Import upstream version 20210404
Debian Janitor
2 years ago
0 | # Run tests on Fedora and Ubuntu Docker images using GIFT CORP and GIFT PPA on commit | |
1 | name: test_docker | |
2 | on: [push] | |
3 | jobs: | |
4 | test_fedora: | |
5 | runs-on: ubuntu-latest | |
6 | strategy: | |
7 | matrix: | |
8 | version: ['32', '33'] | |
9 | container: | |
10 | image: registry.fedoraproject.org/fedora:${{ matrix.version }} | |
11 | steps: | |
12 | - uses: actions/checkout@v2 | |
13 | - name: Set up container | |
14 | run: | | |
15 | dnf install -y dnf-plugins-core langpacks-en | |
16 | - name: Install dependencies | |
17 | run: | | |
18 | dnf copr -y enable @gift/dev | |
19 | dnf install -y python3 python3-mock python3-pbr python3-pyyaml python3-setuptools python3-six | |
20 | - name: Run tests | |
21 | env: | |
22 | LANG: C.utf8 | |
23 | run: | | |
24 | python3 ./run_tests.py | |
25 | - name: Run end-to-end tests | |
26 | run: | | |
27 | if test -f tests/end-to-end.py; then PYTHONPATH=. python3 ./tests/end-to-end.py --debug -c config/end-to-end.ini; fi | |
28 | - name: Build source distribution | |
29 | run: | | |
30 | python3 ./setup.py sdist | |
31 | - name: Build binary distribution | |
32 | run: | | |
33 | python3 ./setup.py bdist | |
34 | - name: Run build and install test | |
35 | run: | | |
36 | python3 ./setup.py build | |
37 | python3 ./setup.py install | |
38 | test_ubuntu: | |
39 | runs-on: ubuntu-latest | |
40 | strategy: | |
41 | matrix: | |
42 | version: ['18.04', '20.04'] | |
43 | container: | |
44 | image: ubuntu:${{ matrix.version }} | |
45 | steps: | |
46 | - uses: actions/checkout@v2 | |
47 | - name: Set up container | |
48 | env: | |
49 | DEBIAN_FRONTEND: noninteractive | |
50 | run: | | |
51 | apt-get update -q | |
52 | apt-get install -y libterm-readline-gnu-perl locales software-properties-common | |
53 | locale-gen en_US.UTF-8 | |
54 | ln -f -s /usr/share/zoneinfo/UTC /etc/localtime | |
55 | - name: Install dependencies | |
56 | run: | | |
57 | add-apt-repository -y ppa:gift/dev | |
58 | apt-get update -q | |
59 | apt-get install -y python3 python3-distutils python3-mock python3-pbr python3-setuptools python3-six python3-yaml | |
60 | - name: Run tests | |
61 | env: | |
62 | LANG: en_US.UTF-8 | |
63 | run: | | |
64 | python3 ./run_tests.py | |
65 | - name: Run end-to-end tests | |
66 | env: | |
67 | LANG: en_US.UTF-8 | |
68 | run: | | |
69 | if test -f tests/end-to-end.py; then PYTHONPATH=. python3 ./tests/end-to-end.py --debug -c config/end-to-end.ini; fi | |
70 | - name: Build source distribution | |
71 | run: | | |
72 | python3 ./setup.py sdist | |
73 | - name: Build binary distribution | |
74 | run: | | |
75 | python3 ./setup.py bdist | |
76 | - name: Run build and install test | |
77 | run: | | |
78 | python3 ./setup.py build | |
79 | python3 ./setup.py install |
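Review bot: The workflow declares no `permissions:` block, so both jobs run with the repository's default GITHUB_TOKEN scope even though the steps only check out, build and test; add a top-level `permissions:` / `  contents: read` to keep the token read-only (the test_tox workflow in this commit has the same gap). `actions/checkout@v2` on lines 12 and 46 is a floating tag that can change underneath the build; pinning it to a full commit SHA with the tag in a trailing comment makes the checkout step reproducible. As a smaller consistency point, the Fedora "Run end-to-end tests" step (lines 25–27) does not set the `LANG` env that its Ubuntu counterpart (lines 65–69) does, so the two jobs do not exercise the same locale path.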
0 | # Run tox tests on Ubuntu Docker images using GIFT PPA | |
1 | name: test_tox | |
2 | on: [push, pull_request] | |
3 | jobs: | |
4 | build: | |
5 | runs-on: ubuntu-latest | |
6 | strategy: | |
7 | matrix: | |
8 | include: | |
9 | - python-version: 3.6 | |
10 | toxenv: 'py36' | |
11 | - python-version: 3.7 | |
12 | toxenv: 'py37' | |
13 | - python-version: 3.8 | |
14 | toxenv: 'py38,coverage,codecov' | |
15 | - python-version: 3.8 | |
16 | toxenv: 'pylint' | |
17 | - python-version: 3.8 | |
18 | toxenv: 'docs' | |
19 | container: | |
20 | image: ubuntu:20.04 | |
21 | steps: | |
22 | - uses: actions/checkout@v2 | |
23 | - name: Set up container | |
24 | env: | |
25 | DEBIAN_FRONTEND: noninteractive | |
26 | run: | | |
27 | apt-get update -q | |
28 | apt-get install -y libterm-readline-gnu-perl locales software-properties-common | |
29 | locale-gen en_US.UTF-8 | |
30 | ln -f -s /usr/share/zoneinfo/UTC /etc/localtime | |
31 | - name: Install dependencies | |
32 | env: | |
33 | DEBIAN_FRONTEND: noninteractive | |
34 | run: | | |
35 | add-apt-repository -y universe | |
36 | add-apt-repository -y ppa:deadsnakes/ppa | |
37 | add-apt-repository -y ppa:gift/dev | |
38 | apt-get update -q | |
39 | apt-get install -y build-essential git python${{ matrix.python-version }} python${{ matrix.python-version }}-dev tox python3-distutils python3-mock python3-pbr python3-setuptools python3-six python3-yaml | |
40 | - name: Run tests | |
41 | env: | |
42 | LANG: en_US.UTF-8 | |
43 | run: | | |
44 | tox -e${{ matrix.toxenv }} |
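Review bot: The `python-version` matrix values on lines 9–17 are unquoted YAML floats; they happen to round-trip for 3.6–3.8, but the same pattern turns a future 3.10 into `3.1` when it is interpolated into `python${{ matrix.python-version }}` on line 39, so quote them now (`- python-version: '3.6'`) as the `toxenv` values already are. `DEBIAN_FRONTEND: noninteractive` is repeated on both apt steps (lines 24–25 and 32–33) and could be a single job-level `env:`. With `on: [push, pull_request]` every pull request opened from a branch of this repository runs the matrix twice, once per event; if that is not intended, restricting `push` to the default branch avoids the duplicate runs.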
0 | # Pylint 2.4.x configuration file | |
0 | # Pylint 2.6.x configuration file | |
1 | 1 | # |
2 | 2 | # This file is generated by l2tdevtools update-dependencies.py, any dependency |
3 | 3 | # related changes should be made in dependencies.ini. |
8 | 8 | # run arbitrary code. |
9 | 9 | extension-pkg-whitelist= |
10 | 10 | |
11 | # Specify a score threshold to be exceeded before program exits with error. | |
12 | fail-under=10.0 | |
13 | ||
11 | 14 | # Add files or directories to the blacklist. They should be base names, not |
12 | 15 | # paths. |
13 | 16 | ignore=CVS |
35 | 38 | |
36 | 39 | # Pickle collected data for later comparisons. |
37 | 40 | persistent=yes |
38 | ||
39 | # Specify a configuration file. | |
40 | #rcfile= | |
41 | 41 | |
42 | 42 | # When enabled, pylint would attempt to guess common misconfiguration and emit |
43 | 43 | # user-friendly hints instead of false-positive error messages. |
78 | 78 | no-absolute-import, |
79 | 79 | no-self-use, |
80 | 80 | parameter-unpacking, |
81 | raise-missing-from, | |
81 | 82 | raw-checker-failed, |
83 | super-with-arguments, | |
82 | 84 | suppressed-message, |
83 | 85 | too-few-public-methods, |
84 | 86 | too-many-ancestors, |
99 | 101 | # either give multiple identifier separated by comma (,) or put this option |
100 | 102 | # multiple time (only on the command line, not in the configuration file where |
101 | 103 | # it should appear only once). See also the "--disable" option for examples. |
102 | # enable=c-extension-no-member | |
103 | 104 | enable= |
104 | 105 | |
105 | 106 | |
125 | 126 | reports=no |
126 | 127 | |
127 | 128 | # Activate the evaluation score. |
128 | # score=yes | |
129 | 129 | score=no |
130 | 130 | |
131 | 131 | |
228 | 228 | |
229 | 229 | [LOGGING] |
230 | 230 | |
231 | # Format style used to check logging format string. `old` means using % | |
232 | # formatting, `new` is for `{}` formatting,and `fstr` is for f-strings. | |
231 | # The type of string formatting that logging methods do. `old` means using % | |
232 | # formatting, `new` is for `{}` formatting. | |
233 | 233 | logging-format-style=old |
234 | 234 | |
235 | 235 | # Logging modules to check that the string format arguments are in logging |
244 | 244 | |
245 | 245 | # Regular expression matching correct argument names. Overrides argument- |
246 | 246 | # naming-style. |
247 | #argument-rgx= | |
248 | 247 | argument-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ |
249 | 248 | |
250 | 249 | # Naming style matching correct attribute names. |
252 | 251 | |
253 | 252 | # Regular expression matching correct attribute names. Overrides attr-naming- |
254 | 253 | # style. |
255 | #attr-rgx= | |
256 | 254 | attr-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ |
257 | 255 | |
258 | 256 | # Bad variable names which should always be refused, separated by a comma. |
263 | 261 | tutu, |
264 | 262 | tata |
265 | 263 | |
264 | # Bad variable names regexes, separated by a comma. If names match any regex, | |
265 | # they will always be refused | |
266 | bad-names-rgxs= | |
267 | ||
266 | 268 | # Naming style matching correct class attribute names. |
267 | 269 | class-attribute-naming-style=any |
268 | 270 | |
269 | 271 | # Regular expression matching correct class attribute names. Overrides class- |
270 | 272 | # attribute-naming-style. |
271 | #class-attribute-rgx= | |
272 | 273 | class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]*|(__.*__))$ |
273 | 274 | |
274 | 275 | # Naming style matching correct class names. |
276 | 277 | |
277 | 278 | # Regular expression matching correct class names. Overrides class-naming- |
278 | 279 | # style. |
279 | #class-rgx= | |
280 | 280 | class-rgx=[A-Z_][a-zA-Z0-9]+$ |
281 | 281 | |
282 | 282 | # Naming style matching correct constant names. |
284 | 284 | |
285 | 285 | # Regular expression matching correct constant names. Overrides const-naming- |
286 | 286 | # style. |
287 | #const-rgx= | |
288 | 287 | const-rgx=(([a-zA-Z_][a-zA-Z0-9_]*)|(__.*__))$ |
289 | 288 | |
290 | 289 | # Minimum line length for functions/classes that require docstrings, shorter |
296 | 295 | |
297 | 296 | # Regular expression matching correct function names. Overrides function- |
298 | 297 | # naming-style. |
299 | #function-rgx= | |
300 | 298 | function-rgx=[A-Z_][a-zA-Z0-9_]*$ |
301 | 299 | |
302 | 300 | # Good variable names which should always be accepted, separated by a comma. |
307 | 305 | Run, |
308 | 306 | _ |
309 | 307 | |
308 | # Good variable names regexes, separated by a comma. If names match any regex, | |
309 | # they will always be accepted | |
310 | good-names-rgxs= | |
311 | ||
310 | 312 | # Include a hint for the correct naming format with invalid-name. |
311 | 313 | include-naming-hint=no |
312 | 314 | |
315 | 317 | |
316 | 318 | # Regular expression matching correct inline iteration names. Overrides |
317 | 319 | # inlinevar-naming-style. |
318 | #inlinevar-rgx= | |
319 | 320 | inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$ |
320 | 321 | |
321 | 322 | # Naming style matching correct method names. |
323 | 324 | |
324 | 325 | # Regular expression matching correct method names. Overrides method-naming- |
325 | 326 | # style. |
326 | #method-rgx= | |
327 | 327 | method-rgx=(test|[A-Z_])[a-zA-Z0-9_]*$ |
328 | 328 | |
329 | 329 | # Naming style matching correct module names. |
331 | 331 | |
332 | 332 | # Regular expression matching correct module names. Overrides module-naming- |
333 | 333 | # style. |
334 | #module-rgx= | |
335 | 334 | module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$ |
336 | 335 | |
337 | 336 | # Colon-delimited sets of names that determine each other's naming style when |
352 | 351 | |
353 | 352 | # Regular expression matching correct variable names. Overrides variable- |
354 | 353 | # naming-style. |
355 | #variable-rgx= | |
356 | 354 | variable-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ |
357 | 355 | |
358 | 356 | |
363 | 361 | XXX, |
364 | 362 | TODO |
365 | 363 | |
364 | # Regular expression of note tags to take in consideration. | |
365 | #notes-rgx= | |
366 | ||
366 | 367 | |
367 | 368 | [FORMAT] |
368 | 369 | |
377 | 378 | |
378 | 379 | # String used as indentation unit. This is usually " " (4 spaces) or "\t" (1 |
379 | 380 | # tab). |
380 | # indent-string=' ' | |
381 | 381 | indent-string=' ' |
382 | 382 | |
383 | 383 | # Maximum number of characters on a single line. |
384 | # max-line-length=100 | |
385 | 384 | max-line-length=80 |
386 | 385 | |
387 | 386 | # Maximum number of lines in a module. |
388 | 387 | max-module-lines=1000 |
389 | ||
390 | # List of optional constructs for which whitespace checking is disabled. `dict- | |
391 | # separator` is used to allow tabulation in dicts, etc.: {1 : 1,\n222: 2}. | |
392 | # `trailing-comma` allows a space between comma and closing bracket: (a, ). | |
393 | # `empty-line` allows space-only lines. | |
394 | no-space-check=trailing-comma, | |
395 | dict-separator | |
396 | 388 | |
397 | 389 | # Allow the body of a class to be on the same line as the declaration if body |
398 | 390 | # contains single statement. |
408 | 400 | # Limits count of emitted suggestions for spelling mistakes. |
409 | 401 | max-spelling-suggestions=4 |
410 | 402 | |
411 | # Spelling dictionary name. Available dictionaries: en_NA (myspell), en_NZ | |
412 | # (myspell), en_ZM (myspell), en_CA (myspell), en_GH (myspell), en_IN | |
413 | # (myspell), en_TT (myspell), en_BS (myspell), en_DK (myspell), en_MW | |
414 | # (myspell), en_ZW (myspell), en_BW (myspell), en_ZA (myspell), en_BZ | |
415 | # (myspell), en_JM (myspell), en_US (myspell), en_PH (myspell), en_GB | |
416 | # (myspell), en_SG (myspell), en_IE (myspell), en_HK (myspell), en_AU | |
417 | # (myspell), en_AG (myspell), en_NG (myspell). | |
403 | # Spelling dictionary name. Available dictionaries: en_AG (hunspell), en_AU | |
404 | # (hunspell), en_BS (hunspell), en_BW (hunspell), en_BZ (hunspell), en_CA | |
405 | # (hunspell), en_DK (hunspell), en_GB (hunspell), en_GH (hunspell), en_HK | |
406 | # (hunspell), en_IE (hunspell), en_IN (hunspell), en_JM (hunspell), en_MW | |
407 | # (hunspell), en_NA (hunspell), en_NG (hunspell), en_NZ (hunspell), en_PH | |
408 | # (hunspell), en_SG (hunspell), en_TT (hunspell), en_US (hunspell), en_ZA | |
409 | # (hunspell), en_ZM (hunspell), en_ZW (hunspell). | |
418 | 410 | spelling-dict= |
419 | 411 | |
420 | 412 | # List of comma separated words that should not be checked. |
445 | 437 | |
446 | 438 | [STRING] |
447 | 439 | |
448 | # This flag controls whether the implicit-str-concat-in-sequence should | |
449 | # generate a warning on implicit string concatenation in sequences defined over | |
450 | # several lines. | |
440 | # This flag controls whether inconsistent-quotes generates a warning when the | |
441 | # character used as a quote delimiter is used inconsistently within a module. | |
442 | check-quote-consistency=no | |
443 | ||
444 | # This flag controls whether the implicit-str-concat should generate a warning | |
445 | # on implicit string concatenation in sequences defined over several lines. | |
451 | 446 | check-str-concat-over-line-jumps=no |
452 | 447 | |
453 | 448 | |
454 | 449 | [DESIGN] |
455 | 450 | |
456 | 451 | # Maximum number of arguments for function / method. |
457 | # max-args=5 | |
458 | 452 | max-args=10 |
459 | 453 | |
460 | 454 | # Maximum number of attributes for a class (see R0902). |
548 | 542 | preferred-modules= |
549 | 543 | |
550 | 544 | |
545 | [PARAMETER_DOCUMENTATION] | |
546 | ||
547 | # Whether to accept totally missing parameter documentation in the docstring of | |
548 | # a function that has parameters. | |
549 | accept-no-param-doc=yes | |
550 | ||
551 | # Whether to accept totally missing raises documentation in the docstring of a | |
552 | # function that raises an exception. | |
553 | accept-no-raise-doc=yes | |
554 | ||
555 | # Whether to accept totally missing return documentation in the docstring of a | |
556 | # function that returns a statement. | |
557 | accept-no-return-doc=yes | |
558 | ||
559 | # Whether to accept totally missing yields documentation in the docstring of a | |
560 | # generator. | |
561 | accept-no-yields-doc=yes | |
562 | ||
563 | # If the docstring type cannot be guessed the specified docstring type will be | |
564 | # used. | |
565 | default-docstring-type=default | |
566 | ||
567 | ||
551 | 568 | [EXCEPTIONS] |
552 | 569 | |
553 | 570 | # Exceptions that will emit a warning when being caught. Defaults to |
0 | version: ~> 1.0 | |
1 | language: generic | |
2 | arch: amd64 | |
3 | os: linux | |
4 | dist: focal | |
5 | jobs: | |
6 | include: | |
7 | - name: "Fedora 31 (Docker) with Python 3.7" | |
8 | env: FEDORA_VERSION="31" | |
9 | group: edge | |
10 | language: python | |
11 | python: 3.7 | |
12 | services: | |
13 | - docker | |
14 | - name: "Fedora 32 (Docker) with Python 3.8" | |
15 | env: FEDORA_VERSION="32" | |
16 | group: edge | |
17 | language: python | |
18 | python: 3.8 | |
19 | services: | |
20 | - docker | |
21 | - name: "Fedora 33 (Docker) with Python 3.9" | |
22 | env: FEDORA_VERSION="33" | |
23 | group: edge | |
24 | language: python | |
25 | python: 3.9 | |
26 | services: | |
27 | - docker | |
28 | - name: "Ubuntu Bionic (18.04) (Docker) with Python 3.6 (amd64)" | |
29 | env: UBUNTU_VERSION="18.04" | |
30 | group: edge | |
31 | language: python | |
32 | python: 3.6 | |
33 | services: | |
34 | - docker | |
35 | - name: "Ubuntu Bionic (18.04) (Docker) with Python 3.6 (ppc64le)" | |
36 | env: UBUNTU_VERSION="18.04" | |
37 | arch: ppc64le | |
38 | group: edge | |
39 | language: python | |
40 | python: 3.6 | |
41 | services: | |
42 | - docker | |
43 | - name: "Ubuntu Focal (20.04) (Docker) with Python 3.8 (amd64)" | |
44 | env: UBUNTU_VERSION="20.04" | |
45 | group: edge | |
46 | language: python | |
47 | python: 3.8 | |
48 | services: | |
49 | - docker | |
50 | - name: "Ubuntu Focal (20.04) (Docker) with Python 3.8 (ppc64le)" | |
51 | env: UBUNTU_VERSION="20.04" | |
52 | arch: ppc64le | |
53 | group: edge | |
54 | language: python | |
55 | python: 3.8 | |
56 | services: | |
57 | - docker | |
58 | - name: "Ubuntu Focal (20.04) (Docker) with Python 3.6 (tox)" | |
59 | env: | |
60 | - TOXENV="py36" | |
61 | - UBUNTU_VERSION="20.04" | |
62 | group: edge | |
63 | language: python | |
64 | python: 3.6 | |
65 | services: | |
66 | - docker | |
67 | - name: "Ubuntu Focal (20.04) (Docker) with Python 3.7 (tox)" | |
68 | env: | |
69 | - TOXENV="py37" | |
70 | - UBUNTU_VERSION="20.04" | |
71 | group: edge | |
72 | language: python | |
73 | python: 3.7 | |
74 | services: | |
75 | - docker | |
76 | - name: "Ubuntu Focal (20.04) (Docker) with Python 3.8 (tox)" | |
77 | env: | |
78 | - TOXENV="py38,coverage,codecov" | |
79 | - UBUNTU_VERSION="20.04" | |
80 | group: edge | |
81 | language: python | |
82 | python: 3.8 | |
83 | services: | |
84 | - docker | |
85 | - name: "Ubuntu Focal (20.04) (Docker) with Python 3.9 (tox)" | |
86 | env: | |
87 | - TOXENV="py39" | |
88 | - UBUNTU_VERSION="20.04" | |
89 | group: edge | |
90 | language: python | |
91 | python: 3.9 | |
92 | services: | |
93 | - docker | |
94 | - name: "Pylint on Ubuntu Focal (20.04) (Docker) with Python 3.8 (tox)" | |
95 | env: | |
96 | - TOXENV="pylint" | |
97 | - UBUNTU_VERSION="20.04" | |
98 | group: edge | |
99 | language: python | |
100 | python: 3.8 | |
101 | services: | |
102 | - docker | |
103 | - name: "MacOS 10.14 with Python 3.8 (tox)" | |
104 | env: TOXENV="py38" | |
105 | os: osx | |
106 | osx_image: xcode11 | |
107 | - name: "MacOS 10.15 with Python 3.8 (tox)" | |
108 | env: TOXENV="py38" | |
109 | os: osx | |
110 | osx_image: xcode12 | |
111 | install: | |
112 | - ./config/travis/install.sh | |
113 | script: | |
114 | - ./config/travis/run_with_timeout.sh 45 ./config/travis/runtests.sh |
0 | Digital Forensics Artifact Repository | |
0 | Digital Forensics Artifacts Repository | |
1 | 1 | |
2 | 2 | A free, community-sourced, machine-readable knowledge base of digital forensic |
3 | 3 | artifacts that the world can use both as an information source and within other |
4 | 4 | tools. |
5 | 5 | |
6 | For more information see: https://github.com/ForensicArtifacts/artifacts | |
6 | For more information see: | |
7 | 7 | |
8 | * Project documentation: https://artifacts.readthedocs.io/en/latest | |
9 |
0 | ## Digital Forensics Artifact Repository | |
0 | ## Digital Forensics Artifacts Repository | |
1 | 1 | |
2 | 2 | A free, community-sourced, machine-readable knowledge base of digital forensic |
3 | 3 | artifacts that the world can use both as an information source and within other |
8 | 8 | this project is just used to validate all the artifacts to make sure they |
9 | 9 | follow the specification. |
10 | 10 | |
11 | ### Project status | |
11 | For more information see: | |
12 | 12 | |
13 | [Travis-CI](https://travis-ci.com/) | [AppVeyor](https://ci.appveyor.com) | [Codecov](https://codecov.io/) | |
14 | --- | --- | --- | |
15 | [![Build Status](https://travis-ci.com/ForensicArtifacts/artifacts.svg?branch=master)](https://travis-ci.com/ForensicArtifacts/artifacts) | [![Build status](https://ci.appveyor.com/api/projects/status/7gv9fwr269527cj1?svg=true)](https://ci.appveyor.com/project/forensicartifacts/artifacts) | [![codecov](https://codecov.io/gh/ForensicArtifacts/artifacts/branch/master/graph/badge.svg)](https://codecov.io/gh/ForensicArtifacts/artifacts) | |
16 | ||
17 | ## Artifact Definitions | |
18 | ||
19 | The artifact definitions can be found in the [data directory](https://github.com/ForensicArtifacts/artifacts/tree/master/data) | |
20 | and the format is described in detail in the [Style Guide](https://github.com/ForensicArtifacts/artifacts/blob/master/docs/Artifacts%20definition%20format%20and%20style%20guide.asciidoc). | |
21 | ||
22 | As of 2019-06-10 the repository contains: | |
23 | ||
24 | | **File paths covered** | **1013** | | |
25 | | :------------------ | ------: | | |
26 | | **Registry keys covered** | **635** | | |
27 | | **Total artifacts** | **525** | | |
28 | ||
29 | **Artifacts by type** | |
30 | ||
31 | | ARTIFACT_GROUP | COMMAND | DIRECTORY | FILE | PATH | REGISTRY_KEY | REGISTRY_VALUE | WMI | | |
32 | | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | | |
33 | | 21 | 9 | 14 | 283 | 8 | 50 | 114 | 26 | | |
34 | ||
35 | **Artifacts by OS** | |
36 | ||
37 | | Darwin | Linux | Windows | | |
38 | | :---: | :---: | :---: | | |
39 | | 33 | 25 | 23 | | |
40 | ||
41 | **Artifacts by label** | |
42 | ||
43 | | Antivirus | Authentication | Browser | Cloud | Cloud Storage | Configuration Files | Docker | External Media | ExternalAccount | Hadoop | History Files | Logs | Mail | Network | Software | System | Users | iOS | | |
44 | | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | | |
45 | | 6 | 18 | 21 | 2 | 4 | 41 | 2 | 2 | 3 | 1 | 3 | 46 | 15 | 15 | 43 | 104 | 68 | 5 | | |
46 | ||
47 | ## Background/History | |
48 | ||
49 | The [ForensicArtifacts.com](http://forensicartifacts.com/) artifact repository | |
50 | was forked from the [GRR project](https://github.com/google/grr) artifact | |
51 | collection into a stand-alone repository that is not tool-specific. The GRR | |
52 | developers have migrated to using this repository and make contributions here. In | |
53 | addition the ForensicArtifact team will begin backfilling artifacts in the new | |
54 | format from the [ForensicArtifacts.com](http://forensicartifacts.com/) website. | |
55 | ||
56 | For some background on the artifacts system and how we expect it to be used see | |
57 | [this blackhat presentation](https://www.blackhat.com/us-14/archives.html#grr-find-all-the-badness-collect-all-the-things) | |
58 | and [youtube video](https://www.youtube.com/watch?v=ren6QSvwFvg) from the GRR team. | |
13 | * Project documentation: https://artifacts.readthedocs.io/en/latest | |
59 | 14 | |
60 | 15 | ## Contributing |
61 | 16 | |
62 | 17 | Please send us your contribution! See [the developers guide](https://github.com/ForensicArtifacts/artifacts/wiki/Developers-guide) for instructions. |
63 | ||
64 | ## External links | |
65 | ||
66 | * [GRR Artifacts](https://www.blackhat.com/docs/us-14/materials/us-14-Castle-GRR-Find-All-The-Badness-Collect-All-The-Things-WP.pdf), by Greg Castle, Blackhat 2014 | |
67 | 18 | |
68 | 19 | ## Contact |
69 | 20 |
0 | 0 | environment: |
1 | 1 | matrix: |
2 | - TARGET: unittests | |
2 | - DESCRIPTION: "Windows with 32-bit Python 3.9" | |
3 | 3 | MACHINE_TYPE: "x86" |
4 | PYTHON: "C:\\Python38" | |
5 | PYTHON_VERSION: "3.8" | |
4 | APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019 | |
5 | PYTHON: "C:\\Python39" | |
6 | PYTHON_VERSION: "3.9" | |
6 | 7 | L2TBINARIES_TRACK: "dev" |
7 | - TARGET: unittests | |
8 | - DESCRIPTION: "Windows with 64-bit Python 3.9" | |
8 | 9 | MACHINE_TYPE: "amd64" |
9 | PYTHON: "C:\\Python38-x64" | |
10 | PYTHON_VERSION: "3.8" | |
10 | APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019 | |
11 | PYTHON: "C:\\Python39-x64" | |
12 | PYTHON_VERSION: "3.9" | |
11 | 13 | L2TBINARIES_TRACK: "dev" |
14 | - DESCRIPTION: "Mac OS with Python 3.9" | |
15 | APPVEYOR_BUILD_WORKER_IMAGE: macos | |
16 | HOMEBREW_NO_INSTALL_CLEANUP: 1 | |
12 | 17 | |
13 | 18 | install: |
14 | - cmd: '"C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\SetEnv.cmd" /x86 /release' | |
15 | 19 | - cmd: "%PYTHON%\\python.exe -m pip install -U pip setuptools wheel" |
16 | 20 | - cmd: "%PYTHON%\\python.exe -m pip install pywin32 WMI" |
17 | 21 | - cmd: "%PYTHON%\\python.exe %PYTHON%\\Scripts\\pywin32_postinstall.py -install" |
18 | - cmd: git clone https://github.com/log2timeline/l2tdevtools.git ..\l2tdevtools | |
19 | - cmd: IF [%PYTHON_VERSION%]==[3.8] ( | |
20 | mkdir dependencies && | |
21 | set PYTHONPATH=..\l2tdevtools && | |
22 | "%PYTHON%\\python.exe" ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type %MACHINE_TYPE% --msi-targetdir "%PYTHON%" --track "%L2TBINARIES_TRACK%" PyYAML mock pbr six ) | |
22 | - ps: If ($isWindows) { .\config\appveyor\install.ps1 } | |
23 | - sh: config/appveyor/install.sh | |
23 | 24 | |
24 | build: off | |
25 | build_script: | |
26 | - cmd: "%PYTHON%\\python.exe setup.py bdist_msi bdist_wheel" | |
25 | 27 | |
26 | 28 | test_script: |
27 | - cmd: IF [%TARGET%]==[unittests] ( | |
28 | "%PYTHON%\\python.exe" run_tests.py && | |
29 | IF EXIST "tests\\end-to-end.py" ( | |
30 | set PYTHONPATH=. && | |
31 | "%PYTHON%\\python.exe" "tests\\end-to-end.py" --debug -c "config\\end-to-end.ini" ) ) | |
29 | - cmd: "%PYTHON%\\python.exe run_tests.py" | |
30 | - cmd: IF EXIST "tests\\end-to-end.py" ( | |
31 | set PYTHONPATH=. && | |
32 | "%PYTHON%\\python.exe" "tests\\end-to-end.py" --debug -c "config\\end-to-end.ini" ) | |
33 | - sh: config/appveyor/runtests.sh | |
34 | ||
35 | artifacts: | |
36 | - path: dist\*.whl |
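Review bot: The new install step on line 22, `- ps: If ($isWindows) { .\config\appveyor\install.ps1 }`, relies on `$isWindows`, which is an automatic variable of PowerShell Core (6+) and is not defined under Windows PowerShell 5.1, where it evaluates to `$null` and the guard is false; if AppVeyor's `ps:` steps on the Visual Studio 2019 image run under Windows PowerShell, install.ps1 is silently skipped and the dependency download never happens. Please confirm which engine the image uses, or make the check engine-independent with `If ($env:OS -eq 'Windows_NT') { .\config\appveyor\install.ps1 }`. The step also does not fail the build when the script fails, which makes a silent skip hard to distinguish from a passing install.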
0 | 0 | # -*- coding: utf-8 -*- |
1 | 1 | """ForensicArtifacts.com Artifact Repository.""" |
2 | 2 | |
3 | __version__ = '20201106' | |
3 | __version__ = '20210404' |
0 | 0 | [project] |
1 | 1 | name: artifacts |
2 | 2 | status: alpha |
3 | name_description: ForensicArtifacts.com Artifact Repository | |
3 | name_description: Digital Forensics Artifacts Repository | |
4 | 4 | maintainer: Forensic artifacts <forensicartifacts@googlegroups.com> |
5 | 5 | homepage_url: https://github.com/ForensicArtifacts/artifacts |
6 | 6 | git_url: https://github.com/ForensicArtifacts/artifacts.git |
0 | # Script to set up tests on AppVeyor Windows. | |
1 | ||
2 | $Dependencies = "PyYAML mock pbr six" | |
3 | $Dependencies = ${Dependencies} -split " " | |
4 | ||
5 | $Output = Invoke-Expression -Command "git clone https://github.com/log2timeline/l2tdevtools.git ..\l2tdevtools 2>&1" | |
6 | Write-Host (${Output} | Out-String) | |
7 | ||
8 | If ($env:APPVEYOR_REPO_BRANCH -eq "main") | |
9 | { | |
10 | $Track = "stable" | |
11 | } | |
12 | Else | |
13 | { | |
14 | $Track = $env:APPVEYOR_REPO_BRANCH | |
15 | } | |
16 | New-Item -ItemType "directory" -Name "dependencies" | |
17 | ||
18 | $env:PYTHONPATH = "..\l2tdevtools" | |
19 | ||
20 | $Output = Invoke-Expression -Command "& '${env:PYTHON}\python.exe' ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type ${env:MACHINE_TYPE} --msi-targetdir ${env:PYTHON} --track ${env:L2TBINARIES_TRACK} ${Dependencies} 2>&1" | |
21 | Write-Host (${Output} | Out-String) | |
22 |
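Review bot: Assuming this is the added AppVeyor install script referenced from appveyor.yml, `$Track` computed on lines 8–15 is never used: the `update.py` call on line 20 passes `${env:L2TBINARIES_TRACK}` instead, so the branch-to-track mapping is dead code and should either be passed as `--track ${Track}` or removed. Neither the `git clone` on line 5 nor the `update.py` invocation on line 20 checks `$LASTEXITCODE`, and because both are wrapped in `Invoke-Expression ... 2>&1` a failed clone or download is only echoed as text while the job continues into the tests with missing dependencies; add `If ($LASTEXITCODE -ne 0) { Exit $LASTEXITCODE }` after each. Invoking git and python directly with the call operator and an argument list, rather than through an interpolated command string, would also make the exit status and quoting of `${env:PYTHON}` easier to reason about.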
0 | # Script to set up tests on AppVeyor MacOS. | |
1 | ||
2 | set -e | |
3 | ||
4 | brew update | |
5 | brew install tox || true | |
6 |
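Review bot: This script has no interpreter line while its sibling `runtests.sh` starts with `#!/bin/sh`; add `#!/bin/sh` as the first line so both AppVeyor shell scripts are run the same way. `brew install tox || true` on line 5 defeats the `set -e` on line 2 for the one command that has to succeed; the removed Travis install script carried the reason (`# Brew will exit with 1 and print some diagnostic information`), and that rationale should be kept here as a comment so the next maintainer does not remove the `|| true` or, conversely, keep it once the workaround is no longer needed.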
0 | #!/bin/sh | |
1 | # Script to run tests | |
2 | ||
3 | # Set the following environment variables to build pycrypto and yara-python. | |
4 | export CFLAGS="-I/usr/local/include -I/usr/local/opt/openssl@1.1/include ${CFLAGS}"; | |
5 | export LDFLAGS="-L/usr/local/lib -L/usr/local/opt/openssl@1.1/lib ${LDFLAGS}"; | |
6 | export TOX_TESTENV_PASSENV="CFLAGS LDFLAGS"; | |
7 | ||
8 | # Set the following environment variables to ensure tox can find Python 3.9. | |
9 | export PATH="/usr/local/opt/python@3.9/bin:${PATH}"; | |
10 | ||
11 | tox -e py39 |
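Review bot: The comment on line 3 says the CFLAGS/LDFLAGS exports are needed to build pycrypto and yara-python, but neither package appears among this project's dependencies (the AppVeyor install script lists `PyYAML mock pbr six`), so the comment looks like a template carried over from another project; either drop the exports or reword the comment to state what they are actually for here. The Python 3.9 PATH on line 9 and `tox -e py39` on line 11 hard-code the same version in two places; deriving the tox env from a single variable (for example `PYTHON_VERSION=3.9`) keeps them from drifting apart on the next bump.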
0 | artifacts (20201106-1) unstable; urgency=low | |
0 | artifacts (20210404-1) unstable; urgency=low | |
1 | 1 | |
2 | 2 | * Auto-generated |
3 | 3 | |
4 | -- Forensic artifacts <forensicartifacts@googlegroups.com> Fri, 06 Nov 2020 05:50:46 +0100⏎ | |
4 | -- Forensic artifacts <forensicartifacts@googlegroups.com> Sun, 04 Apr 2021 08:42:37 +0200 |
0 | #!/bin/bash | |
1 | # | |
2 | # Script to set up Travis-CI test VM. | |
3 | # | |
4 | # This file is generated by l2tdevtools update-dependencies.py any dependency | |
5 | # related changes should be made in dependencies.ini. | |
6 | ||
7 | DPKG_PYTHON3_DEPENDENCIES="python3-yaml"; | |
8 | ||
9 | DPKG_PYTHON3_TEST_DEPENDENCIES="python3-coverage python3-distutils python3-mock python3-pbr python3-setuptools python3-six"; | |
10 | ||
11 | RPM_PYTHON3_DEPENDENCIES="python3-pyyaml"; | |
12 | ||
13 | RPM_PYTHON3_TEST_DEPENDENCIES="python3-mock python3-pbr python3-setuptools python3-six"; | |
14 | ||
15 | # Exit on error. | |
16 | set -e; | |
17 | ||
18 | if test -n "${FEDORA_VERSION}"; | |
19 | then | |
20 | CONTAINER_NAME="fedora${FEDORA_VERSION}"; | |
21 | ||
22 | docker pull registry.fedoraproject.org/fedora:${FEDORA_VERSION}; | |
23 | ||
24 | docker run --name=${CONTAINER_NAME} --detach -i registry.fedoraproject.org/fedora:${FEDORA_VERSION}; | |
25 | ||
26 | # Install dnf-plugins-core and langpacks-en. | |
27 | docker exec ${CONTAINER_NAME} dnf install -y dnf-plugins-core langpacks-en; | |
28 | ||
29 | # Add additional dnf repositories. | |
30 | docker exec ${CONTAINER_NAME} dnf copr -y enable @gift/dev; | |
31 | ||
32 | if test -n "${TOXENV}"; | |
33 | then | |
34 | RPM_PACKAGES="python3-tox"; | |
35 | ||
36 | else | |
37 | RPM_PACKAGES="python3 ${RPM_PYTHON3_DEPENDENCIES} ${RPM_PYTHON3_TEST_DEPENDENCIES}"; | |
38 | fi | |
39 | docker exec ${CONTAINER_NAME} dnf install -y ${RPM_PACKAGES}; | |
40 | ||
41 | docker cp ../artifacts ${CONTAINER_NAME}:/ | |
42 | ||
43 | elif test -n "${UBUNTU_VERSION}"; | |
44 | then | |
45 | CONTAINER_NAME="ubuntu${UBUNTU_VERSION}"; | |
46 | ||
47 | docker pull ubuntu:${UBUNTU_VERSION}; | |
48 | ||
49 | docker run --name=${CONTAINER_NAME} --detach -i ubuntu:${UBUNTU_VERSION}; | |
50 | ||
51 | # Install add-apt-repository and locale-gen. | |
52 | docker exec -e "DEBIAN_FRONTEND=noninteractive" ${CONTAINER_NAME} sh -c "apt-get update -q"; | |
53 | docker exec -e "DEBIAN_FRONTEND=noninteractive" ${CONTAINER_NAME} sh -c "apt-get install -y locales software-properties-common"; | |
54 | ||
55 | # Add additional apt repositories. | |
56 | if test -n "${TOXENV}"; | |
57 | then | |
58 | docker exec ${CONTAINER_NAME} add-apt-repository universe; | |
59 | docker exec ${CONTAINER_NAME} add-apt-repository ppa:deadsnakes/ppa -y; | |
60 | fi | |
61 | docker exec ${CONTAINER_NAME} add-apt-repository ppa:gift/dev -y; | |
62 | ||
63 | docker exec -e "DEBIAN_FRONTEND=noninteractive" ${CONTAINER_NAME} sh -c "apt-get update -q"; | |
64 | ||
65 | # Set locale to US English and UTF-8. | |
66 | docker exec ${CONTAINER_NAME} locale-gen en_US.UTF-8; | |
67 | ||
68 | # Install packages. | |
69 | if test -n "${TOXENV}"; | |
70 | then | |
71 | DPKG_PACKAGES="build-essential curl git python${TRAVIS_PYTHON_VERSION} python${TRAVIS_PYTHON_VERSION}-dev tox"; | |
72 | ||
73 | elif test "${TARGET}" = "jenkins3"; | |
74 | then | |
75 | DPKG_PACKAGES="sudo"; | |
76 | else | |
77 | DPKG_PACKAGES="python3 ${DPKG_PYTHON3_DEPENDENCIES} ${DPKG_PYTHON3_TEST_DEPENDENCIES}"; | |
78 | fi | |
79 | docker exec -e "DEBIAN_FRONTEND=noninteractive" ${CONTAINER_NAME} sh -c "apt-get install -y ${DPKG_PACKAGES}"; | |
80 | ||
81 | docker cp ../artifacts ${CONTAINER_NAME}:/ | |
82 | ||
83 | elif test ${TRAVIS_OS_NAME} = "osx"; | |
84 | then | |
85 | brew update; | |
86 | ||
87 | # Brew will exit with 1 and print some diagnostic information | |
88 | # to prevent the CI test from failing || true is added. | |
89 | brew install tox || true; | |
90 | fi |
0 | #!/bin/bash | |
1 | # | |
2 | # Script to run Python 2 tests on Travis-CI. | |
3 | # | |
4 | # This file is generated by l2tdevtools update-dependencies.py, any dependency | |
5 | # related changes should be made in dependencies.ini. | |
6 | ||
7 | # Exit on error. | |
8 | set -e; | |
9 | ||
10 | python2 ./run_tests.py | |
11 | ||
12 | if test -f tests/end-to-end.py; | |
13 | then | |
14 | PYTHONPATH=. python2 ./tests/end-to-end.py --debug -c config/end-to-end.ini; | |
15 | fi | |
16 | ||
17 | python2 ./setup.py build | |
18 | ||
19 | python2 ./setup.py sdist | |
20 | ||
21 | python2 ./setup.py bdist | |
22 | ||
23 | python2 ./setup.py install |
0 | #!/bin/bash | |
1 | # | |
2 | # Script to run Python 3 tests on Travis-CI. | |
3 | # | |
4 | # This file is generated by l2tdevtools update-dependencies.py, any dependency | |
5 | # related changes should be made in dependencies.ini. | |
6 | ||
7 | # Exit on error. | |
8 | set -e; | |
9 | ||
10 | python3 ./run_tests.py | |
11 | ||
12 | if test -f tests/end-to-end.py; | |
13 | then | |
14 | PYTHONPATH=. python3 ./tests/end-to-end.py --debug -c config/end-to-end.ini; | |
15 | fi | |
16 | ||
17 | python3 ./setup.py build | |
18 | ||
19 | python3 ./setup.py sdist | |
20 | ||
21 | python3 ./setup.py bdist | |
22 | ||
23 | python3 ./setup.py install |
0 | #!/bin/bash | |
1 | # | |
2 | # Script to run commands on a Travis-CI test VM that otherwise would time out | |
3 | # after 10 minutes. This replaces travis_wait and outputs stdout of the command | |
4 | # running. | |
5 | # | |
6 | # This file is generated by l2tdevtools update-dependencies.py, any dependency | |
7 | # related changes should be made in dependencies.ini. | |
8 | ||
9 | # Exit on error. | |
10 | set -e | |
11 | ||
12 | # Usage: ./run_with_timeout.sh [TIMEOUT] [COMMAND] [OPTION] [...] | |
13 | ||
14 | TIMEOUT=$1; | |
15 | shift | |
16 | ||
17 | # Launch a command in the background. | |
18 | $* & | |
19 | ||
20 | PID_COMMAND=$!; | |
21 | ||
22 | # Probe the command every minute. | |
23 | MINUTES=0; | |
24 | ||
25 | while kill -0 ${PID_COMMAND} >/dev/null 2>&1; | |
26 | do | |
27 | # Print to stdout, seeing this prints a space and a backspace | |
28 | # there is no visible trace. | |
29 | echo -n -e " \b"; | |
30 | ||
31 | if test ${MINUTES} -ge ${TIMEOUT}; | |
32 | then | |
33 | kill -9 ${PID_COMMAND} >/dev/null 2>&1; | |
34 | ||
35 | echo -e "\033[0;31m[ERROR] command: $* timed out after: ${MINUTES} minute(s).\033[0m"; | |
36 | ||
37 | exit 1; | |
38 | fi | |
39 | MINUTES=$(( ${MINUTES} + 1 )); | |
40 | ||
41 | sleep 60; | |
42 | done | |
43 | ||
44 | wait ${PID_COMMAND}; | |
45 | ||
46 | exit $?; |
0 | #!/bin/bash | |
1 | # | |
2 | # Script to run tests on Travis-CI. | |
3 | # | |
4 | # This file is generated by l2tdevtools update-dependencies.py, any dependency | |
5 | # related changes should be made in dependencies.ini. | |
6 | ||
7 | # Exit on error. | |
8 | set -e; | |
9 | ||
10 | if test -n "${FEDORA_VERSION}"; | |
11 | then | |
12 | CONTAINER_NAME="fedora${FEDORA_VERSION}"; | |
13 | CONTAINER_OPTIONS="-e LANG=C.utf8"; | |
14 | ||
15 | if test -n "${TOXENV}"; | |
16 | then | |
17 | TEST_COMMAND="tox -e ${TOXENV}"; | |
18 | else | |
19 | TEST_COMMAND="./config/travis/run_python3.sh"; | |
20 | fi | |
21 | # Note that exec options need to be defined before the container name. | |
22 | docker exec ${CONTAINER_OPTIONS} ${CONTAINER_NAME} sh -c "cd artifacts && ${TEST_COMMAND}"; | |
23 | ||
24 | elif test -n "${UBUNTU_VERSION}"; | |
25 | then | |
26 | CONTAINER_NAME="ubuntu${UBUNTU_VERSION}"; | |
27 | CONTAINER_OPTIONS="-e LANG=en_US.UTF-8"; | |
28 | ||
29 | if test -n "${TOXENV}"; | |
30 | then | |
31 | # Also see: https://docs.codecov.io/docs/testing-with-docker | |
32 | curl -o codecov_env.sh -s https://codecov.io/env; | |
33 | ||
34 | # Generates a series of -e options. | |
35 | CODECOV_ENV=$(/bin/bash ./codecov_env.sh); | |
36 | ||
37 | CONTAINER_OPTIONS="${CODECOV_ENV} ${CONTAINER_OPTIONS}"; | |
38 | ||
39 | TEST_COMMAND="tox -e ${TOXENV}"; | |
40 | ||
41 | elif test "${TARGET}" = "jenkins3"; | |
42 | then | |
43 | TEST_COMMAND="./config/jenkins/linux/run_end_to_end_tests_py3.sh travis"; | |
44 | else | |
45 | TEST_COMMAND="./config/travis/run_python3.sh"; | |
46 | fi | |
47 | # Note that exec options need to be defined before the container name. | |
48 | docker exec ${CONTAINER_OPTIONS} ${CONTAINER_NAME} sh -c "cd artifacts && ${TEST_COMMAND}"; | |
49 | ||
50 | elif test "${TARGET}" = "dockerfile"; | |
51 | then | |
52 | SOURCE_PATH=${PWD}; | |
53 | CONTAINER_NAME="test"; | |
54 | ||
55 | cd config/docker | |
56 | ||
57 | docker build --build-arg PPA_TRACK="dev" -f Dockerfile -t ${CONTAINER_NAME} . | |
58 | ||
59 | # TODO: add tests | |
60 | ||
61 | elif test "${TRAVIS_OS_NAME}" = "osx"; | |
62 | then | |
63 | # Set the following environment variables to build pycrypto and yara-python. | |
64 | export CFLAGS="-I/usr/local/include -I/usr/local/opt/openssl@1.1/include ${CFLAGS}"; | |
65 | export LDFLAGS="-L/usr/local/lib -L/usr/local/opt/openssl@1.1/lib ${LDFLAGS}"; | |
66 | export TOX_TESTENV_PASSENV="CFLAGS LDFLAGS"; | |
67 | ||
68 | # Set the following environment variables to ensure tox can find Python 3.8. | |
69 | export PATH="/usr/local/opt/python@3.8/bin:${PATH}"; | |
70 | ||
71 | tox -e ${TOXENV}; | |
72 | fi |
31 | 31 | attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\SYSTEM\Select', value: 'Current'}]} |
32 | 32 | provides: [current_control_set] |
33 | 33 | supported_os: [Windows] |
34 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc'] | |
34 | urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc'] | |
35 | 35 | --- |
36 | 36 | name: LinuxRelease |
37 | 37 | doc: | |
192 | 192 | attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName'}]} |
193 | 193 | provides: [time_zone] |
194 | 194 | supported_os: [Windows] |
195 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Time%20zone%20keys.asciidoc'] | |
195 | urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Time%20zone%20keys.asciidoc'] |
543 | 543 | - '/var/run/utmp' |
544 | 544 | labels: [Logs, Authentication] |
545 | 545 | supported_os: [Linux] |
546 | urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc'] | |
546 | urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc'] | |
547 | 547 | --- |
548 | 548 | name: LinuxWtmp |
549 | 549 | doc: Linux wtmp login record file |
553 | 553 | labels: [Logs, Authentication] |
554 | 554 | provides: [users.username, users.last_logon] |
555 | 555 | supported_os: [Linux] |
556 | urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc'] | |
556 | urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc'] | |
557 | 557 | --- |
558 | 558 | name: LinuxXinetd |
559 | 559 | doc: Linux xinetd configurations. |
1017 | 1017 | - '/var/log/wtmp' |
1018 | 1018 | labels: [Logs, Authentication] |
1019 | 1019 | supported_os: [Darwin] |
1020 | urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc'] | |
1020 | urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc'] | |
1021 | 1021 | --- |
1022 | 1022 | name: MacOSUtmpxFile |
1023 | 1023 | doc: Mac OS X 10.5 utmpx login record file. |
1029 | 1029 | - '/var/run/utmpx' |
1030 | 1030 | labels: [Logs, Authentication] |
1031 | 1031 | supported_os: [Darwin] |
1032 | urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc'] | |
1032 | urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc'] | |
1033 | 1033 | --- |
1034 | 1034 | name: MacOSWirelessNetworks |
1035 | 1035 | doc: Remembered Wireless Networks |
139 | 139 | supported_os: [Linux] |
140 | 140 | supported_os: [Windows,Darwin,Linux] |
141 | 141 | labels: [Browser] |
142 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/webbrowser/ChromeCache.md'] | |
142 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/webbrowser/ChromeCache.html'] | |
143 | 143 | --- |
144 | 144 | name: ChromeCookies |
145 | 145 | doc: Chrome Cookies database. |
535 | 535 | supported_os: [Linux] |
536 | 536 | supported_os: [Windows,Darwin,Linux] |
537 | 537 | labels: [Browser] |
538 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/webbrowser/FirefoxCache.md'] | |
538 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/webbrowser/FirefoxCache.html'] | |
539 | 539 | --- |
540 | 540 | name: FirefoxHistory |
541 | 541 | doc: Firefox browser history (places.sqlite). |
9 | 9 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\General' |
10 | 10 | conditions: [os_major_version < 6] |
11 | 11 | supported_os: [Windows] |
12 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/ActiveDesktop.md'] | |
12 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ActiveDesktop.html'] | |
13 | 13 | --- |
14 | 14 | name: WindowsActivitiesCacheDatabase |
15 | 15 | doc: SQLite database containing the Windows activities cache. |
20 | 20 | separator: '\' |
21 | 21 | labels: [Users] |
22 | 22 | supported_os: [Windows] |
23 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/ActivitiesCacheDatabase.md'] | |
23 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ActivitiesCacheDatabase.html'] | |
24 | 24 | --- |
25 | 25 | name: WindowsAlternateShell |
26 | 26 | doc: Alternate Shell to be run via Userinit. |
48 | 48 | separator: '\' |
49 | 49 | conditions: [os_major_version >= 6 AND os_minor_version >= 1] |
50 | 50 | supported_os: [Windows] |
51 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/AMCache.md'] | |
51 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/AMCache.html'] | |
52 | 52 | --- |
53 | 53 | name: WindowsAppCertDLLs |
54 | 54 | doc: Windows AppCertDLLs persistence. |
68 | 68 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility', value: 'AppCompatCache'} |
69 | 69 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatCache', value: 'AppCompatCache'} |
70 | 70 | supported_os: [Windows] |
71 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Application%20Compatibility%20Cache%20key.asciidoc'] | |
71 | urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Application%20Compatibility%20Cache%20key.asciidoc'] | |
72 | 72 | --- |
73 | 73 | name: WindowsAppInitDLLs |
74 | 74 | doc: | |
257 | 257 | - type: REGISTRY_KEY |
258 | 258 | attributes: {keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\*']} |
259 | 259 | supported_os: [Windows] |
260 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Time%20zone%20keys.asciidoc'] | |
260 | urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Time%20zone%20keys.asciidoc'] | |
261 | 261 | --- |
262 | 262 | name: WindowsBITSQueueManagerDatabases |
263 | 263 | doc: Databases that contain the Windows BITS jobs definition and state. |
315 | 315 | supported_os: [Windows] |
316 | 316 | urls: |
317 | 317 | - 'https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf' |
318 | - 'https://github.com/libyal/dtformats/blob/master/documentation/WMI%20repository%20file%20format.asciidoc' | |
318 | - 'https://github.com/libyal/dtformats/blob/main/documentation/WMI%20repository%20file%20format.asciidoc' | |
319 | 319 | --- |
320 | 320 | name: WindowsCodePage |
321 | 321 | doc: The code page of the system. |
461 | 461 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Typelib\*\*\*\*', value: ''} |
462 | 462 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Typelib\*\*\*\*', value: ''} |
463 | 463 | supported_os: [Windows] |
464 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Component%20Object%20Model%20keys.asciidoc#type-libraries-key'] | |
464 | urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Component%20Object%20Model%20keys.asciidoc#type-libraries-key'] | |
465 | 465 | --- |
466 | 466 | name: WindowsSearchFilterHandlers |
467 | 467 | doc: | |
582 | 582 | - type: REGISTRY_VALUE |
583 | 583 | attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'CurrentVersion'}]} |
584 | 584 | supported_os: [Windows] |
585 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc'] | |
585 | urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc'] | |
586 | 586 | --- |
587 | 587 | name: WindowsDebugger |
588 | 588 | doc: Windows Debugger peristence or AV disable. |
639 | 639 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'AllUsersProfile'} |
640 | 640 | provides: [environ_allusersprofile] |
641 | 641 | supported_os: [Windows] |
642 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
642 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] | |
643 | 643 | --- |
644 | 644 | name: WindowsEnvironmentVariableAppxProcess |
645 | 645 | doc: | |
653 | 653 | - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'APPX_PROCESS'} |
654 | 654 | supported_os: [Windows] |
655 | 655 | conditions: [os_major_version >= 6 AND os_minor_version >= 2] |
656 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
656 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] | |
657 | 657 | --- |
658 | 658 | name: WindowsEnvironmentVariableCommonProgramFiles |
659 | 659 | doc: The %COMMONPROGRAMFILES% environment variable contains the path of the common program files folder. |
664 | 664 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'CommonFilesDir'} |
665 | 665 | provides: [environ_commonprogramfiles] |
666 | 666 | supported_os: [Windows] |
667 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
667 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] | |
668 | 668 | --- |
669 | 669 | name: WindowsEnvironmentVariableCommonProgramFilesX86 |
670 | 670 | doc: The %COMMONPROGRAMFILES(X86)% environment variable contains the path of the 32-bit common program files folder on a 64-bit Windows installation. |
675 | 675 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'CommonFilesDir (x86)'} |
676 | 676 | provides: [environ_commonprogramfilesx86] |
677 | 677 | supported_os: [Windows] |
678 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
678 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] | |
679 | 679 | --- |
680 | 680 | name: WindowsEnvironmentVariableComSpec |
681 | 681 | doc: The %ComSpec% environment variable contains the path of the command processor, typically "cmd.exe". |
686 | 686 | - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', value: 'ComSpec'} |
687 | 687 | provides: [environ_comspec] |
688 | 688 | supported_os: [Windows] |
689 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
689 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] | |
690 | 690 | --- |
691 | 691 | name: WindowsEnvironmentVariableDriverData |
692 | 692 | doc: The %DriverData% environment variable contains the path of the directory used for temporary state files of user-mode drivers. |
698 | 698 | provides: [environ_driverdata] |
699 | 699 | supported_os: [Windows] |
700 | 700 | conditions: [os_major_version >= 10] |
701 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
701 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] | |
702 | 702 | --- |
703 | 703 | name: WindowsEnvironmentVariablePath |
704 | 704 | doc: The %PATH% environment variable contains an ordered list of paths of directories that will be searched on execution request without a specific path. |
709 | 709 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'Path'} |
710 | 710 | provides: [environ_path] |
711 | 711 | supported_os: [Windows] |
712 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
712 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] | |
713 | 713 | --- |
714 | 714 | name: WindowsEnvironmentVariableProfilesDirectory |
715 | 715 | doc: The %ProfilesDirectory% environment variable contain a path of a directory that contains the users' profile directories, typically "%SystemDrive%\Users". |
720 | 720 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProfilesDirectory'} |
721 | 721 | provides: [environ_profilesdirectory] |
722 | 722 | supported_os: [Windows] |
723 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
723 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] | |
724 | 724 | --- |
725 | 725 | name: WindowsEnvironmentVariableProgramData |
726 | 726 | doc: The %ProgramData% environment variable contains a path of the "Program Data" directory. |
731 | 731 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'} |
732 | 732 | provides: [environ_programdata] |
733 | 733 | supported_os: [Windows] |
734 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
734 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] | |
735 | 735 | --- |
736 | 736 | name: WindowsEnvironmentVariableProgramFiles |
737 | 737 | doc: The %ProgramFiles% environment variable contains a path of the "Program Files" directory. |
746 | 746 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir'} |
747 | 747 | provides: [environ_programfiles] |
748 | 748 | supported_os: [Windows] |
749 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
749 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] | |
750 | 750 | --- |
751 | 751 | name: WindowsEnvironmentVariableProgramFilesX86 |
752 | 752 | doc: The %ProgramFiles(x86)% environment variable contains a path of the 32-bit "Program Files" directory on a 64-bit Windows installation. |
761 | 761 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir (x86)'} |
762 | 762 | provides: [environ_programfilesx86] |
763 | 763 | supported_os: [Windows] |
764 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
764 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] | |
765 | 765 | --- |
766 | 766 | name: WindowsEnvironmentVariableSystemDrive |
767 | 767 | doc: | |
773 | 773 | attributes: {names: ['WindowsEnvironmentVariableSystemRoot']} |
774 | 774 | provides: [environ_systemdrive] |
775 | 775 | supported_os: [Windows] |
776 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
776 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] | |
777 | 777 | --- |
778 | 778 | name: WindowsEnvironmentVariableSystemRoot |
779 | 779 | doc: The %SystemRoot%, environment variable contains the path of the system directory, typically "C:\Windows". |
792 | 792 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'} |
793 | 793 | provides: [environ_systemroot] |
794 | 794 | supported_os: [Windows] |
795 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
795 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] | |
796 | 796 | --- |
797 | 797 | name: WindowsEnvironmentVariableTemp |
798 | 798 | doc: The %TEMP% environment variable. |
803 | 803 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'TEMP'} |
804 | 804 | provides: [environ_temp] |
805 | 805 | supported_os: [Windows] |
806 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
806 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] | |
807 | 807 | --- |
808 | 808 | name: WindowsEnvironmentVariableWinDir |
809 | 809 | doc: The %WinDir%, environment variable contains the path of the Windows directory, typically "C:\Windows". |
822 | 822 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'windir'} |
823 | 823 | provides: [environ_windir] |
824 | 824 | supported_os: [Windows] |
825 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
825 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] | |
826 | 826 | --- |
827 | 827 | name: WindowsEventLogs |
828 | 828 | doc: Windows Event logs. |
840 | 840 | - 'WindowsXMLEventLogTerminalServices' |
841 | 841 | labels: [Logs] |
842 | 842 | supported_os: [Windows] |
843 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
843 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] | |
844 | 844 | --- |
845 | 845 | name: WindowsEventLogApplication |
846 | 846 | doc: Application Windows Event Log. |
852 | 852 | conditions: [os_major_version < 6] |
853 | 853 | labels: [Logs] |
854 | 854 | supported_os: [Windows] |
855 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
855 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] | |
856 | 856 | --- |
857 | 857 | name: WindowsEventLogSecurity |
858 | 858 | doc: Security Windows Event Log. |
864 | 864 | conditions: [os_major_version < 6] |
865 | 865 | labels: [Logs] |
866 | 866 | supported_os: [Windows] |
867 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
867 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] | |
868 | 868 | --- |
869 | 869 | name: WindowsEventLogSystem |
870 | 870 | doc: System Windows Event Log. |
876 | 876 | conditions: [os_major_version < 6] |
877 | 877 | labels: [Logs] |
878 | 878 | supported_os: [Windows] |
879 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
879 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] | |
880 | 880 | --- |
881 | 881 | name: WindowsXMLEventLogApplication |
882 | 882 | doc: Application Windows XML Event Log. |
888 | 888 | conditions: [os_major_version >= 6] |
889 | 889 | labels: [Logs] |
890 | 890 | supported_os: [Windows] |
891 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
891 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] | |
892 | 892 | --- |
893 | 893 | name: WindowsXMLEventLogSecurity |
894 | 894 | doc: Security Windows XML Event Log. |
900 | 900 | conditions: [os_major_version >= 6] |
901 | 901 | labels: [Logs] |
902 | 902 | supported_os: [Windows] |
903 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
903 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] | |
904 | 904 | --- |
905 | 905 | name: WindowsXMLEventLogSysmon |
906 | 906 | doc: Sysmon Windows XML Event Log. |
911 | 911 | separator: '\' |
912 | 912 | labels: [Logs] |
913 | 913 | supported_os: [Windows] |
914 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
914 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] | |
915 | 915 | --- |
916 | 916 | name: WindowsXMLEventLogSystem |
917 | 917 | doc: System Windows XML Event Log. |
923 | 923 | conditions: [os_major_version >= 6] |
924 | 924 | labels: [Logs] |
925 | 925 | supported_os: [Windows] |
926 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
926 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] | |
927 | 927 | --- |
928 | 928 | name: WindowsXMLEventLogTerminalServices |
929 | 929 | doc: TerminalServices Windows XML Event Log. |
935 | 935 | conditions: [os_major_version >= 6] |
936 | 936 | labels: [Logs] |
937 | 937 | supported_os: [Windows] |
938 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
938 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] | |
939 | 939 | --- |
940 | 940 | name: WindowsExcludeFromKnownDLLs |
941 | 941 | doc: ExcludeFromKnownDLLs can be used to bypass search order hijacking protection. |
1595 | 1595 | - 'https://technet.microsoft.com/library/hh847748.aspx' |
1596 | 1596 | - 'http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/' |
1597 | 1597 | --- |
1598 | name: WindowsPowerShellHistory | |
1599 | doc: History of commands executed in an interactive PowerShell session. | |
1600 | sources: | |
1601 | - type: FILE | |
1602 | attributes: | |
1603 | paths: ['%%users.appdata%%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'] | |
1604 | separator: '\' | |
1605 | supported_os: [Windows] | |
1606 | urls: | |
1607 | - 'https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html' | |
1608 | - 'https://docs.microsoft.com/en-us/powershell/module/psreadline/get-psreadlineoption?view=powershell-7.1' | |
1609 | --- | |
1598 | 1610 | name: WindowsPrefetchFiles |
1599 | 1611 | doc: Windows Prefetch files. |
1600 | 1612 | sources: |
1623 | 1635 | - type: REGISTRY_VALUE |
1624 | 1636 | attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'ProductName'}]} |
1625 | 1637 | supported_os: [Windows] |
1626 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc'] | |
1638 | urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc'] | |
1627 | 1639 | --- |
1628 | 1640 | name: WindowsProgramsCache |
1629 | 1641 | doc: Windows Programs Cache |
1634 | 1646 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage', value: 'ProgramsCache'} |
1635 | 1647 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCache'} |
1636 | 1648 | supported_os: [Windows] |
1637 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Programs%20Cache%20values.asciidoc'] | |
1649 | urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Programs%20Cache%20values.asciidoc'] | |
1638 | 1650 | --- |
1639 | 1651 | name: WindowsProgramsCacheJumpLists |
1640 | 1652 | doc: Windows Programs Cache Jump Lists |
1645 | 1657 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCacheSMP'} |
1646 | 1658 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCacheTBP'} |
1647 | 1659 | supported_os: [Windows] |
1648 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/JumpLists.md'] | |
1660 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html'] | |
1649 | 1661 | --- |
1650 | 1662 | name: WindowsProxyPACAutoConfigURL |
1651 | 1663 | doc: Windows Proxy PAC AutoConfigURL. |
1689 | 1701 | separator: '\' |
1690 | 1702 | conditions: [os_major_version >= 6 AND os_minor_version >= 1] |
1691 | 1703 | supported_os: [Windows] |
1692 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RecentFileCache.md'] | |
1704 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RecentFileCache.html'] | |
1693 | 1705 | --- |
1694 | 1706 | name: WindowsRecycleBin |
1695 | 1707 | doc: Windows Recycle Bin (Recyler, $Recycle.Bin) files. |
1711 | 1723 | attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\Select', value: 'Current'}]} |
1712 | 1724 | provides: [current_control_set] |
1713 | 1725 | supported_os: [Windows] |
1714 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc'] | |
1726 | urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc'] | |
1715 | 1727 | --- |
1716 | 1728 | name: WindowsRegistryFilesAndTransactionLogs |
1717 | 1729 | doc: Windows user and system Registry files and transaction logs. |
1725 | 1737 | - 'WindowsUserRegistryTransactionLogFiles' |
1726 | 1738 | labels: [System,Users] |
1727 | 1739 | supported_os: [Windows] |
1728 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
1740 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] | |
1729 | 1741 | --- |
1730 | 1742 | name: WindowsRegistryProfiles |
1731 | 1743 | doc: | |
1936 | 1948 | supported_os: [Windows] |
1937 | 1949 | urls: |
1938 | 1950 | - 'http://support.microsoft.com/kb/103000' |
1939 | - 'https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc' | |
1951 | - 'https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc' | |
1940 | 1952 | --- |
1941 | 1953 | name: WindowsActionCenterSettings |
1942 | 1954 | doc: | |
2762 | 2774 | separator: '\' |
2763 | 2775 | labels: [System] |
2764 | 2776 | supported_os: [Windows] |
2765 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
2777 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] | |
2766 | 2778 | --- |
2767 | 2779 | name: WindowsSystemRegistryTransactionLogFilesBackup |
2768 | 2780 | doc: | |
2788 | 2800 | separator: '\' |
2789 | 2801 | labels: [System] |
2790 | 2802 | supported_os: [Windows] |
2791 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
2803 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] | |
2792 | 2804 | --- |
2793 | 2805 | name: WindowsSystemRegistryFiles |
2794 | 2806 | doc: Windows system Registry files. |
2804 | 2816 | separator: '\' |
2805 | 2817 | labels: [System] |
2806 | 2818 | supported_os: [Windows] |
2807 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
2819 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] | |
2808 | 2820 | --- |
2809 | 2821 | name: WindowsSystemRegistryTransactionLogFiles |
2810 | 2822 | doc: Windows system Registry transaction log files. |
2827 | 2839 | separator: '\' |
2828 | 2840 | labels: [System] |
2829 | 2841 | supported_os: [Windows] |
2830 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
2842 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] | |
2831 | 2843 | --- |
2832 | 2844 | name: WindowsSystemRegistryFilesAndTransactionLogs |
2833 | 2845 | doc: Windows system Registry files and transaction logs. |
2839 | 2851 | - 'WindowsSystemRegistryTransactionLogFiles' |
2840 | 2852 | labels: [System] |
2841 | 2853 | supported_os: [Windows] |
2842 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
2854 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] | |
2843 | 2855 | --- |
2844 | 2856 | name: WindowsSystemResourceUsageMonitorDatabaseFile |
2845 | 2857 | doc: Windows System Resource Usage Monitor (SRUM) database file. |
2849 | 2861 | paths: ['%%environ_systemroot%%\System32\sru\SRUDB.dat'] |
2850 | 2862 | separator: '\' |
2851 | 2863 | supported_os: [Windows] |
2852 | urls: ['https://github.com/libyal/esedb-kb/blob/master/documentation/System%20Resource%20Usage%20Monitor%20(SRUM).asciidoc'] | |
2864 | urls: ['https://github.com/libyal/esedb-kb/blob/main/documentation/System%20Resource%20Usage%20Monitor%20(SRUM).asciidoc'] | |
2853 | 2865 | --- |
2854 | 2866 | name: WindowsTempDirectories |
2855 | 2867 | doc: Contents of the Windows temporary directories |
2931 | 2943 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'TimeZoneKeyName'} |
2932 | 2944 | provides: [time_zone] |
2933 | 2945 | supported_os: [Windows] |
2934 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Time%20zone%20keys.asciidoc'] | |
2946 | urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Time%20zone%20keys.asciidoc'] | |
2935 | 2947 | --- |
2936 | 2948 | name: WindowsToolPaths |
2937 | 2949 | doc: Paths to windows tools such as defrag, chkdsk. |
2955 | 2967 | attributes: |
2956 | 2968 | keys: |
2957 | 2969 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\*\*' |
2970 | - 'HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*\*' | |
2958 | 2971 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Uninstall\*\*' |
2959 | 2972 | supported_os: [Windows] |
2960 | 2973 | urls: ['https://msdn.microsoft.com/en-us/library/aa372105(v=vs.85).aspx'] |
2996 | 3009 | separator: '\' |
2997 | 3010 | labels: [Users] |
2998 | 3011 | supported_os: [Windows] |
2999 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/JumpLists.md'] | |
3012 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html'] | |
3000 | 3013 | --- |
3001 | 3014 | name: WindowsUserCustomDestinationsJumpLists |
3002 | 3015 | doc: Windows user CustomDestinations Jump Lists. |
3007 | 3020 | separator: '\' |
3008 | 3021 | labels: [Users] |
3009 | 3022 | supported_os: [Windows] |
3010 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/JumpLists.md'] | |
3023 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html'] | |
3011 | 3024 | --- |
3012 | 3025 | name: WindowsUserDownloadsDirectory |
3013 | 3026 | doc: User downloads directory |
3030 | 3043 | - 'WindowsUserCustomDestinationsJumpLists' |
3031 | 3044 | labels: [Users] |
3032 | 3045 | supported_os: [Windows] |
3033 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/JumpLists.md'] | |
3046 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html'] | |
3034 | 3047 | --- |
3035 | 3048 | name: WindowsUserRecentFiles |
3036 | 3049 | doc: Windows user specific recent files. |
3056 | 3069 | separator: '\' |
3057 | 3070 | labels: [Users] |
3058 | 3071 | supported_os: [Windows] |
3059 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
3072 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] | |
3060 | 3073 | --- |
3061 | 3074 | name: WindowsUserRegistryTransactionLogFiles |
3062 | 3075 | doc: Windows user Registry transaction log files. |
3073 | 3086 | separator: '\' |
3074 | 3087 | labels: [Users] |
3075 | 3088 | supported_os: [Windows] |
3076 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
3089 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] | |
3077 | 3090 | --- |
3078 | 3091 | name: WindowsUserRegistryFilesAndTransactionLogs |
3079 | 3092 | doc: Windows user Registry files and transaction logs. |
3085 | 3098 | - 'WindowsUserRegistryTransactionLogFiles' |
3086 | 3099 | labels: [Users] |
3087 | 3100 | supported_os: [Windows] |
3088 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
3101 | urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] | |
3089 | 3102 | --- |
3090 | 3103 | name: WindowsUserShellFolders |
3091 | 3104 | doc: The Shell Folders information for Windows users. |
0 | = Artifact definition format and style guide | |
0 | Moved to: https://artifacts.readthedocs.io/en/latest/sources/Format-specification.html | |
1 | 1 | |
2 | :toc: | |
3 | :toclevels: 4 | |
4 | :icons: | |
5 | ||
6 | :numbered!: | |
7 | [abstract] | |
8 | == Summary | |
9 | ||
10 | This guide contains a description of the forensics artifacts definitions. | |
11 | The artifacts definitions are | |
12 | link:http://www.yaml.org/spec/1.2/spec.html[YAML]-based. The format is | |
13 | currently still under development and is likely to undergo some change. One of | |
14 | the goals of this guide is to ensure consistency and readbility of the | |
15 | artifacts definitions. | |
16 | ||
17 | [preface] | |
18 | == Revision history | |
19 | ||
20 | [cols="1,1,1,5",options="header"] | |
21 | |=== | |
22 | | Version | Author | Date | Comments | |
23 | | 0.0.1 | G. Castle | November 2014 | Initial version. | |
24 | | 0.0.2 | G. Castle | December 2014 | Minor format changes. | |
25 | | 0.0.3 | J.B. Metz | April 2015 | Merged style guide and artifact definitions wiki page. | |
26 | | 0.0.3 | J.B. Metz | September 2015 | Additional label. | |
27 | | 0.0.4 | J.B. Metz | July 2016 | Added information about a naming convention. | |
28 | | 0.0.5 | J.B. Metz | February 2019 | Removed returned_types as keyword and format changes. | |
29 | |=== | |
30 | ||
31 | :numbered: | |
32 | == Background | |
33 | ||
34 | The first version of the artifact definitions originated from the | |
35 | https://github.com/google/grr[GRR project], where it is used to describe and | |
36 | quickly collect data of interest, e.g. specific files or Windows Registry keys. | |
37 | The goal of the format is to provide a way to describe the majority of forensic | |
38 | artifacts in a language that is readable by humans and machines. | |
39 | ||
40 | The format is designed to be simple and straight forward, so that a digital | |
41 | forensic analysist is able to quickly write artifact definitions during an | |
42 | investigation without having to rely on complex standards or tooling. | |
43 | ||
44 | The format is intended to describe forensically-relevant data on a machine, | |
45 | while being tool agnostic. In particular we intentionally avoided adding | |
46 | IOC-like logic, or describing how the data should be collected since this | |
47 | various between tools. | |
48 | ||
49 | === Terminology | |
50 | ||
51 | The term artifact (or artefact) is widely used within computer (or digital) | |
52 | forensics, though there is no official definition of this term. | |
53 | ||
54 | The definition closest to the meaning of the word within computer forensics is | |
55 | that of the word artifact within | |
56 | http://en.wikipedia.org/wiki/Artifact_(archaeology)[archaeology]. The term | |
57 | should not be confused with the word artifact used within | |
58 | http://en.wikipedia.org/wiki/Artifact_(software_development)[software development]. | |
59 | ||
60 | If archaeology defines an artifact as: | |
61 | ``` | |
62 | something made or given shape by man, such as a tool or | |
63 | a work of art, esp an object of archaeological interest | |
64 | ``` | |
65 | ||
66 | The definition of artifact within computer forensics could be: | |
67 | ``` | |
68 | An object of digital archaeological interest. | |
69 | ``` | |
70 | ||
71 | Where digital archaeology roughly refers to computer forensics without the | |
72 | forensic (legal) context. | |
73 | ||
74 | == The artifact definition | |
75 | ||
76 | The best way to show what an artifact definition is, is by example. The | |
77 | following example is the artifact definition for the Windows EVTX System Event | |
78 | Logs. | |
79 | ||
80 | [source,yaml] | |
81 | ---- | |
82 | name: WindowsSystemEventLogEvtx | |
83 | doc: Windows System Event log for Vista or later systems. | |
84 | sources: | |
85 | - type: FILE | |
86 | attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']} | |
87 | conditions: [os_major_version >= 6] | |
88 | labels: [Logs] | |
89 | supported_os: [Windows] | |
90 | urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] | |
91 | ---- | |
92 | ||
93 | The artifact definition can have the following values: | |
94 | ||
95 | [cols="1,5",options="header"] | |
96 | |=== | |
97 | | Value | Description | |
98 | | name | The name. An unique string that identifies the artifact definition. + | |
99 | Also see section: <<artifact_name,Name>>. | |
100 | | doc | The description (or documentation). A human readable string that describes the artifact definition. + | |
101 | *Style note*: Typically one line description of the artifact, mentioning important caveats. + | |
102 | If more description is necessary, use the <<artifact_long_docs,Long docs form>>. | |
103 | | sources | A list of source definitions. + | |
104 | See section: <<sources,Sources>>. | |
105 | | conditions | Optional list of conditions that describe when the artifact definition should apply. + | |
106 | See section: <<conditions,Conditions>>. | |
107 | | labels | Optional list of predefined labels. | |
108 | See section: <<labels,Labels>>. | |
109 | | provides | Optional list of *TODO* | |
110 | | supported_os | Optional list that indicates which operating systems the artifact definition applies to. | |
111 | See section: <<supported_os,Supported operating system>>. | |
112 | | urls | Optional list of URLs with more contextual information. + | |
113 | Ideally the artifact definition links to an article that discusses the artificat in more depth e.g. on http://forensicswiki.org[Forensics Wiki] | |
114 | |=== | |
115 | ||
116 | === [[artifact_name]]Name | |
117 | ||
118 | *Style note*: The name of an artifact defintion should be in CamelCase name without spaces. | |
119 | ||
120 | As of July 2016 we are migrating to the following naming convention: | |
121 | ||
122 | * Prefix platform specific artifact definitions with the name of the operating system using "Linux", "MacOS" or "Windows" | |
123 | * If not platform specific: | |
124 | ** prefix with the application name, for example "ChromeHistory". | |
125 | ** prefix with the name of the subsystem, for example "WMIComputerSystemProduct". | |
126 | ||
127 | *Style note*: If the sole source of the artifact definition for example are | |
128 | files use "BrowserHistoryFiles" instead of "BrowserHistory" to reduce ambiguity. | |
129 | ||
130 | === [[artifact_long_docs]]Long docs form | |
131 | ||
132 | Multi-line documentation should use the YAML Literal Style as indicated by the | | |
133 | character. | |
134 | ||
135 | [source,yaml] | |
136 | ---- | |
137 | doc: | | |
138 | The Windows run keys. | |
139 | ||
140 | Note users.sid will currently only expand to SIDs with profiles on the system, | |
141 | not all SIDs. | |
142 | ---- | |
143 | ||
144 | *Style note*: the short description (first line) and the longer portion are | |
145 | separated by an empty line. | |
146 | ||
147 | *Style note*: explicit newlines (\n) should not be used. | |
148 | ||
149 | == [[sources]]Sources | |
150 | ||
151 | Every source definition starts with a `type` followed by arguments e.g. | |
152 | ||
153 | [source,yaml] | |
154 | ---- | |
155 | sources: | |
156 | - type: COMMAND | |
157 | attributes: | |
158 | args: [-qa] | |
159 | cmd: /bin/rpm | |
160 | ---- | |
161 | ||
162 | [source,yaml] | |
163 | ---- | |
164 | sources: | |
165 | - type: FILE | |
166 | attributes: | |
167 | paths: | |
168 | - /root/.bashrc | |
169 | - /root/.cshrc | |
170 | - /root/.ksh | |
171 | - /root/.logout | |
172 | - /root/.profile | |
173 | - /root/.tcsh | |
174 | - /root/.zlogin | |
175 | - /root/.zlogout | |
176 | - /root/.zprofile | |
177 | - /root/.zprofile | |
178 | ---- | |
179 | ||
180 | *Style note*: where sources take a single argument with a single value, the one-line {} | |
181 | form should be used to save on line breaks as below: | |
182 | ||
183 | [source,yaml] | |
184 | ---- | |
185 | - type: FILE | |
186 | attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']} | |
187 | ---- | |
188 | ||
189 | [cols="1,5",options="header"] | |
190 | |=== | |
191 | | Value | Description | |
192 | | attributes | A dictionary of keyword attributes specific to the type of source definition. | |
193 | | type | The source type. | |
194 | | conditions | Optional list of conditions to when the artifact definition should apply. + | |
195 | See section: <<conditions,Conditions>>. | |
196 | | supported_os | Optional list that indicates which operating systems the artifact definition applies to. + | |
197 | See section: <<supported_os,Supported operating system>>. | |
198 | |=== | |
199 | ||
200 | === Source types | |
201 | ||
202 | Currently the following different source types are defined: | |
203 | ||
204 | [cols="1,5",options="header"] | |
205 | |=== | |
206 | | Value | Description | |
207 | | ARTIFACT_GROUP | A source that consists of a group of other artifacts. | |
208 | | COMMAND | A source that consists of the output of a command. | |
209 | | FILE | A source that consists of the contents of files. | |
210 | | PATH | A source that consists of the contents of paths. | |
211 | | REGISTRY_KEY | A source that consists of the contents of Windows Registry keys. | |
212 | | REGISTRY_VALUE | A source that consists of the contents of Windows Registry values. | |
213 | | WMI | A source that consists of the output of Windows Management Instrumentation (WMI) queries. | |
214 | |=== | |
215 | ||
216 | The sources types are defined in | |
217 | link:https://github.com/ForensicArtifacts/artifacts/blob/master/artifacts/definitions.py[definitions.py]. | |
218 | as TYPE_INDICATOR constants. | |
219 | ||
220 | === Artifact group source | |
221 | ||
222 | The artifact group source is a source that consists of a group of other artifacts e.g. | |
223 | ||
224 | [source,yaml] | |
225 | ---- | |
226 | - type: ARTIFACT_GROUP | |
227 | attributes: | |
228 | names: [WindowsRunKeys, WindowsServices] | |
229 | ---- | |
230 | ||
231 | Where `attributes` can contain the following values: | |
232 | ||
233 | [cols="1,5",options="header"] | |
234 | |=== | |
235 | | Value | Description | |
236 | | names | A list of artifact definition names that make up this "composite" artifact. + | |
237 | This can also be used to group multiple artifact definitions into one for convenience. | |
238 | |=== | |
239 | ||
240 | === Command source | |
241 | ||
242 | The command source is a source that consists of the output of a command e.g. | |
243 | ||
244 | [source,yaml] | |
245 | ---- | |
246 | - type: COMMAND | |
247 | attributes: | |
248 | args: [-qa] | |
249 | cmd: /bin/rpm | |
250 | ---- | |
251 | ||
252 | Where `attributes` can contain the following values: | |
253 | ||
254 | [cols="1,5",options="header"] | |
255 | |=== | |
256 | | Value | Description | |
257 | | args | A list arguments to pass to the command. | |
258 | | cmd | The path of the command. | |
259 | |=== | |
260 | ||
261 | === File source | |
262 | ||
263 | The file source is a source that consists of the contents of files e.g. | |
264 | ||
265 | [source,yaml] | |
266 | ---- | |
267 | - type: FILE | |
268 | attributes: | |
269 | paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx'] | |
270 | ---- | |
271 | ||
272 | Where `attributes` can contain the following values: | |
273 | ||
274 | [cols="1,5",options="header"] | |
275 | |=== | |
276 | | Value | Description | |
277 | | paths | A list of file paths that can potentially be collected. + | |
278 | The paths can use parameter expansion e.g. `%%environ_systemroot%%`. + | |
279 | See section: <<parameter_expansion,Parameter expansion and globs>> | |
280 | | separator | Optional path segment seperator e.g. '\' for Windows systems. + | |
281 | When not specified the default path segment separator is '/'. | |
282 | |=== | |
283 | ||
284 | === Path source | |
285 | ||
286 | The path source is a source that consists of the contents of paths e.g. | |
287 | ||
288 | [source,yaml] | |
289 | ---- | |
290 | - type: PATH | |
291 | attributes: | |
292 | paths: ['\Program Files'] | |
293 | separator: '\' | |
294 | ---- | |
295 | ||
296 | Where `attributes` can contain the following values: | |
297 | ||
298 | [cols="1,5",options="header"] | |
299 | |=== | |
300 | | Value | Description | |
301 | | paths | A list of file paths that can potentially be collected. + | |
302 | The paths can use parameter expansion e.g. `%%environ_systemroot%%`. + | |
303 | See section: <<parameter_expansion,Parameter expansion and globs>> | |
304 | | separator | Optional path segment seperator e.g. '\' for Windows systems. + | |
305 | When not specified the default path segment separator is '/'. | |
306 | |=== | |
307 | ||
308 | === Windows Registry key source | |
309 | ||
310 | The Windows Registry key source is a source that consists of the contents of | |
311 | Windows Registry keys e.g. | |
312 | ||
313 | [source,yaml] | |
314 | ---- | |
315 | sources: | |
316 | - type: REGISTRY_KEY | |
317 | attributes: | |
318 | keys: | |
319 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\TypedURLs\*' | |
320 | ---- | |
321 | ||
322 | Where `attributes` can contain the following values: | |
323 | ||
324 | [cols="1,5",options="header"] | |
325 | |=== | |
326 | | Value | Description | |
327 | | keys | A list of Windows Registry key paths that can potentially be collected. + | |
328 | The paths can use parameter expansion e.g. `%%users.sid%%`. + | |
329 | See section: <<parameter_expansion,Parameter expansion and globs>> | |
330 | |=== | |
331 | ||
332 | === Windows Registry value source | |
333 | ||
334 | The Windows Registry value source is a source that consists of the contents of | |
335 | Windows Registry values e.g. | |
336 | ||
337 | [source,yaml] | |
338 | ---- | |
339 | - type: REGISTRY_VALUE | |
340 | attributes: | |
341 | key_value_pairs: | |
342 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654'} | |
343 | ---- | |
344 | ||
345 | Where `attributes` can contain the following values: | |
346 | ||
347 | [cols="1,5",options="header"] | |
348 | |=== | |
349 | | Value | Description | |
350 | | key_value_pairs | A list of Windows Registry key paths and value names that can potentially be collected. + | |
351 | The key path can use parameter expansion e.g. `%%users.sid%%`. + | |
352 | See section: <<parameter_expansion,Parameter expansion and globs>> | |
353 | |=== | |
354 | ||
355 | === Windows Management Instrumentation (WMI) query source | |
356 | ||
357 | The Windows Management Instrumentation (WMI) query source is a source that | |
358 | consists of the output of Windows Management Instrumentation (WMI) queries e.g. | |
359 | ||
360 | [source,yaml] | |
361 | ---- | |
362 | - type: WMI | |
363 | attributes: | |
364 | query: SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%' | |
365 | ---- | |
366 | ||
367 | Where `attributes` can contain the following values: | |
368 | ||
369 | [cols="1,5",options="header"] | |
370 | |=== | |
371 | | Value | Description | |
372 | | base_object | Optional WMI base object e.g. `winmgmts:\root\SecurityCenter2` | |
373 | | query | The Windows Management Instrumentation (WMI) query. + | |
374 | The query can use parameter expansion e.g. `%%users.username%%`. + | |
375 | See section: <<parameter_expansion,Parameter expansion and globs>> | |
376 | |=== | |
377 | ||
378 | == [[conditions]]Conditions | |
379 | ||
380 | *TODO: work is in progress to move this out of GRR into something more portable.* | |
381 | ||
382 | Artifact conditions are currently implemented using the | |
383 | link:https://github.com/google/objectfilter[objectfilter] system that allows | |
384 | you to apply complex conditions to the attributes of an object. Artifacts can | |
385 | apply conditions to any of the Knowledge Base object attributes as defined in | |
386 | the GRR link:https://github.com/google/grr/blob/master/proto/knowledge_base.proto[knowledge_base.proto]. | |
387 | ||
388 | *Style note*: single quotes should be used for strings when writing conditions. | |
389 | ||
390 | [source,yaml] | |
391 | ---- | |
392 | conditions: [os_major_version >= 6 and time_zone == 'America/Los_Angeles'] | |
393 | ---- | |
394 | ||
395 | === [[supported_os]]Supported operating system | |
396 | ||
397 | Since operating system (OS) conditions are a very common constraint, this has | |
398 | been provided as a separate option "supported_os" to simplify syntax. For | |
399 | supported_os no quotes are required. The currently supported operating systems | |
400 | are: | |
401 | ||
402 | * Darwin (also used for Mac OS X) | |
403 | * Linux | |
404 | * Windows | |
405 | ||
406 | [source,yaml] | |
407 | ---- | |
408 | supported_os: [Darwin, Linux, Windows] | |
409 | ---- | |
410 | ||
411 | This can be translated to objectfilter as: | |
412 | ||
413 | [source,yaml] | |
414 | ---- | |
415 | ["os =='Darwin'" OR "os=='Linux'" OR "os == 'Windows'"] | |
416 | ---- | |
417 | ||
418 | == [[labels]]Labels | |
419 | ||
420 | Currently the following different labels are defined: | |
421 | ||
422 | [cols="1,5",options="header"] | |
423 | |=== | |
424 | | Value | Description | |
425 | | Antivirus | Antivirus related artifacts, e.g. quarantine files. | |
426 | | Authentication | Authentication artifacts. | |
427 | | Browser | Web Browser artifacts. | |
428 | | Cloud Storage | Cloud Storage artifacts. | |
429 | | Configuration Files | Configuration files artifacts. | |
430 | | Execution | Contain execution events. | |
431 | | External Media | Contain external media data or events e.g. USB drives. | |
432 | | KnowledgeBase | Artifacts used in knowledge base generation. | |
433 | | Logs | Contain log files. | |
434 | | Memory | Artifacts retrieved from memory. | |
435 | | Network | Describe networking state. | |
436 | | Processes | Describe running processes. | |
437 | | Software | Installed software. | |
438 | | System | Core system artifacts. | |
439 | | Users | Information about users. | |
440 | | Rekall | Artifacts using the Rekall memory forensics framework. | |
441 | |=== | |
442 | ||
443 | The labes are defined in | |
444 | link:https://github.com/ForensicArtifacts/artifacts/blob/master/artifacts/definitions.py[definitions.py]. | |
445 | ||
446 | == Style notes | |
447 | ||
448 | === Artifact definition YAML files | |
449 | ||
450 | Artifact definition YAML filenames should be of the form: | |
451 | .... | |
452 | $FILENAME.yaml | |
453 | .... | |
454 | ||
455 | Where $FILENAME is name of the file e.g. windows.yaml. | |
456 | ||
457 | Each defintion file should have a comment at the top of the file with a | |
458 | one-line summary describing the type of artifact definitions contained in the | |
459 | file e.g. | |
460 | ||
461 | [source,yaml] | |
462 | ---- | |
463 | # Windows specific artifacts. | |
464 | ---- | |
465 | ||
466 | === Lists | |
467 | ||
468 | Generally use the short [] format for single-item lists that fit inside 80 | |
469 | characters to save on unnecessary line breaks: | |
470 | ||
471 | [source,yaml] | |
472 | ---- | |
473 | labels: [Logs] | |
474 | supported_os: [Windows] | |
475 | urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] | |
476 | ---- | |
477 | ||
478 | and the bulleted list form for multi-item lists or long lines: | |
479 | ||
480 | [source,yaml] | |
481 | ---- | |
482 | paths: | |
483 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*' | |
484 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' | |
485 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*' | |
486 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' | |
487 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*' | |
488 | ---- | |
489 | ||
490 | === Quotes | |
491 | ||
492 | Quotes should not be used for doc strings, artifact names, and simple lists | |
493 | like labels and supported_os. | |
494 | ||
495 | Paths and URLs should use single quotes to avoid the need for manual escaping. | |
496 | ||
497 | [source,yaml] | |
498 | ---- | |
499 | paths: ['%%environ_temp%%\*.exe'] | |
500 | urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] | |
501 | ---- | |
502 | ||
503 | Double quotes should be used where escaping causes problems, such as | |
504 | regular expressions: | |
505 | ||
506 | [source,yaml] | |
507 | ---- | |
508 | content_regex_list: ["^%%users.username%%:[^:]*\n"] | |
509 | ---- | |
510 | ||
511 | === Minimize the number of definitions by using multiple sources | |
512 | ||
513 | To minimize the number of artifacts in the list, combine them using the | |
514 | supported_os and conditions attributes where it makes sense. e.g. rather than | |
515 | having FirefoxHistoryWindows, FirefoxHistoryLinux, FirefoxHistoryDarwin, do: | |
516 | ||
517 | [source,yaml] | |
518 | ---- | |
519 | name: FirefoxHistory | |
520 | doc: Firefox places.sqlite files. | |
521 | sources: | |
522 | - type: FILE | |
523 | attributes: | |
524 | paths: | |
525 | - %%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite | |
526 | - %%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite | |
527 | supported_os: [Windows] | |
528 | - type: FILE | |
529 | attributes: | |
530 | paths: [%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite] | |
531 | supported_os: [Darwin] | |
532 | - type: FILE | |
533 | attributes: | |
534 | paths: ['%%users.homedir%%/.mozilla/firefox/*/places.sqlite'] | |
535 | supported_os: [Linux] | |
536 | labels: [Browser] | |
537 | supported_os: [Windows, Linux, Darwin] | |
538 | ---- | |
539 | ||
540 | == [[parameter_expansion]]Parameter expansion and globs | |
541 | ||
542 | *TODO* | |
543 |
0 | # -*- coding: utf-8 -*- | |
1 | """Sphinx build configuration file.""" | |
2 | ||
3 | import os | |
4 | import sys | |
5 | ||
6 | from sphinx.ext import apidoc | |
7 | ||
8 | from docutils import nodes | |
9 | from docutils import transforms | |
10 | ||
11 | # Change PYTHONPATH to include artifacts module and dependencies. | |
12 | sys.path.insert(0, os.path.abspath('..')) | |
13 | ||
14 | import artifacts # pylint: disable=wrong-import-position | |
15 | ||
16 | import utils.dependencies # pylint: disable=wrong-import-position | |
17 | ||
18 | ||
19 | # -- General configuration ------------------------------------------------ | |
20 | ||
21 | # If your documentation needs a minimal Sphinx version, state it here. | |
22 | needs_sphinx = '2.0.1' | |
23 | ||
24 | # Add any Sphinx extension module names here, as strings. They can be | |
25 | # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom | |
26 | # ones. | |
27 | extensions = [ | |
28 | 'sphinx.ext.autodoc', | |
29 | 'sphinx.ext.doctest', | |
30 | 'sphinx.ext.coverage', | |
31 | 'sphinx.ext.viewcode', | |
32 | 'sphinx.ext.napoleon', | |
33 | 'sphinx_markdown_tables', | |
34 | 'recommonmark' | |
35 | ] | |
36 | ||
37 | # We cannot install architecture dependent Python modules on readthedocs, | |
38 | # therefore we mock most imports. | |
39 | pip_installed_modules = set(['six']) | |
40 | ||
41 | dependency_helper = utils.dependencies.DependencyHelper( | |
42 | dependencies_file=os.path.join('..', 'dependencies.ini'), | |
43 | test_dependencies_file=os.path.join('..', 'test_dependencies.ini')) | |
44 | modules_to_mock = set(dependency_helper.dependencies.keys()) | |
45 | modules_to_mock = modules_to_mock.difference(pip_installed_modules) | |
46 | ||
47 | autodoc_mock_imports = sorted(modules_to_mock) | |
48 | ||
49 | # Options for the Sphinx Napoleon extension, which reads Google-style | |
50 | # docstrings. | |
51 | napoleon_google_docstring = True | |
52 | napoleon_numpy_docstring = False | |
53 | napoleon_include_private_with_doc = False | |
54 | napoleon_include_special_with_doc = True | |
55 | ||
56 | # General information about the project. | |
57 | # pylint: disable=redefined-builtin | |
58 | project = 'Digital Forensics Artifacts Repository' | |
59 | copyright = 'The Digital Forensics Artifacts Repository Authors' | |
60 | version = artifacts.__version__ | |
61 | release = artifacts.__version__ | |
62 | ||
63 | # Add any paths that contain templates here, relative to this directory. | |
64 | templates_path = ['_templates'] | |
65 | ||
66 | # List of patterns, relative to source directory, that match files and | |
67 | # directories to ignore when looking for source files. | |
68 | exclude_patterns = ['_build'] | |
69 | ||
70 | # The master toctree document. | |
71 | master_doc = 'index' | |
72 | ||
73 | # The name of the Pygments (syntax highlighting) style to use. | |
74 | pygments_style = 'sphinx' | |
75 | ||
76 | ||
77 | # -- Options for HTML output ---------------------------------------------- | |
78 | ||
79 | # The theme to use for HTML and HTML Help pages. See the documentation for | |
80 | # a list of builtin themes. | |
81 | html_theme = 'default' | |
82 | ||
83 | # Output file base name for HTML help builder. | |
84 | htmlhelp_basename = 'artifactsdoc' | |
85 | ||
86 | ||
87 | # -- Options linkcheck ---------------------------------------------------- | |
88 | ||
89 | linkcheck_ignore = [ | |
90 | ] | |
91 | ||
92 | ||
93 | # -- Code to rewrite links for readthedocs -------------------------------- | |
94 | ||
95 | # This function is a Sphinx core event callback, the format of which is detailed | |
96 | # here: https://www.sphinx-doc.org/en/master/extdev/appapi.html#events | |
97 | ||
98 | # pylint: disable=unused-argument | |
99 | def RunSphinxAPIDoc(app): | |
100 | """Runs sphinx-apidoc to auto-generate documentation. | |
101 | ||
102 | Args: | |
103 | app (sphinx.application.Sphinx): Sphinx application. Required by the | |
104 | the Sphinx event callback API. | |
105 | """ | |
106 | current_directory = os.path.abspath(os.path.dirname(__file__)) | |
107 | module_path = os.path.join(current_directory, '..', 'artifacts') | |
108 | api_directory = os.path.join(current_directory, 'sources', 'api') | |
109 | apidoc.main(['-o', api_directory, module_path, '--force']) | |
110 | ||
111 | ||
112 | class MarkdownLinkFixer(transforms.Transform): | |
113 | """Transform definition to parse .md references to internal pages.""" | |
114 | ||
115 | default_priority = 1000 | |
116 | ||
117 | _URI_PREFIXES = [] | |
118 | ||
119 | def _FixLinks(self, node): | |
120 | """Corrects links to .md files not part of the documentation. | |
121 | ||
122 | Args: | |
123 | node (docutils.nodes.Node): docutils node. | |
124 | ||
125 | Returns: | |
126 | docutils.nodes.Node: docutils node, with correct URIs outside | |
127 | of Markdown pages outside the documentation. | |
128 | """ | |
129 | if isinstance(node, nodes.reference) and 'refuri' in node: | |
130 | reference_uri = node['refuri'] | |
131 | for uri_prefix in self._URI_PREFIXES: | |
132 | if (reference_uri.startswith(uri_prefix) and not ( | |
133 | reference_uri.endswith('.asciidoc') or | |
134 | reference_uri.endswith('.md'))): | |
135 | node['refuri'] = reference_uri + '.md' | |
136 | break | |
137 | ||
138 | return node | |
139 | ||
140 | def _Traverse(self, node): | |
141 | """Traverses the document tree rooted at node. | |
142 | ||
143 | Args: | |
144 | node (docutils.nodes.Node): docutils node. | |
145 | """ | |
146 | self._FixLinks(node) | |
147 | ||
148 | for child_node in node.children: | |
149 | self._Traverse(child_node) | |
150 | ||
151 | # pylint: disable=arguments-differ | |
152 | def apply(self): | |
153 | """Applies this transform on document tree.""" | |
154 | self._Traverse(self.document) | |
155 | ||
156 | ||
157 | # pylint: invalid-name | |
158 | def setup(app): | |
159 | """Called at Sphinx initialization. | |
160 | ||
161 | Args: | |
162 | app (sphinx.application.Sphinx): Sphinx application. | |
163 | """ | |
164 | # Triggers sphinx-apidoc to generate API documentation. | |
165 | app.connect('builder-inited', RunSphinxAPIDoc) | |
166 | app.add_config_value( | |
167 | 'recommonmark_config', {'enable_auto_toc_tree': True}, True) | |
168 | app.add_transform(MarkdownLinkFixer) |
0 | Welcome to the Forensics Artifacts documentation | |
1 | ================================================ | |
2 | ||
3 | Digital Forensics Artifacts Repository, is a free, community-sourced, | |
4 | machine-readable knowledge base of digital forensic artifacts that the world | |
5 | can use both as an information source and within other tools. | |
6 | ||
7 | The source code is available from the `project page <https://github.com/ForensicArtifacts/artifacts>`__. | |
8 | ||
9 | .. toctree:: | |
10 | :maxdepth: 2 | |
11 | ||
12 | sources/user/index | |
13 | sources/background/index | |
14 | Format specification <sources/Format-specification> | |
15 | API documentation <sources/api/artifacts> | |
16 | ||
17 | ||
18 | Indices and tables | |
19 | ================== | |
20 | ||
21 | * :ref:`genindex` | |
22 | * :ref:`modindex` | |
23 | * :ref:`search` | |
24 |
0 | # Artifact definition format and style guide | |
1 | ||
2 | The best way to show what an artifact definition is, is by example. The | |
3 | following example is the artifact definition for the Windows EVTX System Event | |
4 | Logs. | |
5 | ||
6 | ```yaml | |
7 | name: WindowsSystemEventLogEvtx | |
8 | doc: Windows System Event log for Vista or later systems. | |
9 | sources: | |
10 | - type: FILE | |
11 | attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']} | |
12 | conditions: [os_major_version >= 6] | |
13 | labels: [Logs] | |
14 | supported_os: [Windows] | |
15 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/main/windows/EventLog.md'] | |
16 | ``` | |
17 | ||
18 | The artifact definition can have the following values: | |
19 | ||
20 | Value | Description | |
21 | --- | --- | |
22 | name | The name. An unique string that identifies the artifact definition. See section: [Name](#name). | |
23 | doc | The description (or documentation). A human readable string that describes the artifact definition. See section: [Description](#description). | |
24 | sources | A list of source definitions. See section: [Sources](#sources). | |
25 | conditions | Optional list of conditions that describe when the artifact definition should apply. See section: [Conditions](#conditions). | |
26 | labels | Optional list of predefined labels. See section: [Labels](#labels). | |
27 | provides | Optional list of *TODO* | |
28 | supported_os | Optional list that indicates which operating systems the artifact definition applies to. See section: [Supported operating system](#supported-operating-system). | |
29 | urls | Optional list of URLs with more contextual information. Ideally the artifact definition links to an article that discusses the artifact in more depth for example on [Digital Forensics Artifact Knowledge Base](https://github.com/ForensicArtifacts/artifacts-kb). | |
30 | ||
31 | ## Name | |
32 | ||
33 | **Style note**: The name of an artifact defintion should be in CamelCase name | |
34 | without spaces. | |
35 | ||
36 | As of July 2016 we are migrating to the following naming convention: | |
37 | ||
38 | * Prefix platform specific artifact definitions with the name of the operating system using "Linux", "MacOS" or "Windows" | |
39 | * If not platform specific: | |
40 | ** prefix with the application name, for example "ChromeHistory". | |
41 | ** prefix with the name of the subsystem, for example "WMIComputerSystemProduct". | |
42 | ||
43 | **Style note**: If the sole source of the artifact definition for example are | |
44 | files use "BrowserHistoryFiles" instead of "BrowserHistory" to reduce ambiguity. | |
45 | ||
46 | ## Description | |
47 | ||
48 | **Style note**: Typically one line description of the artifact, mentioning | |
49 | important caveats. If more than one line is necessary, use the multi-line YAML | |
50 | Literal Style as indicated by the `|` character. | |
51 | ||
52 | ```yaml | |
53 | doc: | | |
54 | The Windows run keys. | |
55 | ||
56 | Note users.sid will currently only expand to SIDs with profiles on the system, | |
57 | not all SIDs. | |
58 | ``` | |
59 | ||
60 | **Style note**: the short description (first line) and the longer portion are | |
61 | separated by an empty line. | |
62 | ||
63 | **Style note**: explicit newlines (\n) should not be used. | |
64 | ||
65 | ## Sources | |
66 | ||
67 | Every source definition starts with a `type` followed by arguments for example: | |
68 | ||
69 | ```yaml | |
70 | sources: | |
71 | - type: COMMAND | |
72 | attributes: | |
73 | args: [-qa] | |
74 | cmd: /bin/rpm | |
75 | ``` | |
76 | ||
77 | ```yaml | |
78 | sources: | |
79 | - type: FILE | |
80 | attributes: | |
81 | paths: | |
82 | - /root/.bashrc | |
83 | - /root/.cshrc | |
84 | - /root/.ksh | |
85 | - /root/.logout | |
86 | - /root/.profile | |
87 | - /root/.tcsh | |
88 | - /root/.zlogin | |
89 | - /root/.zlogout | |
90 | - /root/.zprofile | |
91 | - /root/.zprofile | |
92 | ``` | |
93 | ||
94 | **Style note**: where sources take a single argument with a single value, the | |
95 | one-line {} form should be used to save on line breaks as below: | |
96 | ||
97 | ```yaml | |
98 | - type: FILE | |
99 | attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']} | |
100 | ``` | |
101 | ||
102 | Value | Description | |
103 | --- | --- | |
104 | attributes | A dictionary of keyword attributes specific to the type of source definition. | |
105 | type | The source type. | |
106 | conditions | Optional list of conditions to when the artifact definition should apply. See section: [Conditions](#conditions). | |
107 | supported_os | Optional list that indicates which operating systems the artifact definition applies to. See section: [Supported operating system](#supported-operating-system). | |
108 | ||
109 | ### Source types | |
110 | ||
111 | Currently the following different source types are defined: | |
112 | ||
113 | Value | Description | |
114 | --- | --- | |
115 | ARTIFACT_GROUP | A source that consists of a group of other artifacts. | |
116 | COMMAND | A source that consists of the output of a command. | |
117 | FILE | A source that consists of the contents of files. | |
118 | PATH | A source that consists of the contents of paths. | |
119 | REGISTRY_KEY | A source that consists of the contents of Windows Registry keys. | |
120 | REGISTRY_VALUE | A source that consists of the contents of Windows Registry values. | |
121 | WMI | A source that consists of the output of Windows Management Instrumentation (WMI) queries. | |
122 | ||
123 | The sources types are defined in | |
124 | [definitions.py](https://github.com/ForensicArtifacts/artifacts/blob/main/artifacts/definitions.py). | |
125 | as TYPE_INDICATOR constants. | |
126 | ||
127 | ### Artifact group source | |
128 | ||
129 | The artifact group source is a source that consists of a group of other artifacts e.g. | |
130 | ||
131 | ```yaml | |
132 | - type: ARTIFACT_GROUP | |
133 | attributes: | |
134 | names: [WindowsRunKeys, WindowsServices] | |
135 | ``` | |
136 | ||
137 | Where `attributes` can contain the following values: | |
138 | ||
139 | Value | Description | |
140 | --- | --- | |
141 | names | A list of artifact definition names that make up this "composite" artifact. This can also be used to group multiple artifact definitions into one for convenience. | |
142 | ||
143 | ### Command source | |
144 | ||
145 | The command source is a source that consists of the output of a command e.g. | |
146 | ||
147 | ```yaml | |
148 | - type: COMMAND | |
149 | attributes: | |
150 | args: [-qa] | |
151 | cmd: /bin/rpm | |
152 | ``` | |
153 | ||
154 | Where `attributes` can contain the following values: | |
155 | ||
156 | Value | Description | |
157 | --- | --- | |
158 | args | A list arguments to pass to the command. | |
159 | cmd | The path of the command. | |
160 | ||
161 | ### File source | |
162 | ||
163 | The file source is a source that consists of the contents of files e.g. | |
164 | ||
165 | ```yaml | |
166 | - type: FILE | |
167 | attributes: | |
168 | paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx'] | |
169 | ``` | |
170 | ||
171 | Where `attributes` can contain the following values: | |
172 | ||
173 | Value | Description | |
174 | --- | --- | |
175 | paths | A list of file paths that can potentially be collected. The paths can use parameter expansion e.g. `%%environ_systemroot%%`. See section: [Parameter expansion and globs](parameter-expansion-and-globs). | |
176 | separator | Optional path segment seperator e.g. '\' for Windows systems. When not specified the default path segment separator is '/'. | |
177 | ||
178 | ### Path source | |
179 | ||
180 | The path source is a source that consists of the contents of paths e.g. | |
181 | ||
182 | ```yaml | |
183 | - type: PATH | |
184 | attributes: | |
185 | paths: ['\Program Files'] | |
186 | separator: '\' | |
187 | ``` | |
188 | ||
189 | Where `attributes` can contain the following values: | |
190 | ||
191 | Value | Description | |
192 | --- | --- | |
193 | paths | A list of file paths that can potentially be collected. The paths can use parameter expansion e.g. `%%environ_systemroot%%`. See section: [Parameter expansion and globs](parameter-expansion-and-globs). | |
194 | separator | Optional path segment seperator e.g. '\' for Windows systems. When not specified the default path segment separator is '/'. | |
195 | ||
196 | ### Windows Registry key source | |
197 | ||
198 | The Windows Registry key source is a source that consists of the contents of | |
199 | Windows Registry keys e.g. | |
200 | ||
201 | ```yaml | |
202 | sources: | |
203 | - type: REGISTRY_KEY | |
204 | attributes: | |
205 | keys: | |
206 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\TypedURLs\*' | |
207 | ``` | |
208 | ||
209 | Where `attributes` can contain the following values: | |
210 | ||
211 | Value | Description | |
212 | --- | --- | |
213 | keys | A list of Windows Registry key paths that can potentially be collected. The paths can use parameter expansion e.g. `%%users.sid%%`. See section: [Parameter expansion and globs](parameter-expansion-and-globs). | |
214 | ||
215 | ### Windows Registry value source | |
216 | ||
217 | The Windows Registry value source is a source that consists of the contents of | |
218 | Windows Registry values e.g. | |
219 | ||
220 | ```yaml | |
221 | - type: REGISTRY_VALUE | |
222 | attributes: | |
223 | key_value_pairs: | |
224 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654'} | |
225 | ``` | |
226 | ||
227 | Where `attributes` can contain the following values: | |
228 | ||
229 | Value | Description | |
230 | --- | --- | |
231 | key_value_pairs | A list of Windows Registry key paths and value names that can potentially be collected. The key path can use parameter expansion e.g. `%%users.sid%%`. See section: [Parameter expansion and globs](parameter-expansion-and-globs). | |
232 | ||
233 | ### Windows Management Instrumentation (WMI) query source | |
234 | ||
235 | The Windows Management Instrumentation (WMI) query source is a source that | |
236 | consists of the output of Windows Management Instrumentation (WMI) queries e.g. | |
237 | ||
238 | ```yaml | |
239 | - type: WMI | |
240 | attributes: | |
241 | query: SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%' | |
242 | ``` | |
243 | ||
244 | Where `attributes` can contain the following values: | |
245 | ||
246 | Value | Description | |
247 | --- | --- | |
248 | base_object | Optional WMI base object e.g. `winmgmts:\root\SecurityCenter2` | |
249 | query | The Windows Management Instrumentation (WMI) query. The query can use parameter expansion e.g. `%%users.username%%`. See section: [Parameter expansion and globs](parameter-expansion-and-globs). | |
250 | ||
251 | ## Conditions | |
252 | ||
253 | *TODO: work is in progress to move this out of GRR into something more portable.* | |
254 | ||
255 | Artifact conditions are currently implemented using the | |
256 | link:https://github.com/google/objectfilter[objectfilter] system that allows | |
257 | you to apply complex conditions to the attributes of an object. Artifacts can | |
258 | apply conditions to any of the Knowledge Base object attributes as defined in | |
259 | the GRR link:https://github.com/google/grr/blob/master/proto/knowledge_base.proto[knowledge_base.proto]. | |
260 | ||
261 | **Style note**: single quotes should be used for strings when writing conditions. | |
262 | ||
263 | ```yaml | |
264 | conditions: [os_major_version >= 6 and time_zone == 'America/Los_Angeles'] | |
265 | ``` | |
266 | ||
267 | ## Supported operating system | |
268 | ||
269 | Since operating system (OS) conditions are a very common constraint, this has | |
270 | been provided as a separate option "supported_os" to simplify syntax. For | |
271 | supported_os no quotes are required. The currently supported operating systems | |
272 | are: | |
273 | ||
274 | * Darwin (also used for Mac OS X) | |
275 | * Linux | |
276 | * Windows | |
277 | ||
278 | ```yaml | |
279 | supported_os: [Darwin, Linux, Windows] | |
280 | ``` | |
281 | ||
282 | This can be translated to objectfilter as: | |
283 | ||
284 | ```yaml | |
285 | ["os =='Darwin'" OR "os=='Linux'" OR "os == 'Windows'"] | |
286 | ``` | |
287 | ||
288 | ## Labels | |
289 | ||
290 | Currently the following different labels are defined: | |
291 | ||
292 | Value | Description | |
293 | --- | --- | |
294 | Antivirus | Antivirus related artifacts, e.g. quarantine files. | |
295 | Authentication | Authentication artifacts. | |
296 | Browser | Web Browser artifacts. | |
297 | Cloud Storage | Cloud Storage artifacts. | |
298 | Configuration Files | Configuration files artifacts. | |
299 | Execution | Contain execution events. | |
300 | External Media | Contain external media data or events e.g. USB drives. | |
301 | KnowledgeBase | Artifacts used in knowledge base generation. | |
302 | Logs | Contain log files. | |
303 | Memory | Artifacts retrieved from memory. | |
304 | Network | Describe networking state. | |
305 | Processes | Describe running processes. | |
306 | Software | Installed software. | |
307 | System | Core system artifacts. | |
308 | Users | Information about users. | |
309 | ||
310 | The labes are defined in | |
311 | link:https://github.com/ForensicArtifacts/artifacts/blob/main/artifacts/definitions.py[definitions.py]. | |
312 | ||
313 | ## Parameter expansion and globs | |
314 | ||
315 | **TODO: add text** | |
316 | ||
317 | ## Additional style notes | |
318 | ||
319 | ### Artifact definition YAML files | |
320 | ||
321 | Artifact definition YAML filenames should be of the form: | |
322 | ||
323 | ``` | |
324 | $FILENAME.yaml | |
325 | ``` | |
326 | ||
327 | Where $FILENAME is name of the file e.g. windows.yaml. | |
328 | ||
329 | Each defintion file should have a comment at the top of the file with a | |
330 | one-line summary describing the type of artifact definitions contained in the | |
331 | file e.g. | |
332 | ||
333 | ```yaml | |
334 | # Windows specific artifacts. | |
335 | ``` | |
336 | ||
337 | ### Lists | |
338 | ||
339 | Generally use the short `[]` format for single-item lists that fit inside 80 | |
340 | characters to save on unnecessary line breaks: | |
341 | ||
342 | ```yaml | |
343 | labels: [Logs] | |
344 | supported_os: [Windows] | |
345 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/main/windows/EventLog.md'] | |
346 | ``` | |
347 | ||
348 | and the bulleted list form for multi-item lists or long lines: | |
349 | ||
350 | ```yaml | |
351 | paths: | |
352 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*' | |
353 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' | |
354 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*' | |
355 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' | |
356 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*' | |
357 | ``` | |
358 | ||
359 | ### Quotes | |
360 | ||
361 | Quotes should not be used for doc strings, artifact names, and simple lists | |
362 | like labels and supported_os. | |
363 | ||
364 | Paths and URLs should use single quotes to avoid the need for manual escaping. | |
365 | ||
366 | ```yaml | |
367 | paths: ['%%environ_temp%%\*.exe'] | |
368 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/main/windows/EventLog.md'] | |
369 | ``` | |
370 | ||
371 | Double quotes should be used where escaping causes problems, such as | |
372 | regular expressions: | |
373 | ||
374 | ```yaml | |
375 | content_regex_list: ["^%%users.username%%:[^:]*\n"] | |
376 | ``` | |
377 | ||
378 | ### Minimize the number of definitions by using multiple sources | |
379 | ||
380 | To minimize the number of artifacts in the list, combine them using the | |
381 | supported_os and conditions attributes where it makes sense. e.g. rather than | |
382 | having FirefoxHistoryWindows, FirefoxHistoryLinux, FirefoxHistoryDarwin, do: | |
383 | ||
384 | ```yaml | |
385 | name: FirefoxHistory | |
386 | doc: Firefox places.sqlite files. | |
387 | sources: | |
388 | - type: FILE | |
389 | attributes: | |
390 | paths: | |
391 | - %%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite | |
392 | - %%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite | |
393 | supported_os: [Windows] | |
394 | - type: FILE | |
395 | attributes: | |
396 | paths: [%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite] | |
397 | supported_os: [Darwin] | |
398 | - type: FILE | |
399 | attributes: | |
400 | paths: ['%%users.homedir%%/.mozilla/firefox/*/places.sqlite'] | |
401 | supported_os: [Linux] | |
402 | labels: [Browser] | |
403 | supported_os: [Windows, Linux, Darwin] | |
404 | ``` | |
405 |
0 | artifacts package | |
1 | ================= | |
2 | ||
3 | Submodules | |
4 | ---------- | |
5 | ||
6 | artifacts.artifact module | |
7 | ------------------------- | |
8 | ||
9 | .. automodule:: artifacts.artifact | |
10 | :members: | |
11 | :undoc-members: | |
12 | :show-inheritance: | |
13 | ||
14 | artifacts.definitions module | |
15 | ---------------------------- | |
16 | ||
17 | .. automodule:: artifacts.definitions | |
18 | :members: | |
19 | :undoc-members: | |
20 | :show-inheritance: | |
21 | ||
22 | artifacts.errors module | |
23 | ----------------------- | |
24 | ||
25 | .. automodule:: artifacts.errors | |
26 | :members: | |
27 | :undoc-members: | |
28 | :show-inheritance: | |
29 | ||
30 | artifacts.reader module | |
31 | ----------------------- | |
32 | ||
33 | .. automodule:: artifacts.reader | |
34 | :members: | |
35 | :undoc-members: | |
36 | :show-inheritance: | |
37 | ||
38 | artifacts.registry module | |
39 | ------------------------- | |
40 | ||
41 | .. automodule:: artifacts.registry | |
42 | :members: | |
43 | :undoc-members: | |
44 | :show-inheritance: | |
45 | ||
46 | artifacts.source\_type module | |
47 | ----------------------------- | |
48 | ||
49 | .. automodule:: artifacts.source_type | |
50 | :members: | |
51 | :undoc-members: | |
52 | :show-inheritance: | |
53 | ||
54 | artifacts.writer module | |
55 | ----------------------- | |
56 | ||
57 | .. automodule:: artifacts.writer | |
58 | :members: | |
59 | :undoc-members: | |
60 | :show-inheritance: | |
61 | ||
62 | Module contents | |
63 | --------------- | |
64 | ||
65 | .. automodule:: artifacts | |
66 | :members: | |
67 | :undoc-members: | |
68 | :show-inheritance: |
0 | ## Statistics | |
1 | ||
2 | The artifact definitions can be found in the [data directory](https://github.com/ForensicArtifacts/artifacts/tree/main/data) | |
3 | and the format is described in detail in the [Style Guide](https://github.com/ForensicArtifacts/artifacts/blob/main/docs/Artifacts%20definition%20format%20and%20style%20guide.asciidoc). | |
4 | ||
5 | As of 2019-06-10 the repository contains: | |
6 | ||
7 | | **File paths covered** | **1013** | | |
8 | | :------------------ | ------: | | |
9 | | **Registry keys covered** | **635** | | |
10 | | **Total artifacts** | **525** | | |
11 | ||
12 | **Artifacts by type** | |
13 | ||
14 | | ARTIFACT_GROUP | COMMAND | DIRECTORY | FILE | PATH | REGISTRY_KEY | REGISTRY_VALUE | WMI | | |
15 | | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | | |
16 | | 21 | 9 | 14 | 283 | 8 | 50 | 114 | 26 | | |
17 | ||
18 | **Artifacts by OS** | |
19 | ||
20 | | Darwin | Linux | Windows | | |
21 | | :---: | :---: | :---: | | |
22 | | 33 | 25 | 23 | | |
23 | ||
24 | **Artifacts by label** | |
25 | ||
26 | | Antivirus | Authentication | Browser | Cloud | Cloud Storage | Configuration Files | Docker | External Media | ExternalAccount | Hadoop | History Files | Logs | Mail | Network | Software | System | Users | iOS | | |
27 | | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | | |
28 | | 6 | 18 | 21 | 2 | 4 | 41 | 2 | 2 | 3 | 1 | 3 | 46 | 15 | 15 | 43 | 104 | 68 | 5 | |
0 | # Terminology | |
1 | ||
2 | The term artifact (or artefact) is widely used within computer (or digital) | |
3 | forensics, though there is no official definition of this term. | |
4 | ||
5 | The definition closest to the meaning of the word within computer forensics is | |
6 | that of the word artifact within | |
7 | [archaeology](https://en.wikipedia.org/wiki/Artifact_(archaeology)). The term | |
8 | should not be confused with the word artifact used within | |
9 | [software development](https://en.wikipedia.org/wiki/Artifact_(software_development)). | |
10 | ||
11 | If archaeology defines an artifact as: | |
12 | ||
13 | ``` | |
14 | something made or given shape by man, such as a tool or | |
15 | a work of art, esp an object of archaeological interest | |
16 | ``` | |
17 | ||
18 | The definition of artifact within computer forensics could be: | |
19 | ||
20 | ``` | |
21 | An object of digital archaeological interest. | |
22 | ``` | |
23 | ||
24 | Where digital archaeology roughly refers to computer forensics without the | |
25 | forensic (legal) context. |
0 | ########## | |
1 | Background | |
2 | ########## | |
3 | ||
4 | The first version of the artifact definitions originated from the | |
5 | `GRR project <https://github.com/google/grr>`__, where it is used to describe | |
6 | and quickly collect data of interest, for example specific files or Windows | |
7 | Registry keys. The goal of the format is to provide a tool independent way to | |
8 | describe the majority of forensic artifacts in a language that is readable by | |
9 | humans and machines. | |
10 | ||
11 | The format is designed to be simple and straight forward, so that a digital | |
12 | forensic analysist is able to quickly write artifact definitions during an | |
13 | investigation without having to rely on complex standards or tooling. | |
14 | ||
15 | The format is intended to describe forensically-relevant data on a machine, | |
16 | while being tool agnostic. In particular we intentionally avoided adding | |
17 | IOC-like logic, or describing how the data should be collected since this | |
18 | various between tools. | |
19 | ||
20 | For some background on the artifacts system and how we expect it to be used see | |
21 | `this Blackhat presentation <https://www.blackhat.com/us-14/archives.html#grr-find-all-the-badness-collect-all-the-things>`__ | |
22 | and `YouTube video <https://www.youtube.com/watch?v=ren6QSvwFvg>`__ from the GRR team. | |
23 | ||
24 | .. toctree:: | |
25 | :maxdepth: 2 | |
26 | ||
27 | Terminology <Terminology> | |
28 | Statistics <Stats> |
0 | # Installation instructions | |
1 | ||
2 | ## pip | |
3 | ||
4 | **Note that using pip outside virtualenv is not recommended since it ignores | |
5 | your systems package manager. If you aren't comfortable debugging package | |
6 | installation issues, this is not the option for you.** | |
7 | ||
8 | Create and activate a virtualenv: | |
9 | ||
10 | ```bash | |
11 | virtualenv artifactsenv | |
12 | cd artifactsenv | |
13 | source ./bin/activate | |
14 | ``` | |
15 | ||
16 | Upgrade pip and install Forensics Artifacts dependencies: | |
17 | ||
18 | ```bash | |
19 | pip install --upgrade pip | |
20 | pip install artifacts | |
21 | ``` | |
22 | ||
23 | To deactivate the virtualenv run: | |
24 | ||
25 | ```bash | |
26 | deactivate | |
27 | ``` | |
28 | ||
29 | ## Ubuntu 18.04 and 20.04 LTS | |
30 | ||
31 | To install Forensics Artifacts from the [GIFT Personal Package Archive (PPA)](https://launchpad.net/~gift): | |
32 | ||
33 | ```bash | |
34 | sudo add-apt-repository ppa:gift/stable | |
35 | ``` | |
36 | ||
37 | Update and install Forensics Artifacts: | |
38 | ||
39 | ```bash | |
40 | sudo apt-get update | |
41 | sudo apt-get install python3-artifacts | |
42 | ``` | |
43 | ||
44 | ## Windows | |
45 | ||
46 | The [l2tbinaries](https://github.com/log2timeline/l2tbinaries) contains the | |
47 | necessary packages for running Forensics Artifacts. l2tbinaries provides the following | |
48 | branches: | |
49 | ||
50 | * main; branch intended for the "packaged release" of Forensics Artifacts and dependencies; | |
51 | * dev; branch intended for the "development release" of Forensics Artifacts; | |
52 | * testing; branch intended for testing newly created packages. | |
53 | ||
54 | The l2tdevtools project provides [an update script](https://github.com/log2timeline/l2tdevtools/wiki/Update-script) | |
55 | to ease the process of keeping the dependencies up to date. | |
56 | ||
57 | The script requires [pywin32](https://github.com/mhammond/pywin32/releases) and | |
58 | [Python WMI](https://pypi.org/project/WMI/). | |
59 | ||
60 | To install the release versions of the dependencies run: | |
61 | ||
62 | ``` | |
63 | set PYTHONPATH=. | |
64 | ||
65 | C:\Python38\python.exe tools\update.py --preset artifacts | |
66 | ``` |
0 | ############### | |
1 | Getting started | |
2 | ############### | |
3 | ||
4 | To be able to use Forensics Artifacts you first need to install it. There are | |
5 | multiple ways to install Forensics Artifacts, check the following instructions | |
6 | for more detail. | |
7 | ||
8 | .. toctree:: | |
9 | :maxdepth: 2 | |
10 | ||
11 | Installation instructions <Installation-instructions> |
0 | 0 | #!/usr/bin/env python |
1 | 1 | # -*- coding: utf-8 -*- |
2 | 2 | """Installation and deployment script.""" |
3 | ||
4 | from __future__ import print_function | |
5 | 3 | |
6 | 4 | import glob |
7 | 5 | import os |
0 | [funcsigs] | |
1 | dpkg_name: python-funcsigs | |
2 | minimum_version: 1.0.2 | |
3 | python2_only: true | |
4 | rpm_name: python2-funcsigs | |
5 | version_property: __version__ | |
6 | ||
7 | 0 | [mock] |
8 | 1 | dpkg_name: python-mock |
9 | 2 | minimum_version: 2.0.0 |
0 | 0 | [tox] |
1 | envlist = py3{6,7,8},coverage,pylint | |
1 | envlist = py3{6,7,8,9},coverage,docs,pylint | |
2 | 2 | |
3 | 3 | [testenv] |
4 | 4 | pip_pre = True |
9 | 9 | -rtest_requirements.txt |
10 | 10 | coverage: coverage |
11 | 11 | commands = |
12 | py3{6,7,8}: ./run_tests.py | |
12 | py3{6,7,8,9}: ./run_tests.py | |
13 | 13 | coverage: coverage erase |
14 | 14 | coverage: coverage run --source=artifacts --omit="*_test*,*__init__*,*test_lib*" run_tests.py |
15 | 15 | |
16 | 16 | [testenv:codecov] |
17 | 17 | skip_install = true |
18 | 18 | passenv = |
19 | CI | |
20 | TRAVIS_BUILD_ID | |
21 | TRAVIS_COMMIT | |
22 | TRAVIS_JOB_ID | |
23 | TRAVIS_JOB_NUMBER | |
24 | TRAVIS_PULL_REQUEST | |
25 | TRAVIS_REPO_SLUG | |
26 | TRAVIS TRAVIS_BRANCH | |
19 | GITHUB_ACTION | |
20 | GITHUB_HEAD_REF | |
21 | GITHUB_REF | |
22 | GITHUB_REPOSITORY | |
23 | GITHUB_RUN_ID | |
24 | GITHUB_SHA | |
27 | 25 | deps = |
28 | codecov | |
26 | codecov < 2.1.10 | |
29 | 27 | commands = |
30 | 28 | codecov |
29 | ||
30 | [testenv:docs] | |
31 | usedevelop = true | |
32 | deps = | |
33 | -rdocs/requirements.txt | |
34 | commands = | |
35 | sphinx-build -b html -d build/doctrees docs dist/docs | |
36 | sphinx-build -b linkcheck docs dist/docs | |
31 | 37 | |
32 | 38 | [testenv:pylint] |
33 | 39 | skipsdist=True |
37 | 43 | deps = |
38 | 44 | -rrequirements.txt |
39 | 45 | -rtest_requirements.txt |
40 | pylint >= 2.4.0, < 2.5.0 | |
46 | pylint >= 2.6.0, < 2.7.0 | |
41 | 47 | commands = |
42 | 48 | pylint --version |
43 | 49 | # Ignore setup.py for now due to: |
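Review bot: The new `codecov < 2.1.10` pin in `[testenv:codecov]` (new line 26) carries no explanation and no lower bound, so a future reader cannot tell whether it works around a bug or is a deliberate trust decision, and every release below the cap is still resolved at run time in the job that uploads coverage to an external service. Add a comment stating the reason, e.g. `# codecov pinned below 2.1.10: <reason placeholder>`, or pin an exact version in the same way `pylint >= 2.6.0, < 2.7.0` bounds both sides. The new `[testenv:docs]` pulls `-rdocs/requirements.txt`, whose pinning is not visible here; if that file is unpinned the same remark applies to it.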
0 | 0 | # -*- coding: utf-8 -*- |
1 | 1 | """Helper to check for availability and version of dependencies.""" |
2 | 2 | |
3 | from __future__ import print_function | |
4 | from __future__ import unicode_literals | |
5 | ||
6 | 3 | import configparser |
4 | import os | |
7 | 5 | import re |
8 | 6 | |
9 | 7 | |
13 | 11 | Attributes: |
14 | 12 | dpkg_name (str): name of the dpkg package that provides the dependency. |
15 | 13 | is_optional (bool): True if the dependency is optional. |
16 | l2tbinaries_macos_name (str): name of the l2tbinaries macos package that | |
17 | provides the dependency. | |
18 | 14 | l2tbinaries_name (str): name of the l2tbinaries package that provides |
19 | 15 | the dependency. |
20 | 16 | maximum_version (str): maximum supported version, a greater or equal |
40 | 36 | super(DependencyDefinition, self).__init__() |
41 | 37 | self.dpkg_name = None |
42 | 38 | self.is_optional = False |
43 | self.l2tbinaries_macos_name = None | |
44 | 39 | self.l2tbinaries_name = None |
45 | 40 | self.maximum_version = None |
46 | 41 | self.minimum_version = None |
59 | 54 | _VALUE_NAMES = frozenset([ |
60 | 55 | 'dpkg_name', |
61 | 56 | 'is_optional', |
62 | 'l2tbinaries_macos_name', | |
63 | 57 | 'l2tbinaries_name', |
64 | 58 | 'maximum_version', |
65 | 59 | 'minimum_version', |
117 | 111 | _VERSION_NUMBERS_REGEX = re.compile(r'[0-9.]+') |
118 | 112 | _VERSION_SPLIT_REGEX = re.compile(r'\.|\-') |
119 | 113 | |
120 | def __init__(self, configuration_file='dependencies.ini'): | |
114 | def __init__( | |
115 | self, dependencies_file='dependencies.ini', | |
116 | test_dependencies_file='test_dependencies.ini'): | |
121 | 117 | """Initializes a dependency helper. |
122 | 118 | |
123 | 119 | Args: |
124 | configuration_file (Optional[str]): path to the dependencies | |
120 | dependencies_file (Optional[str]): path to the dependencies configuration | |
121 | file. | |
122 | test_dependencies_file (Optional[str]): path to the test dependencies | |
125 | 123 | configuration file. |
126 | 124 | """ |
127 | 125 | super(DependencyHelper, self).__init__() |
130 | 128 | |
131 | 129 | dependency_reader = DependencyDefinitionReader() |
132 | 130 | |
133 | with open(configuration_file, 'r') as file_object: | |
131 | with open(dependencies_file, 'r') as file_object: | |
134 | 132 | for dependency in dependency_reader.Read(file_object): |
135 | 133 | self.dependencies[dependency.name] = dependency |
136 | 134 | |
137 | dependency = DependencyDefinition('mock') | |
138 | dependency.minimum_version = '0.7.1' | |
139 | dependency.version_property = '__version__' | |
140 | self._test_dependencies['mock'] = dependency | |
135 | if os.path.exists(test_dependencies_file): | |
136 | with open(test_dependencies_file, 'r') as file_object: | |
137 | for dependency in dependency_reader.Read(file_object): | |
138 | self._test_dependencies[dependency.name] = dependency | |
141 | 139 | |
142 | 140 | def _CheckPythonModule(self, dependency): |
143 | 141 | """Checks the availability of a Python module. |
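Review bot: Both `open(..., 'r')` calls added to `DependencyHelper.__init__` (new lines 131 and 136) rely on the locale's default encoding, so the result of reading the `.ini` files depends on the environment the helper runs in; pass the encoding explicitly, e.g. `with open(dependencies_file, 'r', encoding='utf-8') as file_object:` and likewise for `test_dependencies_file`. The `os.path.exists(test_dependencies_file)` guard on new line 135 makes a missing test-dependencies file indistinguishable from an empty one; if that is intended, a one-line comment such as `# A missing test dependencies file means there are no test dependencies.` would document it, otherwise catching `FileNotFoundError` around the open keeps the same behaviour without the separate check. `__init__` ends on new line 138, inside this hunk.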
0 | 0 | #!/bin/bash |
1 | 1 | # Script to update the version information. |
2 | 2 | |
3 | DATE_VERSION=`date +"%Y%m%d"`; | |
4 | DATE_DPKG=`date -R`; | |
5 | EMAIL_DPKG="Forensic artifacts <forensicartifacts@googlegroups.com>"; | |
3 | EXIT_FAILURE=1; | |
4 | EXIT_SUCCESS=0; | |
6 | 5 | |
7 | sed -i -e "s/^\(__version__ = \)'[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'$/\1'${DATE_VERSION}'/" artifacts/__init__.py | |
8 | sed -i -e "s/^\(artifacts \)([0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-1)/\1(${DATE_VERSION}-1)/" config/dpkg/changelog | |
9 | sed -i -e "s/^\( -- ${EMAIL_DPKG} \).*$/\1${DATE_DPKG}/" config/dpkg/changelog | |
6 | VERSION=`date -u +"%Y%m%d"` | |
7 | DPKG_DATE=`date -R` | |
8 | ||
9 | # Update the Python module version. | |
10 | sed "s/__version__ = '[0-9]*'/__version__ = '${VERSION}'/" -i artifacts/__init__.py | |
11 | ||
12 | # Update the version in the dpkg configuration files. | |
13 | cat > config/dpkg/changelog << EOT | |
14 | artifacts (${VERSION}-1) unstable; urgency=low | |
15 | ||
16 | * Auto-generated | |
17 | ||
18 | -- Forensic artifacts <forensicartifacts@googlegroups.com> ${DPKG_DATE} | |
19 | EOT | |
20 | ||
21 | # Regenerate the artifact definitions statistics documentation. | |
22 | # TODO: generate docs/sources/background/Stats.md | |
23 | ||
24 | # Regenerate the API documentation. | |
25 | tox -edocs | |
26 | ||
27 | exit ${EXIT_SUCCESS}; |
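Review bot: `EXIT_FAILURE` is defined on new line 3 but never used: the `sed -i` on line 10, the changelog rewrite on lines 13-19 and `tox -edocs` on line 25 all run unchecked, so the script reaches `exit ${EXIT_SUCCESS}` even when the version string was not updated or the docs build failed. Either add `set -e` after the shebang or check the steps that matter, e.g. `tox -edocs || exit ${EXIT_FAILURE};`. The `cat > config/dpkg/changelog` heredoc replaces the whole changelog rather than prepending an entry; if that is intentional, a comment such as `# The dpkg changelog is regenerated from scratch; history is not kept here.` would keep the next reader from treating it as a bug.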