How to use the artifacts.definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY function in artifacts
To help you get started, we’ve selected a few artifacts examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
ForensicArtifacts / artifacts / artifacts / source_type.py View on Github 
if self.base_object:
source_type_attributes['base_object'] = self.base_object
return source_type_attributes
class SourceTypeFactory(object):
"""Source type factory."""
_source_type_classes = {
definitions.TYPE_INDICATOR_ARTIFACT_GROUP: ArtifactGroupSourceType,
definitions.TYPE_INDICATOR_COMMAND: CommandSourceType,
definitions.TYPE_INDICATOR_DIRECTORY: DirectorySourceType,
definitions.TYPE_INDICATOR_FILE: FileSourceType,
definitions.TYPE_INDICATOR_PATH: PathSourceType,
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY:
WindowsRegistryKeySourceType,
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE:
WindowsRegistryValueSourceType,
definitions.TYPE_INDICATOR_WMI_QUERY: WMIQuerySourceType,
}
@classmethod
def CreateSourceType(cls, type_indicator, attributes):
"""Creates a source type.
Args:
type_indicator (str): source type indicator.
attributes (dict[str, object]): source type attributes.
Returns:
SourceType: a source type.row[name] = field_type(data)
result.add_result(**row)
yield result
# This lookup table maps between source type name and concrete implementations
# that we support. Artifacts which contain sources which are not implemented
# will be ignored.
SOURCE_TYPES = {
TYPE_INDICATOR_REKALL: RekallEFilterArtifacts,
definitions.TYPE_INDICATOR_FILE: FileSourceType,
definitions.TYPE_INDICATOR_ARTIFACT_GROUP: ArtifactGroupSourceType,
definitions.TYPE_INDICATOR_WMI_QUERY: WMISourceType,
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY: RegistryKeySourceType,
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE: RegistryValueSourceType,
}
class ArtifactDefinition(_FieldDefinitionValidator):
"""The main artifact class."""
def CheckLabels(self, art_definition):
"""Ensure labels are defined."""
labels = art_definition.get("labels", [])
# Keep unknown labels around in case callers want to check for complete
# label coverage. In most cases it is desirable to allow users to extend
# labels but when super strict validation is required we want to make
# sure that users dont typo a label.
self.undefined_labels = set(labels).difference(definitions.LABELS)
return labelsself._reg_key_count = 0
self._source_type_counts = {}
self._total_count = 0
for artifact_definition in artifact_reader.ReadDirectory('data'):
if hasattr(artifact_definition, 'labels'):
for label in artifact_definition.labels:
self._label_counts[label] = self._label_counts.get(label, 0) + 1
for source in artifact_definition.sources:
self._total_count += 1
source_type = source.type_indicator
self._source_type_counts[source_type] = self._source_type_counts.get(
source_type, 0) + 1
if source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY:
self._reg_key_count += len(source.keys)
elif source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE:
self._reg_key_count += len(source.key_value_pairs)
elif source_type in (definitions.TYPE_INDICATOR_FILE,
definitions.TYPE_INDICATOR_DIRECTORY):
self._path_count += len(source.paths)
os_list = source.supported_os
for os_str in os_list:
self._os_counts[os_str] = self._os_counts.get(os_str, 0) + 1from artifacts import definitions
from artifacts import errors
from artifacts import source_type
class ArtifactDefinitionsRegistry(object):
"""Artifact definitions registry."""
_source_type_classes = {
definitions.TYPE_INDICATOR_ARTIFACT_GROUP:
source_type.ArtifactGroupSourceType,
definitions.TYPE_INDICATOR_COMMAND: source_type.CommandSourceType,
definitions.TYPE_INDICATOR_DIRECTORY: source_type.DirectorySourceType,
definitions.TYPE_INDICATOR_FILE: source_type.FileSourceType,
definitions.TYPE_INDICATOR_PATH: source_type.PathSourceType,
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY:
source_type.WindowsRegistryKeySourceType,
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE:
source_type.WindowsRegistryValueSourceType,
definitions.TYPE_INDICATOR_WMI_QUERY: source_type.WMIQuerySourceType,
}
def __init__(self):
"""Initializes an artifact definitions registry."""
super(ArtifactDefinitionsRegistry, self).__init__()
self._artifact_definitions = {}
self._artifact_name_references = set()
self._defined_artifact_names = set()
@classmethod
def CreateSourceType(cls, type_indicator, attributes):
"""Creates a source type object.knowledge_base (KnowledgeBase): to fill with preprocessing information.
artifact_definition (artifacts.ArtifactDefinition): artifact definition.
searcher (dfwinreg.WinRegistrySearcher): Windows Registry searcher to
preprocess the Windows Registry.
Raises:
PreProcessFail: if the Windows Registry key or value cannot be read.
"""
for source in artifact_definition.sources:
if source.type_indicator not in (
artifact_definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY,
artifact_definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE):
continue
if source.type_indicator == (
artifact_definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY):
key_value_pairs = [{'key': key} for key in source.keys]
else:
key_value_pairs = source.key_value_pairs
for key_value_pair in key_value_pairs:
key_path = key_value_pair['key']
# The artifact definitions currently incorrectly define
# CurrentControlSet so we correct it here for now.
# Also see: https://github.com/ForensicArtifacts/artifacts/issues/120
key_path_upper = key_path.upper()
if key_path_upper.startswith('%%CURRENT_CONTROL_SET%%'):
key_path = '{0:s}{1:s}'.format(
'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet', key_path[23:])
find_spec = registry_searcher.FindSpec(key_path_glob=key_path)elif (artifact_definition_supports_windows or
definitions.SUPPORTED_OS_WINDOWS in source.supported_os):
for path in source.paths:
if not self._CheckWindowsPath(
filename, artifact_definition, source, path):
result = False
else:
for path in source.paths:
if not self._CheckPath(
filename, artifact_definition, source, path):
result = False
elif source.type_indicator == (
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY):
# Exempt the legacy file from duplicate checking because it has
# duplicates intentionally.
if (filename != self.LEGACY_PATH and
self._HasDuplicateRegistryKeyPaths(
filename, artifact_definition, source)):
result = False
for key_path in source.keys:
if not self._CheckWindowsRegistryKeyPath(
filename, artifact_definition, key_path):
result = False
elif source.type_indicator == (
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE):Returns:
list[dfvfs.FindSpec|dfwinreg.FindSpec]: dfVFS or dfWinReg find
specifications.
"""
find_specs = []
for source in definition.sources:
if source.type_indicator == artifact_types.TYPE_INDICATOR_FILE:
for path_entry in set(source.paths):
specifications = self._BuildFindSpecsFromFileSourcePath(
path_entry, source.separator, environment_variables,
self._knowledge_base.user_accounts)
find_specs.extend(specifications)
self.file_system_artifact_names.add(definition.name)
elif (source.type_indicator ==
artifact_types.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY):
for key_path in set(source.keys):
if ArtifactDefinitionsFiltersHelper.CheckKeyCompatibility(key_path):
specifications = self._BuildFindSpecsFromRegistrySourceKey(key_path)
find_specs.extend(specifications)
self.registry_artifact_names.add(definition.name)
elif (source.type_indicator ==
artifact_types.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE):
# TODO: Handle Registry Values Once Supported in dfwinreg.
# https://github.com/log2timeline/dfwinreg/issues/98
# Use set-comprehension to create a set of the source key paths.
key_paths = {
key_value['key'] for key_value in source.key_value_pairs}
key_paths_string = ', '.join(key_paths)
path_list: optional list of path strings. The default is None.
Raises:
FormatError: when path_list is not set.
"""
if not path_list:
raise errors.FormatError(u'Missing path_list value.')
super(FileCollectorDefinition, self).__init__(**kwargs)
self.path_list = path_list
class WindowsRegistryKeyCollectorDefinition(CollectorDefinition):
"""Class that implements the Windows Registry key collector definition."""
TYPE_INDICATOR = definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY
def __init__(self, path_list=None, **kwargs):
"""Initializes the collector definition object.
Args:
path_list: optional list of path strings. The default is None.
Raises:
FormatError: when path_list is not set.
"""
if not path_list:
raise errors.FormatError(u'Missing path_list value.')
super(WindowsRegistryKeyCollectorDefinition, self).__init__(**kwargs)
self.path_list = path_list
"""Represents a source type as a dictionary.
Returns:
dict[str, str]: source type attributes.
"""
source_type_attributes = {'paths': self.paths}
if self.separator != '/':
source_type_attributes['separator'] = self.separator
return source_type_attributes
class WindowsRegistryKeySourceType(SourceType):
"""Windows Registry key source type."""
TYPE_INDICATOR = definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY
VALID_PREFIXES = [
r'HKEY_LOCAL_MACHINE',
r'HKEY_USERS',
r'HKEY_CLASSES_ROOT',
r'%%current_control_set%%',
]
def __init__(self, keys=None):
"""Initializes a source type.
Args:
keys (Optional[list[str]]): key paths relative to the root of
the Windows Registry.
Raises:artifacts
ForensicArtifacts.com Artifact Repository.
Package Health Score
81 / 100Popular artifacts functions
- artifacts.collector.CollectorDefinition
- artifacts.definitions
- artifacts.definitions.SUPPORTED_OS
- artifacts.definitions.TYPE_INDICATOR_ARTIFACT_GROUP
- artifacts.definitions.TYPE_INDICATOR_FILE
- artifacts.definitions.TYPE_INDICATOR_PATH
- artifacts.definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY
- artifacts.definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE
- artifacts.errors
- artifacts.errors.FormatError
- artifacts.reader
- artifacts.reader.YamlArtifactsReader
- artifacts.registry
- artifacts.source_type
- artifacts.source_type.FileSourceType
- artifacts.source_type.PathSourceType
- artifacts.source_type.SourceType
- artifacts.source_type.WindowsRegistryKeySourceType
- artifacts.win_artifacts.AbstractWMIArtifact