get install -y libterm-readline-gnu-perl locales software-properties-common
53 locale-gen en_US.UTF-8
54 ln -f -s /usr/share/zoneinfo/UTC /etc/localtime
55 - name: Install dependencies
56 run: |
57 add-apt-repository -y ppa:gift/dev
58 apt-get update -q
59 apt-get install -y python3 python3-distutils python3-mock python3-pbr python3-setuptools python3-six python3-yaml
60 - name: Run tests
61 env:
62 LANG: en_US.UTF-8
63 run: |
64 python3 ./run_tests.py
65 - name: Run end-to-end tests
66 env:
67 LANG: en_US.UTF-8
68 run: |
69 if test -f tests/end-to-end.py; then PYTHONPATH=. python3 ./tests/end-to-end.py --debug -c config/end-to-end.ini; fi
70 - name: Build source distribution
71 run: |
72 python3 ./setup.py sdist
73 - name: Build binary distribution
74 run: |
75 python3 ./setup.py bdist
76 - name: Run build and install test
77 run: |
78 python3 ./setup.py build
79 python3 ./setup.py install
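Review bot: `actions/checkout@v2` on line 12 (again on line 46, and on line 32 of test_tox) references the third-party action by a mutable tag, so what this workflow executes can change if that tag is moved, with no commit in this repository to review. Pin it to the full commit SHA of the intended release and keep the version as a trailing comment, `- uses: actions/checkout@<FULL_COMMIT_SHA>  # v2`, which update tooling can still track. The dev-track package sources enabled on lines 18 and 57 (`dnf copr -y enable @gift/dev`, `ppa:gift/dev`) are pulled into every run; whether a test job should follow the dev track is a maintainer decision, but a comment at the top of each job stating why would help the next reader.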
0 # Run tox tests on Ubuntu Docker images using GIFT PPA
1 name: test_tox
2 on:
3 pull_request:
4 branches:
5 - main
6 push:
7 branches:
8 - main
9 jobs:
10 build:
11 runs-on: ubuntu-latest
12 strategy:
13 matrix:
14 include:
15 - python-version: '3.6'
16 toxenv: 'py36'
17 - python-version: '3.7'
18 toxenv: 'py37'
19 - python-version: '3.8'
20 toxenv: 'py38,coverage,codecov'
21 - python-version: '3.9'
22 toxenv: 'py39'
23 - python-version: '3.10'
24 toxenv: 'py310'
25 - python-version: '3.8'
26 toxenv: 'pylint'
27 - python-version: '3.8'
28 toxenv: 'docs'
29 container:
30 image: ubuntu:20.04
31 steps:
32 - uses: actions/checkout@v2
33 - name: Set up container
34 env:
35 DEBIAN_FRONTEND: noninteractive
36 run: |
37 apt-get update -q
38 apt-get install -y libterm-readline-gnu-perl locales software-properties-common
39 locale-gen en_US.UTF-8
40 ln -f -s /usr/share/zoneinfo/UTC /etc/localtime
41 - name: Install dependencies
42 env:
43 DEBIAN_FRONTEND: noninteractive
44 run: |
45 add-apt-repository -y universe
46 add-apt-repository -y ppa:deadsnakes/ppa
47 add-apt-repository -y ppa:gift/dev
48 apt-get update -q
49 apt-get install -y build-essential git libffi-dev python${{ matrix.python-version }} python${{ matrix.python-version }}-dev python${{ matrix.python-version }}-venv python3-distutils python3-mock python3-pbr python3-pip python3-setuptools python3-six python3-yaml
50 - name: Install tox
51 run: |
52 python3 -m pip install tox
53 - name: Run tests
54 env:
55 LANG: en_US.UTF-8
56 run: |
57 tox -e${{ matrix.toxenv }}
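Review bot: `python3 -m pip install tox` on line 52 installs whatever tox version PyPI serves on the day the job runs, so the `pylint` and `docs` environments can change behaviour or break with no change in this repository, while the interpreter itself is carefully pinned per matrix entry. Pin it too, `python3 -m pip install 'tox==<PINNED_VERSION>'`, or install from a requirements file with `--require-hashes`. The `toxenv: 'py38,coverage,codecov'` entry on line 20 presumably uploads coverage; on `pull_request` runs from forks no repository secret is available, so it is worth confirming that environment tolerates a missing token instead of failing the job.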
0 # Pylint 2.4.x configuration file
0 # Pylint 2.6.x configuration file
11 #
22 # This file is generated by l2tdevtools update-dependencies.py, any dependency
33 # related changes should be made in dependencies.ini.
88 # run arbitrary code.
99 extension-pkg-whitelist=
1010
11 # Specify a score threshold to be exceeded before program exits with error.
12 fail-under=10.0
13
1114 # Add files or directories to the blacklist. They should be base names, not
1215 # paths.
1316 ignore=CVS
3538
3639 # Pickle collected data for later comparisons.
3740 persistent=yes
38
39 # Specify a configuration file.
40 #rcfile=
4141
4242 # When enabled, pylint would attempt to guess common misconfiguration and emit
4343 # user-friendly hints instead of false-positive error messages.
7878 no-absolute-import,
7979 no-self-use,
8080 parameter-unpacking,
81 raise-missing-from,
8182 raw-checker-failed,
83 super-with-arguments,
8284 suppressed-message,
8385 too-few-public-methods,
8486 too-many-ancestors,
99101 # either give multiple identifier separated by comma (,) or put this option
100102 # multiple time (only on the command line, not in the configuration file where
101103 # it should appear only once). See also the "--disable" option for examples.
102 # enable=c-extension-no-member
103104 enable=
104105
105106
125126 reports=no
126127
127128 # Activate the evaluation score.
128 # score=yes
129129 score=no
130130
131131
228228
229229 [LOGGING]
230230
231 # Format style used to check logging format string. `old` means using %
232 # formatting, `new` is for `{}` formatting,and `fstr` is for f-strings.
231 # The type of string formatting that logging methods do. `old` means using %
232 # formatting, `new` is for `{}` formatting.
233233 logging-format-style=old
234234
235235 # Logging modules to check that the string format arguments are in logging
244244
245245 # Regular expression matching correct argument names. Overrides argument-
246246 # naming-style.
247 #argument-rgx=
248247 argument-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$
249248
250249 # Naming style matching correct attribute names.
252251
253252 # Regular expression matching correct attribute names. Overrides attr-naming-
254253 # style.
255 #attr-rgx=
256254 attr-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$
257255
258256 # Bad variable names which should always be refused, separated by a comma.
263261 tutu,
264262 tata
265263
264 # Bad variable names regexes, separated by a comma. If names match any regex,
265 # they will always be refused
266 bad-names-rgxs=
267
266268 # Naming style matching correct class attribute names.
267269 class-attribute-naming-style=any
268270
269271 # Regular expression matching correct class attribute names. Overrides class-
270272 # attribute-naming-style.
271 #class-attribute-rgx=
272273 class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]*|(__.*__))$
273274
274275 # Naming style matching correct class names.
276277
277278 # Regular expression matching correct class names. Overrides class-naming-
278279 # style.
279 #class-rgx=
280280 class-rgx=[A-Z_][a-zA-Z0-9]+$
281281
282282 # Naming style matching correct constant names.
284284
285285 # Regular expression matching correct constant names. Overrides const-naming-
286286 # style.
287 #const-rgx=
288287 const-rgx=(([a-zA-Z_][a-zA-Z0-9_]*)|(__.*__))$
289288
290289 # Minimum line length for functions/classes that require docstrings, shorter
296295
297296 # Regular expression matching correct function names. Overrides function-
298297 # naming-style.
299 #function-rgx=
300298 function-rgx=[A-Z_][a-zA-Z0-9_]*$
301299
302300 # Good variable names which should always be accepted, separated by a comma.
307305 Run,
308306 _
309307
308 # Good variable names regexes, separated by a comma. If names match any regex,
309 # they will always be accepted
310 good-names-rgxs=
311
310312 # Include a hint for the correct naming format with invalid-name.
311313 include-naming-hint=no
312314
315317
316318 # Regular expression matching correct inline iteration names. Overrides
317319 # inlinevar-naming-style.
318 #inlinevar-rgx=
319320 inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$
320321
321322 # Naming style matching correct method names.
323324
324325 # Regular expression matching correct method names. Overrides method-naming-
325326 # style.
326 #method-rgx=
327327 method-rgx=(test|[A-Z_])[a-zA-Z0-9_]*$
328328
329329 # Naming style matching correct module names.
331331
332332 # Regular expression matching correct module names. Overrides module-naming-
333333 # style.
334 #module-rgx=
335334 module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
336335
337336 # Colon-delimited sets of names that determine each other's naming style when
352351
353352 # Regular expression matching correct variable names. Overrides variable-
354353 # naming-style.
355 #variable-rgx=
356354 variable-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$
357355
358356
363361 XXX,
364362 TODO
365363
364 # Regular expression of note tags to take in consideration.
365 #notes-rgx=
366
366367
367368 [FORMAT]
368369
377378
378379 # String used as indentation unit. This is usually " " (4 spaces) or "\t" (1
379380 # tab).
380 # indent-string=' '
381381 indent-string=' '
382382
383383 # Maximum number of characters on a single line.
384 # max-line-length=100
385384 max-line-length=80
386385
387386 # Maximum number of lines in a module.
388387 max-module-lines=1000
389
390 # List of optional constructs for which whitespace checking is disabled. `dict-
391 # separator` is used to allow tabulation in dicts, etc.: {1 : 1,\n222: 2}.
392 # `trailing-comma` allows a space between comma and closing bracket: (a, ).
393 # `empty-line` allows space-only lines.
394 no-space-check=trailing-comma,
395 dict-separator
396388
397389 # Allow the body of a class to be on the same line as the declaration if body
398390 # contains single statement.
408400 # Limits count of emitted suggestions for spelling mistakes.
409401 max-spelling-suggestions=4
410402
411 # Spelling dictionary name. Available dictionaries: en_NA (myspell), en_NZ
412 # (myspell), en_ZM (myspell), en_CA (myspell), en_GH (myspell), en_IN
413 # (myspell), en_TT (myspell), en_BS (myspell), en_DK (myspell), en_MW
414 # (myspell), en_ZW (myspell), en_BW (myspell), en_ZA (myspell), en_BZ
415 # (myspell), en_JM (myspell), en_US (myspell), en_PH (myspell), en_GB
416 # (myspell), en_SG (myspell), en_IE (myspell), en_HK (myspell), en_AU
417 # (myspell), en_AG (myspell), en_NG (myspell).
403 # Spelling dictionary name. Available dictionaries: en_AG (hunspell), en_AU
404 # (hunspell), en_BS (hunspell), en_BW (hunspell), en_BZ (hunspell), en_CA
405 # (hunspell), en_DK (hunspell), en_GB (hunspell), en_GH (hunspell), en_HK
406 # (hunspell), en_IE (hunspell), en_IN (hunspell), en_JM (hunspell), en_MW
407 # (hunspell), en_NA (hunspell), en_NG (hunspell), en_NZ (hunspell), en_PH
408 # (hunspell), en_SG (hunspell), en_TT (hunspell), en_US (hunspell), en_ZA
409 # (hunspell), en_ZM (hunspell), en_ZW (hunspell).
418410 spelling-dict=
419411
420412 # List of comma separated words that should not be checked.
445437
446438 [STRING]
447439
448 # This flag controls whether the implicit-str-concat-in-sequence should
449 # generate a warning on implicit string concatenation in sequences defined over
450 # several lines.
440 # This flag controls whether inconsistent-quotes generates a warning when the
441 # character used as a quote delimiter is used inconsistently within a module.
442 check-quote-consistency=no
443
444 # This flag controls whether the implicit-str-concat should generate a warning
445 # on implicit string concatenation in sequences defined over several lines.
451446 check-str-concat-over-line-jumps=no
452447
453448
454449 [DESIGN]
455450
456451 # Maximum number of arguments for function / method.
457 # max-args=5
458452 max-args=10
459453
460454 # Maximum number of attributes for a class (see R0902).
548542 preferred-modules=
549543
550544
545 [PARAMETER_DOCUMENTATION]
546
547 # Whether to accept totally missing parameter documentation in the docstring of
548 # a function that has parameters.
549 accept-no-param-doc=yes
550
551 # Whether to accept totally missing raises documentation in the docstring of a
552 # function that raises an exception.
553 accept-no-raise-doc=yes
554
555 # Whether to accept totally missing return documentation in the docstring of a
556 # function that returns a statement.
557 accept-no-return-doc=yes
558
559 # Whether to accept totally missing yields documentation in the docstring of a
560 # generator.
561 accept-no-yields-doc=yes
562
563 # If the docstring type cannot be guessed the specified docstring type will be
564 # used.
565 default-docstring-type=default
566
567
551568 [EXCEPTIONS]
552569
553570 # Exceptions that will emit a warning when being caught. Defaults to
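--- a/.travis.yml
+++ b/.travis.yml
@@ -1,115 +0,0 @@
-version: ~> 1.0
-language: generic
-arch: amd64
-os: linux
-dist: focal
-jobs:
-include:
-- name: "Fedora 31 (Docker) with Python 3.7"
-env: FEDORA_VERSION="31"
-group: edge
-language: python
-python: 3.7
-services:
-- docker
-- name: "Fedora 32 (Docker) with Python 3.8"
-env: FEDORA_VERSION="32"
-group: edge
-language: python
-python: 3.8
-services:
-- docker
-- name: "Fedora 33 (Docker) with Python 3.9"
-env: FEDORA_VERSION="33"
-group: edge
-language: python
-python: 3.9
-services:
-- docker
-- name: "Ubuntu Bionic (18.04) (Docker) with Python 3.6 (amd64)"
-env: UBUNTU_VERSION="18.04"
-group: edge
-language: python
-python: 3.6
-services:
-- docker
-- name: "Ubuntu Bionic (18.04) (Docker) with Python 3.6 (ppc64le)"
-env: UBUNTU_VERSION="18.04"
-arch: ppc64le
-group: edge
-language: python
-python: 3.6
-services:
-- docker
-- name: "Ubuntu Focal (20.04) (Docker) with Python 3.8 (amd64)"
-env: UBUNTU_VERSION="20.04"
-group: edge
-language: python
-python: 3.8
-services:
-- docker
-- name: "Ubuntu Focal (20.04) (Docker) with Python 3.8 (ppc64le)"
-env: UBUNTU_VERSION="20.04"
-arch: ppc64le
-group: edge
-language: python
-python: 3.8
-services:
-- docker
-- name: "Ubuntu Focal (20.04) (Docker) with Python 3.6 (tox)"
-env:
-- TOXENV="py36"
-- UBUNTU_VERSION="20.04"
-group: edge
-language: python
-python: 3.6
-services:
-- docker
-- name: "Ubuntu Focal (20.04) (Docker) with Python 3.7 (tox)"
-env:
-- TOXENV="py37"
-- UBUNTU_VERSION="20.04"
-group: edge
-language: python
-python: 3.7
-services:
-- docker
-- name: "Ubuntu Focal (20.04) (Docker) with Python 3.8 (tox)"
-env:
-- TOXENV="py38,coverage,codecov"
-- UBUNTU_VERSION="20.04"
-group: edge
-language: python
-python: 3.8
-services:
-- docker
-- name: "Ubuntu Focal (20.04) (Docker) with Python 3.9 (tox)"
-env:
-- TOXENV="py39"
-- UBUNTU_VERSION="20.04"
-group: edge
-language: python
-python: 3.9
-services:
-- docker
-- name: "Pylint on Ubuntu Focal (20.04) (Docker) with Python 3.8 (tox)"
-env:
-- TOXENV="pylint"
-- UBUNTU_VERSION="20.04"
-group: edge
-language: python
-python: 3.8
-services:
-- docker
-- name: "MacOS 10.14 with Python 3.8 (tox)"
-env: TOXENV="py38"
-os: osx
-osx_image: xcode11
-- name: "MacOS 10.15 with Python 3.8 (tox)"
-env: TOXENV="py38"
-os: osx
-osx_image: xcode12
-install:
-- ./config/travis/install.sh
-script:
-- ./config/travis/run_with_timeout.sh 45 ./config/travis/runtests.sh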
0 Digital Forensics Artifact Repository
0 Digital Forensics Artifacts Repository
11
22 A free, community-sourced, machine-readable knowledge base of digital forensic
33 artifacts that the world can use both as an information source and within other
44 tools.
55
6 For more information see: https://github.com/ForensicArtifacts/artifacts
6 For more information see:
77
8 * Project documentation: https://artifacts.readthedocs.io/en/latest
9
0 ## Digital Forensics Artifact Repository
0 ## Digital Forensics Artifacts Repository
11
22 A free, community-sourced, machine-readable knowledge base of digital forensic
33 artifacts that the world can use both as an information source and within other
88 this project is just used to validate all the artifacts to make sure they
99 follow the specification.
1010
11 ### Project status
11 For more information see:
1212
13 [Travis-CI](https://travis-ci.com/) | [AppVeyor](https://ci.appveyor.com) | [Codecov](https://codecov.io/)
14 --- | --- | ---
15 [![Build Status](https://travis-ci.com/ForensicArtifacts/artifacts.svg?branch=master)](https://travis-ci.com/ForensicArtifacts/artifacts) | [![Build status](https://ci.appveyor.com/api/projects/status/7gv9fwr269527cj1?svg=true)](https://ci.appveyor.com/project/forensicartifacts/artifacts) | [![codecov](https://codecov.io/gh/ForensicArtifacts/artifacts/branch/master/graph/badge.svg)](https://codecov.io/gh/ForensicArtifacts/artifacts)
16
17 ## Artifact Definitions
18
19 The artifact definitions can be found in the [data directory](https://github.com/ForensicArtifacts/artifacts/tree/master/data)
20 and the format is described in detail in the [Style Guide](https://github.com/ForensicArtifacts/artifacts/blob/master/docs/Artifacts%20definition%20format%20and%20style%20guide.asciidoc).
21
22 As of 2019-06-10 the repository contains:
23
24 | **File paths covered** | **1013** |
25 | :------------------ | ------: |
26 | **Registry keys covered** | **635** |
27 | **Total artifacts** | **525** |
28
29 **Artifacts by type**
30
31 | ARTIFACT_GROUP | COMMAND | DIRECTORY | FILE | PATH | REGISTRY_KEY | REGISTRY_VALUE | WMI |
32 | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
33 | 21 | 9 | 14 | 283 | 8 | 50 | 114 | 26 |
34
35 **Artifacts by OS**
36
37 | Darwin | Linux | Windows |
38 | :---: | :---: | :---: |
39 | 33 | 25 | 23 |
40
41 **Artifacts by label**
42
43 | Antivirus | Authentication | Browser | Cloud | Cloud Storage | Configuration Files | Docker | External Media | ExternalAccount | Hadoop | History Files | Logs | Mail | Network | Software | System | Users | iOS |
44 | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
45 | 6 | 18 | 21 | 2 | 4 | 41 | 2 | 2 | 3 | 1 | 3 | 46 | 15 | 15 | 43 | 104 | 68 | 5 |
46
47 ## Background/History
48
49 The [ForensicArtifacts.com](http://forensicartifacts.com/) artifact repository
50 was forked from the [GRR project](https://github.com/google/grr) artifact
51 collection into a stand-alone repository that is not tool-specific. The GRR
52 developers have migrated to using this repository and make contributions here. In
53 addition the ForensicArtifact team will begin backfilling artifacts in the new
54 format from the [ForensicArtifacts.com](http://forensicartifacts.com/) website.
55
56 For some background on the artifacts system and how we expect it to be used see
57 [this blackhat presentation](https://www.blackhat.com/us-14/archives.html#grr-find-all-the-badness-collect-all-the-things)
58 and [youtube video](https://www.youtube.com/watch?v=ren6QSvwFvg) from the GRR team.
13 * Project documentation: https://artifacts.readthedocs.io/en/latest
5914
6015 ## Contributing
6116
6217 Please send us your contribution! See [the developers guide](https://github.com/ForensicArtifacts/artifacts/wiki/Developers-guide) for instructions.
63
64 ## External links
65
66 * [GRR Artifacts](https://www.blackhat.com/docs/us-14/materials/us-14-Castle-GRR-Find-All-The-Badness-Collect-All-The-Things-WP.pdf), by Greg Castle, Blackhat 2014
6718
6819 ## Contact
6920
00 environment:
11 matrix:
2 - TARGET: unittests
2 - DESCRIPTION: "Windows with 32-bit Python 3.9"
33 MACHINE_TYPE: "x86"
4 PYTHON: "C:\\Python38"
5 PYTHON_VERSION: "3.8"
4 APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019
5 PYTHON: "C:\\Python39"
6 PYTHON_VERSION: "3.9"
67 L2TBINARIES_TRACK: "dev"
7 - TARGET: unittests
8 - DESCRIPTION: "Windows with 64-bit Python 3.9"
89 MACHINE_TYPE: "amd64"
9 PYTHON: "C:\\Python38-x64"
10 PYTHON_VERSION: "3.8"
10 APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019
11 PYTHON: "C:\\Python39-x64"
12 PYTHON_VERSION: "3.9"
1113 L2TBINARIES_TRACK: "dev"
14 - DESCRIPTION: "Mac OS with Python 3.9"
15 APPVEYOR_BUILD_WORKER_IMAGE: macos
16 HOMEBREW_NO_INSTALL_CLEANUP: 1
1217
1318 install:
14 - cmd: '"C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\SetEnv.cmd" /x86 /release'
1519 - cmd: "%PYTHON%\\python.exe -m pip install -U pip setuptools wheel"
1620 - cmd: "%PYTHON%\\python.exe -m pip install pywin32 WMI"
1721 - cmd: "%PYTHON%\\python.exe %PYTHON%\\Scripts\\pywin32_postinstall.py -install"
18 - cmd: git clone https://github.com/log2timeline/l2tdevtools.git ..\l2tdevtools
19 - cmd: IF [%PYTHON_VERSION%]==[3.8] (
20 mkdir dependencies &&
21 set PYTHONPATH=..\l2tdevtools &&
22 "%PYTHON%\\python.exe" ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type %MACHINE_TYPE% --msi-targetdir "%PYTHON%" --track "%L2TBINARIES_TRACK%" PyYAML mock pbr six )
22 - ps: If ($isWindows) { .\config\appveyor\install.ps1 }
23 - sh: config/appveyor/install.sh
2324
24 build: off
25 build_script:
26 - cmd: "%PYTHON%\\python.exe setup.py bdist_msi bdist_wheel"
2527
2628 test_script:
27 - cmd: IF [%TARGET%]==[unittests] (
28 "%PYTHON%\\python.exe" run_tests.py &&
29 IF EXIST "tests\\end-to-end.py" (
30 set PYTHONPATH=. &&
31 "%PYTHON%\\python.exe" "tests\\end-to-end.py" --debug -c "config\\end-to-end.ini" ) )
29 - cmd: "%PYTHON%\\python.exe run_tests.py"
30 - cmd: IF EXIST "tests\\end-to-end.py" (
31 set PYTHONPATH=. &&
32 "%PYTHON%\\python.exe" "tests\\end-to-end.py" --debug -c "config\\end-to-end.ini" )
33 - sh: config/appveyor/runtests.sh
34
35 artifacts:
36 - path: dist\*.whl
00 # -*- coding: utf-8 -*-
11 """ForensicArtifacts.com Artifact Repository."""
22
3 __version__ = '20201106'
3 __version__ = '20210620'
00 [project]
11 name: artifacts
22 status: alpha
3 name_description: ForensicArtifacts.com Artifact Repository
3 name_description: Digital Forensics Artifacts Repository
44 maintainer: Forensic artifacts <forensicartifacts@googlegroups.com>
55 homepage_url: https://github.com/ForensicArtifacts/artifacts
66 git_url: https://github.com/ForensicArtifacts/artifacts.git
0 # Script to set up tests on AppVeyor Windows.
1
2 $Dependencies = "PyYAML mock pbr six"
3 $Dependencies = ${Dependencies} -split " "
4
5 $Output = Invoke-Expression -Command "git clone https://github.com/log2timeline/l2tdevtools.git ..\l2tdevtools 2>&1"
6 Write-Host (${Output} | Out-String)
7
8 If ($env:APPVEYOR_REPO_BRANCH -eq "main")
9 {
10 $Track = "stable"
11 }
12 Else
13 {
14 $Track = $env:APPVEYOR_REPO_BRANCH
15 }
16 New-Item -ItemType "directory" -Name "dependencies"
17
18 $env:PYTHONPATH = "..\l2tdevtools"
19
20 $Output = Invoke-Expression -Command "& '${env:PYTHON}\python.exe' ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type ${env:MACHINE_TYPE} --msi-targetdir ${env:PYTHON} --track ${env:L2TBINARIES_TRACK} ${Dependencies} 2>&1"
21 Write-Host (${Output} | Out-String)
22
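Review bot: `$Track` computed on lines 8–15 is never used; the `update.py` call on line 20 passes `--track ${env:L2TBINARIES_TRACK}` instead, so the main-branch-to-stable mapping has no effect. Either change line 20 to `--track ${Track}` or delete the unused block, depending on whether the appveyor matrix value (`L2TBINARIES_TRACK: "dev"`) is meant to win. Line 5 clones l2tdevtools at whatever its default branch currently is and then executes `tools\update.py` out of that clone, which makes every build depend on an unpinned external repository; pinning the clone, `git clone --branch <TAG> https://github.com/log2timeline/l2tdevtools.git ..\l2tdevtools`, keeps the build reproducible and bounds what a change in that repository can do here. Invoking both commands with the call operator `&` rather than `Invoke-Expression` would also avoid re-parsing the interpolated paths as PowerShell.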
0 # Script to set up tests on AppVeyor MacOS.
1
2 set -e
3
4 brew update
5 brew install tox || true
6
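Review bot: `brew install tox || true` on line 5 hides an install failure and the file gives no reason for tolerating it; the deleted config/travis/install.sh carried that rationale (brew may exit 1 with diagnostics even though the package is installed), so it should come across as a comment above line 5. Because `set -e` is in effect, follow the install with an explicit check, `command -v tox >/dev/null || exit 1`, so a genuinely missing tox fails here rather than later in runtests.sh. The file also lacks a shebang, unlike its sibling runtests.sh; `#!/bin/sh` as line 0 makes the intended interpreter explicit.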
0 #!/bin/sh
1 # Script to run tests
2
3 # Set the following environment variables to build pycrypto and yara-python.
4 export CFLAGS="-I/usr/local/include -I/usr/local/opt/openssl@1.1/include ${CFLAGS}";
5 export LDFLAGS="-L/usr/local/lib -L/usr/local/opt/openssl@1.1/lib ${LDFLAGS}";
6 export TOX_TESTENV_PASSENV="CFLAGS LDFLAGS";
7
8 # Set the following environment variables to ensure tox can find Python 3.9.
9 export PATH="/usr/local/opt/python@3.9/bin:${PATH}";
10
11 tox -e py39
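Review bot: The comment on line 3 says the CFLAGS/LDFLAGS exports exist to build pycrypto and yara-python, but neither is among this project's dependencies anywhere in this commit (the workflows and debian/control install only python3-yaml, mock, pbr, setuptools and six), and the identical comment sits in the deleted config/travis/runtests.sh, so it looks inherited from a template. Either reword it to `# Set the following environment variables for dependencies that need OpenSSL headers.` or drop the three exports if nothing here needs them. `tox -e py39` on line 11 and `PATH` on line 9 hard-code the interpreter version while the matching appveyor macOS entry only states it in `DESCRIPTION`; a single env entry on that matrix job that this script reads would keep the two in step.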
0 artifacts (20201106-1) unstable; urgency=low
0 artifacts (20210620-1) unstable; urgency=low
11
22 * Auto-generated
33
4 -- Forensic artifacts <forensicartifacts@googlegroups.com> Fri, 06 Nov 2020 05:50:46 +0100
4 -- Forensic artifacts <forensicartifacts@googlegroups.com> Sun, 20 Jun 2021 12:39:00 +0200
99 Package: artifacts-data
1010 Architecture: all
1111 Depends: ${misc:Depends}
12 Description: Data files for ForensicArtifacts.com Artifact Repository
12 Description: Data files for Digital Forensics Artifacts Repository
1313 A free, community-sourced, machine-readable knowledge base of forensic
1414 artifacts that the world can use both as an information source and within other tools.
1515
1616 Package: python3-artifacts
1717 Architecture: all
1818 Depends: artifacts-data (>= ${binary:Version}), python3-yaml (>= 3.10), ${python3:Depends}, ${misc:Depends}
19 Description: Python 3 module of ForensicArtifacts.com Artifact Repository
19 Description: Python 3 module of Digital Forensics Artifacts Repository
2020 A free, community-sourced, machine-readable knowledge base of forensic
2121 artifacts that the world can use both as an information source and within other tools.
2222
2323 Package: artifacts-tools
2424 Architecture: all
2525 Depends: python3-artifacts (>= ${binary:Version}), ${python3:Depends}, ${misc:Depends}
26 Description: Tools of ForensicArtifacts.com Artifact Repository
26 Description: Tools of Digital Forensics Artifacts Repository
2727 A free, community-sourced, machine-readable knowledge base of forensic
2828 artifacts that the world can use both as an information source and within other tools.
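--- a/config/travis/install.sh
+++ b/config/travis/install.sh
@@ -1,91 +0,0 @@
-#!/bin/bash
-#
-# Script to set up Travis-CI test VM.
-#
-# This file is generated by l2tdevtools update-dependencies.py any dependency
-# related changes should be made in dependencies.ini.
-
-DPKG_PYTHON3_DEPENDENCIES="python3-yaml";
-
-DPKG_PYTHON3_TEST_DEPENDENCIES="python3-coverage python3-distutils python3-mock python3-pbr python3-setuptools python3-six";
-
-RPM_PYTHON3_DEPENDENCIES="python3-pyyaml";
-
-RPM_PYTHON3_TEST_DEPENDENCIES="python3-mock python3-pbr python3-setuptools python3-six";
-
-# Exit on error.
-set -e;
-
-if test -n "${FEDORA_VERSION}";
-then
-CONTAINER_NAME="fedora${FEDORA_VERSION}";
-
-docker pull registry.fedoraproject.org/fedora:${FEDORA_VERSION};
-
-docker run --name=${CONTAINER_NAME} --detach -i registry.fedoraproject.org/fedora:${FEDORA_VERSION};
-
-# Install dnf-plugins-core and langpacks-en.
-docker exec ${CONTAINER_NAME} dnf install -y dnf-plugins-core langpacks-en;
-
-# Add additional dnf repositories.
-docker exec ${CONTAINER_NAME} dnf copr -y enable @gift/dev;
-
-if test -n "${TOXENV}";
-then
-RPM_PACKAGES="python3-tox";
-
-else
-RPM_PACKAGES="python3 ${RPM_PYTHON3_DEPENDENCIES} ${RPM_PYTHON3_TEST_DEPENDENCIES}";
-fi
-docker exec ${CONTAINER_NAME} dnf install -y ${RPM_PACKAGES};
-
-docker cp ../artifacts ${CONTAINER_NAME}:/
-
-elif test -n "${UBUNTU_VERSION}";
-then
-CONTAINER_NAME="ubuntu${UBUNTU_VERSION}";
-
-docker pull ubuntu:${UBUNTU_VERSION};
-
-docker run --name=${CONTAINER_NAME} --detach -i ubuntu:${UBUNTU_VERSION};
-
-# Install add-apt-repository and locale-gen.
-docker exec -e "DEBIAN_FRONTEND=noninteractive" ${CONTAINER_NAME} sh -c "apt-get update -q";
-docker exec -e "DEBIAN_FRONTEND=noninteractive" ${CONTAINER_NAME} sh -c "apt-get install -y locales software-properties-common";
-
-# Add additional apt repositories.
-if test -n "${TOXENV}";
-then
-docker exec ${CONTAINER_NAME} add-apt-repository universe;
-docker exec ${CONTAINER_NAME} add-apt-repository ppa:deadsnakes/ppa -y;
-fi
-docker exec ${CONTAINER_NAME} add-apt-repository ppa:gift/dev -y;
-
-docker exec -e "DEBIAN_FRONTEND=noninteractive" ${CONTAINER_NAME} sh -c "apt-get update -q";
-
-# Set locale to US English and UTF-8.
-docker exec ${CONTAINER_NAME} locale-gen en_US.UTF-8;
-
-# Install packages.
-if test -n "${TOXENV}";
-then
-DPKG_PACKAGES="build-essential curl git python${TRAVIS_PYTHON_VERSION} python${TRAVIS_PYTHON_VERSION}-dev tox";
-
-elif test "${TARGET}" = "jenkins3";
-then
-DPKG_PACKAGES="sudo";
-else
-DPKG_PACKAGES="python3 ${DPKG_PYTHON3_DEPENDENCIES} ${DPKG_PYTHON3_TEST_DEPENDENCIES}";
-fi
-docker exec -e "DEBIAN_FRONTEND=noninteractive" ${CONTAINER_NAME} sh -c "apt-get install -y ${DPKG_PACKAGES}";
-
-docker cp ../artifacts ${CONTAINER_NAME}:/
-
-elif test ${TRAVIS_OS_NAME} = "osx";
-then
-brew update;
-
-# Brew will exit with 1 and print some diagnostic information
-# to prevent the CI test from failing || true is added.
-brew install tox || true;
-fi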
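--- a/config/travis/run_python2.sh
+++ b/config/travis/run_python2.sh
@@ -1,24 +0,0 @@
-#!/bin/bash
-#
-# Script to run Python 2 tests on Travis-CI.
-#
-# This file is generated by l2tdevtools update-dependencies.py, any dependency
-# related changes should be made in dependencies.ini.
-
-# Exit on error.
-set -e;
-
-python2 ./run_tests.py
-
-if test -f tests/end-to-end.py;
-then
-PYTHONPATH=. python2 ./tests/end-to-end.py --debug -c config/end-to-end.ini;
-fi
-
-python2 ./setup.py build
-
-python2 ./setup.py sdist
-
-python2 ./setup.py bdist
-
-python2 ./setup.py install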
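--- a/config/travis/run_python3.sh
+++ b/config/travis/run_python3.sh
@@ -1,24 +0,0 @@
-#!/bin/bash
-#
-# Script to run Python 3 tests on Travis-CI.
-#
-# This file is generated by l2tdevtools update-dependencies.py, any dependency
-# related changes should be made in dependencies.ini.
-
-# Exit on error.
-set -e;
-
-python3 ./run_tests.py
-
-if test -f tests/end-to-end.py;
-then
-PYTHONPATH=. python3 ./tests/end-to-end.py --debug -c config/end-to-end.ini;
-fi
-
-python3 ./setup.py build
-
-python3 ./setup.py sdist
-
-python3 ./setup.py bdist
-
-python3 ./setup.py install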
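--- a/config/travis/run_with_timeout.sh
+++ b/config/travis/run_with_timeout.sh
@@ -1,47 +0,0 @@
-#!/bin/bash
-#
-# Script to run commands on a Travis-CI test VM that otherwise would time out
-# after 10 minutes. This replaces travis_wait and outputs stdout of the command
-# running.
-#
-# This file is generated by l2tdevtools update-dependencies.py, any dependency
-# related changes should be made in dependencies.ini.
-
-# Exit on error.
-set -e
-
-# Usage: ./run_with_timeout.sh [TIMEOUT] [COMMAND] [OPTION] [...]
-
-TIMEOUT=$1;
-shift
-
-# Launch a command in the background.
-$* &
-
-PID_COMMAND=$!;
-
-# Probe the command every minute.
-MINUTES=0;
-
-while kill -0 ${PID_COMMAND} >/dev/null 2>&1;
-do
-# Print to stdout, seeing this prints a space and a backspace
-# there is no visible trace.
-echo -n -e " \b";
-
-if test ${MINUTES} -ge ${TIMEOUT};
-then
-kill -9 ${PID_COMMAND} >/dev/null 2>&1;
-
-echo -e "\033[0;31m[ERROR] command: $* timed out after: ${MINUTES} minute(s).\033[0m";
-
-exit 1;
-fi
-MINUTES=$(( ${MINUTES} + 1 ));
-
-sleep 60;
-done
-
-wait ${PID_COMMAND};
-
-exit $?;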
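--- a/config/travis/runtests.sh
+++ b/config/travis/runtests.sh
@@ -1,73 +0,0 @@
-#!/bin/bash
-#
-# Script to run tests on Travis-CI.
-#
-# This file is generated by l2tdevtools update-dependencies.py, any dependency
-# related changes should be made in dependencies.ini.
-
-# Exit on error.
-set -e;
-
-if test -n "${FEDORA_VERSION}";
-then
-CONTAINER_NAME="fedora${FEDORA_VERSION}";
-CONTAINER_OPTIONS="-e LANG=C.utf8";
-
-if test -n "${TOXENV}";
-then
-TEST_COMMAND="tox -e ${TOXENV}";
-else
-TEST_COMMAND="./config/travis/run_python3.sh";
-fi
-# Note that exec options need to be defined before the container name.
-docker exec ${CONTAINER_OPTIONS} ${CONTAINER_NAME} sh -c "cd artifacts && ${TEST_COMMAND}";
-
-elif test -n "${UBUNTU_VERSION}";
-then
-CONTAINER_NAME="ubuntu${UBUNTU_VERSION}";
-CONTAINER_OPTIONS="-e LANG=en_US.UTF-8";
-
-if test -n "${TOXENV}";
-then
-# Also see: https://docs.codecov.io/docs/testing-with-docker
-curl -o codecov_env.sh -s https://codecov.io/env;
-
-# Generates a series of -e options.
-CODECOV_ENV=$(/bin/bash ./codecov_env.sh);
-
-CONTAINER_OPTIONS="${CODECOV_ENV} ${CONTAINER_OPTIONS}";
-
-TEST_COMMAND="tox -e ${TOXENV}";
-
-elif test "${TARGET}" = "jenkins3";
-then
-TEST_COMMAND="./config/jenkins/linux/run_end_to_end_tests_py3.sh travis";
-else
-TEST_COMMAND="./config/travis/run_python3.sh";
-fi
-# Note that exec options need to be defined before the container name.
-docker exec ${CONTAINER_OPTIONS} ${CONTAINER_NAME} sh -c "cd artifacts && ${TEST_COMMAND}";
-
-elif test "${TARGET}" = "dockerfile";
-then
-SOURCE_PATH=${PWD};
-CONTAINER_NAME="test";
-
-cd config/docker
-
-docker build --build-arg PPA_TRACK="dev" -f Dockerfile -t ${CONTAINER_NAME} .
-
-# TODO: add tests
-
-elif test "${TRAVIS_OS_NAME}" = "osx";
-then
-# Set the following environment variables to build pycrypto and yara-python.
-export CFLAGS="-I/usr/local/include -I/usr/local/opt/openssl@1.1/include ${CFLAGS}";
-export LDFLAGS="-L/usr/local/lib -L/usr/local/opt/openssl@1.1/lib ${LDFLAGS}";
-export TOX_TESTENV_PASSENV="CFLAGS LDFLAGS";
-
-# Set the following environment variables to ensure tox can find Python 3.8.
-export PATH="/usr/local/opt/python@3.8/bin:${PATH}";
-
-tox -e ${TOXENV};
-fi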
1818 separator: '\'
1919 supported_os: [Windows]
2020 labels: [Antivirus]
21 ---
22 name: MicrosoftAVLogs
23 doc: Microsoft Anti-Virus log files.
24 sources:
25 - type: FILE
26 attributes:
27 paths:
28 - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Support\MPLog-*.log'
29 - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Support\MPDetection-*.log'
30 separator: '\'
31 supported_os: [Windows]
32 labels: [Antivirus, Logs]
2133 ---
2234 name: WindowsDefenderExclusions
2335 doc: |
4242 - '%%users.localappdata%%\Google\Drive\user_default\snapshot.db'
4343 - '%%users.localappdata%%\Google\Drive\user_default\sync_config.db'
4444 - '%%users.localappdata%%\Google\Drive\user_default\sync_config.log*'
45 - '%%users.localappdata%%\Google\Drive\user_default\sync_log.log*'
4546 separator: '\'
4647 supported_os: [Windows]
4748 - type: FILE
3131 attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\SYSTEM\Select', value: 'Current'}]}
3232 provides: [current_control_set]
3333 supported_os: [Windows]
34 urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc']
34 urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc']
3535 ---
3636 name: LinuxRelease
3737 doc: |
192192 attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName'}]}
193193 provides: [time_zone]
194194 supported_os: [Windows]
195 urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Time%20zone%20keys.asciidoc']
195 urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Time%20zone%20keys.asciidoc']
543543 - '/var/run/utmp'
544544 labels: [Logs, Authentication]
545545 supported_os: [Linux]
546 urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc']
546 urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc']
547547 ---
548548 name: LinuxWtmp
549549 doc: Linux wtmp login record file
553553 labels: [Logs, Authentication]
554554 provides: [users.username, users.last_logon]
555555 supported_os: [Linux]
556 urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc']
556 urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc']
557557 ---
558558 name: LinuxXinetd
559559 doc: Linux xinetd configurations.
10171017 - '/var/log/wtmp'
10181018 labels: [Logs, Authentication]
10191019 supported_os: [Darwin]
1020 urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc']
1020 urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc']
10211021 ---
10221022 name: MacOSUtmpxFile
10231023 doc: Mac OS X 10.5 utmpx login record file.
10291029 - '/var/run/utmpx'
10301030 labels: [Logs, Authentication]
10311031 supported_os: [Darwin]
1032 urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc']
1032 urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc']
10331033 ---
10341034 name: MacOSWirelessNetworks
10351035 doc: Remembered Wireless Networks
139139 supported_os: [Linux]
140140 supported_os: [Windows,Darwin,Linux]
141141 labels: [Browser]
142 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/webbrowser/ChromeCache.md']
142 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/webbrowser/ChromeCache.html']
143143 ---
144144 name: ChromeCookies
145145 doc: Chrome Cookies database.
535535 supported_os: [Linux]
536536 supported_os: [Windows,Darwin,Linux]
537537 labels: [Browser]
538 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/webbrowser/FirefoxCache.md']
538 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/webbrowser/FirefoxCache.html']
539539 ---
540540 name: FirefoxHistory
541541 doc: Firefox browser history (places.sqlite).
99 - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\General'
1010 conditions: [os_major_version < 6]
1111 supported_os: [Windows]
12 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/ActiveDesktop.md']
12 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ActiveDesktop.html']
1313 ---
1414 name: WindowsActivitiesCacheDatabase
1515 doc: SQLite database containing the Windows activities cache.
2020 separator: '\'
2121 labels: [Users]
2222 supported_os: [Windows]
23 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/ActivitiesCacheDatabase.md']
23 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ActivitiesCacheDatabase.html']
2424 ---
2525 name: WindowsAlternateShell
2626 doc: Alternate Shell to be run via Userinit.
4848 separator: '\'
4949 conditions: [os_major_version >= 6 AND os_minor_version >= 1]
5050 supported_os: [Windows]
51 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/AMCache.md']
51 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/AMCache.html']
5252 ---
5353 name: WindowsAppCertDLLs
5454 doc: Windows AppCertDLLs persistence.
6868 - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility', value: 'AppCompatCache'}
6969 - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatCache', value: 'AppCompatCache'}
7070 supported_os: [Windows]
71 urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Application%20Compatibility%20Cache%20key.asciidoc']
71 urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Application%20Compatibility%20Cache%20key.asciidoc']
7272 ---
7373 name: WindowsAppInitDLLs
7474 doc: |
257257 - type: REGISTRY_KEY
258258 attributes: {keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\*']}
259259 supported_os: [Windows]
260 urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Time%20zone%20keys.asciidoc']
260 urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Time%20zone%20keys.asciidoc']
261261 ---
262262 name: WindowsBITSQueueManagerDatabases
263263 doc: Databases that contain the Windows BITS jobs definition and state.
315315 supported_os: [Windows]
316316 urls:
317317 - 'https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf'
318 - 'https://github.com/libyal/dtformats/blob/master/documentation/WMI%20repository%20file%20format.asciidoc'
318 - 'https://github.com/libyal/dtformats/blob/main/documentation/WMI%20repository%20file%20format.asciidoc'
319319 ---
320320 name: WindowsCodePage
321321 doc: The code page of the system.
461461 - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Typelib\*\*\*\*', value: ''}
462462 - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Typelib\*\*\*\*', value: ''}
463463 supported_os: [Windows]
464 urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Component%20Object%20Model%20keys.asciidoc#type-libraries-key']
464 urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Component%20Object%20Model%20keys.asciidoc#type-libraries-key']
465465 ---
466466 name: WindowsSearchFilterHandlers
467467 doc: |
582582 - type: REGISTRY_VALUE
583583 attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'CurrentVersion'}]}
584584 supported_os: [Windows]
585 urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc']
585 urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc']
586586 ---
587587 name: WindowsDebugger
588588 doc: Windows Debugger peristence or AV disable.
639639 - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'AllUsersProfile'}
640640 provides: [environ_allusersprofile]
641641 supported_os: [Windows]
642 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
642 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
643643 ---
644644 name: WindowsEnvironmentVariableAppxProcess
645645 doc: |
653653 - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'APPX_PROCESS'}
654654 supported_os: [Windows]
655655 conditions: [os_major_version >= 6 AND os_minor_version >= 2]
656 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
656 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
657657 ---
658658 name: WindowsEnvironmentVariableCommonProgramFiles
659659 doc: The %COMMONPROGRAMFILES% environment variable contains the path of the common program files folder.
664664 - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'CommonFilesDir'}
665665 provides: [environ_commonprogramfiles]
666666 supported_os: [Windows]
667 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
667 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
668668 ---
669669 name: WindowsEnvironmentVariableCommonProgramFilesX86
670670 doc: The %COMMONPROGRAMFILES(X86)% environment variable contains the path of the 32-bit common program files folder on a 64-bit Windows installation.
675675 - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'CommonFilesDir (x86)'}
676676 provides: [environ_commonprogramfilesx86]
677677 supported_os: [Windows]
678 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
678 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
679679 ---
680680 name: WindowsEnvironmentVariableComSpec
681681 doc: The %ComSpec% environment variable contains the path of the command processor, typically "cmd.exe".
686686 - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', value: 'ComSpec'}
687687 provides: [environ_comspec]
688688 supported_os: [Windows]
689 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
689 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
690690 ---
691691 name: WindowsEnvironmentVariableDriverData
692692 doc: The %DriverData% environment variable contains the path of the directory used for temporary state files of user-mode drivers.
698698 provides: [environ_driverdata]
699699 supported_os: [Windows]
700700 conditions: [os_major_version >= 10]
701 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
701 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
702702 ---
703703 name: WindowsEnvironmentVariablePath
704704 doc: The %PATH% environment variable contains an ordered list of paths of directories that will be searched on execution request without a specific path.
709709 - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'Path'}
710710 provides: [environ_path]
711711 supported_os: [Windows]
712 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
712 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
713713 ---
714714 name: WindowsEnvironmentVariableProfilesDirectory
715715 doc: The %ProfilesDirectory% environment variable contain a path of a directory that contains the users' profile directories, typically "%SystemDrive%\Users".
720720 - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProfilesDirectory'}
721721 provides: [environ_profilesdirectory]
722722 supported_os: [Windows]
723 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
723 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
724724 ---
725725 name: WindowsEnvironmentVariableProgramData
726726 doc: The %ProgramData% environment variable contains a path of the "Program Data" directory.
731731 - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'}
732732 provides: [environ_programdata]
733733 supported_os: [Windows]
734 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
734 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
735735 ---
736736 name: WindowsEnvironmentVariableProgramFiles
737737 doc: The %ProgramFiles% environment variable contains a path of the "Program Files" directory.
746746 - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir'}
747747 provides: [environ_programfiles]
748748 supported_os: [Windows]
749 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
749 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
750750 ---
751751 name: WindowsEnvironmentVariableProgramFilesX86
752752 doc: The %ProgramFiles(x86)% environment variable contains a path of the 32-bit "Program Files" directory on a 64-bit Windows installation.
761761 - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir (x86)'}
762762 provides: [environ_programfilesx86]
763763 supported_os: [Windows]
764 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
764 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
765765 ---
766766 name: WindowsEnvironmentVariableSystemDrive
767767 doc: |
773773 attributes: {names: ['WindowsEnvironmentVariableSystemRoot']}
774774 provides: [environ_systemdrive]
775775 supported_os: [Windows]
776 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
776 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
777777 ---
778778 name: WindowsEnvironmentVariableSystemRoot
779779 doc: The %SystemRoot%, environment variable contains the path of the system directory, typically "C:\Windows".
792792 - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'}
793793 provides: [environ_systemroot]
794794 supported_os: [Windows]
795 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
795 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
796796 ---
797797 name: WindowsEnvironmentVariableTemp
798798 doc: The %TEMP% environment variable.
803803 - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'TEMP'}
804804 provides: [environ_temp]
805805 supported_os: [Windows]
806 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
806 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
807807 ---
808808 name: WindowsEnvironmentVariableWinDir
809809 doc: The %WinDir%, environment variable contains the path of the Windows directory, typically "C:\Windows".
822822 - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'windir'}
823823 provides: [environ_windir]
824824 supported_os: [Windows]
825 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
825 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
826 ---
827 name: WindowsEventLogProviders
828 doc: Windows EventLog provider Registry keys.
829 sources:
830 - type: REGISTRY_KEY
831 attributes:
832 keys: ['HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\*\*']
833 supported_os: [Windows]
834 urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/EventLog-keys.html']
826835 ---
827836 name: WindowsEventLogs
828837 doc: Windows Event logs.
840849 - 'WindowsXMLEventLogTerminalServices'
841850 labels: [Logs]
842851 supported_os: [Windows]
843 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
852 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
844853 ---
845854 name: WindowsEventLogApplication
846855 doc: Application Windows Event Log.
852861 conditions: [os_major_version < 6]
853862 labels: [Logs]
854863 supported_os: [Windows]
855 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
864 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
856865 ---
857866 name: WindowsEventLogSecurity
858867 doc: Security Windows Event Log.
864873 conditions: [os_major_version < 6]
865874 labels: [Logs]
866875 supported_os: [Windows]
867 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
876 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
868877 ---
869878 name: WindowsEventLogSystem
870879 doc: System Windows Event Log.
876885 conditions: [os_major_version < 6]
877886 labels: [Logs]
878887 supported_os: [Windows]
879 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
888 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
880889 ---
881890 name: WindowsXMLEventLogApplication
882891 doc: Application Windows XML Event Log.
888897 conditions: [os_major_version >= 6]
889898 labels: [Logs]
890899 supported_os: [Windows]
891 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
900 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
892901 ---
893902 name: WindowsXMLEventLogSecurity
894903 doc: Security Windows XML Event Log.
900909 conditions: [os_major_version >= 6]
901910 labels: [Logs]
902911 supported_os: [Windows]
903 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
912 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
904913 ---
905914 name: WindowsXMLEventLogSysmon
906915 doc: Sysmon Windows XML Event Log.
911920 separator: '\'
912921 labels: [Logs]
913922 supported_os: [Windows]
914 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
923 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
915924 ---
916925 name: WindowsXMLEventLogSystem
917926 doc: System Windows XML Event Log.
923932 conditions: [os_major_version >= 6]
924933 labels: [Logs]
925934 supported_os: [Windows]
926 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
935 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
927936 ---
928937 name: WindowsXMLEventLogTerminalServices
929938 doc: TerminalServices Windows XML Event Log.
935944 conditions: [os_major_version >= 6]
936945 labels: [Logs]
937946 supported_os: [Windows]
938 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
947 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
939948 ---
940949 name: WindowsExcludeFromKnownDLLs
941950 doc: ExcludeFromKnownDLLs can be used to bypass search order hijacking protection.
15951604 - 'https://technet.microsoft.com/library/hh847748.aspx'
15961605 - 'http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/'
15971606 ---
1607 name: WindowsPowerShellHistory
1608 doc: History of commands executed in an interactive PowerShell session.
1609 sources:
1610 - type: FILE
1611 attributes:
1612 paths: ['%%users.appdata%%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt']
1613 separator: '\'
1614 supported_os: [Windows]
1615 urls:
1616 - 'https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html'
1617 - 'https://docs.microsoft.com/en-us/powershell/module/psreadline/get-psreadlineoption?view=powershell-7.1'
1618 ---
15981619 name: WindowsPrefetchFiles
15991620 doc: Windows Prefetch files.
16001621 sources:
16231644 - type: REGISTRY_VALUE
16241645 attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'ProductName'}]}
16251646 supported_os: [Windows]
1626 urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc']
1647 urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc']
16271648 ---
16281649 name: WindowsProgramsCache
16291650 doc: Windows Programs Cache
16341655 - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage', value: 'ProgramsCache'}
16351656 - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCache'}
16361657 supported_os: [Windows]
1637 urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Programs%20Cache%20values.asciidoc']
1658 urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Programs%20Cache%20values.asciidoc']
16381659 ---
16391660 name: WindowsProgramsCacheJumpLists
16401661 doc: Windows Programs Cache Jump Lists
16451666 - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCacheSMP'}
16461667 - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCacheTBP'}
16471668 supported_os: [Windows]
1648 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/JumpLists.md']
1669 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html']
16491670 ---
16501671 name: WindowsProxyPACAutoConfigURL
16511672 doc: Windows Proxy PAC AutoConfigURL.
16891710 separator: '\'
16901711 conditions: [os_major_version >= 6 AND os_minor_version >= 1]
16911712 supported_os: [Windows]
1692 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RecentFileCache.md']
1713 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RecentFileCache.html']
16931714 ---
16941715 name: WindowsRecycleBin
16951716 doc: Windows Recycle Bin (Recyler, $Recycle.Bin) files.
17111732 attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\Select', value: 'Current'}]}
17121733 provides: [current_control_set]
17131734 supported_os: [Windows]
1714 urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc']
1735 urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc']
17151736 ---
17161737 name: WindowsRegistryFilesAndTransactionLogs
17171738 doc: Windows user and system Registry files and transaction logs.
17251746 - 'WindowsUserRegistryTransactionLogFiles'
17261747 labels: [System,Users]
17271748 supported_os: [Windows]
1728 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
1749 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html']
17291750 ---
17301751 name: WindowsRegistryProfiles
17311752 doc: |
19361957 supported_os: [Windows]
19371958 urls:
19381959 - 'http://support.microsoft.com/kb/103000'
1939 - 'https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc'
1960 - 'https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc'
19401961 ---
19411962 name: WindowsActionCenterSettings
19421963 doc: |
27622783 separator: '\'
27632784 labels: [System]
27642785 supported_os: [Windows]
2765 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
2786 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html']
27662787 ---
27672788 name: WindowsSystemRegistryTransactionLogFilesBackup
27682789 doc: |
27882809 separator: '\'
27892810 labels: [System]
27902811 supported_os: [Windows]
2791 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
2812 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html']
27922813 ---
27932814 name: WindowsSystemRegistryFiles
27942815 doc: Windows system Registry files.
28042825 separator: '\'
28052826 labels: [System]
28062827 supported_os: [Windows]
2807 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
2828 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html']
28082829 ---
28092830 name: WindowsSystemRegistryTransactionLogFiles
28102831 doc: Windows system Registry transaction log files.
28272848 separator: '\'
28282849 labels: [System]
28292850 supported_os: [Windows]
2830 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
2851 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html']
28312852 ---
28322853 name: WindowsSystemRegistryFilesAndTransactionLogs
28332854 doc: Windows system Registry files and transaction logs.
28392860 - 'WindowsSystemRegistryTransactionLogFiles'
28402861 labels: [System]
28412862 supported_os: [Windows]
2842 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
2863 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html']
28432864 ---
28442865 name: WindowsSystemResourceUsageMonitorDatabaseFile
28452866 doc: Windows System Resource Usage Monitor (SRUM) database file.
28492870 paths: ['%%environ_systemroot%%\System32\sru\SRUDB.dat']
28502871 separator: '\'
28512872 supported_os: [Windows]
2852 urls: ['https://github.com/libyal/esedb-kb/blob/master/documentation/System%20Resource%20Usage%20Monitor%20(SRUM).asciidoc']
2873 urls: ['https://github.com/libyal/esedb-kb/blob/main/documentation/System%20Resource%20Usage%20Monitor%20(SRUM).asciidoc']
28532874 ---
28542875 name: WindowsTempDirectories
28552876 doc: Contents of the Windows temporary directories
29222943 urls: ['https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2']
29232944 ---
29242945 name: WindowsTimezone
2925 doc: The timezone of the system in Olson format.
2926 sources:
2927 - type: REGISTRY_VALUE
2928 attributes:
2929 key_value_pairs:
2930 - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName'}
2931 - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'TimeZoneKeyName'}
2946 doc: The time zone of the system as a Windows time zone name or in MUI form.
2947 sources:
2948 - type: REGISTRY_VALUE
2949 attributes:
2950 key_value_pairs:
2951 - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName'}
2952 - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'TimeZoneKeyName'}
29322953 provides: [time_zone]
29332954 supported_os: [Windows]
2934 urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Time%20zone%20keys.asciidoc']
2955 urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Time-zones.html']
29352956 ---
29362957 name: WindowsToolPaths
29372958 doc: Paths to windows tools such as defrag, chkdsk.
29552976 attributes:
29562977 keys:
29572978 - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\*\*'
2979 - 'HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*\*'
29582980 - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Uninstall\*\*'
29592981 supported_os: [Windows]
29602982 urls: ['https://msdn.microsoft.com/en-us/library/aa372105(v=vs.85).aspx']
29963018 separator: '\'
29973019 labels: [Users]
29983020 supported_os: [Windows]
2999 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/JumpLists.md']
3021 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html']
30003022 ---
30013023 name: WindowsUserCustomDestinationsJumpLists
30023024 doc: Windows user CustomDestinations Jump Lists.
30073029 separator: '\'
30083030 labels: [Users]
30093031 supported_os: [Windows]
3010 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/JumpLists.md']
3032 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html']
30113033 ---
30123034 name: WindowsUserDownloadsDirectory
30133035 doc: User downloads directory
30303052 - 'WindowsUserCustomDestinationsJumpLists'
30313053 labels: [Users]
30323054 supported_os: [Windows]
3033 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/JumpLists.md']
3055 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html']
30343056 ---
30353057 name: WindowsUserRecentFiles
30363058 doc: Windows user specific recent files.
30563078 separator: '\'
30573079 labels: [Users]
30583080 supported_os: [Windows]
3059 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
3081 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html']
30603082 ---
30613083 name: WindowsUserRegistryTransactionLogFiles
30623084 doc: Windows user Registry transaction log files.
30733095 separator: '\'
30743096 labels: [Users]
30753097 supported_os: [Windows]
3076 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
3098 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html']
30773099 ---
30783100 name: WindowsUserRegistryFilesAndTransactionLogs
30793101 doc: Windows user Registry files and transaction logs.
30853107 - 'WindowsUserRegistryTransactionLogFiles'
30863108 labels: [Users]
30873109 supported_os: [Windows]
3088 urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
3110 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html']
30893111 ---
30903112 name: WindowsUserShellFolders
30913113 doc: The Shell Folders information for Windows users.
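Review bot: The new WindowsPowerShellHistory definition only collects `ConsoleHost_history.txt`, but PSReadLine names its history file after the host (`<HostName>_history.txt`), so sessions from other hosts such as the VS Code integrated console are not captured; if the intent is to cover every host, `paths: ['%%users.appdata%%\Microsoft\Windows\PowerShell\PSReadLine\*_history.txt']` would do it. The location can also be overridden through the HistorySavePath option documented by the second URL, which is worth a short mention in `doc` so that an empty result is not read as "no history". The neighbouring file artifacts in this section carry `labels` while this one has none; `labels: [Logs, Users]` would match the convention used for the other user-specific log artifacts here.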
0 = Artifact definition format and style guide
0 Moved to: https://artifacts.readthedocs.io/en/latest/sources/Format-specification.html
11
2 :toc:
3 :toclevels: 4
4 :icons:
5
6 :numbered!:
7 [abstract]
8 == Summary
9
10 This guide contains a description of the forensics artifacts definitions.
11 The artifacts definitions are
12 link:http://www.yaml.org/spec/1.2/spec.html[YAML]-based. The format is
13 currently still under development and is likely to undergo some change. One of
14 the goals of this guide is to ensure consistency and readbility of the
15 artifacts definitions.
16
17 [preface]
18 == Revision history
19
20 [cols="1,1,1,5",options="header"]
21 |===
22 | Version | Author | Date | Comments
23 | 0.0.1 | G. Castle | November 2014 | Initial version.
24 | 0.0.2 | G. Castle | December 2014 | Minor format changes.
25 | 0.0.3 | J.B. Metz | April 2015 | Merged style guide and artifact definitions wiki page.
26 | 0.0.3 | J.B. Metz | September 2015 | Additional label.
27 | 0.0.4 | J.B. Metz | July 2016 | Added information about a naming convention.
28 | 0.0.5 | J.B. Metz | February 2019 | Removed returned_types as keyword and format changes.
29 |===
30
31 :numbered:
32 == Background
33
34 The first version of the artifact definitions originated from the
35 https://github.com/google/grr[GRR project], where it is used to describe and
36 quickly collect data of interest, e.g. specific files or Windows Registry keys.
37 The goal of the format is to provide a way to describe the majority of forensic
38 artifacts in a language that is readable by humans and machines.
39
40 The format is designed to be simple and straight forward, so that a digital
41 forensic analysist is able to quickly write artifact definitions during an
42 investigation without having to rely on complex standards or tooling.
43
44 The format is intended to describe forensically-relevant data on a machine,
45 while being tool agnostic. In particular we intentionally avoided adding
46 IOC-like logic, or describing how the data should be collected since this
47 various between tools.
48
49 === Terminology
50
51 The term artifact (or artefact) is widely used within computer (or digital)
52 forensics, though there is no official definition of this term.
53
54 The definition closest to the meaning of the word within computer forensics is
55 that of the word artifact within
56 http://en.wikipedia.org/wiki/Artifact_(archaeology)[archaeology]. The term
57 should not be confused with the word artifact used within
58 http://en.wikipedia.org/wiki/Artifact_(software_development)[software development].
59
60 If archaeology defines an artifact as:
61 ```
62 something made or given shape by man, such as a tool or
63 a work of art, esp an object of archaeological interest
64 ```
65
66 The definition of artifact within computer forensics could be:
67 ```
68 An object of digital archaeological interest.
69 ```
70
71 Where digital archaeology roughly refers to computer forensics without the
72 forensic (legal) context.
73
74 == The artifact definition
75
76 The best way to show what an artifact definition is, is by example. The
77 following example is the artifact definition for the Windows EVTX System Event
78 Logs.
79
80 [source,yaml]
81 ----
82 name: WindowsSystemEventLogEvtx
83 doc: Windows System Event log for Vista or later systems.
84 sources:
85 - type: FILE
86 attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']}
87 conditions: [os_major_version >= 6]
88 labels: [Logs]
89 supported_os: [Windows]
90 urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)']
91 ----
92
93 The artifact definition can have the following values:
94
95 [cols="1,5",options="header"]
96 |===
97 | Value | Description
98 | name | The name. An unique string that identifies the artifact definition. +
99 Also see section: <<artifact_name,Name>>.
100 | doc | The description (or documentation). A human readable string that describes the artifact definition. +
101 *Style note*: Typically one line description of the artifact, mentioning important caveats. +
102 If more description is necessary, use the <<artifact_long_docs,Long docs form>>.
103 | sources | A list of source definitions. +
104 See section: <<sources,Sources>>.
105 | conditions | Optional list of conditions that describe when the artifact definition should apply. +
106 See section: <<conditions,Conditions>>.
107 | labels | Optional list of predefined labels.
108 See section: <<labels,Labels>>.
109 | provides | Optional list of *TODO*
110 | supported_os | Optional list that indicates which operating systems the artifact definition applies to.
111 See section: <<supported_os,Supported operating system>>.
112 | urls | Optional list of URLs with more contextual information. +
113 Ideally the artifact definition links to an article that discusses the artificat in more depth e.g. on http://forensicswiki.org[Forensics Wiki]
114 |===
115
116 === [[artifact_name]]Name
117
118 *Style note*: The name of an artifact defintion should be in CamelCase name without spaces.
119
120 As of July 2016 we are migrating to the following naming convention:
121
122 * Prefix platform specific artifact definitions with the name of the operating system using "Linux", "MacOS" or "Windows"
123 * If not platform specific:
124 ** prefix with the application name, for example "ChromeHistory".
125 ** prefix with the name of the subsystem, for example "WMIComputerSystemProduct".
126
127 *Style note*: If the sole source of the artifact definition for example are
128 files use "BrowserHistoryFiles" instead of "BrowserHistory" to reduce ambiguity.
129
130 === [[artifact_long_docs]]Long docs form
131
132 Multi-line documentation should use the YAML Literal Style as indicated by the |
133 character.
134
135 [source,yaml]
136 ----
137 doc: |
138 The Windows run keys.
139
140 Note users.sid will currently only expand to SIDs with profiles on the system,
141 not all SIDs.
142 ----
143
144 *Style note*: the short description (first line) and the longer portion are
145 separated by an empty line.
146
147 *Style note*: explicit newlines (\n) should not be used.
148
149 == [[sources]]Sources
150
151 Every source definition starts with a `type` followed by arguments e.g.
152
153 [source,yaml]
154 ----
155 sources:
156 - type: COMMAND
157 attributes:
158 args: [-qa]
159 cmd: /bin/rpm
160 ----
161
162 [source,yaml]
163 ----
164 sources:
165 - type: FILE
166 attributes:
167 paths:
168 - /root/.bashrc
169 - /root/.cshrc
170 - /root/.ksh
171 - /root/.logout
172 - /root/.profile
173 - /root/.tcsh
174 - /root/.zlogin
175 - /root/.zlogout
176 - /root/.zprofile
177 - /root/.zprofile
178 ----
179
180 *Style note*: where sources take a single argument with a single value, the one-line {}
181 form should be used to save on line breaks as below:
182
183 [source,yaml]
184 ----
185 - type: FILE
186 attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']}
187 ----
188
189 [cols="1,5",options="header"]
190 |===
191 | Value | Description
192 | attributes | A dictionary of keyword attributes specific to the type of source definition.
193 | type | The source type.
194 | conditions | Optional list of conditions to when the artifact definition should apply. +
195 See section: <<conditions,Conditions>>.
196 | supported_os | Optional list that indicates which operating systems the artifact definition applies to. +
197 See section: <<supported_os,Supported operating system>>.
198 |===
199
200 === Source types
201
202 Currently the following different source types are defined:
203
204 [cols="1,5",options="header"]
205 |===
206 | Value | Description
207 | ARTIFACT_GROUP | A source that consists of a group of other artifacts.
208 | COMMAND | A source that consists of the output of a command.
209 | FILE | A source that consists of the contents of files.
210 | PATH | A source that consists of the contents of paths.
211 | REGISTRY_KEY | A source that consists of the contents of Windows Registry keys.
212 | REGISTRY_VALUE | A source that consists of the contents of Windows Registry values.
213 | WMI | A source that consists of the output of Windows Management Instrumentation (WMI) queries.
214 |===
215
216 The sources types are defined in
217 link:https://github.com/ForensicArtifacts/artifacts/blob/master/artifacts/definitions.py[definitions.py].
218 as TYPE_INDICATOR constants.
219
220 === Artifact group source
221
222 The artifact group source is a source that consists of a group of other artifacts e.g.
223
224 [source,yaml]
225 ----
226 - type: ARTIFACT_GROUP
227 attributes:
228 names: [WindowsRunKeys, WindowsServices]
229 ----
230
231 Where `attributes` can contain the following values:
232
233 [cols="1,5",options="header"]
234 |===
235 | Value | Description
236 | names | A list of artifact definition names that make up this "composite" artifact. +
237 This can also be used to group multiple artifact definitions into one for convenience.
238 |===
239
240 === Command source
241
242 The command source is a source that consists of the output of a command e.g.
243
244 [source,yaml]
245 ----
246 - type: COMMAND
247 attributes:
248 args: [-qa]
249 cmd: /bin/rpm
250 ----
251
252 Where `attributes` can contain the following values:
253
254 [cols="1,5",options="header"]
255 |===
256 | Value | Description
257 | args | A list arguments to pass to the command.
258 | cmd | The path of the command.
259 |===
260
261 === File source
262
263 The file source is a source that consists of the contents of files e.g.
264
265 [source,yaml]
266 ----
267 - type: FILE
268 attributes:
269 paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']
270 ----
271
272 Where `attributes` can contain the following values:
273
274 [cols="1,5",options="header"]
275 |===
276 | Value | Description
277 | paths | A list of file paths that can potentially be collected. +
278 The paths can use parameter expansion e.g. `%%environ_systemroot%%`. +
279 See section: <<parameter_expansion,Parameter expansion and globs>>
280 | separator | Optional path segment seperator e.g. '\' for Windows systems. +
281 When not specified the default path segment separator is '/'.
282 |===
283
284 === Path source
285
286 The path source is a source that consists of the contents of paths e.g.
287
288 [source,yaml]
289 ----
290 - type: PATH
291 attributes:
292 paths: ['\Program Files']
293 separator: '\'
294 ----
295
296 Where `attributes` can contain the following values:
297
298 [cols="1,5",options="header"]
299 |===
300 | Value | Description
301 | paths | A list of file paths that can potentially be collected. +
302 The paths can use parameter expansion e.g. `%%environ_systemroot%%`. +
303 See section: <<parameter_expansion,Parameter expansion and globs>>
304 | separator | Optional path segment seperator e.g. '\' for Windows systems. +
305 When not specified the default path segment separator is '/'.
306 |===
307
308 === Windows Registry key source
309
310 The Windows Registry key source is a source that consists of the contents of
311 Windows Registry keys e.g.
312
313 [source,yaml]
314 ----
315 sources:
316 - type: REGISTRY_KEY
317 attributes:
318 keys:
319 - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\TypedURLs\*'
320 ----
321
322 Where `attributes` can contain the following values:
323
324 [cols="1,5",options="header"]
325 |===
326 | Value | Description
327 | keys | A list of Windows Registry key paths that can potentially be collected. +
328 The paths can use parameter expansion e.g. `%%users.sid%%`. +
329 See section: <<parameter_expansion,Parameter expansion and globs>>
330 |===
331
332 === Windows Registry value source
333
334 The Windows Registry value source is a source that consists of the contents of
335 Windows Registry values e.g.
336
337 [source,yaml]
338 ----
339 - type: REGISTRY_VALUE
340 attributes:
341 key_value_pairs:
342 - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654'}
343 ----
344
345 Where `attributes` can contain the following values:
346
347 [cols="1,5",options="header"]
348 |===
349 | Value | Description
350 | key_value_pairs | A list of Windows Registry key paths and value names that can potentially be collected. +
351 The key path can use parameter expansion e.g. `%%users.sid%%`. +
352 See section: <<parameter_expansion,Parameter expansion and globs>>
353 |===
354
355 === Windows Management Instrumentation (WMI) query source
356
357 The Windows Management Instrumentation (WMI) query source is a source that
358 consists of the output of Windows Management Instrumentation (WMI) queries e.g.
359
360 [source,yaml]
361 ----
362 - type: WMI
363 attributes:
364 query: SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%'
365 ----
366
367 Where `attributes` can contain the following values:
368
369 [cols="1,5",options="header"]
370 |===
371 | Value | Description
372 | base_object | Optional WMI base object e.g. `winmgmts:\root\SecurityCenter2`
373 | query | The Windows Management Instrumentation (WMI) query. +
374 The query can use parameter expansion e.g. `%%users.username%%`. +
375 See section: <<parameter_expansion,Parameter expansion and globs>>
376 |===
377
378 == [[conditions]]Conditions
379
380 *TODO: work is in progress to move this out of GRR into something more portable.*
381
382 Artifact conditions are currently implemented using the
383 link:https://github.com/google/objectfilter[objectfilter] system that allows
384 you to apply complex conditions to the attributes of an object. Artifacts can
385 apply conditions to any of the Knowledge Base object attributes as defined in
386 the GRR link:https://github.com/google/grr/blob/master/proto/knowledge_base.proto[knowledge_base.proto].
387
388 *Style note*: single quotes should be used for strings when writing conditions.
389
390 [source,yaml]
391 ----
392 conditions: [os_major_version >= 6 and time_zone == 'America/Los_Angeles']
393 ----
394
395 === [[supported_os]]Supported operating system
396
397 Since operating system (OS) conditions are a very common constraint, this has
398 been provided as a separate option "supported_os" to simplify syntax. For
399 supported_os no quotes are required. The currently supported operating systems
400 are:
401
402 * Darwin (also used for Mac OS X)
403 * Linux
404 * Windows
405
406 [source,yaml]
407 ----
408 supported_os: [Darwin, Linux, Windows]
409 ----
410
411 This can be translated to objectfilter as:
412
413 [source,yaml]
414 ----
415 ["os =='Darwin'" OR "os=='Linux'" OR "os == 'Windows'"]
416 ----
417
418 == [[labels]]Labels
419
420 Currently the following different labels are defined:
421
422 [cols="1,5",options="header"]
423 |===
424 | Value | Description
425 | Antivirus | Antivirus related artifacts, e.g. quarantine files.
426 | Authentication | Authentication artifacts.
427 | Browser | Web Browser artifacts.
428 | Cloud Storage | Cloud Storage artifacts.
429 | Configuration Files | Configuration files artifacts.
430 | Execution | Contain execution events.
431 | External Media | Contain external media data or events e.g. USB drives.
432 | KnowledgeBase | Artifacts used in knowledge base generation.
433 | Logs | Contain log files.
434 | Memory | Artifacts retrieved from memory.
435 | Network | Describe networking state.
436 | Processes | Describe running processes.
437 | Software | Installed software.
438 | System | Core system artifacts.
439 | Users | Information about users.
440 | Rekall | Artifacts using the Rekall memory forensics framework.
441 |===
442
443 The labes are defined in
444 link:https://github.com/ForensicArtifacts/artifacts/blob/master/artifacts/definitions.py[definitions.py].
445
446 == Style notes
447
448 === Artifact definition YAML files
449
450 Artifact definition YAML filenames should be of the form:
451 ....
452 $FILENAME.yaml
453 ....
454
455 Where $FILENAME is name of the file e.g. windows.yaml.
456
457 Each defintion file should have a comment at the top of the file with a
458 one-line summary describing the type of artifact definitions contained in the
459 file e.g.
460
461 [source,yaml]
462 ----
463 # Windows specific artifacts.
464 ----
465
466 === Lists
467
468 Generally use the short [] format for single-item lists that fit inside 80
469 characters to save on unnecessary line breaks:
470
471 [source,yaml]
472 ----
473 labels: [Logs]
474 supported_os: [Windows]
475 urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)']
476 ----
477
478 and the bulleted list form for multi-item lists or long lines:
479
480 [source,yaml]
481 ----
482 paths:
483 - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*'
484 - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*'
485 - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*'
486 - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*'
487 - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*'
488 ----
489
490 === Quotes
491
492 Quotes should not be used for doc strings, artifact names, and simple lists
493 like labels and supported_os.
494
495 Paths and URLs should use single quotes to avoid the need for manual escaping.
496
497 [source,yaml]
498 ----
499 paths: ['%%environ_temp%%\*.exe']
500 urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)']
501 ----
502
503 Double quotes should be used where escaping causes problems, such as
504 regular expressions:
505
506 [source,yaml]
507 ----
508 content_regex_list: ["^%%users.username%%:[^:]*\n"]
509 ----
510
511 === Minimize the number of definitions by using multiple sources
512
513 To minimize the number of artifacts in the list, combine them using the
514 supported_os and conditions attributes where it makes sense. e.g. rather than
515 having FirefoxHistoryWindows, FirefoxHistoryLinux, FirefoxHistoryDarwin, do:
516
517 [source,yaml]
518 ----
519 name: FirefoxHistory
520 doc: Firefox places.sqlite files.
521 sources:
522 - type: FILE
523 attributes:
524 paths:
525 - %%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite
526 - %%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite
527 supported_os: [Windows]
528 - type: FILE
529 attributes:
530 paths: [%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite]
531 supported_os: [Darwin]
532 - type: FILE
533 attributes:
534 paths: ['%%users.homedir%%/.mozilla/firefox/*/places.sqlite']
535 supported_os: [Linux]
536 labels: [Browser]
537 supported_os: [Windows, Linux, Darwin]
538 ----
539
540 == [[parameter_expansion]]Parameter expansion and globs
541
542 *TODO*
543
0 # -*- coding: utf-8 -*-
1 """Sphinx build configuration file."""
2
3 import os
4 import sys
5
6 from sphinx.ext import apidoc
7
8 from docutils import nodes
9 from docutils import transforms
10
11 # Change PYTHONPATH to include artifacts module and dependencies.
12 sys.path.insert(0, os.path.abspath('..'))
13
14 import artifacts # pylint: disable=wrong-import-position
15
16 import utils.dependencies # pylint: disable=wrong-import-position
17
18
19 # -- General configuration ------------------------------------------------
20
21 # If your documentation needs a minimal Sphinx version, state it here.
22 needs_sphinx = '2.0.1'
23
24 # Add any Sphinx extension module names here, as strings. They can be
25 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
26 # ones.
27 extensions = [
28 'recommonmark',
29 'sphinx.ext.autodoc',
30 'sphinx.ext.coverage',
31 'sphinx.ext.doctest',
32 'sphinx.ext.napoleon',
33 'sphinx.ext.viewcode',
34 'sphinx_markdown_tables',
35 'sphinx_rtd_theme',
36 ]
37
38 # We cannot install architecture dependent Python modules on readthedocs,
39 # therefore we mock most imports.
40 pip_installed_modules = set(['six'])
41
42 dependency_helper = utils.dependencies.DependencyHelper(
43 dependencies_file=os.path.join('..', 'dependencies.ini'),
44 test_dependencies_file=os.path.join('..', 'test_dependencies.ini'))
45 modules_to_mock = set(dependency_helper.dependencies.keys())
46 modules_to_mock = modules_to_mock.difference(pip_installed_modules)
47
48 autodoc_mock_imports = sorted(modules_to_mock)
49
50 # Options for the Sphinx Napoleon extension, which reads Google-style
51 # docstrings.
52 napoleon_google_docstring = True
53 napoleon_numpy_docstring = False
54 napoleon_include_private_with_doc = False
55 napoleon_include_special_with_doc = True
56
57 # General information about the project.
58 # pylint: disable=redefined-builtin
59 project = 'Digital Forensics Artifacts Repository'
60 copyright = 'The Digital Forensics Artifacts Repository Project Authors'
61 version = artifacts.__version__
62 release = artifacts.__version__
63
64 # Add any paths that contain templates here, relative to this directory.
65 templates_path = ['_templates']
66
67 # List of patterns, relative to source directory, that match files and
68 # directories to ignore when looking for source files.
69 exclude_patterns = ['_build']
70
71 # The master toctree document.
72 master_doc = 'index'
73
74 # The name of the Pygments (syntax highlighting) style to use.
75 pygments_style = 'sphinx'
76
77
78 # -- Options for HTML output ----------------------------------------------
79
80 # The theme to use for HTML and HTML Help pages. See the documentation for
81 # a list of builtin themes.
82 html_theme = 'sphinx_rtd_theme'
83
84 # Output file base name for HTML help builder.
85 htmlhelp_basename = 'artifactsdoc'
86
87
88 # -- Options linkcheck ----------------------------------------------------
89
90 linkcheck_ignore = [
91 ]
92
93
94 # -- Code to rewrite links for readthedocs --------------------------------
95
96 # This function is a Sphinx core event callback, the format of which is detailed
97 # here: https://www.sphinx-doc.org/en/master/extdev/appapi.html#events
98
99 # pylint: disable=unused-argument
100 def RunSphinxAPIDoc(app):
101 """Runs sphinx-apidoc to auto-generate documentation.
102
103 Args:
104 app (sphinx.application.Sphinx): Sphinx application. Required by the
105 the Sphinx event callback API.
106 """
107 current_directory = os.path.abspath(os.path.dirname(__file__))
108 module_path = os.path.join(current_directory, '..', 'artifacts')
109 api_directory = os.path.join(current_directory, 'sources', 'api')
110 apidoc.main(['-o', api_directory, module_path, '--force'])
111
112
113 class MarkdownLinkFixer(transforms.Transform):
114 """Transform definition to parse .md references to internal pages."""
115
116 default_priority = 1000
117
118 _URI_PREFIXES = []
119
120 def _FixLinks(self, node):
121 """Corrects links to .md files not part of the documentation.
122
123 Args:
124 node (docutils.nodes.Node): docutils node.
125
126 Returns:
127 docutils.nodes.Node: docutils node, with correct URIs outside
128 of Markdown pages outside the documentation.
129 """
130 if isinstance(node, nodes.reference) and 'refuri' in node:
131 reference_uri = node['refuri']
132 for uri_prefix in self._URI_PREFIXES:
133 if (reference_uri.startswith(uri_prefix) and not (
134 reference_uri.endswith('.asciidoc') or
135 reference_uri.endswith('.md'))):
136 node['refuri'] = reference_uri + '.md'
137 break
138
139 return node
140
141 def _Traverse(self, node):
142 """Traverses the document tree rooted at node.
143
144 Args:
145 node (docutils.nodes.Node): docutils node.
146 """
147 self._FixLinks(node)
148
149 for child_node in node.children:
150 self._Traverse(child_node)
151
152 # pylint: disable=arguments-differ
153 def apply(self):
154 """Applies this transform on document tree."""
155 self._Traverse(self.document)
156
157
158 # pylint: invalid-name
159 def setup(app):
160 """Called at Sphinx initialization.
161
162 Args:
163 app (sphinx.application.Sphinx): Sphinx application.
164 """
165 # Triggers sphinx-apidoc to generate API documentation.
166 app.connect('builder-inited', RunSphinxAPIDoc)
167 app.add_config_value(
168 'recommonmark_config', {'enable_auto_toc_tree': True}, True)
169 app.add_transform(MarkdownLinkFixer)
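Review bot: `sys.path.insert(0, os.path.abspath('..'))` at line 12 resolves against the process working directory rather than the location of this file, so `import artifacts` and `import utils.dependencies` only work when Sphinx is started from the docs directory and otherwise import whatever happens to sit beside the caller's cwd; `RunSphinxAPIDoc` already derives its paths from `os.path.dirname(__file__)`, so the same should be done here: `sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))`. The pragma `# pylint: invalid-name` before `setup` is not a valid pylint control comment because the `disable=` keyword is missing; it should read `# pylint: disable=invalid-name`. `MarkdownLinkFixer._URI_PREFIXES` is an empty list, so `_FixLinks` never rewrites any reference; a comment naming the intended prefixes, or a TODO, would make that deliberate rather than dead-looking. Minor: the `RunSphinxAPIDoc` docstring reads "Required by the the Sphinx event callback API".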
0 Welcome to the Forensics Artifacts documentation
1 ================================================
2
3 Digital Forensics Artifacts Repository, is a free, community-sourced,
4 machine-readable knowledge base of digital forensic artifacts that the world
5 can use both as an information source and within other tools.
6
7 The source code is available from the `project page <https://github.com/ForensicArtifacts/artifacts>`__.
8
9 .. toctree::
10 :maxdepth: 2
11
12 sources/user/index
13 sources/background/index
14 Format specification <sources/Format-specification>
15 API documentation <sources/api/artifacts>
16
17
18 Indices and tables
19 ==================
20
21 * :ref:`genindex`
22 * :ref:`modindex`
23 * :ref:`search`
24
0 docutils
1 recommonmark
2 sphinx >= 2.0.1
3 sphinx-markdown-tables
4 sphinx-rtd-theme >= 0.5.1
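Review bot: `docutils`, `recommonmark` and `sphinx-markdown-tables` carry no version constraint and `sphinx` / `sphinx-rtd-theme` only a lower bound, so a documentation build (the Sphinx configuration added in this commit mentions readthedocs) resolves to whatever is newest at build time and is not reproducible. Pinning these, or at least adding upper bounds matching the versions the configuration was tested against (`needs_sphinx = '2.0.1'`), would make the build deterministic and make dependency updates reviewable as explicit changes.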
0 # Artifact definition format and style guide
1
2 The best way to show what an artifact definition is, is by example. The
3 following example is the artifact definition for the Windows EVTX System Event
4 Logs.
5
6 ```yaml
7 name: WindowsSystemEventLogEvtx
8 doc: Windows System Event log for Vista or later systems.
9 sources:
10 - type: FILE
11 attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']}
12 conditions: [os_major_version >= 6]
13 labels: [Logs]
14 supported_os: [Windows]
15 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
16 ```
17
18 The artifact definition can have the following values:
19
20 Value | Description
21 --- | ---
22 name | The name. An unique string that identifies the artifact definition. See section: [Name](#name).
23 doc | The description (or documentation). A human readable string that describes the artifact definition. See section: [Description](#description).
24 sources | A list of source definitions. See section: [Sources](#sources).
25 conditions | Optional list of conditions that describe when the artifact definition should apply. See section: [Conditions](#conditions).
26 labels | Optional list of predefined labels. See section: [Labels](#labels).
27 provides | Optional list of *TODO*
28 supported_os | Optional list that indicates which operating systems the artifact definition applies to. See section: [Supported operating system](#supported-operating-system).
29 urls | Optional list of URLs with more contextual information. Ideally the artifact definition links to an article that discusses the artifact in more depth for example on [Digital Forensics Artifact Knowledge Base](https://github.com/ForensicArtifacts/artifacts-kb).
30
31 ## Name
32
33 **Style note**: The name of an artifact defintion should be in CamelCase name
34 without spaces.
35
36 As of July 2016 we are migrating to the following naming convention:
37
38 * Prefix platform specific artifact definitions with the name of the operating system using "Linux", "MacOS" or "Windows"
39 * If not platform specific:
40 ** prefix with the application name, for example "ChromeHistory".
41 ** prefix with the name of the subsystem, for example "WMIComputerSystemProduct".
42
43 **Style note**: If the sole source of the artifact definition for example are
44 files use "BrowserHistoryFiles" instead of "BrowserHistory" to reduce ambiguity.
45
46 ## Description
47
48 **Style note**: Typically one line description of the artifact, mentioning
49 important caveats. If more than one line is necessary, use the multi-line YAML
50 Literal Style as indicated by the `|` character.
51
52 ```yaml
53 doc: |
54 The Windows run keys.
55
56 Note users.sid will currently only expand to SIDs with profiles on the system,
57 not all SIDs.
58 ```
59
60 **Style note**: the short description (first line) and the longer portion are
61 separated by an empty line.
62
63 **Style note**: explicit newlines (\n) should not be used.
64
65 ## Sources
66
67 Every source definition starts with a `type` followed by arguments for example:
68
69 ```yaml
70 sources:
71 - type: COMMAND
72 attributes:
73 args: [-qa]
74 cmd: /bin/rpm
75 ```
76
77 ```yaml
78 sources:
79 - type: FILE
80 attributes:
81 paths:
82 - /root/.bashrc
83 - /root/.cshrc
84 - /root/.ksh
85 - /root/.logout
86 - /root/.profile
87 - /root/.tcsh
88 - /root/.zlogin
89 - /root/.zlogout
90 - /root/.zprofile
91 - /root/.zprofile
92 ```
93
94 **Style note**: where sources take a single argument with a single value, the
95 one-line {} form should be used to save on line breaks as below:
96
97 ```yaml
98 - type: FILE
99 attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']}
100 ```
101
102 Value | Description
103 --- | ---
104 attributes | A dictionary of keyword attributes specific to the type of source definition.
105 type | The source type.
106 conditions | Optional list of conditions to when the artifact definition should apply. See section: [Conditions](#conditions).
107 supported_os | Optional list that indicates which operating systems the artifact definition applies to. See section: [Supported operating system](#supported-operating-system).
108
109 ### Source types
110
111 Currently the following different source types are defined:
112
113 Value | Description
114 --- | ---
115 ARTIFACT_GROUP | A source that consists of a group of other artifacts.
116 COMMAND | A source that consists of the output of a command.
117 FILE | A source that consists of the contents of files.
118 PATH | A source that consists of the contents of paths.
119 REGISTRY_KEY | A source that consists of the contents of Windows Registry keys.
120 REGISTRY_VALUE | A source that consists of the contents of Windows Registry values.
121 WMI | A source that consists of the output of Windows Management Instrumentation (WMI) queries.
122
123 The sources types are defined in
124 [definitions.py](https://github.com/ForensicArtifacts/artifacts/blob/main/artifacts/definitions.py).
125 as TYPE_INDICATOR constants.
126
127 ### Artifact group source
128
129 The artifact group source is a source that consists of a group of other artifacts e.g.
130
131 ```yaml
132 - type: ARTIFACT_GROUP
133 attributes:
134 names: [WindowsRunKeys, WindowsServices]
135 ```
136
137 Where `attributes` can contain the following values:
138
139 Value | Description
140 --- | ---
141 names | A list of artifact definition names that make up this "composite" artifact. This can also be used to group multiple artifact definitions into one for convenience.
142
143 ### Command source
144
145 The command source is a source that consists of the output of a command e.g.
146
147 ```yaml
148 - type: COMMAND
149 attributes:
150 args: [-qa]
151 cmd: /bin/rpm
152 ```
153
154 Where `attributes` can contain the following values:
155
156 Value | Description
157 --- | ---
158 args | A list arguments to pass to the command.
159 cmd | The path of the command.
160
161 ### File source
162
163 The file source is a source that consists of the contents of files e.g.
164
165 ```yaml
166 - type: FILE
167 attributes:
168 paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']
169 ```
170
171 Where `attributes` can contain the following values:
172
173 Value | Description
174 --- | ---
175 paths | A list of file paths that can potentially be collected. The paths can use parameter expansion e.g. `%%environ_systemroot%%`. See section: [Parameter expansion and globs](parameter-expansion-and-globs).
176 separator | Optional path segment seperator e.g. '\' for Windows systems. When not specified the default path segment separator is '/'.
177
178 ### Path source
179
180 The path source is a source that consists of the contents of paths e.g.
181
182 ```yaml
183 - type: PATH
184 attributes:
185 paths: ['\Program Files']
186 separator: '\'
187 ```
188
189 Where `attributes` can contain the following values:
190
191 Value | Description
192 --- | ---
193 paths | A list of file paths that can potentially be collected. The paths can use parameter expansion e.g. `%%environ_systemroot%%`. See section: [Parameter expansion and globs](parameter-expansion-and-globs).
194 separator | Optional path segment seperator e.g. '\' for Windows systems. When not specified the default path segment separator is '/'.
195
196 ### Windows Registry key source
197
198 The Windows Registry key source is a source that consists of the contents of
199 Windows Registry keys e.g.
200
201 ```yaml
202 sources:
203 - type: REGISTRY_KEY
204 attributes:
205 keys:
206 - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\TypedURLs\*'
207 ```
208
209 Where `attributes` can contain the following values:
210
211 Value | Description
212 --- | ---
213 keys | A list of Windows Registry key paths that can potentially be collected. The paths can use parameter expansion e.g. `%%users.sid%%`. See section: [Parameter expansion and globs](parameter-expansion-and-globs).
214
215 ### Windows Registry value source
216
217 The Windows Registry value source is a source that consists of the contents of
218 Windows Registry values e.g.
219
220 ```yaml
221 - type: REGISTRY_VALUE
222 attributes:
223 key_value_pairs:
224 - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654'}
225 ```
226
227 Where `attributes` can contain the following values:
228
229 Value | Description
230 --- | ---
231 key_value_pairs | A list of Windows Registry key paths and value names that can potentially be collected. The key path can use parameter expansion e.g. `%%users.sid%%`. See section: [Parameter expansion and globs](parameter-expansion-and-globs).
232
233 ### Windows Management Instrumentation (WMI) query source
234
235 The Windows Management Instrumentation (WMI) query source is a source that
236 consists of the output of Windows Management Instrumentation (WMI) queries e.g.
237
238 ```yaml
239 - type: WMI
240 attributes:
241 query: SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%'
242 ```
243
244 Where `attributes` can contain the following values:
245
246 Value | Description
247 --- | ---
248 base_object | Optional WMI base object e.g. `winmgmts:\root\SecurityCenter2`
249 query | The Windows Management Instrumentation (WMI) query. The query can use parameter expansion e.g. `%%users.username%%`. See section: [Parameter expansion and globs](parameter-expansion-and-globs).
250
251 ## Conditions
252
253 *TODO: work is in progress to move this out of GRR into something more portable.*
254
255 Artifact conditions are currently implemented using the
256 link:https://github.com/google/objectfilter[objectfilter] system that allows
257 you to apply complex conditions to the attributes of an object. Artifacts can
258 apply conditions to any of the Knowledge Base object attributes as defined in
259 the GRR link:https://github.com/google/grr/blob/master/proto/knowledge_base.proto[knowledge_base.proto].
260
261 **Style note**: single quotes should be used for strings when writing conditions.
262
263 ```yaml
264 conditions: [os_major_version >= 6 and time_zone == 'America/Los_Angeles']
265 ```
266
267 ## Supported operating system
268
269 Since operating system (OS) conditions are a very common constraint, this has
270 been provided as a separate option "supported_os" to simplify syntax. For
271 supported_os no quotes are required. The currently supported operating systems
272 are:
273
274 * Darwin (also used for Mac OS X)
275 * Linux
276 * Windows
277
278 ```yaml
279 supported_os: [Darwin, Linux, Windows]
280 ```
281
282 This can be translated to objectfilter as:
283
284 ```yaml
285 ["os =='Darwin'" OR "os=='Linux'" OR "os == 'Windows'"]
286 ```
287
288 ## Labels
289
290 Currently the following different labels are defined:
291
292 Value | Description
293 --- | ---
294 Antivirus | Antivirus related artifacts, e.g. quarantine files.
295 Authentication | Authentication artifacts.
296 Browser | Web Browser artifacts.
297 Cloud Storage | Cloud Storage artifacts.
298 Configuration Files | Configuration files artifacts.
299 Execution | Contain execution events.
300 External Media | Contain external media data or events e.g. USB drives.
301 KnowledgeBase | Artifacts used in knowledge base generation.
302 Logs | Contain log files.
303 Memory | Artifacts retrieved from memory.
304 Network | Describe networking state.
305 Processes | Describe running processes.
306 Software | Installed software.
307 System | Core system artifacts.
308 Users | Information about users.
309
310 The labes are defined in
311 link:https://github.com/ForensicArtifacts/artifacts/blob/main/artifacts/definitions.py[definitions.py].
312
313 ## Parameter expansion and globs
314
315 **TODO: add text**
316
317 ## Additional style notes
318
319 ### Artifact definition YAML files
320
321 Artifact definition YAML filenames should be of the form:
322
323 ```
324 $FILENAME.yaml
325 ```
326
327 Where $FILENAME is name of the file e.g. windows.yaml.
328
329 Each defintion file should have a comment at the top of the file with a
330 one-line summary describing the type of artifact definitions contained in the
331 file e.g.
332
333 ```yaml
334 # Windows specific artifacts.
335 ```
336
337 ### Lists
338
339 Generally use the short `[]` format for single-item lists that fit inside 80
340 characters to save on unnecessary line breaks:
341
342 ```yaml
343 labels: [Logs]
344 supported_os: [Windows]
345 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
346 ```
347
348 and the bulleted list form for multi-item lists or long lines:
349
350 ```yaml
351 paths:
352 - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*'
353 - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*'
354 - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*'
355 - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*'
356 - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*'
357 ```
358
359 ### Quotes
360
361 Quotes should not be used for doc strings, artifact names, and simple lists
362 like labels and supported_os.
363
364 Paths and URLs should use single quotes to avoid the need for manual escaping.
365
366 ```yaml
367 paths: ['%%environ_temp%%\*.exe']
368 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
369 ```
370
371 Double quotes should be used where escaping causes problems, such as
372 regular expressions:
373
374 ```yaml
375 content_regex_list: ["^%%users.username%%:[^:]*\n"]
376 ```
377
378 ### Minimize the number of definitions by using multiple sources
379
380 To minimize the number of artifacts in the list, combine them using the
381 supported_os and conditions attributes where it makes sense. e.g. rather than
382 having FirefoxHistoryWindows, FirefoxHistoryLinux, FirefoxHistoryDarwin, do:
383
384 ```yaml
385 name: FirefoxHistory
386 doc: Firefox places.sqlite files.
387 sources:
388 - type: FILE
389 attributes:
390 paths:
391 - %%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite
392 - %%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite
393 supported_os: [Windows]
394 - type: FILE
395 attributes:
396 paths: [%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite]
397 supported_os: [Darwin]
398 - type: FILE
399 attributes:
400 paths: ['%%users.homedir%%/.mozilla/firefox/*/places.sqlite']
401 supported_os: [Linux]
402 labels: [Browser]
403 supported_os: [Windows, Linux, Darwin]
404 ```
405
0 artifacts package
1 =================
2
3 Submodules
4 ----------
5
6 artifacts.artifact module
7 -------------------------
8
9 .. automodule:: artifacts.artifact
10 :members:
11 :undoc-members:
12 :show-inheritance:
13
14 artifacts.definitions module
15 ----------------------------
16
17 .. automodule:: artifacts.definitions
18 :members:
19 :undoc-members:
20 :show-inheritance:
21
22 artifacts.errors module
23 -----------------------
24
25 .. automodule:: artifacts.errors
26 :members:
27 :undoc-members:
28 :show-inheritance:
29
30 artifacts.reader module
31 -----------------------
32
33 .. automodule:: artifacts.reader
34 :members:
35 :undoc-members:
36 :show-inheritance:
37
38 artifacts.registry module
39 -------------------------
40
41 .. automodule:: artifacts.registry
42 :members:
43 :undoc-members:
44 :show-inheritance:
45
46 artifacts.source\_type module
47 -----------------------------
48
49 .. automodule:: artifacts.source_type
50 :members:
51 :undoc-members:
52 :show-inheritance:
53
54 artifacts.writer module
55 -----------------------
56
57 .. automodule:: artifacts.writer
58 :members:
59 :undoc-members:
60 :show-inheritance:
61
62 Module contents
63 ---------------
64
65 .. automodule:: artifacts
66 :members:
67 :undoc-members:
68 :show-inheritance:
0 artifacts
1 =========
2
3 .. toctree::
4 :maxdepth: 4
5
6 artifacts
0 ## Statistics
1
2 The artifact definitions can be found in the [data directory](https://github.com/ForensicArtifacts/artifacts/tree/main/data)
3 and the format is described in detail in the [Style Guide](https://artifacts.readthedocs.io/en/latest/sources/Format-specification.html).
4
5 Status of the repository as of 2021-06-20
6
7 Description | Number
8 --- | ---
9 Number of artifact definitions: | 573
10 Number of file paths: | 1220
11 Number of Windows Registry key paths: | 672
12
13 ### Artifact definition source types
14
15 Identifier | Number
16 --- | ---
17 ARTIFACT_GROUP | 24
18 COMMAND | 9
19 DIRECTORY | 14
20 FILE | 318
21 PATH | 8
22 REGISTRY_KEY | 51
23 REGISTRY_VALUE | 123
24 WMI | 26
25
26 ### Operating systems
27
28 Identifier | Number
29 --- | ---
30 Darwin | 42
31 Linux | 33
32 Windows | 31
33
34 ### Labels
35
36 Identifier | Number
37 --- | ---
38 Antivirus | 7
39 Authentication | 19
40 Browser | 28
41 Cloud | 2
42 Cloud Storage | 4
43 Configuration Files | 46
44 Docker | 2
45 External Media | 2
46 ExternalAccount | 3
47 Hadoop | 1
48 History Files | 3
49 Logs | 49
50 Mail | 15
51 Network | 17
52 Software | 43
53 System | 113
54 Users | 73
55 iOS | 5
56
0 # Terminology
1
2 The term artifact (or artefact) is widely used within computer (or digital)
3 forensics, though there is no official definition of this term.
4
5 The definition closest to the meaning of the word within computer forensics is
6 that of the word artifact within
7 [archaeology](https://en.wikipedia.org/wiki/Artifact_(archaeology)). The term
8 should not be confused with the word artifact used within
9 [software development](https://en.wikipedia.org/wiki/Artifact_(software_development)).
10
11 If archaeology defines an artifact as:
12
13 ```
14 something made or given shape by man, such as a tool or
15 a work of art, esp an object of archaeological interest
16 ```
17
18 The definition of artifact within computer forensics could be:
19
20 ```
21 An object of digital archaeological interest.
22 ```
23
24 Where digital archaeology roughly refers to computer forensics without the
25 forensic (legal) context.
0 ##########
1 Background
2 ##########
3
4 The first version of the artifact definitions originated from the
5 `GRR project <https://github.com/google/grr>`__, where it is used to describe
6 and quickly collect data of interest, for example specific files or Windows
7 Registry keys. The goal of the format is to provide a tool independent way to
8 describe the majority of forensic artifacts in a language that is readable by
9 humans and machines.
10
11 The format is designed to be simple and straight forward, so that a digital
12 forensic analysist is able to quickly write artifact definitions during an
13 investigation without having to rely on complex standards or tooling.
14
15 The format is intended to describe forensically-relevant data on a machine,
16 while being tool agnostic. In particular we intentionally avoided adding
17 IOC-like logic, or describing how the data should be collected since this
18 various between tools.
19
20 For some background on the artifacts system and how we expect it to be used see
21 `this Blackhat presentation <https://www.blackhat.com/us-14/archives.html#grr-find-all-the-badness-collect-all-the-things>`__
22 and `YouTube video <https://www.youtube.com/watch?v=ren6QSvwFvg>`__ from the GRR team.
23
24 .. toctree::
25 :maxdepth: 2
26
27 Terminology <Terminology>
28 Statistics <Stats>
0 # Installation instructions
1
2 ## pip
3
4 **Note that using pip outside virtualenv is not recommended since it ignores
5 your systems package manager. If you aren't comfortable debugging package
6 installation issues, this is not the option for you.**
7
8 Create and activate a virtualenv:
9
10 ```bash
11 virtualenv artifactsenv
12 cd artifactsenv
13 source ./bin/activate
14 ```
15
16 Upgrade pip and install Forensics Artifacts dependencies:
17
18 ```bash
19 pip install --upgrade pip
20 pip install artifacts
21 ```
22
23 To deactivate the virtualenv run:
24
25 ```bash
26 deactivate
27 ```
28
29 ## Ubuntu 18.04 and 20.04 LTS
30
31 To install Forensics Artifacts from the [GIFT Personal Package Archive (PPA)](https://launchpad.net/~gift):
32
33 ```bash
34 sudo add-apt-repository ppa:gift/stable
35 ```
36
37 Update and install Forensics Artifacts:
38
39 ```bash
40 sudo apt-get update
41 sudo apt-get install python3-artifacts
42 ```
43
44 ## Windows
45
46 The [l2tbinaries](https://github.com/log2timeline/l2tbinaries) contains the
47 necessary packages for running Forensics Artifacts. l2tbinaries provides the following
48 branches:
49
50 * main; branch intended for the "packaged release" of Forensics Artifacts and dependencies;
51 * dev; branch intended for the "development release" of Forensics Artifacts;
52 * testing; branch intended for testing newly created packages.
53
54 The l2tdevtools project provides [an update script](https://github.com/log2timeline/l2tdevtools/wiki/Update-script)
55 to ease the process of keeping the dependencies up to date.
56
57 The script requires [pywin32](https://github.com/mhammond/pywin32/releases) and
58 [Python WMI](https://pypi.org/project/WMI/).
59
60 To install the release versions of the dependencies run:
61
62 ```
63 set PYTHONPATH=.
64
65 C:\Python38\python.exe tools\update.py --preset artifacts
66 ```
0 ###############
1 Getting started
2 ###############
3
4 To be able to use Forensics Artifacts you first need to install it. There are
5 multiple ways to install Forensics Artifacts, check the following instructions
6 for more detail.
7
8 .. toctree::
9 :maxdepth: 2
10
11 Installation instructions <Installation-instructions>
00 #!/usr/bin/env python
11 # -*- coding: utf-8 -*-
22 """Installation and deployment script."""
3
4 from __future__ import print_function
53
64 import glob
75 import os
0 [funcsigs]
1 dpkg_name: python-funcsigs
2 minimum_version: 1.0.2
3 python2_only: true
4 rpm_name: python2-funcsigs
5 version_property: __version__
6
70 [mock]
81 dpkg_name: python-mock
92 minimum_version: 2.0.0
0 funcsigs >= 1.0.2 ; python_version < '3.0'
10 mock >= 2.0.0
21 pbr >= 4.2.0
32 six >= 1.1.0
2424 self._source_type_counts = {}
2525 self._total_count = 0
2626
27 def _PrintDictAsTable(self, src_dict):
27 def _PrintDictAsTable(self, title, src_dict):
2828 """Prints a table of artifact definitions.
2929
3030 Args:
31 title (str): title of the table.
3132 src_dict (dict[str, ArtifactDefinition]): artifact definitions by name.
3233 """
33 key_list = list(src_dict.keys())
34 key_list.sort()
34 print('### {0:s}'.format(title))
35 print('')
36 print('Identifier | Number')
37 print('--- | ---')
3538
36 print('|', end='')
37 for key in key_list:
38 print(' {0:s} |'.format(key), end='')
39 for key, value in sorted(src_dict.items()):
40 print('{0:s} | {1!s}'.format(key, value))
41
3942 print('')
40
41 print('|', end='')
42 for key in key_list:
43 print(' :---: |', end='')
44 print('')
45
46 print('|', end='')
47 for key in key_list:
48 print(' {0!s} |'.format(src_dict[key]), end='')
49 print('\n')
5043
5144 def PrintOSTable(self):
5245 """Prints a table of artifact definitions by operating system."""
53 print('**Artifacts by OS**\n')
54 self._PrintDictAsTable(self._os_counts)
46 self._PrintDictAsTable('Operating systems', self._os_counts)
5547
5648 def PrintLabelTable(self):
5749 """Prints a table of artifact definitions by label."""
58 print('**Artifacts by label**\n')
59 self._PrintDictAsTable(self._label_counts)
50 self._PrintDictAsTable('Labels', self._label_counts)
6051
6152 def PrintSourceTypeTable(self):
6253 """Prints a table of artifact definitions by source type."""
63 print('**Artifacts by type**\n')
64 self._PrintDictAsTable(self._source_type_counts)
54 self._PrintDictAsTable(
55 'Artifact definition source types', self._source_type_counts)
6556
6657 def PrintSummaryTable(self):
6758 """Prints a summary table."""
68 print("""
59 date_time_string = time.strftime('%Y-%m-%d')
6960
70 As of {0:s} the repository contains:
61 print("""Status of the repository as of {0:s}
7162
72 | **File paths covered** | **{1:d}** |
73 | :------------------ | ------: |
74 | **Registry keys covered** | **{2:d}** |
75 | **Total artifacts** | **{3:d}** |
63 Description | Number
64 --- | ---
65 Number of artifact definitions: | {1:d}
66 Number of file paths: | {2:d}
67 Number of Windows Registry key paths: | {3:d}
7668 """.format(
77 time.strftime('%Y-%m-%d'), self._path_count, self._reg_key_count,
78 self._total_count))
69 date_time_string, self._total_count, self._path_count, self._reg_key_count))
7970
8071 def BuildStats(self):
8172 """Builds the statistics."""
112103
113104 def PrintStats(self):
114105 """Build stats and print in MarkDown format."""
106 print("""## Statistics
107
108 The artifact definitions can be found in the [data directory]({0:s})
109 and the format is described in detail in the [Style Guide]({1:s}).
110 """.format('https://github.com/ForensicArtifacts/artifacts/tree/main/data',
111 ('https://artifacts.readthedocs.io/en/latest/sources/'
112 'Format-specification.html')))
113
115114 self.BuildStats()
116115 self.PrintSummaryTable()
117116 self.PrintSourceTypeTable()
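Review bot: `date_time_string = time.strftime('%Y-%m-%d')` on new line 59 of PrintSummaryTable stamps the statistics page with the local date, while the release script in this same import derives the version with `date -u`, so the "Status of the repository as of" date and the release version can disagree near midnight depending on the machine's timezone. `date_time_string = time.strftime('%Y-%m-%d', time.gmtime())` keeps the two consistent. In _PrintDictAsTable the new header lines write `title` and each dict key straight into Markdown table cells, so a key containing `|` would break the table; the keys presumably come from the project's own definitions, which makes this low risk, but the docstring could say so, e.g. `Keys are written verbatim into Markdown cells and must not contain '|'.`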
00 [tox]
1 envlist = py3{6,7,8},coverage,pylint
1 envlist = py3{6,7,8,9,10},coverage,docs,pylint
22
33 [testenv]
44 pip_pre = True
99 -rtest_requirements.txt
1010 coverage: coverage
1111 commands =
12 py3{6,7,8}: ./run_tests.py
12 py3{6,7,8,9,10}: ./run_tests.py
1313 coverage: coverage erase
1414 coverage: coverage run --source=artifacts --omit="*_test*,*__init__*,*test_lib*" run_tests.py
1515
1616 [testenv:codecov]
1717 skip_install = true
1818 passenv =
19 CI
20 TRAVIS_BUILD_ID
21 TRAVIS_COMMIT
22 TRAVIS_JOB_ID
23 TRAVIS_JOB_NUMBER
24 TRAVIS_PULL_REQUEST
25 TRAVIS_REPO_SLUG
26 TRAVIS TRAVIS_BRANCH
19 GITHUB_ACTION
20 GITHUB_HEAD_REF
21 GITHUB_REF
22 GITHUB_REPOSITORY
23 GITHUB_RUN_ID
24 GITHUB_SHA
2725 deps =
28 codecov
26 codecov < 2.1.10
2927 commands =
3028 codecov
29
30 [testenv:docs]
31 usedevelop = true
32 deps =
33 -rdocs/requirements.txt
34 commands =
35 sphinx-build -b html -d build/doctrees docs dist/docs
36 sphinx-build -b linkcheck docs dist/docs
3137
3238 [testenv:pylint]
3339 skipsdist=True
3743 deps =
3844 -rrequirements.txt
3945 -rtest_requirements.txt
40 pylint >= 2.4.0, < 2.5.0
46 pylint >= 2.6.0, < 2.7.0
4147 commands =
4248 pylint --version
4349 # Ignore setup.py for now due to:
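Review bot: The new `docs` env (lines 30–36) runs `sphinx-build -b linkcheck`, which needs network access and fails whenever any external URL in the docs is unreachable, so `tox -edocs` — which the updated release script in this import now invokes — becomes non-deterministic and can block a release on an outage of an unrelated site. Keeping the html build and linkcheck in separate envs, or running linkcheck only from CI, would keep the release step reproducible. The `codecov < 2.1.10` cap on line 26 also carries no rationale; a short comment such as `# capped below 2.1.10 because <reason> — see <issue placeholder>` would let the next maintainer decide when it can be lifted.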
00 # -*- coding: utf-8 -*-
11 """Helper to check for availability and version of dependencies."""
22
3 from __future__ import print_function
4 from __future__ import unicode_literals
5
63 import configparser
4 import os
75 import re
86
97
1311 Attributes:
1412 dpkg_name (str): name of the dpkg package that provides the dependency.
1513 is_optional (bool): True if the dependency is optional.
16 l2tbinaries_macos_name (str): name of the l2tbinaries macos package that
17 provides the dependency.
1814 l2tbinaries_name (str): name of the l2tbinaries package that provides
1915 the dependency.
2016 maximum_version (str): maximum supported version, a greater or equal
2824 rpm_name (str): name of the rpm package that provides the dependency.
2925 skip_check (bool): True if the dependency should be skipped by the
3026 CheckDependencies or CheckTestDependencies methods of DependencyHelper.
27 skip_requires (bool): True if the dependency should be excluded from
28 requirements.txt or setup.py install_requires.
3129 version_property (str): name of the version attribute or function.
3230 """
3331
4038 super(DependencyDefinition, self).__init__()
4139 self.dpkg_name = None
4240 self.is_optional = False
43 self.l2tbinaries_macos_name = None
4441 self.l2tbinaries_name = None
4542 self.maximum_version = None
4643 self.minimum_version = None
5047 self.python3_only = False
5148 self.rpm_name = None
5249 self.skip_check = None
50 self.skip_requires = None
5351 self.version_property = None
5452
5553
5957 _VALUE_NAMES = frozenset([
6058 'dpkg_name',
6159 'is_optional',
62 'l2tbinaries_macos_name',
6360 'l2tbinaries_name',
6461 'maximum_version',
6562 'minimum_version',
6865 'python3_only',
6966 'rpm_name',
7067 'skip_check',
68 'skip_requires',
7169 'version_property'])
7270
7371 def _GetConfigValue(self, config_parser, section_name, value_name):
117115 _VERSION_NUMBERS_REGEX = re.compile(r'[0-9.]+')
118116 _VERSION_SPLIT_REGEX = re.compile(r'\.|\-')
119117
120 def __init__(self, configuration_file='dependencies.ini'):
118 def __init__(
119 self, dependencies_file='dependencies.ini',
120 test_dependencies_file='test_dependencies.ini'):
121121 """Initializes a dependency helper.
122122
123123 Args:
124 configuration_file (Optional[str]): path to the dependencies
124 dependencies_file (Optional[str]): path to the dependencies configuration
125 file.
126 test_dependencies_file (Optional[str]): path to the test dependencies
125127 configuration file.
126128 """
127129 super(DependencyHelper, self).__init__()
130132
131133 dependency_reader = DependencyDefinitionReader()
132134
133 with open(configuration_file, 'r') as file_object:
135 with open(dependencies_file, 'r') as file_object:
134136 for dependency in dependency_reader.Read(file_object):
135137 self.dependencies[dependency.name] = dependency
136138
137 dependency = DependencyDefinition('mock')
138 dependency.minimum_version = '0.7.1'
139 dependency.version_property = '__version__'
140 self._test_dependencies['mock'] = dependency
139 if os.path.exists(test_dependencies_file):
140 with open(test_dependencies_file, 'r') as file_object:
141 for dependency in dependency_reader.Read(file_object):
142 self._test_dependencies[dependency.name] = dependency
141143
142144 def _CheckPythonModule(self, dependency):
143145 """Checks the availability of a Python module.
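Review bot: `self.skip_requires = None` on new line 50 does not match the attribute documentation added on lines 27–28, which declares `skip_requires (bool)`; initialising it as `self.skip_requires = False`, the way `is_optional` is, keeps the attribute's type stable for callers that test it (the pre-existing `skip_check = None` has the same mismatch). The new `open(test_dependencies_file, 'r')` on line 140 also inherits the locale-dependent default encoding of the existing dependencies_file read on line 135; passing `encoding='utf-8'` to both opens makes parsing independent of the caller's locale. Both enclosing class definitions start outside the hunk.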
00 #!/bin/bash
11 # Script to update the version information.
22
3 DATE_VERSION=`date +"%Y%m%d"`;
4 DATE_DPKG=`date -R`;
5 EMAIL_DPKG="Forensic artifacts <forensicartifacts@googlegroups.com>";
3 EXIT_FAILURE=1;
4 EXIT_SUCCESS=0;
65
7 sed -i -e "s/^\(__version__ = \)'[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'$/\1'${DATE_VERSION}'/" artifacts/__init__.py
8 sed -i -e "s/^\(artifacts \)([0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-1)/\1(${DATE_VERSION}-1)/" config/dpkg/changelog
9 sed -i -e "s/^\( -- ${EMAIL_DPKG} \).*$/\1${DATE_DPKG}/" config/dpkg/changelog
6 VERSION=`date -u +"%Y%m%d"`
7 DPKG_DATE=`date -R`
8
9 # Update the Python module version.
10 sed "s/__version__ = '[0-9]*'/__version__ = '${VERSION}'/" -i artifacts/__init__.py
11
12 # Update the version in the dpkg configuration files.
13 cat > config/dpkg/changelog << EOT
14 artifacts (${VERSION}-1) unstable; urgency=low
15
16 * Auto-generated
17
18 -- Forensic artifacts <forensicartifacts@googlegroups.com> ${DPKG_DATE}
19 EOT
20
21 # Regenerate the statistics documentation.
22 PYTHONPATH=. ./tools/stats.py > docs/sources/background/Stats.md
23
24 # Regenerate the API documentation.
25 tox -edocs
26
27 exit ${EXIT_SUCCESS};
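Review bot: `EXIT_FAILURE` is defined on line 3 but never used, and none of the steps that follow are checked: if `./tools/stats.py` fails on line 22 the redirect has already truncated docs/sources/background/Stats.md, and the script still reaches `exit ${EXIT_SUCCESS}` on line 27, so a broken changelog or an empty statistics page can be committed as a release. Adding `set -e` after the shebang aborts on the first failing sed, cat, stats.py or tox step. Writing the statistics to a temporary file first, `PYTHONPATH=. ./tools/stats.py > docs/sources/background/Stats.md.tmp && mv docs/sources/background/Stats.md.tmp docs/sources/background/Stats.md || exit ${EXIT_FAILURE};`, additionally avoids leaving a truncated file behind when the generator fails.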