Documentation
Overview
Package collection provides functions to collect forensicartifacts into a forensicstore.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
Types
type Configuration
type Configuration struct {
	Artifacts []string `yaml:"artifacts"`
	User      bool     `yaml:"user"`
	Case      string   `yaml:"case"`
	OutputDir string   `yaml:"output_dir"`
	FS        afero.Fs `yaml:"-"`
}
Configuration defines the parameters of an artifactcollector.
type Directory added in v0.15.2
type Directory struct {
	ID       string        `json:"id"`
	Artifact string        `json:"artifact,omitempty"`
	Type     string        `json:"type"`
	Path     string        `json:"path"`
	Ctime    string        `json:"ctime,omitempty"`
	Mtime    string        `json:"mtime,omitempty"`
	Atime    string        `json:"atime,omitempty"`
	Errors   []interface{} `json:"errors,omitempty"`
}
Directory implements a STIX 2.1 Directory Object.
func NewDirectory added in v0.15.2
func NewDirectory() *Directory
NewDirectory creates a new STIX 2.1 Directory Object.
type File added in v0.15.2
type File struct {
	ID         string                 `json:"id"`
	Artifact   string                 `json:"artifact,omitempty"`
	Type       string                 `json:"type"`
	Hashes     map[string]interface{} `json:"hashes,omitempty"`
	Size       float64                `json:"size,omitempty"`
	Name       string                 `json:"name"`
	Ctime      string                 `json:"ctime,omitempty"`
	Mtime      string                 `json:"mtime,omitempty"`
	Atime      string                 `json:"atime,omitempty"`
	Origin     map[string]interface{} `json:"origin,omitempty"`
	ExportPath string                 `json:"export_path,omitempty"`
	Errors     []interface{}          `json:"errors,omitempty"`
	Attributes map[string]interface{} `json:"attributes,omitempty"`
}
File implements a STIX 2.1 File Object.
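Filling a File object of the layout documented above from file contents, as an added example that is not part of the collection package: the type is copied from the definition above because the package itself is not imported here, and the "file--<uuid>" ID layout and the "SHA-256" hash key follow STIX 2.1 conventions rather than anything this page states.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// File mirrors collection.File as documented above (copied; the package is not imported here).
type File struct {
	ID         string                 `json:"id"`
	Artifact   string                 `json:"artifact,omitempty"`
	Type       string                 `json:"type"`
	Hashes     map[string]interface{} `json:"hashes,omitempty"`
	Size       float64                `json:"size,omitempty"`
	Name       string                 `json:"name"`
	Ctime      string                 `json:"ctime,omitempty"`
	Mtime      string                 `json:"mtime,omitempty"`
	Atime      string                 `json:"atime,omitempty"`
	Origin     map[string]interface{} `json:"origin,omitempty"`
	ExportPath string                 `json:"export_path,omitempty"`
	Errors     []interface{}          `json:"errors,omitempty"`
	Attributes map[string]interface{} `json:"attributes,omitempty"`
}

// newFileID returns a "file--<uuid4>" identifier (STIX 2.1 id layout, assumed here).
func newFileID() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	b[6], b[8] = b[6]&0x0f|0x40, b[8]&0x3f|0x80 // version 4, RFC 4122 variant
	return fmt.Sprintf("file--%x-%x-%x-%x-%x", b[:4], b[4:6], b[6:8], b[8:10], b[10:])
}

// FileFromContent fills a File for the named artifact from in-memory content: SHA-256 under
// the STIX hash name, byte size and mtime as RFC 3339 UTC; unset fields are dropped by omitempty.
func FileFromContent(artifact, name string, content []byte, mtime time.Time) *File {
	sum := sha256.Sum256(content)
	return &File{
		ID:       newFileID(),
		Artifact: artifact,
		Type:     "file",
		Hashes:   map[string]interface{}{"SHA-256": hex.EncodeToString(sum[:])},
		Size:     float64(len(content)),
		Name:     name,
		Mtime:    mtime.UTC().Format(time.RFC3339),
	}
}
```

Marshalling the returned object with encoding/json yields the record as it would be stored, with ctime, atime, errors and the other unset fields omitted.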
type LiveCollector added in v0.13.0
type LiveCollector struct {
	SourceFS fs.FS
	Store    Store
	TempDir  string
	// contains filtered or unexported fields
}
The LiveCollector can resolve and collect artifacts on live systems.
func NewCollector added in v0.13.0
func NewCollector(store Store, tempDir string, definitions []goartifacts.ArtifactDefinition) (*LiveCollector, error)
NewCollector creates a new LiveCollector that collects the given ArtifactDefinitions.
func (*LiveCollector) Collect added in v0.13.0
func (c *LiveCollector) Collect(name string, source goartifacts.Source)
Collect dispatches specific collection functions for different sources.
func (*LiveCollector) FS added in v0.13.0
func (c *LiveCollector) FS() fs.FS
FS returns the used FileSystem.
func (*LiveCollector) Prefixes added in v0.15.1
func (c *LiveCollector) Prefixes() []string
Prefixes returns the partition prefixes that should be added to Windows paths.
func (*LiveCollector) Registry added in v0.13.0
func (c *LiveCollector) Registry() fs.FS
Registry returns the used Registry.
type Process added in v0.15.2
type Process struct {
	ID          string        `json:"id"`
	Artifact    string        `json:"artifact,omitempty"`
	Type        string        `json:"type"`
	Name        string        `json:"name,omitempty"`
	CreatedTime string        `json:"created_time,omitempty"`
	Cwd         string        `json:"cwd,omitempty"`
	CommandLine string        `json:"command_line,omitempty"`
	StdoutPath  string        `json:"stdout_path,omitempty"`
	StderrPath  string        `json:"stderr_path,omitempty"`
	WMI         []interface{} `json:"wmi,omitempty"`
	ReturnCode  float64       `json:"return_code,omitempty"`
	Errors      []interface{} `json:"errors,omitempty"`
}
Process implements a STIX 2.1 Process Object.
func NewProcess added in v0.15.2
func NewProcess() *Process
NewProcess creates a new STIX 2.1 Process Object.
type RegistryKey added in v0.15.2
type RegistryKey struct {
	ID           string          `json:"id"`
	Artifact     string          `json:"artifact,omitempty"`
	Type         string          `json:"type"`
	Key          string          `json:"key"`
	Values       []RegistryValue `json:"values,omitempty"`
	ModifiedTime string          `json:"modified_time,omitempty"`
	Errors       []interface{}   `json:"errors,omitempty"`
}
RegistryKey implements a STIX 2.1 Windows™ Registry Key Object.
func NewRegistryKey added in v0.15.2
func NewRegistryKey() *RegistryKey
NewRegistryKey creates a new STIX 2.1 Windows™ Registry Key Object.
func (*RegistryKey) AddError added in v0.15.2
func (i *RegistryKey) AddError(err string) *RegistryKey
AddError adds an error string to a RegistryKey and returns this RegistryKey.
type RegistryValue added in v0.15.2
type RegistryValue struct {
	Name     string        `json:"name"`
	Data     string        `json:"data,omitempty"`
	DataType string        `json:"data_type,omitempty"`
	Errors   []interface{} `json:"errors,omitempty"`
}
RegistryValue implements a STIX 2.1 Windows™ Registry Value Type.
func NewRegistryValue added in v0.15.2
func NewRegistryValue() *RegistryValue
NewRegistryValue creates a new STIX 2.1 Windows™ Registry Value Type.
func (*RegistryValue) AddError added in v0.15.2
func (i *RegistryValue) AddError(err string) *RegistryValue
AddError adds an error string to a RegistryValue and returns this RegistryValue.