collection

package
Version v0.16.4 (note: this is not the latest published version of its module; the API documented below may differ from newer releases).

Published: May 5, 2021 License: MIT Imports: 24 Imported by: 3

Documentation

Overview

Package collection provides functions to collect forensic artifacts (described by forensicartifacts-style artifact definitions) from a live system into a forensicstore.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func WMIQuery

func WMIQuery(q string) (wmiResult []map[string]interface{}, err error)

WMIQuery is a stub for non-Windows builds of this package; a real implementation is only compiled on Windows. Callers on other platforms should not rely on it returning any WMI data.

Types

type Configuration

// Configuration defines the parameters of an artifactcollector. The yaml
// tags indicate it is meant to be decoded from a YAML configuration file.
type Configuration struct {
	// Artifacts lists the names of the artifact definitions to collect.
	Artifacts []string `yaml:"artifacts"`
	// User is a boolean switch whose meaning is not visible in this package;
	// presumably it restricts collection to the current user — confirm in the caller.
	User      bool     `yaml:"user"`
	// Case is an identifier for the case this collection belongs to.
	Case      string   `yaml:"case"`
	// OutputDir is the directory the collection output is written to.
	OutputDir string   `yaml:"output_dir"`
	// FS is the file system abstraction used by the collector. It is tagged
	// "-", so it is never populated from YAML and cannot be set via a config file.
	FS        afero.Fs `yaml:"-"`
}

Configuration defines the parameters of an artifactcollector. Artifacts, User, Case and OutputDir are read from a YAML configuration file; FS is tagged `yaml:"-"` and therefore cannot be set from a configuration file.

type Directory added in v0.15.2

// Directory implements a STIX 2.1 Directory Object. The Artifact and Errors
// fields are collector-specific additions rather than part of the STIX core
// Directory definition (presumably — verify against the STIX version in use).
type Directory struct {
	// ID is the object identifier.
	ID       string        `json:"id"`
	// Artifact names the artifact definition this directory was collected for (presumably).
	Artifact string        `json:"artifact,omitempty"`
	// Type is the STIX object type discriminator.
	Type     string        `json:"type"`
	// Path is the directory path on the source system.
	Path     string        `json:"path"`
	// Ctime, Mtime and Atime are serialized as strings; the exact timestamp
	// format is not visible here (STIX uses RFC 3339 UTC — confirm).
	Ctime    string        `json:"ctime,omitempty"`
	Mtime    string        `json:"mtime,omitempty"`
	Atime    string        `json:"atime,omitempty"`
	// Errors collects the errors encountered while collecting this directory
	// (see AddError).
	Errors   []interface{} `json:"errors,omitempty"`
}

Directory implements a STIX 2.1 Directory Object.

func NewDirectory added in v0.15.2

func NewDirectory() *Directory

NewDirectory creates a new STIX 2.1 Directory Object.

func (*Directory) AddError added in v0.15.2

func (i *Directory) AddError(err string) *Directory

AddError appends an error string to the Directory's Errors list and returns the same Directory so calls can be chained.

type File added in v0.15.2

// File implements a STIX 2.1 File Object. Artifact, Origin, ExportPath,
// Errors and Attributes are collector-specific additions to the STIX core
// definition (presumably — verify against the STIX version in use).
type File struct {
	// ID is the object identifier.
	ID         string                 `json:"id"`
	// Artifact names the artifact definition this file was collected for (presumably).
	Artifact   string                 `json:"artifact,omitempty"`
	// Type is the STIX object type discriminator.
	Type       string                 `json:"type"`
	// Hashes maps hash algorithm names to hash values (the STIX "hashes"
	// dictionary); which algorithms are populated is not visible here.
	Hashes     map[string]interface{} `json:"hashes,omitempty"`
	// Size is the file size (bytes, per STIX). It is a float64 because it maps
	// to a JSON number, so sizes above 2^53 are not representable exactly.
	// Because of omitempty, a size of 0 is dropped from the JSON entirely.
	Size       float64                `json:"size,omitempty"`
	// Name is the file name.
	Name       string                 `json:"name"`
	// Ctime, Mtime and Atime are serialized as strings; the exact timestamp
	// format is not visible here (STIX uses RFC 3339 UTC — confirm).
	Ctime      string                 `json:"ctime,omitempty"`
	Mtime      string                 `json:"mtime,omitempty"`
	Atime      string                 `json:"atime,omitempty"`
	// Origin describes where the file came from; its schema is not shown on
	// this page (presumably the source path — confirm with the collector).
	Origin     map[string]interface{} `json:"origin,omitempty"`
	// ExportPath is the path under which the file content was written to the
	// Store (compare Store.StoreFile's storePath) — presumably; confirm.
	ExportPath string                 `json:"export_path,omitempty"`
	// Errors collects the errors encountered while collecting this file
	// (see AddError).
	Errors     []interface{}          `json:"errors,omitempty"`
	// Attributes holds additional free-form key/value metadata.
	Attributes map[string]interface{} `json:"attributes,omitempty"`
}

File implements a STIX 2.1 File Object

func NewFile added in v0.15.2

func NewFile() *File

NewFile creates a new STIX 2.1 File Object.

func (*File) AddError added in v0.15.2

func (i *File) AddError(err string) *File

AddError appends an error string to the File's Errors list and returns the same File so calls can be chained.

type LiveCollector added in v0.13.0

// LiveCollector resolves and collects artifacts on a live system. Construct
// it with NewCollector; its unexported fields are not shown on this page.
type LiveCollector struct {
	// SourceFS is the file system artifacts are read from.
	SourceFS fs.FS

	// Store receives the collected objects and file contents.
	Store   Store
	// TempDir is a directory for temporary files; its exact use during
	// collection is not visible here.
	TempDir string
	// contains filtered or unexported fields
}

LiveCollector resolves and collects artifacts on live systems; construct it with NewCollector.

func NewCollector added in v0.13.0

func NewCollector(store Store, tempDir string, definitions []goartifacts.ArtifactDefinition) (*LiveCollector, error)

NewCollector creates a new LiveCollector that collects the given ArtifactDefinitions.

func (*LiveCollector) Collect added in v0.13.0

func (c *LiveCollector) Collect(name string, source goartifacts.Source)

Collect dispatches to the specific collection function for the given source type. Note that Collect has no return value; collection failures are presumably recorded on the resulting objects' Errors fields (see AddError) rather than reported to the caller, so callers should inspect those when completeness matters.

func (*LiveCollector) FS added in v0.13.0

func (c *LiveCollector) FS() fs.FS

FS returns the file system the collector reads artifacts from.

func (*LiveCollector) Prefixes added in v0.15.1

func (c *LiveCollector) Prefixes() []string

Prefixes returns the list of path prefixes used for Windows paths (for example partition or drive roots). The original comment appears to be a leftover from an earlier name, AddPartitions, and described a boolean; the current signature returns the prefix strings themselves.

func (*LiveCollector) Registry added in v0.13.0

func (c *LiveCollector) Registry() fs.FS

Registry returns the Windows registry the collector reads from, exposed as an fs.FS.

func (*LiveCollector) Resolve added in v0.13.0

func (c *LiveCollector) Resolve(parameter string) ([]string, error)

Resolve returns the list of concrete values that can be substituted for the given placeholder parameter of an artifact definition.

type Process added in v0.15.2

// Process implements a STIX 2.1 Process Object. Artifact, StdoutPath,
// StderrPath, WMI and Errors are collector-specific additions (presumably —
// verify against the STIX version in use).
type Process struct {
	// ID is the object identifier.
	ID          string        `json:"id"`
	// Artifact names the artifact definition this process was collected for (presumably).
	Artifact    string        `json:"artifact,omitempty"`
	// Type is the STIX object type discriminator.
	Type        string        `json:"type"`
	// Name is the process name.
	Name        string        `json:"name,omitempty"`
	// CreatedTime is serialized as a string; the timestamp format is not visible here.
	CreatedTime string        `json:"created_time,omitempty"`
	// Cwd is the working directory of the process.
	Cwd         string        `json:"cwd,omitempty"`
	// CommandLine is the full command line. It may carry secrets passed as
	// arguments, so the resulting store should be handled accordingly.
	CommandLine string        `json:"command_line,omitempty"`
	// StdoutPath and StderrPath point to where captured output was stored
	// (presumably inside the Store — confirm with the collector).
	StdoutPath  string        `json:"stdout_path,omitempty"`
	StderrPath  string        `json:"stderr_path,omitempty"`
	// WMI holds WMI query results (see WMIQuery); only populated on Windows, presumably.
	WMI         []interface{} `json:"wmi,omitempty"`
	// ReturnCode is the exit code, stored as a float64 because it maps to a
	// JSON number. Because of omitempty, a return code of 0 is dropped from
	// the JSON entirely, so "absent" and "exited successfully" look the same.
	ReturnCode  float64       `json:"return_code,omitempty"`
	// Errors collects the errors encountered while collecting this process
	// (see AddError).
	Errors      []interface{} `json:"errors,omitempty"`
}

Process implements a STIX 2.1 Process Object

func NewProcess added in v0.15.2

func NewProcess() *Process

NewProcess creates a new STIX 2.1 Process Object.

func (*Process) AddError added in v0.15.2

func (i *Process) AddError(err string) *Process

AddError appends an error string to the Process's Errors list and returns the same Process so calls can be chained.

type RegistryKey added in v0.15.2

// RegistryKey implements a STIX 2.1 Windows™ Registry Key Object. Artifact
// and Errors are collector-specific additions (presumably — verify against
// the STIX version in use).
type RegistryKey struct {
	// ID is the object identifier.
	ID           string          `json:"id"`
	// Artifact names the artifact definition this key was collected for (presumably).
	Artifact     string          `json:"artifact,omitempty"`
	// Type is the STIX object type discriminator.
	Type         string          `json:"type"`
	// Key is the full registry key path.
	Key          string          `json:"key"`
	// Values lists the named values stored under this key.
	Values       []RegistryValue `json:"values,omitempty"`
	// ModifiedTime is the key's last-write time as a string; format not visible here.
	ModifiedTime string          `json:"modified_time,omitempty"`
	// Errors collects the errors encountered while collecting this key
	// (see AddError).
	Errors       []interface{}   `json:"errors,omitempty"`
}

RegistryKey implements a STIX 2.1 Windows™ Registry Key Object.

func NewRegistryKey added in v0.15.2

func NewRegistryKey() *RegistryKey

NewRegistryKey creates a new STIX 2.1 Windows™ Registry Key Object.

func (*RegistryKey) AddError added in v0.15.2

func (i *RegistryKey) AddError(err string) *RegistryKey

AddError appends an error string to the RegistryKey's Errors list and returns the same RegistryKey so calls can be chained.

type RegistryValue added in v0.15.2

// RegistryValue implements a STIX 2.1 Windows™ Registry Value Type, i.e. one
// named value inside a RegistryKey. Errors is a collector-specific addition.
type RegistryValue struct {
	// Name is the value name.
	Name     string        `json:"name"`
	// Data is the value data rendered as a string regardless of DataType; how
	// binary or multi-string data is encoded is not visible here.
	Data     string        `json:"data,omitempty"`
	// DataType is the registry value type (presumably a REG_* name — confirm).
	DataType string        `json:"data_type,omitempty"`
	// Errors collects the errors encountered while reading this value
	// (see AddError).
	Errors   []interface{} `json:"errors,omitempty"`
}

RegistryValue implements a STIX 2.1 Windows™ Registry Value Type.

func NewRegistryValue added in v0.15.2

func NewRegistryValue() *RegistryValue

NewRegistryValue creates a new STIX 2.1 Windows™ Registry Value Type.

func (*RegistryValue) AddError added in v0.15.2

func (i *RegistryValue) AddError(err string) *RegistryValue

AddError appends an error string to the RegistryValue's Errors list and returns the same RegistryValue so calls can be chained.

type Resetter added in v0.14.0

// Resetter is implemented by values that can be returned to their initial
// state; what Reset discards is defined by each implementation.
type Resetter interface {
	Reset()
}

type Store added in v0.15.2

// Store is the sink a LiveCollector writes collected objects and file
// contents into (see NewCollector). A forensicstore is the intended
// implementation, but anything satisfying this interface can be used.
type Store interface {
	// SetFS sets the file system backing the store.
	SetFS(fs afero.Fs)
	// InsertStruct stores element (one of the STIX object types in this
	// package) and returns a string — presumably the identifier assigned to it.
	InsertStruct(element interface{}) (string, error)
	// StoreFile opens a writer for a file at filePath inside the store and
	// returns the path actually used, the writer and a teardown callback
	// (presumably to be invoked by the caller once the file is closed).
	// NOTE(review): filePath is derived from live-system paths and artifact
	// definitions; implementations should treat it as untrusted and make sure
	// it cannot escape the store directory (e.g. via ".." or absolute paths).
	StoreFile(filePath string) (storePath string, file io.WriteCloser, teardown func() error, err error)
	// LoadFile opens the file stored at filePath for reading; the teardown
	// callback is presumably to be invoked when the reader is no longer needed.
	LoadFile(filePath string) (file io.ReadCloser, teardown func() error, err error)
}
