How to use the artifacts.definitions.TYPE_INDICATOR_FILE function in artifacts

To help you get started, we’ve selected a few artifacts examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github ForensicArtifacts / artifacts / artifacts / collector.py View on Github external
The default is None.

    Raises:
      FormatError: when artifact_list is not set.
    """
    if not artifact_list:
      raise errors.FormatError(u'Missing artifact_list value.')

    super(ArtifactCollectorDefinition, self).__init__(**kwargs)
    self.artifact_list = artifact_list


class FileCollectorDefinition(CollectorDefinition):
  """Class that implements the file collector definition."""

  TYPE_INDICATOR = definitions.TYPE_INDICATOR_FILE

  def __init__(self, path_list=None, **kwargs):
    """Initializes the collector definition object.

    Args:
      path_list: optional list of path strings. The default is None.

    Raises:
      FormatError: when path_list is not set.
    """
    if not path_list:
      raise errors.FormatError(u'Missing path_list value.')

    super(FileCollectorDefinition, self).__init__(**kwargs)
    self.path_list = path_list
github ForensicArtifacts / artifacts / tools / stats.py View on Github external
for artifact_definition in artifact_reader.ReadDirectory('data'):
      if hasattr(artifact_definition, 'labels'):
        for label in artifact_definition.labels:
          self._label_counts[label] = self._label_counts.get(label, 0) + 1

      for source in artifact_definition.sources:
        self._total_count += 1
        source_type = source.type_indicator
        self._source_type_counts[source_type] = self._source_type_counts.get(
            source_type, 0) + 1

        if source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY:
          self._reg_key_count += len(source.keys)
        elif source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE:
          self._reg_key_count += len(source.key_value_pairs)
        elif source_type in (definitions.TYPE_INDICATOR_FILE,
                             definitions.TYPE_INDICATOR_DIRECTORY):
          self._path_count += len(source.paths)

        os_list = source.supported_os
        for os_str in os_list:
          self._os_counts[os_str] = self._os_counts.get(os_str, 0) + 1
github ForensicArtifacts / artifacts / artifacts / source_type.py View on Github external
"""Represents a source type as a dictionary.

    Returns:
      dict[str, str]: source type attributes.
    """
    source_type_attributes = {'paths': self.paths}
    if self.separator != '/':
      source_type_attributes['separator'] = self.separator

    return source_type_attributes


class FileSourceType(SourceType):
  """File source type."""

  TYPE_INDICATOR = definitions.TYPE_INDICATOR_FILE

  def __init__(self, paths=None, separator='/'):
    """Initializes a source type.

    Args:
      paths (Optional[str]): paths relative to the root of the file system.
      separator (Optional[str]): path segment separator.

    Raises:
      FormatError: when paths is not set or not a list type.
    """
    if not paths:
      raise errors.FormatError('Missing paths value.')

    if not isinstance(paths, list):
      raise errors.FormatError('Invalid paths value, not a list.')
github log2timeline / plaso / plaso / engine / artifact_filters.py View on Github external
def _BuildFindSpecsFromArtifact(self, definition, environment_variables):
    """Builds find specifications from an artifact definition.

    Args:
      definition (artifacts.ArtifactDefinition): artifact definition.
      environment_variables (list[EnvironmentVariableArtifact]):
          environment variables.

    Returns:
      list[dfvfs.FindSpec|dfwinreg.FindSpec]: dfVFS or dfWinReg find
          specifications.
    """
    find_specs = []
    for source in definition.sources:
      if source.type_indicator == artifact_types.TYPE_INDICATOR_FILE:
        for path_entry in set(source.paths):
          specifications = self._BuildFindSpecsFromFileSourcePath(
              path_entry, source.separator, environment_variables,
              self._knowledge_base.user_accounts)
          find_specs.extend(specifications)
          self.file_system_artifact_names.add(definition.name)

      elif (source.type_indicator ==
            artifact_types.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY):
        for key_path in set(source.keys):
          if ArtifactDefinitionsFiltersHelper.CheckKeyCompatibility(key_path):
            specifications = self._BuildFindSpecsFromRegistrySourceKey(key_path)
            find_specs.extend(specifications)
            self.registry_artifact_names.add(definition.name)

      elif (source.type_indicator ==
github SekoiaLab / fastir_artifacts / fastir / common / filesystem.py View on Github external
def register_source(self, artifact_definition, artifact_source, variables):
        supported = False

        if artifact_source.type_indicator == artifacts.definitions.TYPE_INDICATOR_FILE:
            supported = True

            for p in artifact_source.paths:
                for sp in variables.substitute(p):
                    self.add_pattern(artifact_definition.name, sp)

        return supported
github google / rekall / rekall-agent / rekall_agent / flows / artifact_flow.py View on Github external
# launch it, but just collect its actions.
        subflow = flow_obj.cast(find.FileFinderFlow)

        subflow.globs = self.paths
        subflow.download = download
        if name is None:
            name = self.artifact.name

        subflow.set_collection_name("{flow_id}/%s" % name)

        for action in subflow.generate_actions():
            yield action


SOURCE_TYPES = {
    definitions.TYPE_INDICATOR_FILE: FileSourceType,
}


class Artifact(agent.Flow):
    """Launch artifacts on the client."""
    schema = [
        dict(name="artifacts", repeated=True, private=True, user=True,
             doc="The list of artifacts to launch."),
        dict(name="copy_files", type="bool", user=True,
             doc="Should we also download the files."),
    ]

    def generate_actions(self):
        self._artifact_profile = self._session.LoadProfile("artifacts")
        self._collected_artifacts = []
github google / rekall / rekall-core / rekall / plugins / response / forensic_artifacts.py View on Github external
field_type = RekallEFilterArtifacts.allowed_types[field["type"]]
                data = info.get(name)
                if data is not None:
                    row[name] = field_type(data)

            result.add_result(**row)

        yield result


# This lookup table maps between source type name and concrete implementations
# that we support. Artifacts which contain sources which are not implemented
# will be ignored.
SOURCE_TYPES = {
    TYPE_INDICATOR_REKALL: RekallEFilterArtifacts,
    definitions.TYPE_INDICATOR_FILE: FileSourceType,
    definitions.TYPE_INDICATOR_ARTIFACT_GROUP: ArtifactGroupSourceType,
    definitions.TYPE_INDICATOR_WMI_QUERY: WMISourceType,
    definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY: RegistryKeySourceType,
    definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE: RegistryValueSourceType,
}


class ArtifactDefinition(_FieldDefinitionValidator):
    """The main artifact class."""

    def CheckLabels(self, art_definition):
        """Ensure labels are defined."""
        labels = art_definition.get("labels", [])
        # Keep unknown labels around in case callers want to check for complete
        # label coverage. In most cases it is desirable to allow users to extend
        # labels but when super strict validation is required we want to make