forensicstore

package module
v0.18.2
Published: Jan 8, 2022 License: MIT Imports: 28 Imported by: 6

README

forensicstore

The forensicstore project can create, access and process forensic artifacts bundled in so-called forensicstores (a database for forensic artifacts).

Example

package main

import (
	"fmt"
	"log"

	"github.com/forensicanalysis/forensicstore"
)

func main() {
	// create forensicstore; teardown closes it and must be called
	store, teardown, err := forensicstore.New("example.forensicstore")
	if err != nil {
		log.Fatal(err)
	}
	defer teardown()

	// create a struct
	evidence := struct {
		Data string
		Type string
	}{Data: "secret", Type: "test"}

	// insert struct into forensicstore
	if _, err := store.InsertStruct(evidence); err != nil {
		log.Fatal(err)
	}

	// get element from forensicstore
	elements, err := store.Search("secret")
	if err != nil {
		log.Fatal(err)
	}

	// access element's data; each element is raw JSON bytes
	for _, element := range elements {
		fmt.Println(string(element))
	}
}

Contact

For feedback, questions and discussions you can use the Open Source DFIR Slack.

Documentation

Overview

Package forensicstore can create, access and process forensic artifacts bundled in so-called forensicstores (a database for forensic artifacts).

Constants

const Version = 3

Variables

var ErrStoreExists = fmt.Errorf("store already exists")
var ErrStoreNotExists = fmt.Errorf("store does not exist")

Functions

This section is empty.

Types

type Directory

type Directory struct {
	ID       string        `json:"id"`
	Artifact string        `json:"artifact,omitempty"`
	Type     string        `json:"type"`
	Path     string        `json:"path"`
	Ctime    string        `json:"ctime,omitempty"`
	Mtime    string        `json:"mtime,omitempty"`
	Atime    string        `json:"atime,omitempty"`
	Errors   []interface{} `json:"errors,omitempty"`
}

Directory implements a STIX 2.1 Directory Object.

func NewDirectory

func NewDirectory() *Directory

NewDirectory creates a new STIX 2.1 Directory Object.

func (*Directory) AddError

func (i *Directory) AddError(err string) *Directory

AddError adds an error string to a Directory and returns this Directory.

type Element

type Element map[string]interface{}

Element is the map form of a single entry, the representation InsertStruct converts a Go struct into.

type File

type File struct {
	ID         string                 `json:"id"`
	Artifact   string                 `json:"artifact,omitempty"`
	Type       string                 `json:"type"`
	Hashes     map[string]interface{} `json:"hashes,omitempty"`
	Size       float64                `json:"size,omitempty"`
	Name       string                 `json:"name"`
	Ctime      string                 `json:"ctime,omitempty"`
	Mtime      string                 `json:"mtime,omitempty"`
	Atime      string                 `json:"atime,omitempty"`
	Origin     map[string]interface{} `json:"origin,omitempty"`
	ExportPath string                 `json:"export_path,omitempty"`
	Errors     []interface{}          `json:"errors,omitempty"`
	Attributes map[string]interface{} `json:"attributes,omitempty"`
}

File implements a STIX 2.1 File Object.

func NewFile

func NewFile() *File

NewFile creates a new STIX 2.1 File Object.

func (*File) AddError

func (i *File) AddError(err string) *File

AddError adds an error string to a File and returns this File.

type ForensicStore

type ForensicStore struct {
	Fs afero.Fs
	// contains filtered or unexported fields
}

The ForensicStore is a central storage for elements in digital forensic investigations. It stores any piece of information in the investigation and serves as a single source of truth for the data. Cases, artifacts, evidence, metadata, bookmarks etc. can be stored in the forensicstore. Larger binary objects like files are usually stored outside the forensicstore and referenced from it (see StoreFile and LoadFile).

func New

func New(url string) (store *ForensicStore, teardown func() error, err error)

New creates a new Forensicstore at url and returns it together with a teardown function that closes the store; callers should defer it, as in the README example.

func NewDirFS added in v0.16.9

func NewDirFS(url string) (store *ForensicStore, teardown func() error, err error)

NewDirFS creates a new Forensicstore like New. Judging by its name it backs the store's Fs with a plain directory for stored files; this page does not document the difference further.

func Open

func Open(url string) (store *ForensicStore, teardown func() error, err error)

Open opens an existing Forensicstore at url and returns it together with a teardown function that closes it.

func (*ForensicStore) All

func (store *ForensicStore) All() (elements []JSONElement, err error)

All returns every element.

func (*ForensicStore) Close

func (store *ForensicStore) Close() error

Close saves and closes the database.

func (*ForensicStore) Connection

func (store *ForensicStore) Connection() *sqlite.Conn

Connection returns the underlying SQLite connection of the store.

func (*ForensicStore) Get

func (store *ForensicStore) Get(id string) (element JSONElement, err error)

Get retrieves a single element by its id.

func (*ForensicStore) Insert

func (store *ForensicStore) Insert(element JSONElement) (string, error)

Insert adds a single element.

func (*ForensicStore) InsertBatch

func (store *ForensicStore) InsertBatch(elements []JSONElement) ([]string, error)

InsertBatch adds a set of elements. All elements must have the same fields.

func (*ForensicStore) InsertStruct

func (store *ForensicStore) InsertStruct(element interface{}) (string, error)

InsertStruct converts a Go struct to a map and inserts it.

func (*ForensicStore) InsertStructBatch

func (store *ForensicStore) InsertStructBatch(elements []interface{}) ([]string, error)

InsertStructBatch adds a list of structs to the forensicstore.
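As an added example (not code from the forensicstore project), the following block builds JSONElement values in the shape of the File type above, with a real SHA-256 of the content so the record can later be checked against the exported file, and enforces the InsertBatch precondition that every element has the same fields before the batch is handed to store.InsertBatch. The local JSONElement type, the element ids and the sample file contents are constructed for the example; the module itself is not imported so the block runs stand-alone.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// JSONElement mirrors forensicstore.JSONElement (one raw JSON entry). It is
// redefined here so the example compiles without the module; real code
// imports github.com/forensicanalysis/forensicstore and uses its type.
type JSONElement []byte

// newFileElement builds a STIX 2.1 style "file" element using the field
// names of forensicstore.File (id, type, name, size, hashes, artifact).
// "artifact" is only emitted when set, like the `json:"artifact,omitempty"`
// tag on the struct; that is exactly what can break a batch later on.
func newFileElement(id, name, artifact string, content []byte) (JSONElement, error) {
	sum := sha256.Sum256(content)
	el := map[string]interface{}{
		"id":   id,
		"type": "file",
		"name": name,
		"size": len(content),
		"hashes": map[string]interface{}{
			"SHA-256": hex.EncodeToString(sum[:]),
		},
	}
	if artifact != "" {
		el["artifact"] = artifact
	}
	return json.Marshal(el)
}

// fileHash returns the named hash (e.g. "SHA-256") recorded in a file element.
func fileHash(el JSONElement, alg string) (string, error) {
	var rec struct {
		Hashes map[string]string `json:"hashes"`
	}
	if err := json.Unmarshal(el, &rec); err != nil {
		return "", err
	}
	h, ok := rec.Hashes[alg]
	if !ok {
		return "", fmt.Errorf("no %s hash in element", alg)
	}
	return h, nil
}

// fieldSet returns the sorted top-level keys of an element.
func fieldSet(el JSONElement) ([]string, error) {
	var m map[string]json.RawMessage
	if err := json.Unmarshal(el, &m); err != nil {
		return nil, fmt.Errorf("invalid JSON element: %w", err)
	}
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys, nil
}

// checkBatch enforces the precondition of ForensicStore.InsertBatch: every
// element must have the same top-level fields. It returns the shared field
// list, or an error naming the first element whose fields differ.
func checkBatch(elements []JSONElement) ([]string, error) {
	if len(elements) == 0 {
		return nil, fmt.Errorf("empty batch")
	}
	want, err := fieldSet(elements[0])
	if err != nil {
		return nil, fmt.Errorf("element 0: %w", err)
	}
	for i, el := range elements[1:] {
		got, err := fieldSet(el)
		if err != nil {
			return nil, fmt.Errorf("element %d: %w", i+1, err)
		}
		if strings.Join(got, ",") != strings.Join(want, ",") {
			return nil, fmt.Errorf("element %d has fields [%s], batch expects [%s]",
				i+1, strings.Join(got, " "), strings.Join(want, " "))
		}
	}
	return want, nil
}

func main() {
	// Constructed sample evidence; a real collector would hash the files it
	// is about to hand to StoreFile.
	a, _ := newFileElement("file--1", "hosts", "", []byte("127.0.0.1 localhost\n"))
	b, _ := newFileElement("file--2", "passwd", "", []byte("root:x:0:0::/root:/bin/sh\n"))
	c, _ := newFileElement("file--3", "shadow", "LinuxPasswdFile", []byte("root:*:0:0:99999:7:::\n"))

	if fields, err := checkBatch([]JSONElement{a, b}); err == nil {
		fmt.Println("batch ok, fields:", fields) // ready for store.InsertBatch
	}
	// c carries an extra "artifact" key, so it cannot share a batch with a and b.
	if _, err := checkBatch([]JSONElement{a, b, c}); err != nil {
		fmt.Println("batch rejected:", err)
	}
}
```

The rejected case is the one to watch for when feeding structs to InsertStructBatch as well: if the conversion honours omitempty tags (an assumption, the page does not say how InsertStruct maps fields), two values of the same Go type produce different field sets whenever an optional field such as Artifact is set on one and not the other, and the batch will not satisfy the "same fields" requirement.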

func (*ForensicStore) LoadFile

func (store *ForensicStore) LoadFile(filePath string) (file io.ReadCloser, teardown func() error, err error)

LoadFile opens a file from the database folder.

func (*ForensicStore) Query

func (store *ForensicStore) Query(query string) (elements []JSONElement, err error)

Query executes a raw SQL query against the store's SQLite database and returns the matching elements. The query string is passed to the database as written (there is no parameter binding on this call), so build it from trusted input only; interpolating attacker-controlled values, including strings taken from the evidence itself, invites SQL injection. Prefer Select or Search for attribute lookups.

func (*ForensicStore) Search

func (store *ForensicStore) Search(q string) (elements []JSONElement, err error)

Search returns all elements matching the search string q, for example the element holding the value "secret" in the README example.

func (*ForensicStore) Select

func (store *ForensicStore) Select(conditions []map[string]string) (elements []JSONElement, err error)

Select retrieves all elements matching the given attribute conditions, each condition being a map from attribute name to expected value.

func (*ForensicStore) SetFS

func (store *ForensicStore) SetFS(fs afero.Fs)

SetFS replaces the afero filesystem the store uses for StoreFile and LoadFile.

func (*ForensicStore) StoreFile

func (store *ForensicStore) StoreFile(filePath string) (storePath string, file io.WriteCloser, teardown func() error, err error)

StoreFile adds a file to the database folder.

func (*ForensicStore) Validate

func (store *ForensicStore) Validate() (flaws []string, err error)

Validate checks the database for various flaws.

type JSONElement

type JSONElement []byte

JSONElement is a single entry in the database, held as raw JSON bytes.

type Process

type Process struct {
	ID          string        `json:"id"`
	Artifact    string        `json:"artifact,omitempty"`
	Type        string        `json:"type"`
	Name        string        `json:"name,omitempty"`
	CreatedTime string        `json:"created_time,omitempty"`
	Cwd         string        `json:"cwd,omitempty"`
	CommandLine string        `json:"command_line,omitempty"`
	StdoutPath  string        `json:"stdout_path,omitempty"`
	StderrPath  string        `json:"stderr_path,omitempty"`
	WMI         []interface{} `json:"wmi,omitempty"`
	ReturnCode  float64       `json:"return_code,omitempty"`
	Errors      []interface{} `json:"errors,omitempty"`
}

Process implements a STIX 2.1 Process Object.

func NewProcess

func NewProcess() *Process

NewProcess creates a new STIX 2.1 Process Object.

func (*Process) AddError

func (i *Process) AddError(err string) *Process

AddError adds an error string to a Process and returns this Process.

type RegistryKey

type RegistryKey struct {
	ID           string          `json:"id"`
	Artifact     string          `json:"artifact,omitempty"`
	Type         string          `json:"type"`
	Key          string          `json:"key"`
	Values       []RegistryValue `json:"values,omitempty"`
	ModifiedTime string          `json:"modified_time,omitempty"`
	Errors       []interface{}   `json:"errors,omitempty"`
}

RegistryKey implements a STIX 2.1 Windows™ Registry Key Object.

func NewRegistryKey

func NewRegistryKey() *RegistryKey

NewRegistryKey creates a new STIX 2.1 Windows™ Registry Key Object.

func (*RegistryKey) AddError

func (i *RegistryKey) AddError(err string) *RegistryKey

AddError adds an error string to a RegistryKey and returns this RegistryKey.

type RegistryValue

type RegistryValue struct {
	Name     string        `json:"name"`
	Data     string        `json:"data,omitempty"`
	DataType string        `json:"data_type,omitempty"`
	Errors   []interface{} `json:"errors,omitempty"`
}

RegistryValue implements a STIX 2.1 Windows™ Registry Value Type.

func NewRegistryValue

func NewRegistryValue() *RegistryValue

NewRegistryValue creates a new STIX 2.1 Windows™ Registry Value Type.

func (*RegistryValue) AddError

func (i *RegistryValue) AddError(err string) *RegistryValue

AddError adds an error string to a RegistryValue and returns this RegistryValue.

Directories

Path Synopsis

cmd/forensicstore
	Package forensicstore implements the forensicstore command line tool with various subcommands that can be used to edit and handle forensicstores.
copy
	Package copy provides copy functions for files and directories for afero (https://github.com/spf13/afero) filesystems.
goflatten
	Package goflatten provides functions to flatten and unflatten Go maps.
