Documentation ¶
Overview ¶
Package forensicstore can create, access and process forensic artifacts bundled in so-called forensicstores (a database for forensic artifacts).
Example ¶
```go
package main

import (
	"fmt"
	"log"

	"github.com/forensicanalysis/forensicstore"
)

func main() {
	// create forensicstore
	store, teardown, err := forensicstore.New("example.forensicstore")
	if err != nil {
		log.Fatal(err)
	}
	defer teardown()

	// create a struct
	evidence := struct {
		Data string
		Type string
	}{Data: "secret", Type: "test"}

	// insert struct into forensicstore
	if _, err := store.InsertStruct(evidence); err != nil {
		log.Fatal(err)
	}

	// get element from forensicstore
	elements, err := store.Search("secret")
	if err != nil {
		log.Fatal(err)
	}

	// access element's data
	fmt.Println(elements)
}
```
Index ¶
- Constants
- Variables
- type Directory
- type Element
- type File
- type ForensicStore
- func (store *ForensicStore) All() (elements []JSONElement, err error)
- func (store *ForensicStore) Close() error
- func (store *ForensicStore) Connection() *sqlite.Conn
- func (store *ForensicStore) Get(id string) (element JSONElement, err error)
- func (store *ForensicStore) Insert(element JSONElement) (string, error)
- func (store *ForensicStore) InsertBatch(elements []JSONElement) ([]string, error)
- func (store *ForensicStore) InsertStruct(element interface{}) (string, error)
- func (store *ForensicStore) InsertStructBatch(elements []interface{}) ([]string, error)
- func (store *ForensicStore) LoadFile(filePath string) (file io.ReadCloser, teardown func() error, err error)
- func (store *ForensicStore) Query(query string) (elements []JSONElement, err error)
- func (store *ForensicStore) Search(q string) (elements []JSONElement, err error)
- func (store *ForensicStore) Select(conditions []map[string]string) (elements []JSONElement, err error)
- func (store *ForensicStore) SetFS(fs afero.Fs)
- func (store *ForensicStore) StoreFile(filePath string) (storePath string, file io.WriteCloser, teardown func() error, err error)
- func (store *ForensicStore) Validate() (flaws []string, err error)
- type JSONElement
- type Process
- type RegistryKey
- type RegistryValue
Examples ¶
Constants ¶
const Version = 3
Variables ¶
var ErrStoreExists = fmt.Errorf("store already exists")
var ErrStoreNotExists = fmt.Errorf("store does not exist")
Functions ¶
This section is empty.
Types ¶
type Directory ¶
```go
type Directory struct {
	ID       string        `json:"id"`
	Artifact string        `json:"artifact,omitempty"`
	Type     string        `json:"type"`
	Path     string        `json:"path"`
	Ctime    string        `json:"ctime,omitempty"`
	Mtime    string        `json:"mtime,omitempty"`
	Atime    string        `json:"atime,omitempty"`
	Errors   []interface{} `json:"errors,omitempty"`
}
```
Directory implements a STIX 2.1 Directory Object.
func NewDirectory ¶
func NewDirectory() *Directory
NewDirectory creates a new STIX 2.1 Directory Object.
type File ¶
```go
type File struct {
	ID         string                 `json:"id"`
	Artifact   string                 `json:"artifact,omitempty"`
	Type       string                 `json:"type"`
	Hashes     map[string]interface{} `json:"hashes,omitempty"`
	Size       float64                `json:"size,omitempty"`
	Name       string                 `json:"name"`
	Ctime      string                 `json:"ctime,omitempty"`
	Mtime      string                 `json:"mtime,omitempty"`
	Atime      string                 `json:"atime,omitempty"`
	Origin     map[string]interface{} `json:"origin,omitempty"`
	ExportPath string                 `json:"export_path,omitempty"`
	Errors     []interface{}          `json:"errors,omitempty"`
	Attributes map[string]interface{} `json:"attributes,omitempty"`
}
```
File implements a STIX 2.1 File Object.
type ForensicStore ¶
The ForensicStore is a central storage for elements in digital forensic investigations. It stores any piece of information in the investigation and serves as a single source of truth for the data. Cases, artifacts, evidence, metadata, bookmarks etc. can be stored in the forensicstore. Larger binary objects like files are usually stored outside the forensicstore and referenced from it.
func New ¶
func New(url string) (store *ForensicStore, teardown func() error, err error)
New creates a new Forensicstore.
func NewDirFS ¶ added in v0.16.9
func NewDirFS(url string) (store *ForensicStore, teardown func() error, err error)
NewDirFS creates a new Forensicstore.
func Open ¶
func Open(url string) (store *ForensicStore, teardown func() error, err error)
Open opens an existing Forensicstore.
func (*ForensicStore) All ¶
func (store *ForensicStore) All() (elements []JSONElement, err error)
All returns every element.
func (*ForensicStore) Close ¶
func (store *ForensicStore) Close() error
Close saves and closes the database.
func (*ForensicStore) Connection ¶
func (store *ForensicStore) Connection() *sqlite.Conn
Connection returns the underlying SQLite connection of the store.
func (*ForensicStore) Get ¶
func (store *ForensicStore) Get(id string) (element JSONElement, err error)
Get retrieves a single element by its id.
func (*ForensicStore) Insert ¶
func (store *ForensicStore) Insert(element JSONElement) (string, error)
Insert adds a single element.
func (*ForensicStore) InsertBatch ¶
func (store *ForensicStore) InsertBatch(elements []JSONElement) ([]string, error)
InsertBatch adds a set of elements. All elements must have the same fields.
func (*ForensicStore) InsertStruct ¶
func (store *ForensicStore) InsertStruct(element interface{}) (string, error)
InsertStruct converts a Go struct to a map and inserts it.
func (*ForensicStore) InsertStructBatch ¶
func (store *ForensicStore) InsertStructBatch(elements []interface{}) ([]string, error)
InsertStructBatch adds a list of structs to the forensicstore.
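InsertStruct converts a struct to a generic map before inserting it, and InsertBatch requires every element of a batch to have the same fields. The two interact through the `omitempty` JSON tags on the documented types: a zero value (for example `Size` of a zero-length file) produces no key at all, so two otherwise identical File elements can fail the same-fields requirement. The following is an added example, not code from the forensicstore project: it reproduces the documented File struct (without the unused fields), builds two File elements with SHA-256 hashes of constructed sample content, performs the struct-to-map conversion with encoding/json, and checks the batch the way InsertBatch's precondition demands. The `newID` helper and the "elements" batch check are this example's own; the library assigns ids and validates batches in its own way.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// File mirrors the STIX 2.1 File struct documented on this page; the fields
// not needed here (ctime, atime, origin, export_path, errors, attributes) are
// left out, the JSON tags are the documented ones.
type File struct {
	ID       string                 `json:"id"`
	Artifact string                 `json:"artifact,omitempty"`
	Type     string                 `json:"type"`
	Hashes   map[string]interface{} `json:"hashes,omitempty"`
	Size     float64                `json:"size,omitempty"`
	Name     string                 `json:"name"`
	Mtime    string                 `json:"mtime,omitempty"`
}

// newID builds a STIX-style "type--uuid" identifier with a random UUIDv4.
// Constructed helper for this example; the library assigns ids itself.
func newID(typ string) string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%s--%x-%x-%x-%x-%x", typ, b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

// newFileElement describes an evidence blob collected for the named artifact.
// The digest is stored under the STIX 2.1 hash name "SHA-256" so the content
// can be re-verified later.
func newFileElement(artifact, name string, content []byte, mtime time.Time) File {
	sum := sha256.Sum256(content)
	return File{
		ID:       newID("file"),
		Artifact: artifact,
		Type:     "file",
		Hashes:   map[string]interface{}{"SHA-256": hex.EncodeToString(sum[:])},
		Size:     float64(len(content)),
		Name:     name,
		Mtime:    mtime.UTC().Format(time.RFC3339),
	}
}

// structToMap performs the struct-to-map step InsertStruct is documented to
// do. Going through encoding/json means the omitempty tags decide which keys
// exist at all.
func structToMap(v interface{}) (map[string]interface{}, error) {
	raw, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	m := map[string]interface{}{}
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	return m, nil
}

// fieldSet returns the element's keys sorted and comma-joined, so two
// elements can be compared for "same fields".
func fieldSet(m map[string]interface{}) string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return strings.Join(keys, ",")
}

// firstFieldMismatch checks the InsertBatch precondition that all elements
// carry the same fields. It returns the index of the first element whose key
// set differs from the first element's, or -1 when the batch is uniform.
func firstFieldMismatch(batch []map[string]interface{}) int {
	if len(batch) == 0 {
		return -1
	}
	want := fieldSet(batch[0])
	for i, m := range batch[1:] {
		if fieldSet(m) != want {
			return i + 1
		}
	}
	return -1
}

func main() {
	// Constructed sample evidence: a hosts file and a zero-length file.
	when := time.Date(2021, 3, 4, 5, 6, 7, 0, time.UTC)
	files := []File{
		newFileElement("WindowsHostsFile", "hosts", []byte("127.0.0.1 localhost\n"), when),
		newFileElement("WindowsHostsFile", "lmhosts.sam", nil, when),
	}
	batch := []map[string]interface{}{}
	for _, f := range files {
		m, err := structToMap(f)
		if err != nil {
			panic(err)
		}
		batch = append(batch, m)
	}
	// Size is a float64 with omitempty, so the empty file has no "size" key
	// and the batch is no longer uniform.
	if i := firstFieldMismatch(batch); i >= 0 {
		fmt.Printf("element %d (%v) has fields %s, expected %s\n",
			i, batch[i]["name"], fieldSet(batch[i]), fieldSet(batch[0]))
	}
}
```

Running this reports that the second element lacks the `size` key. When a batch mixes such elements, either insert them one by one with InsertStruct, or normalise the maps (add the missing keys explicitly) before calling InsertBatch.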
func (*ForensicStore) LoadFile ¶
func (store *ForensicStore) LoadFile(filePath string) (file io.ReadCloser, teardown func() error, err error)
LoadFile opens a file from the database folder.
func (*ForensicStore) Query ¶
func (store *ForensicStore) Query(query string) (elements []JSONElement, err error)
Query executes a raw SQL query against the store's SQLite database and returns the matching elements. The query string is passed through as written and the signature offers no bind parameters, so never build it by splicing in untrusted values (file names, registry data or other content collected from a target).
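Because Query takes a single string, input validation has to happen before the string is assembled. The following is an added example, not code from the forensicstore project, of the two usual layers: an allowlist for values with a known shape (STIX type names), and correct SQLite literal quoting for free-text values that cannot be allowlisted. The table name `elements`, the JSON column `json` and the `json_extract` paths are assumptions made for the illustration, not the store's documented schema. `literalStats` is a small scanner that applies SQLite's quoting rule to show how an unquoted value escapes its literal.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// STIX 2.1 object type names are lower-case ASCII letters, digits and hyphens
// ("file", "process", "windows-registry-key"). Anything else is rejected
// before it gets anywhere near the query string.
var stixTypePattern = regexp.MustCompile(`^[a-z0-9-]{3,250}$`)

// quoteSQLiteString renders s as a single-quoted SQLite string literal.
// SQLite escapes a quote inside a literal by doubling it; NUL bytes are
// refused because they would truncate the query text.
func quoteSQLiteString(s string) (string, error) {
	if strings.IndexByte(s, 0) >= 0 {
		return "", errors.New("NUL byte in SQL string literal")
	}
	return "'" + strings.ReplaceAll(s, "'", "''") + "'", nil
}

// elementsByType builds the statement handed to Query for one STIX type.
// Table and column names are assumptions for this example.
func elementsByType(typ string) (string, error) {
	if !stixTypePattern.MatchString(typ) {
		return "", fmt.Errorf("invalid STIX type %q", typ)
	}
	return "SELECT json FROM elements WHERE json_extract(json, '$.type') = '" + typ + "'", nil
}

// elementsByName handles a free-text value (a file name collected from the
// target) that cannot be allowlisted, so it is quoted instead.
func elementsByName(name string) (string, error) {
	lit, err := quoteSQLiteString(name)
	if err != nil {
		return "", err
	}
	return "SELECT json FROM elements WHERE json_extract(json, '$.name') = " + lit, nil
}

// naiveElementsByName is the pattern to avoid: the value is spliced in as-is.
func naiveElementsByName(name string) string {
	return "SELECT json FROM elements WHERE json_extract(json, '$.name') = '" + name + "'"
}

// literalStats scans q the way SQLite treats single quotes and reports how
// many string literals it contains and whether the last one is closed. A
// name query should contain exactly two literals ('$.name' and the value);
// more, or an unterminated one, means the value broke out of its literal.
func literalStats(q string) (count int, balanced bool) {
	inLiteral := false
	for i := 0; i < len(q); i++ {
		if q[i] != '\'' {
			continue
		}
		if !inLiteral {
			inLiteral = true
			count++
			continue
		}
		if i+1 < len(q) && q[i+1] == '\'' { // doubled quote: escaped, still inside
			i++
			continue
		}
		inLiteral = false
	}
	return count, !inLiteral
}

func main() {
	// Constructed attacker-controlled file name.
	payload := "hosts' OR '1'='1"

	naive := naiveElementsByName(payload)
	n, ok := literalStats(naive)
	fmt.Printf("naive:  %s\n        literals=%d balanced=%v\n", naive, n, ok)

	safe, err := elementsByName(payload)
	if err != nil {
		panic(err)
	}
	n, ok = literalStats(safe)
	fmt.Printf("quoted: %s\n        literals=%d balanced=%v\n", safe, n, ok)

	if _, err := elementsByType("file' OR 1=1 --"); err != nil {
		fmt.Println("type query refused:", err)
	}
}
```

The naive variant turns the payload into four literals and an `OR` that is always true; the quoted variant keeps it as one literal that simply does not match any name. Quoting is a fallback for Query's string-only interface; where the work can be done through the connection returned by Connection(), a prepared statement with bound parameters is the better route.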
func (*ForensicStore) Search ¶
func (store *ForensicStore) Search(q string) (elements []JSONElement, err error)
Search returns the elements matching the search string q.
func (*ForensicStore) Select ¶
func (store *ForensicStore) Select(conditions []map[string]string) (elements []JSONElement, err error)
Select retrieves all elements matching the given attribute conditions.
func (*ForensicStore) SetFS ¶
func (store *ForensicStore) SetFS(fs afero.Fs)
SetFS sets the afero filesystem used by the store.
func (*ForensicStore) StoreFile ¶
func (store *ForensicStore) StoreFile(filePath string) (storePath string, file io.WriteCloser, teardown func() error, err error)
StoreFile adds a file to the database folder.
func (*ForensicStore) Validate ¶
func (store *ForensicStore) Validate() (flaws []string, err error)
Validate checks the database for various flaws.
type Process ¶
```go
type Process struct {
	ID          string        `json:"id"`
	Artifact    string        `json:"artifact,omitempty"`
	Type        string        `json:"type"`
	Name        string        `json:"name,omitempty"`
	CreatedTime string        `json:"created_time,omitempty"`
	Cwd         string        `json:"cwd,omitempty"`
	CommandLine string        `json:"command_line,omitempty"`
	StdoutPath  string        `json:"stdout_path,omitempty"`
	StderrPath  string        `json:"stderr_path,omitempty"`
	WMI         []interface{} `json:"wmi,omitempty"`
	ReturnCode  float64       `json:"return_code,omitempty"`
	Errors      []interface{} `json:"errors,omitempty"`
}
```
Process implements a STIX 2.1 Process Object.
type RegistryKey ¶
```go
type RegistryKey struct {
	ID           string          `json:"id"`
	Artifact     string          `json:"artifact,omitempty"`
	Type         string          `json:"type"`
	Key          string          `json:"key"`
	Values       []RegistryValue `json:"values,omitempty"`
	ModifiedTime string          `json:"modified_time,omitempty"`
	Errors       []interface{}   `json:"errors,omitempty"`
}
```
RegistryKey implements a STIX 2.1 Windows™ Registry Key Object.
func NewRegistryKey ¶
func NewRegistryKey() *RegistryKey
NewRegistryKey creates a new STIX 2.1 Windows™ Registry Key Object.
func (*RegistryKey) AddError ¶
func (i *RegistryKey) AddError(err string) *RegistryKey
AddError adds an error string to a RegistryKey and returns this RegistryKey.
type RegistryValue ¶
```go
type RegistryValue struct {
	Name     string        `json:"name"`
	Data     string        `json:"data,omitempty"`
	DataType string        `json:"data_type,omitempty"`
	Errors   []interface{} `json:"errors,omitempty"`
}
```
RegistryValue implements a STIX 2.1 Windows™ Registry Value Type.
func NewRegistryValue ¶
func NewRegistryValue() *RegistryValue
NewRegistryValue creates a new STIX 2.1 Windows™ Registry Value Type.
func (*RegistryValue) AddError ¶
func (i *RegistryValue) AddError(err string) *RegistryValue
AddError adds an error string to a RegistryValue and returns this RegistryValue.
Source Files ¶
Directories ¶
Path | Synopsis
---|---
forensicstore | Package forensicstore implements the forensicstore command line tool with various subcommands that can be used to edit and handle forensicstores.
copy | Package copy provides copy functions for files and directories for afero (https://github.com/spf13/afero) filesystems.
goflatten | Package goflatten provides functions to flatten and unflatten Go maps.
replace |