diff -Nru forensic-artifacts-20170808/appveyor.yml forensic-artifacts-20190113/appveyor.yml --- forensic-artifacts-20170808/appveyor.yml 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/appveyor.yml 2019-01-13 09:45:17.000000000 +0000 
@@ -1,19 +1,34 @@ environment: matrix: - - PYTHON: "C:\\Python27" + - TARGET: windows_python27 + MACHINE_TYPE: "x86" + PYTHON: "C:\\Python27" + - TARGET: windows_python27 + MACHINE_TYPE: "amd64" + PYTHON: "C:\\Python27-x64" + - TARGET: windows_python36 + MACHINE_TYPE: "x86" + PYTHON: "C:\\Python36" + - TARGET: windows_python36 + MACHINE_TYPE: "amd64" + PYTHON: "C:\\Python36-x64" install: - - cmd: '"C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\SetEnv.cmd" /x86 /release' - - ps: (new-object net.webclient).DownloadFile('https://bootstrap.pypa.io/get-pip.py', 'C:\Projects\get-pip.py') - - ps: (new-object net.webclient).DownloadFile('https://github.com/log2timeline/l2tbinaries/raw/master/win32/pywin32-220.win32-py2.7.exe', 'C:\Projects\pywin32-220.win32-py2.7.exe') - - ps: (new-object net.webclient).DownloadFile('https://github.com/log2timeline/l2tbinaries/raw/master/win32/WMI-1.4.9.win32.exe', 'C:\Projects\WMI-1.4.9.win32.exe') - - cmd: "%PYTHON%\\python.exe C:\\Projects\\get-pip.py" - - cmd: "%PYTHON%\\Scripts\\easy_install.exe C:\\Projects\\pywin32-220.win32-py2.7.exe" - - cmd: "%PYTHON%\\Scripts\\easy_install.exe C:\\Projects\\WMI-1.4.9.win32.exe" - - cmd: git clone https://github.com/log2timeline/l2tdevtools.git && move l2tdevtools ..\ - - cmd: mkdir dependencies && set PYTHONPATH=..\l2tdevtools && "%PYTHON%\\python.exe" ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type x86 --msi-targetdir "%PYTHON%" PyYAML yapf +- cmd: '"C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\SetEnv.cmd" /x86 /release' +- cmd: "%PYTHON%\\python.exe -m pip install --upgrade pip" +- cmd: "%PYTHON%\\python.exe -m pip install pywin32 WMI" +- cmd: "%PYTHON%\\python.exe %PYTHON%\\Scripts\\pywin32_postinstall.py -install" +- cmd: git clone https://github.com/log2timeline/l2tdevtools.git ..\l2tdevtools +- cmd: if [%TARGET%]==[windows_python27] ( + mkdir dependencies && + set PYTHONPATH=..\l2tdevtools && + "%PYTHON%\\python.exe" ..\l2tdevtools\tools\update.py 
--download-directory dependencies --machine-type %MACHINE_TYPE% --msi-targetdir "%PYTHON%" --track dev PyYAML funcsigs mock pbr six yapf ) +- cmd: if [%TARGET%]==[windows_python36] ( + mkdir dependencies && + set PYTHONPATH=..\l2tdevtools && + "%PYTHON%\\python.exe" ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type %MACHINE_TYPE% --msi-targetdir "%PYTHON%" --track dev PyYAML mock pbr six ) build: off test_script: - - "%PYTHON%\\python.exe run_tests.py" +- cmd: "%PYTHON%\\python.exe run_tests.py" diff -Nru forensic-artifacts-20170808/artifacts/artifact.py forensic-artifacts-20190113/artifacts/artifact.py --- forensic-artifacts-20170808/artifacts/artifact.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/artifacts/artifact.py 2019-01-13 09:45:17.000000000 +0000 @@ -82,7 +82,8 @@ for source in self.sources: source_definition = { 'type': source.type_indicator, - 'attributes': source.AsDict()} + 'attributes': source.AsDict() + } if source.supported_os: source_definition['supported_os'] = source.supported_os if source.conditions: @@ -94,7 +95,8 @@ artifact_definition = { 'name': self.name, 'doc': self.description, - 'sources': sources,} + 'sources': sources, + } if self.labels: artifact_definition['labels'] = self.labels if self.supported_os: diff -Nru forensic-artifacts-20170808/artifacts/definitions.py forensic-artifacts-20190113/artifacts/definitions.py --- forensic-artifacts-20170808/artifacts/definitions.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/artifacts/definitions.py 2019-01-13 09:45:17.000000000 +0000 @@ -3,7 +3,6 @@ from __future__ import unicode_literals - TYPE_INDICATOR_ARTIFACT_GROUP = 'ARTIFACT_GROUP' TYPE_INDICATOR_COMMAND = 'COMMAND' TYPE_INDICATOR_DIRECTORY = 'DIRECTORY' 
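Review bot: The new install steps run code fetched at build time without pinning it: `git clone https://github.com/log2timeline/l2tdevtools.git ..\l2tdevtools` takes whatever the default branch holds, `update.py ... --track dev` then pulls dev-track dependency builds, and `pip install pywin32 WMI` carries no versions, so no commit of this repository identifies what the build actually executed. Recording a revision and checking it out after the clone (`git checkout <REVISION_PLACEHOLDER>`) and pinning the pip packages would make the build reproducible and turn an upstream change into a visible diff here. This is a reproducibility and supply-chain hygiene point, not a defect in the script's logic.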
@@ -14,54 +13,51 @@ TYPE_INDICATOR_WMI_QUERY = 'WMI' LABELS = { - 'Antivirus': - 'Antivirus related artifacts, e.g. quarantine files.', - 'Authentication': - 'Authentication artifacts.', - 'Browser': - 'Web Browser artifacts.', - 'Cloud': - 'Cloud applications artifacts.', - 'Cloud Storage': - 'Cloud storage artifacts.', - 'Configuration Files': - 'Configuration files artifacts.', - 'Execution': - 'Contain execution events.', + 'Antivirus': 'Antivirus related artifacts, e.g. quarantine files.', + 'Authentication': 'Authentication artifacts.', + 'Browser': 'Web Browser artifacts.', + 'Cloud': 'Cloud applications artifacts.', + 'Cloud Storage': 'Cloud storage artifacts.', + 'Configuration Files': 'Configuration files artifacts.', + 'Docker': 'Docker artifacts.', + 'Execution': 'Contain execution events.', 'ExternalAccount': ( 'Information about any user accounts e.g. username, ' 'account ID, etc.'), - 'External Media': - 'Contain external media data or events e.g. USB drives.', - 'IM': - 'Instant Messaging / Chat applications artifacts.', - 'iOS': - 'Artifacts related to iOS devices connected to the system.', - 'History Files': - 'History files artifacts e.g. .bash_history.', - 'KnowledgeBase': - 'Artifacts used in knowledge base generation.', - 'Logs': - 'Contain log files.', - 'Mail': - 'Mail client applications artifacts.', - 'Memory': - 'Artifacts retrieved from memory.', - 'Network': - 'Describe networking state.', - 'Processes': - 'Describe running processes.', - 'Rekall': - 'Artifacts using the Rekall memory forensics framework.', - 'Software': - 'Installed software.', - 'System': - 'Core system artifacts.', - 'Users': - 'Information about users.'} - -SUPPORTED_OS = frozenset(['Darwin', 'Linux', 'Windows']) + 'External Media': 'Contain external media data or events e.g. 
USB drives.', + 'Hadoop': 'Hadoop artifacts.', + 'IM': 'Instant Messaging / Chat applications artifacts.', + 'iOS': 'Artifacts related to iOS devices connected to the system.', + 'History Files': 'History files artifacts e.g. .bash_history.', + 'KnowledgeBase': 'Artifacts used in knowledge base generation.', + 'Logs': 'Contain log files.', + 'Mail': 'Mail client applications artifacts.', + 'Memory': 'Artifacts retrieved from memory.', + 'Network': 'Describe networking state.', + 'Processes': 'Describe running processes.', + 'Rekall': 'Artifacts using the Rekall memory forensics framework.', + 'Software': 'Installed software.', + 'System': 'Core system artifacts.', + 'Users': 'Information about users.' +} + +SUPPORTED_OS_DARWIN = 'Darwin' +SUPPORTED_OS_LINUX = 'Linux' +SUPPORTED_OS_WINDOWS = 'Windows' + +# yapf: disable +SUPPORTED_OS = frozenset([ + SUPPORTED_OS_DARWIN, + SUPPORTED_OS_LINUX, + SUPPORTED_OS_WINDOWS]) TOP_LEVEL_KEYS = frozenset([ - 'conditions', 'doc', 'labels', 'name', 'provides', 'sources', - 'supported_os', 'urls']) + 'conditions', + 'doc', + 'labels', + 'name', + 'provides', + 'sources', + 'supported_os', + 'urls']) +# yapf: enable diff -Nru forensic-artifacts-20170808/artifacts/__init__.py forensic-artifacts-20190113/artifacts/__init__.py --- forensic-artifacts-20170808/artifacts/__init__.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/artifacts/__init__.py 2019-01-13 09:45:17.000000000 +0000 @@ -1,4 +1,4 @@ # -*- coding: utf-8 -*- """ForensicArtifacts.com Artifact Repository.""" -__version__ = '20170808' +__version__ = '20190113' diff -Nru forensic-artifacts-20170808/artifacts/reader.py forensic-artifacts-20190113/artifacts/reader.py --- forensic-artifacts-20170808/artifacts/reader.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/artifacts/reader.py 2019-01-13 09:45:17.000000000 +0000 
@@ -22,6 +22,10 @@ supported_os (set[str]): supported operating systems. """ + # Note that redundant-returns-doc and redundant-yields-doc are broken for + # pylint 1.7.x for abstract methods. + # pylint: disable=redundant-returns-doc,redundant-yields-doc + def __init__(self): """Initializes an artifacts reader.""" super(BaseArtifactsReader, self).__init__() @@ -88,6 +92,10 @@ class ArtifactsReader(BaseArtifactsReader): """Artifacts reader common functionality.""" + # Note that redundant-yields-doc is broken for pylint 1.7.x for + # abstract methods. + # pylint: disable=redundant-yields-doc + def __init__(self): """Initializes an artifacts reader.""" super(ArtifactsReader, self).__init__() @@ -101,6 +109,7 @@ artifact_definition_values (dict[str, object]): artifact definition values. artifact_definition (ArtifactDefinition): an artifact definition. + name (str): name of the artifact definition. Raises: FormatError: if there are undefined labels. @@ -115,6 +124,9 @@ artifact_definition.labels = labels + # Pylint fails on detecting the type of definition_object based on + # the docstring. + # pylint: disable=missing-type-doc def _ReadSupportedOS(self, definition_values, definition_object, name): """Reads the optional artifact or source type supported OS. @@ -129,7 +141,7 @@ supported_os = definition_values.get('supported_os', []) if not isinstance(supported_os, list): raise errors.FormatError( - 'Invalid supported_os type: {0:s}'.format(type(supported_os))) + 'Invalid supported_os type: {0!s}'.format(type(supported_os))) undefined_supported_os = set(supported_os).difference(self.supported_os) if undefined_supported_os: @@ -147,6 +159,7 @@ artifact_definition_values (dict[str, object]): artifact definition values. artifact_definition (ArtifactDefinition): an artifact definition. + name (str): name of the artifact definition. Raises: FormatError: if the type indicator is not set or unsupported, 
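Review bot: The `# pylint: disable=missing-type-doc` placed on its own line just before `_ReadSupportedOS` sits at class scope, and as far as I understand pylint's pragma scoping a standalone disable stays in effect for the rest of that scope, so it would silence the check for every method that follows in the class, not only this one. If the intent is to exempt this method alone, placing the pragma on the `def` line itself, or adding a matching `# pylint: enable=missing-type-doc` after the method body, keeps the suppression from hiding missing type docs elsewhere. The body of `_ReadSupportedOS` continues outside the hunk.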
@@ -204,6 +217,7 @@ different_keys = ( set(artifact_definition_values) - definitions.TOP_LEVEL_KEYS) if different_keys: + different_keys = ', '.join(different_keys) raise errors.FormatError('Undefined keys: {0:s}'.format(different_keys)) name = artifact_definition_values.get('name', None) diff -Nru forensic-artifacts-20170808/artifacts/registry.py forensic-artifacts-20190113/artifacts/registry.py --- forensic-artifacts-20170808/artifacts/registry.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/artifacts/registry.py 2019-01-13 09:45:17.000000000 +0000 @@ -86,8 +86,9 @@ indicator. """ if source_type_class.TYPE_INDICATOR not in cls._source_type_classes: - raise KeyError('Source type not set for type: {0:s}.'.format( - source_type_class.TYPE_INDICATOR)) + raise KeyError( + 'Source type not set for type: {0:s}.'.format( + source_type_class.TYPE_INDICATOR)) del cls._source_type_classes[source_type_class.TYPE_INDICATOR] @@ -100,8 +101,10 @@ Returns: ArtifactDefinition: an artifact definition or None if not available. """ - if name: - return self._artifact_definitions.get(name.lower(), None) + if not name: + return None + + return self._artifact_definitions.get(name.lower(), None) def GetDefinitions(self): """Retrieves the artifact definitions. @@ -158,8 +161,9 @@ type indicator. """ if source_type_class.TYPE_INDICATOR in cls._source_type_classes: - raise KeyError('Source type already set for type: {0:s}.'.format( - source_type_class.TYPE_INDICATOR)) + raise KeyError( + 'Source type already set for type: {0:s}.'.format( + source_type_class.TYPE_INDICATOR)) cls._source_type_classes[source_type_class.TYPE_INDICATOR] = ( source_type_class) 
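Review bot: `different_keys = ', '.join(different_keys)` joins a set, so the order of names in the `Undefined keys:` message depends on hash ordering and can differ between runs and interpreter versions, which makes the error awkward to compare in logs and tests. Sorting first gives a stable message: `different_keys = ', '.join(sorted(different_keys))`. The enclosing method continues outside the hunk.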
@@ -176,7 +180,7 @@ for source_type_class in source_type_classes: cls.RegisterSourceType(source_type_class) - def ReadFromDirectory(self, artifact_reader, path, extension='yaml'): + def ReadFromDirectory(self, artifacts_reader, path, extension='yaml'): """Reads artifact definitions into the registry from files in a directory. This function does not recurse sub directories. @@ -189,26 +193,26 @@ Raises: KeyError: if a duplicate artifact definition is encountered. """ - for artifact_definition in artifact_reader.ReadDirectory( + for artifact_definition in artifacts_reader.ReadDirectory( path, extension=extension): self.RegisterDefinition(artifact_definition) - def ReadFromFile(self, artifact_reader, filename): + def ReadFromFile(self, artifacts_reader, filename): """Reads artifact definitions into the registry from a file. Args: artifacts_reader (ArtifactsReader): an artifacts reader. filename (str): name of the file to read from. """ - for artifact_definition in artifact_reader.ReadFile(filename): + for artifact_definition in artifacts_reader.ReadFile(filename): self.RegisterDefinition(artifact_definition) - def ReadFileObject(self, artifact_reader, file_object): + def ReadFileObject(self, artifacts_reader, file_object): """Reads artifact definitions into the registry from a file-like object. Args: artifacts_reader (ArtifactsReader): an artifacts reader. file_object (file): file-like object to read from. """ - for artifact_definition in artifact_reader.ReadFileObject(file_object): + for artifact_definition in artifacts_reader.ReadFileObject(file_object): self.RegisterDefinition(artifact_definition) diff -Nru forensic-artifacts-20170808/artifacts/source_type.py forensic-artifacts-20190113/artifacts/source_type.py --- forensic-artifacts-20170808/artifacts/source_type.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/artifacts/source_type.py 2019-01-13 09:45:17.000000000 +0000 
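Review bot: Renaming the first parameter of `ReadFromDirectory`, `ReadFromFile` and `ReadFileObject` from `artifact_reader` to `artifacts_reader` (this hunk and the `@@ -189` hunk) changes the public keyword name, so any caller that passed `artifact_reader=...` by keyword now fails with TypeError. The docstrings already said `artifacts_reader`, so the rename is the right direction; if external callers exist, accepting the old keyword for a release and warning on it would avoid a silent break, otherwise a changelog line naming the rename is enough. The docstring of `ReadFromDirectory` continues outside the first hunk.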
@@ -30,17 +30,26 @@ class SourceType(object): """Artifact definition source type interface.""" + # Note that redundant-returns-doc is broken for pylint 1.7.x for + # abstract methods. + # pylint: disable=redundant-returns-doc + TYPE_INDICATOR = None - @property - def type_indicator(self): - """The type indicator. + def __init__(self): + """Initializes an artifact definition source type. Raises: - NotImplementedError: if the type indicator is not defined. + FormatError: if the indicator is not defined. """ + super(SourceType, self).__init__() + if not self.TYPE_INDICATOR: - raise NotImplementedError('Invalid source type missing type indicator.') + raise errors.FormatError('Missing type indicator.') + + @property + def type_indicator(self): + """str: type indicator.""" return self.TYPE_INDICATOR @abc.abstractmethod @@ -226,7 +235,8 @@ r'HKEY_LOCAL_MACHINE', r'HKEY_USERS', r'HKEY_CLASSES_ROOT', - r'%%current_control_set%%',] + r'%%current_control_set%%', + ] def __init__(self, keys=None): """Initializes a source type. @@ -309,6 +319,9 @@ raise errors.FormatError('key_value_pair must be a dict') if set(pair.keys()) != set(['key', 'value']): + key_value_pairs = ', '.join([ + '{0:s}: {1:s}'.format(key, value) for key, value in key_value_pairs + ]) error_message = ( 'key_value_pair missing "key" and "value" keys, got: ' '{0:s}').format(key_value_pairs) @@ -329,14 +342,20 @@ class WMIQuerySourceType(SourceType): - """WMI query source type.""" + """WMI query source type. + + Attributes: + base_object (str): WMI base object. + query (str): WMI query. + """ TYPE_INDICATOR = definitions.TYPE_INDICATOR_WMI_QUERY - def __init__(self, query=None, base_object=None): + def __init__(self, base_object=None, query=None): """Initializes a source type. Args: + base_object (Optional[str]): WMI base object. query (Optional[str]): WMI query. Raises: 
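Review bot: The new message-building line `for key, value in key_value_pairs` unpacks each element of `key_value_pairs`, but the check a few lines above (`'key_value_pair must be a dict'`) shows the elements are dicts, so the unpacking yields the dict's key names rather than key/value pairs and raises ValueError whenever a pair has more or fewer than two keys — which is exactly the malformed input this branch is meant to report as FormatError. Formatting each pair as a whole avoids that: `key_value_pairs = ', '.join(['{0!s}'.format(pair) for pair in key_value_pairs])`. The enclosing loop and method start outside the hunk.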
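Review bot: Swapping the positional order of `WMIQuerySourceType.__init__` to `(self, base_object=None, query=None)` silently changes meaning for any caller that passed the query positionally as the first argument: the query string now lands in `base_object` and `query` stays None, with no error raised. Callers that go through the factory's `attributes` dict are presumably unaffected, but the change deserves a changelog note or a deprecation path, since a misrouted WMI query is not something the validation further down this method appears to catch. The rest of `__init__` continues outside the hunk.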
@@ -366,22 +385,17 @@ """Source type factory.""" _source_type_classes = { - definitions.TYPE_INDICATOR_ARTIFACT_GROUP: - ArtifactGroupSourceType, - definitions.TYPE_INDICATOR_COMMAND: - CommandSourceType, - definitions.TYPE_INDICATOR_DIRECTORY: - DirectorySourceType, - definitions.TYPE_INDICATOR_FILE: - FileSourceType, - definitions.TYPE_INDICATOR_PATH: - PathSourceType, + definitions.TYPE_INDICATOR_ARTIFACT_GROUP: ArtifactGroupSourceType, + definitions.TYPE_INDICATOR_COMMAND: CommandSourceType, + definitions.TYPE_INDICATOR_DIRECTORY: DirectorySourceType, + definitions.TYPE_INDICATOR_FILE: FileSourceType, + definitions.TYPE_INDICATOR_PATH: PathSourceType, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY: WindowsRegistryKeySourceType, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE: WindowsRegistryValueSourceType, - definitions.TYPE_INDICATOR_WMI_QUERY: - WMIQuerySourceType,} + definitions.TYPE_INDICATOR_WMI_QUERY: WMIQuerySourceType, + } @classmethod def CreateSourceType(cls, type_indicator, attributes): diff -Nru forensic-artifacts-20170808/artifacts/writer.py forensic-artifacts-20190113/artifacts/writer.py --- forensic-artifacts-20170808/artifacts/writer.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/artifacts/writer.py 2019-01-13 09:45:17.000000000 +0000 @@ -11,6 +11,10 @@ class BaseArtifactsWriter(object): """Artifacts writer interface.""" + # Note that redundant-returns-doc is broken for # pylint 1.7.x for + # abstract methods. + # pylint: disable=redundant-returns-doc + @abc.abstractmethod def FormatArtifacts(self, artifacts): """Formats artifacts to desired output format. 
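Review bot: The new class comment reads `# Note that redundant-returns-doc is broken for # pylint 1.7.x for`, with a stray `# ` in the middle of the sentence; the same typo is in the `ArtifactWriter` hunk (`@@ -35`), while the equivalent comments in reader.py and source_type.py have the intended wording. Suggested text: `# Note that redundant-returns-doc is broken for pylint 1.7.x for` followed by `# abstract methods.`.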
@@ -35,6 +39,10 @@ class ArtifactWriter(BaseArtifactsWriter): """File artifacts writer.""" + # Note that redundant-returns-doc is broken for # pylint 1.7.x for + # abstract methods. + # pylint: disable=redundant-returns-doc + @abc.abstractmethod def FormatArtifacts(self, artifacts): """Formats artifacts to desired output format. diff -Nru forensic-artifacts-20170808/artifacts.ini forensic-artifacts-20190113/artifacts.ini --- forensic-artifacts-20170808/artifacts.ini 1970-01-01 00:00:00.000000000 +0000 +++ forensic-artifacts-20190113/artifacts.ini 2019-01-13 09:45:17.000000000 +0000 @@ -0,0 +1,9 @@ +[project] +name: artifacts +status: alpha +name_description: ForensicArtifacts.com Artifact Repository +maintainer: Forensic artifacts +homepage_url: https://github.com/ForensicArtifacts/artifacts +description_short: ForensicArtifacts.com Artifact Repository. +description_long: A free, community-sourced, machine-readable knowledge base of forensic + artifacts that the world can use both as an information source and within other tools. diff -Nru forensic-artifacts-20170808/config/dpkg/changelog forensic-artifacts-20190113/config/dpkg/changelog --- forensic-artifacts-20170808/config/dpkg/changelog 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/config/dpkg/changelog 2019-01-13 09:45:17.000000000 +0000 @@ -1,5 +1,5 @@ -artifacts (20170513-1) unstable; urgency=low +artifacts (20190113-1) unstable; urgency=low * Auto-generated - -- Forensic artifacts Tue, 08 Aug 2017 08:18:16 +0200 + -- Forensic artifacts Sun, 13 Jan 2019 09:44:56 +0100 \ No newline at end of file diff -Nru forensic-artifacts-20170808/config/dpkg/control forensic-artifacts-20190113/config/dpkg/control --- forensic-artifacts-20170808/config/dpkg/control 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/config/dpkg/control 2019-01-13 09:45:17.000000000 +0000 
@@ -2,7 +2,7 @@ Section: python Priority: extra Maintainer: Forensic artifacts -Build-Depends: debhelper (>= 7), python-all (>= 2.7~), python-setuptools, python3-all (>= 3.4~), python3-setuptools +Build-Depends: debhelper (>= 9), python-all (>= 2.7~), python-setuptools, python3-all (>= 3.4~), python3-setuptools Standards-Version: 3.9.5 X-Python-Version: >= 2.7 X-Python3-Version: >= 3.4 @@ -18,20 +18,20 @@ Package: python-artifacts Architecture: all Depends: artifacts-data, python-yaml (>= 3.10), ${python:Depends}, ${misc:Depends} -Description: Python bindings for ForensicArtifacts.com Artifact Repository +Description: Python 2 module of ForensicArtifacts.com Artifact Repository A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. Package: python3-artifacts Architecture: all Depends: artifacts-data, python3-yaml (>= 3.10), ${python3:Depends}, ${misc:Depends} -Description: Python bindings for ForensicArtifacts.com Artifact Repository +Description: Python 3 module of ForensicArtifacts.com Artifact Repository A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. Package: artifacts-tools Architecture: all Depends: python-artifacts, python (>= 2.7~), ${python:Depends}, ${misc:Depends} -Description: Tools for ForensicArtifacts.com Artifact Repository +Description: Tools of ForensicArtifacts.com Artifact Repository A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. diff -Nru forensic-artifacts-20170808/config/travis/install.sh forensic-artifacts-20190113/config/travis/install.sh --- forensic-artifacts-20170808/config/travis/install.sh 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/config/travis/install.sh 2019-01-13 09:45:17.000000000 +0000 
@@ -1,34 +1,70 @@ #!/bin/bash # # Script to set up Travis-CI test VM. - -COVERALL_DEPENDENCIES="python-coverage python-coveralls python-docopt"; +# +# This file is generated by l2tdevtools update-dependencies.py any dependency +# related changes should be made in dependencies.ini. L2TBINARIES_DEPENDENCIES="PyYAML"; -L2TBINARIES_TEST_DEPENDENCIES="yapf"; +L2TBINARIES_TEST_DEPENDENCIES="funcsigs mock pbr six yapf"; PYTHON2_DEPENDENCIES="python-yaml"; -PYTHON2_TEST_DEPENDENCIES="python-yapf"; +PYTHON2_TEST_DEPENDENCIES="python-coverage python-funcsigs python-mock python-pbr python-six python-tox python-yapf yapf"; + +PYTHON3_DEPENDENCIES="python3-yaml"; + +PYTHON3_TEST_DEPENDENCIES="python-yapf python3-mock python3-pbr python3-setuptools python3-six python3-tox yapf"; # Exit on error. set -e; if test ${TRAVIS_OS_NAME} = "osx"; then - git clone https://github.com/log2timeline/l2tdevtools.git; + git clone https://github.com/log2timeline/l2tbinaries.git -b dev; - mv l2tdevtools ../; - mkdir dependencies; + mv l2tbinaries ../; - PYTHONPATH=../l2tdevtools ../l2tdevtools/tools/update.py --download-directory=dependencies ${L2TBINARIES_DEPENDENCIES} ${L2TBINARIES_TEST_DEPENDENCIES}; + for PACKAGE in ${L2TBINARIES_DEPENDENCIES}; + do + echo "Installing: ${PACKAGE}"; + sudo /usr/bin/hdiutil attach ../l2tbinaries/macos/${PACKAGE}-*.dmg; + sudo /usr/sbin/installer -target / -pkg /Volumes/${PACKAGE}-*.pkg/${PACKAGE}-*.pkg; + sudo /usr/bin/hdiutil detach /Volumes/${PACKAGE}-*.pkg + done + + for PACKAGE in ${L2TBINARIES_TEST_DEPENDENCIES}; + do + echo "Installing: ${PACKAGE}"; + sudo /usr/bin/hdiutil attach ../l2tbinaries/macos/${PACKAGE}-*.dmg; + sudo /usr/sbin/installer -target / -pkg /Volumes/${PACKAGE}-*.pkg/${PACKAGE}-*.pkg; + sudo /usr/bin/hdiutil detach /Volumes/${PACKAGE}-*.pkg + done -elif test ${TRAVIS_OS_NAME} = "linux"; +elif test ${TRAVIS_OS_NAME} = "linux" && test ${TARGET} != "jenkins"; then + sudo rm -f /etc/apt/sources.list.d/travis_ci_zeromq3-source.list; + + if 
test ${TARGET} = "pylint"; + then + if test ${TRAVIS_PYTHON_VERSION} = "2.7"; + then + sudo add-apt-repository ppa:gift/pylint2 -y; + fi + fi + sudo add-apt-repository ppa:gift/dev -y; sudo apt-get update -q; - # Only install the Python 2 dependencies. - # Also see: https://docs.travis-ci.com/user/languages/python/#Travis-CI-Uses-Isolated-virtualenvs - sudo apt-get install -y ${COVERALL_DEPENDENCIES} ${PYTHON2_DEPENDENCIES} ${PYTHON2_TEST_DEPENDENCIES}; + + if test ${TRAVIS_PYTHON_VERSION} = "2.7"; + then + sudo apt-get install -y ${PYTHON2_DEPENDENCIES} ${PYTHON2_TEST_DEPENDENCIES}; + else + sudo apt-get install -y ${PYTHON3_DEPENDENCIES} ${PYTHON3_TEST_DEPENDENCIES}; + fi + if test ${TARGET} = "pylint"; + then + sudo apt-get install -y pylint; + fi fi diff -Nru forensic-artifacts-20170808/config/travis/runtests.sh forensic-artifacts-20190113/config/travis/runtests.sh --- forensic-artifacts-20170808/config/travis/runtests.sh 1970-01-01 00:00:00.000000000 +0000 +++ forensic-artifacts-20190113/config/travis/runtests.sh 2019-01-13 09:45:17.000000000 +0000 
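Review bot: The new conditions use unquoted variables: `elif test ${TRAVIS_OS_NAME} = "linux" && test ${TARGET} != "jenkins";` and the two `if test ${TARGET} = "pylint";` lines expand to `test != "jenkins"` if TARGET is ever unset, which test(1) rejects with "unary operator expected" and the condition then quietly evaluates false, so the Linux branch installs nothing; runtests.sh on this same page quotes them (`"${TARGET}"`), so `test "${TRAVIS_OS_NAME}" = "linux" && test "${TARGET}" != "jenkins";` is the consistent form. Separately, the osx branch clones `l2tbinaries.git -b dev` and installs every `${PACKAGE}-*.dmg` it finds with `sudo /usr/sbin/installer -target /` without pinning a revision or checking a digest, so CI runs as root whatever that branch holds at build time; pinning the clone to a recorded commit and keeping expected digests next to the package lists would let an upstream change show up as a diff here. The header says this file is generated by l2tdevtools update-dependencies.py, so both fixes belong in the generator template rather than in this copy.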
@@ -0,0 +1,80 @@ +#!/bin/bash +# +# Script to run tests on Travis-CI. +# +# This file is generated by l2tdevtools update-dependencies.py, any dependency +# related changes should be made in dependencies.ini. + +# Exit on error. +set -e; + +if test "${TARGET}" = "jenkins"; +then + ./config/jenkins/linux/run_end_to_end_tests.sh "travis"; + +elif test "${TARGET}" = "pylint"; +then + pylint --version + + for FILE in `find setup.py artifacts config tests tools -name \*.py`; + do + echo "Checking: ${FILE}"; + + pylint --rcfile=.pylintrc ${FILE}; + done + +elif test "${TRAVIS_OS_NAME}" = "osx"; +then + PYTHONPATH=/Library/Python/2.7/site-packages/ /usr/bin/python ./run_tests.py; + + python ./setup.py build + + python ./setup.py sdist + + python ./setup.py bdist + + if test -f tests/end-to-end.py; + then + PYTHONPATH=. python ./tests/end-to-end.py --debug -c config/end-to-end.ini; + fi + +elif test "${TRAVIS_OS_NAME}" = "linux"; +then + COVERAGE="/usr/bin/coverage"; + + if ! test -x "${COVERAGE}"; + then + # Ubuntu has renamed coverage. + COVERAGE="/usr/bin/python-coverage"; + fi + + if test -n "${TOXENV}"; + then + tox --sitepackages ${TOXENV}; + + elif test "${TRAVIS_PYTHON_VERSION}" = "2.7"; + then + ${COVERAGE} erase + ${COVERAGE} run --source=artifacts --omit="*_test*,*__init__*,*test_lib*" ./run_tests.py + else + python ./run_tests.py + + python ./setup.py build + + python ./setup.py sdist + + python ./setup.py bdist + + TMPDIR="${PWD}/tmp"; + TMPSITEPACKAGES="${TMPDIR}/lib/python${TRAVIS_PYTHON_VERSION}/site-packages"; + + mkdir -p ${TMPSITEPACKAGES}; + + PYTHONPATH=${TMPSITEPACKAGES} python ./setup.py install --prefix=${TMPDIR}; + + if test -f tests/end-to-end.py; + then + PYTHONPATH=. 
python ./tests/end-to-end.py --debug -c config/end-to-end.ini; + fi + fi +fi diff -Nru forensic-artifacts-20170808/config/travis/run_with_timeout.sh forensic-artifacts-20190113/config/travis/run_with_timeout.sh --- forensic-artifacts-20170808/config/travis/run_with_timeout.sh 1970-01-01 00:00:00.000000000 +0000 +++ forensic-artifacts-20190113/config/travis/run_with_timeout.sh 2019-01-13 09:45:17.000000000 +0000 @@ -0,0 +1,47 @@ +#!/bin/bash +# +# Script to run commands on a Travis-CI test VM that otherwise would time out +# after 10 minutes. This replaces travis_wait and outputs stdout of the command +# running. +# +# This file is generated by l2tdevtools update-dependencies.py, any dependency +# related changes should be made in dependencies.ini. + +# Exit on error. +set -e + +# Usage: ./run_with_timeout.sh [TIMEOUT] [COMMAND] [OPTION] [...] + +TIMEOUT=$1; +shift + +# Launch a command in the background. +$* & + +PID_COMMAND=$!; + +# Probe the command every minute. +MINUTES=0; + +while kill -0 ${PID_COMMAND} >/dev/null 2>&1; +do + # Print to stdout, seeing this prints a space and a backspace + # there is no visible trace. + echo -n -e " \b"; + + if test ${MINUTES} -ge ${TIMEOUT}; + then + kill -9 ${PID_COMMAND} >/dev/null 2>&1; + + echo -e "\033[0;31m[ERROR] command: $* timed out after: ${MINUTES} minute(s).\033[0m"; + + exit 1; + fi + MINUTES=$(( ${MINUTES} + 1 )); + + sleep 60; +done + +wait ${PID_COMMAND}; + +exit $?; diff -Nru forensic-artifacts-20170808/data/antivirus.yaml forensic-artifacts-20190113/data/antivirus.yaml --- forensic-artifacts-20170808/data/antivirus.yaml 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/data/antivirus.yaml 2019-01-13 09:45:17.000000000 +0000 @@ -16,6 +16,7 @@ paths: - '%%environ_allusersappdata%%\Microsoft\Microsoft Antimalware\Quarantine\**' - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Quarantine\**' + separator: '\' supported_os: [Windows] labels: [Antivirus] --- 
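Review bot: `$* &` re-splits the command's arguments on whitespace, so an argument that contained spaces when run_with_timeout.sh was invoked reaches the command as several words; `"$@" &` preserves the original argument boundaries, and the `$*` in the timeout message can stay since it is only printed. Quoting `${PID_COMMAND}` is not needed, but `exit $?;` after `wait ${PID_COMMAND};` does correctly propagate the command's status. The header says this file is generated by l2tdevtools, so the change belongs in the generator.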
@@ -23,25 +24,28 @@ doc: Sophos Anti-Virus log files. sources: - type: FILE - attributes: {paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\Logs\*']} - supported_os: [Windows] -sources: -- type: FILE attributes: {paths: ['/Library/Logs/Sophos*.log']} supported_os: [Darwin] -supported_os: [Windows, Darwin] +- type: FILE + attributes: + paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\Logs\*'] + separator: '\' + supported_os: [Windows] +supported_os: [Darwin, Windows] labels: [Antivirus, Logs] --- name: SophosAVQuarantine doc: Sophos Anti-Virus Quarantine (Infected) files. sources: - type: FILE - attributes: {paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\INFECTED\*']} - supported_os: [Windows] -- type: FILE attributes: {paths: ['/Users/Shared/Infected/*']} supported_os: [Darwin] -supported_os: [Windows, Darwin] +- type: FILE + attributes: + paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\INFECTED\*'] + separator: '\' + supported_os: [Windows] +supported_os: [Darwin, Windows] labels: [Antivirus] --- name: SymantecAVLogs @@ -52,6 +56,7 @@ paths: - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\*.log' - '%%users.localappdata%%\Symantec\Symantec Endpoint Protection\Logs\*.log' + separator: '\' supported_os: [Windows] supported_os: [Windows] labels: [Antivirus, Logs] 
@@ -60,7 +65,9 @@ doc: Symantec Anti-Virus Quarantine (Infected) files. sources: - type: FILE - attributes: {paths: ['%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\**5.vbn']} + attributes: + paths: ['%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\**5.vbn'] + separator: '\' supported_os: [Windows] supported_os: [Windows] labels: [Antivirus, Logs] diff -Nru forensic-artifacts-20170808/data/applications.yaml forensic-artifacts-20190113/data/applications.yaml --- forensic-artifacts-20170808/data/applications.yaml 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/data/applications.yaml 2019-01-13 09:45:17.000000000 +0000 @@ -20,7 +20,7 @@ sources: - type: FILE attributes: - paths: + paths: - '%%users.homedir%%/Library/Preferences/com.microsoft.office.plist' - '%%users.homedir%%/Library/Containers/com.microsoft.*/Data/Library/Preferences/com.microsoft.*.securebookmarks.plist' separator: '/' 
@@ -34,6 +34,45 @@ supported_os: [Darwin, Windows] urls: ['https://github.com/mac4n6/macMRU-Parser'] --- +name: MicrosoftOutlookPABFiles +doc: Microsoft Outlook PAB Files +sources: +- type: FILE + attributes: + paths: + - '%%users.homedir%%/AppData/Local/Microsoft/Outlook/*.pab' + - '%%users.homedir%%/Documents/Outlook Files/*.pab' + separator: '/' +labels: [Users, Mail] +supported_os: [Windows] +urls: ['http://www.forensicswiki.org/wiki/Personal_Folder_File_(PAB,_PST,_OST)'] +--- +name: MicrosoftOutlookPSTFiles +doc: Microsoft Outlook PST Files +sources: +- type: FILE + attributes: + paths: + - '%%users.homedir%%/AppData/Local/Microsoft/Outlook/*.pst' + - '%%users.homedir%%/Documents/Outlook Files/*.pst' + separator: '/' +labels: [Users, Mail] +supported_os: [Windows] +urls: ['http://www.forensicswiki.org/wiki/Personal_Folder_File_(PAB,_PST,_OST)'] +--- +name: MicrosoftOutlookOSTFiles +doc: Microsoft Outlook OST Files +sources: +- type: FILE + attributes: + paths: + - '%%users.homedir%%/AppData/Local/Microsoft/Outlook/*.ost' + - '%%users.homedir%%/Documents/Outlook Files/*.ost' + separator: '/' +labels: [Users, Mail] +supported_os: [Windows] +urls: ['http://www.forensicswiki.org/wiki/Personal_Folder_File_(PAB,_PST,_OST)'] +--- name: WinRARExternalViewer doc: Executable run when a file is opened by WinRAR inside an archive. sources: diff -Nru forensic-artifacts-20170808/data/cloud_services.yaml forensic-artifacts-20190113/data/cloud_services.yaml --- forensic-artifacts-20170808/data/cloud_services.yaml 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/data/cloud_services.yaml 2019-01-13 09:45:17.000000000 +0000 @@ -20,6 +20,7 @@ paths: - '%%users.appdata%%\Dropbox\*.db*' - '%%users.localappdata%%\Dropbox\*.db*' + separator: '\' supported_os: [Windows] - type: FILE attributes: 
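Review bot: The three new Outlook definitions locate the data files under `%%users.homedir%%/AppData/Local/Microsoft/Outlook/*.pst` (and `.pab`, `.ost`), which hard-codes the default Local AppData location relative to the profile; cloud_services.yaml on this page uses the `%%users.localappdata%%` variable for that directory, and java.yaml shows `%%users.homedir%%\...` and `%%users.localappdata_low%%\...` combined under `separator: '\'`, so `'%%users.localappdata%%\Microsoft\Outlook\*.pst'` next to `'%%users.homedir%%\Documents\Outlook Files\*.pst'` with `separator: '\'` would follow redirected profiles and match the rest of the repository. The same applies to the PAB and OST definitions in this hunk; whether the `/`-separated form is deliberately chosen for these Windows-only sources is not visible here.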
@@ -42,6 +43,7 @@ - '%%users.localappdata%%\Google\Drive\user_default\snapshot.db' - '%%users.localappdata%%\Google\Drive\user_default\sync_config.db' - '%%users.localappdata%%\Google\Drive\user_default\sync_config.log*' + separator: '\' supported_os: [Windows] - type: FILE attributes: @@ -53,7 +55,7 @@ - '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.db' - '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.log*' supported_os: [Darwin] -supported_os: [Darwin,Windows] +supported_os: [Darwin, Windows] labels: [Cloud Storage] urls: ['http://www.forensicswiki.org/wiki/Google_Drive'] --- @@ -71,6 +73,7 @@ - '%%users.localappdata%%\Microsoft\SkyDrive\settings\ApplicationSettings.xml' - '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.dat' - '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.ini' + separator: '\' supported_os: [Windows] supported_os: [Windows] labels: [Cloud Storage] diff -Nru forensic-artifacts-20170808/data/config_files.yaml forensic-artifacts-20190113/data/config_files.yaml --- forensic-artifacts-20170808/data/config_files.yaml 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/data/config_files.yaml 2019-01-13 09:45:17.000000000 +0000 @@ -14,7 +14,7 @@ - type: FILE attributes: {paths: ['/etc/ssh/sshd_config']} labels: [Configuration Files] -supported_os: [Linux] +supported_os: [Linux, Darwin] --- name: SshUserConfigFile doc: User ssh configuration file diff -Nru forensic-artifacts-20170808/data/docker.yaml forensic-artifacts-20190113/data/docker.yaml --- forensic-artifacts-20170808/data/docker.yaml 1970-01-01 00:00:00.000000000 +0000 +++ forensic-artifacts-20190113/data/docker.yaml 2019-01-13 09:45:17.000000000 +0000 
@@ -0,0 +1,21 @@
+# Docker artifacts
+
+---
+name: DockerContainerConfig
+doc: Docker container configuration files
+sources:
+- type: FILE
+ attributes:
+ paths:
+ - '/var/lib/docker/containers/*/config.v2.json'
+ - '/var/lib/docker/containers/*/config.json'
+labels: [Docker, Configuration Files]
+supported_os: [Linux]
+---
+name: GKEDockerContainerLogs
+doc: Location where stdout and stderr from containers is logged in a Google Kubernetes Engine (GKE) environment.
+sources:
+- type: FILE
+ attributes: {paths: ['/var/lib/docker/containers/*/*-json.log*']}
+labels: [Docker, Logs]
+supported_os: [Linux]
diff -Nru forensic-artifacts-20170808/data/hadoop.yaml forensic-artifacts-20190113/data/hadoop.yaml
--- forensic-artifacts-20170808/data/hadoop.yaml 1970-01-01 00:00:00.000000000 +0000
+++ forensic-artifacts-20190113/data/hadoop.yaml 2019-01-13 09:45:17.000000000 +0000
@@ -0,0 +1,9 @@
+# Hadoop artifacts
+
+name: HadoopAppRoot
+doc: Location where Hadoop application files are stored
+sources:
+- type: FILE
+ attributes: {paths: ['/hadoop/yarn/system/rmstore/FSRMStateRoot/RMAppRoot/application_*/application_*']}
+labels: [Hadoop]
+supported_os: [Linux]
diff -Nru forensic-artifacts-20170808/data/java.yaml forensic-artifacts-20190113/data/java.yaml
--- forensic-artifacts-20170808/data/java.yaml 2017-08-08 19:57:45.000000000 +0000
+++ forensic-artifacts-20190113/data/java.yaml 2019-01-13 09:45:17.000000000 +0000
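Review bot: `GKEDockerContainerLogs` is named and documented as GKE-specific, but `/var/lib/docker/containers/<id>/<id>-json.log` is the default output location of Docker's `json-file` logging driver on any host, so the name undersells where the artifact applies and invites it being skipped on non-GKE systems; a neutral name with `doc: Container stdout/stderr captured by Docker's json-file logging driver (also the layout on GKE nodes).` would be clearer. For `DockerContainerConfig`, `config.v2.json` carries the container's environment variables, which frequently include secrets, so its `doc` line should flag the collected data as sensitive. If the intent is to reconstruct how a container was run (mounts, privileged flag, capabilities), `hostconfig.json` in the same directory is, as far as I recall the daemon's on-disk layout, the file that records that and would be worth adding — confirm on a current daemon.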
@@ -4,16 +4,17 @@ doc: Java Plug-in cache. sources: - type: FILE + attributes: {paths: ['%%users.homedir%%/.java/deployment/cache/**']} + supported_os: [Linux] +- type: FILE + attributes: {paths: ['%%users.homedir%%/Library/Caches/Java/cache/**']} + supported_os: [Darwin] +- type: FILE attributes: paths: - '%%users.localappdata_low%%\Sun\Java\Deployment\cache\**' - '%%users.homedir%%\AppData\LocalLow\Sun\Java\Deployment\cache\**' - '%%users.homedir%%\Application Data\Sun\Java\Deployment\cache\**' + separator: '\' supported_os: [Windows] -- type: FILE - attributes: {paths: ['%%users.homedir%%/Library/Caches/Java/cache/**']} - supported_os: [Darwin] -- type: FILE - attributes: {paths: ['%%users.homedir%%/.java/deployment/cache/**']} - supported_os: [Linux] supported_os: [Windows, Linux, Darwin] diff -Nru forensic-artifacts-20170808/data/legacy.yaml forensic-artifacts-20190113/data/legacy.yaml --- forensic-artifacts-20170808/data/legacy.yaml 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/data/legacy.yaml 2019-01-13 09:45:17.000000000 +0000 @@ -34,6 +34,25 @@ supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/wiki/System-keys'] --- +name: LinuxRelease +doc: | + Linux specific distribution information. + + See: lsb_release(1) man page, or the LSB Specification under the 'Command + Behaviour' section. +sources: +- type: FILE + attributes: + paths: + - '/etc/enterprise-release' + - '/etc/lsb-release' + - '/etc/oracle-release' + - '/etc/redhat-release' + - '/etc/system-release' +provides: [os_release, os_major_version, os_minor_version] +labels: [Software] +supported_os: [Linux] +--- name: OSXUsers doc: Users directories in /Users sources: diff -Nru forensic-artifacts-20170808/data/linux.yaml forensic-artifacts-20190113/data/linux.yaml --- forensic-artifacts-20170808/data/linux.yaml 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/data/linux.yaml 2019-01-13 09:45:17.000000000 +0000 
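Review bot: Nothing in `LinuxRelease`'s `doc` says it is deprecated, even though it is moved into legacy.yaml here while `LinuxLSBRelease`, `LinuxDistributionRelease` and `DebianVersion` — which appear to be its replacements — are added to linux.yaml in the same change. Add a sentence to the block scalar such as `Deprecated: use LinuxLSBRelease, LinuxDistributionRelease and DebianVersion instead.` so that tooling still naming this artifact can be migrated and the overlapping `provides` with the new definitions reads as intentional. Leaving `provides` on a legacy definition means two sources now claim `os_release`; if the knowledge base resolves them in file order, state that, otherwise drop it here.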
@@ -79,6 +79,15 @@ labels: [Software] supported_os: [Linux] --- +name: DebianVersion +doc: Debian version information. +sources: +- type: FILE + attributes: {paths: ['/etc/debian_version']} +provides: [os_release, os_major_version, os_minor_version] +labels: [Software] +supported_os: [Linux] +--- name: DNSResolvConfFile doc: DNS Resolver configuration file. sources: @@ -171,6 +180,20 @@ labels: [Logs] supported_os: [Linux] --- +name: LinuxDistributionRelease +doc: Linux distribution release information of non-LSB compliant systems. +sources: +- type: FILE + attributes: + paths: + - '/etc/enterprise-release' + - '/etc/oracle-release' + - '/etc/redhat-release' + - '/etc/system-release' +provides: [os_release, os_major_version, os_minor_version] +labels: [Software] +supported_os: [Linux] +--- name: LinuxDSDTTable doc: Linux file containing DSDT table. sources: @@ -215,14 +238,26 @@ - type: FILE attributes: paths: - - '/boot/initramfs*' - - '/boot/initrd*' + - '/boot/initramfs*' + - '/boot/initrd*' labels: [Configuration Files, System] supported_os: [Linux] urls: - 'http://en.wikipedia.org/wiki/Initrd' - 'https://www.kernel.org/doc/Documentation/initrd.txt' --- +name: LinuxIssueFile +doc: Linux prelogin message and identification (issue) file. +sources: +- type: FILE + attributes: + paths: + - '/etc/issue' + - '/etc/issue.net' +labels: [Configuration Files, System] +supported_os: [Linux] +urls: ['https://linux.die.net/man/5/issue'] +--- name: LinuxKernelLogFiles doc: Linux kernel log files. sources: @@ -231,6 +266,14 @@ labels: [Logs] supported_os: [Linux] --- +name: LinuxLastlogFile +doc: Linux lastlog file. +sources: +- type: FILE + attributes: {paths: ['/var/log/lastlog']} +labels: [Logs, Authentication] +supported_os: [Linux] +--- name: LinuxLSBInit doc: Linux LSB-style init scripts. sources: 
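Review bot: `LinuxDistributionRelease` (and `DebianVersion`/`LinuxLSBRelease` added alongside it) still does not collect `/etc/os-release` or `/usr/lib/os-release`, the systemd-era standard that most current distributions ship and that some rely on in preference to the `*-release` files listed here; unless a definition elsewhere in linux.yaml already covers it, add `- '/etc/os-release'` and `- '/usr/lib/os-release'` to the paths. `/etc/system-release` and `/etc/redhat-release` are frequently symlinks on RHEL-family systems, so whether the collector follows symlinks decides whether content is actually retrieved — a one-line `doc` caveat would help.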
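Review bot: `/var/log/lastlog` in `LinuxLastlogFile` is a sparse file indexed by UID, so on hosts with large UIDs (LDAP/SSSD/AD-joined users in the hundreds of millions) its apparent size can reach tens or hundreds of gigabytes while occupying a few kilobytes on disk; a collector that reads it with plain `read()` rather than preserving holes will transfer the zero-filled gaps. Add a `doc` caveat along the lines of `Sparse file indexed by UID; apparent size can be very large on systems with high UIDs.` so the hazard is visible to anyone adding this artifact to a collection profile. The same note belongs on `MacOSLastlogFile` added in macos.yaml in this change.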
@@ -252,11 +295,21 @@ labels: [System] supported_os: [Linux] --- +name: LinuxLSBRelease +doc: Linux Standard Base (LSB) release information +sources: +- type: FILE + attributes: {paths: ['/etc/lsb-release']} +provides: [os_release, os_major_version, os_minor_version] +labels: [Software] +supported_os: [Linux] +urls: ['https://linux.die.net/man/1/lsb_release'] +--- name: LinuxMessagesLogFiles doc: Linux messages log files. sources: - type: FILE - attributes: {paths: ['/var/log/messages.log*']} + attributes: {paths: ['/var/log/messages*']} labels: [Logs] supported_os: [Linux] --- @@ -306,25 +359,6 @@ labels: [Configuration Files, System] supported_os: [Linux] --- -name: LinuxRelease -doc: | - Linux specific distribution information. - - See: lsb_release(1) man page, or the LSB Specification under the 'Command - Behaviour' section. -sources: -- type: FILE - attributes: - paths: - - '/etc/enterprise-release' - - '/etc/lsb-release' - - '/etc/oracle-release' - - '/etc/redhat-release' - - '/etc/system-release' -provides: [os_release, os_major_version, os_minor_version] -labels: [Software] -supported_os: [Linux] ---- name: LinuxRsyslogConfigs doc: Linux rsyslog configurations. sources: 
@@ -428,14 +462,28 @@ labels: [Configuration Files, System] supported_os: [Linux] --- +name: LinuxUtmpFiles +doc: Linux btmp, utmp and wtmp login record files. +sources: +- type: FILE + attributes: + paths: + - '/var/log/btmp' + - '/var/log/wtmp' + - '/var/run/utmp' +labels: [Logs, Authentication] +supported_os: [Linux] +urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc'] +--- name: LinuxWtmp -doc: Linux wtmp file. +doc: Linux wtmp login record file sources: - type: FILE attributes: {paths: ['/var/log/wtmp']} labels: [Logs, Authentication] provides: [users.username, users.last_logon] supported_os: [Linux] +urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc'] --- name: LinuxXinetd doc: Linux xinetd configurations. diff -Nru forensic-artifacts-20170808/data/macos.yaml forensic-artifacts-20190113/data/macos.yaml --- forensic-artifacts-20170808/data/macos.yaml 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/data/macos.yaml 2019-01-13 09:45:17.000000000 +0000 @@ -78,6 +78,15 @@ - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Logs' --- +name: MacOSBashSessions +doc: Terminal Commands Sessions +sources: +- type: FILE + attributes: {paths: ['%%users.homedir%%/.bash_sessions/*']} +labels: [Users, Logs] +supported_os: [Darwin] +urls: ['https://www.swiftforensics.com/2018/05/bash-sessions-in-macos.html'] +--- name: MacOSBluetoothPlistFile doc: Bluetooth preferences and paired device information plist file sources: 
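Review bot: `LinuxUtmpFiles` adds `/var/log/btmp`, which records failed logins and, because of the classic mistake of typing a password at the `login:` prompt, routinely contains cleartext passwords in its user-name field — it is mode 0600 for exactly that reason. The `doc` line should warn that the collected content must be handled as credential material, e.g. `doc: Linux btmp, utmp and wtmp login record files. btmp (failed logins) frequently contains passwords mistyped as usernames; treat as sensitive.` `/var/log/wtmp` is now listed both here and in `LinuxWtmp`, so a profile selecting both collects it twice; if `LinuxWtmp` is kept for its `provides`, a cross-reference in `doc` would make the duplication deliberate. Rotated `btmp.1`/`wtmp.1` are not matched by these exact paths; `btmp*`/`wtmp*` would include them if that is wanted.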
@@ -89,6 +98,21 @@ - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' --- +name: MacOSCoreAnalyticsFiles +doc: macOS 10.13 (High Sierra) CoreAnalytics log files. +sources: +- type: FILE + attributes: + paths: + - '/Library/Logs/DiagnosticReports/*.core_analytics' + - '/private/var/db/analyticsd/aggregates/*' +labels: [Logs, System] +supported_os: [Darwin] +urls: +- 'http://forensicswiki.org/wiki/Mac_OS_X' +- 'http://forensicswiki.org/wiki/Mac_OS_X#Diagnostic_Reports' +- 'https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/' +--- name: MacOSCronTabs doc: Cron tabs sources: @@ -136,6 +160,14 @@ - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Networking' --- +name: MacOSiCloudAccounts +doc: iCloud Accounts +sources: +- type: FILE + attributes: {paths: ['%%users.homedir%%/Library/Application Support/iCloud/Accounts/*']} +labels: [Users, Software, Cloud, ExternalAccount] +supported_os: [Darwin] +--- name: MacOSiCloudPreferences doc: iCloud user preferences sources: @@ -268,6 +300,18 @@ - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Kernel_Extension' --- +name: MacOSDuetKnowledgeBase +doc: KnowledgeC User and Application usage database +sources: +- type: FILE + attributes: + paths: + - '%%users.homedir%%/Library/Application Support/Knowledge/knowledgeC.db' + - '/private/var/db/CoreDuet/Knowledge/knowledgeC.db' +labels: [Users, Logs] +supported_os: [Darwin] +urls: ['https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage'] +--- name: MacOSLaunchAgentsPlistFiles doc: Launch Agents plist files sources: 
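Review bot: `MacOSDuetKnowledgeBase` names `knowledgeC.db` only; it is an SQLite database that, as I believe the cited mac4n6 post discusses, runs in WAL mode, so the most recent rows live in `knowledgeC.db-wal` (with `-shm`) until a checkpoint and would be missed by a copy of the main file alone. Use `knowledgeC.db*` in both paths, as the Dropbox definition in this same change does with `*.db*`. The same consideration applies to `MacOSNotificationCenter` (`db2/db`) added further down in this file.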
@@ -298,6 +342,14 @@ - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations' --- +name: MacOSLastlogFile +doc: Mac OS X lastlog file. +sources: +- type: FILE + attributes: {paths: ['/var/log/lastlog']} +labels: [Logs, Authentication] +supported_os: [Darwin] +--- name: MacOSLoadedKexts doc: MacOS Loaded Kernel Extensions. sources: @@ -334,10 +386,10 @@ - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' --- name: MacOSMailAccounts -doc: Mail Accounts +doc: Mail Accounts. Until now only V2, V3 and V5 have been observed. sources: - type: FILE - attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/MailData/Accounts.plist']} + attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/MailData/Accounts.plist']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: @@ -345,10 +397,10 @@ - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailBackupTOC -doc: Mail BackupTOC +doc: Mail Backup Table of Content. Until now only V2, V3 and V5 have been observed. sources: - type: FILE - attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/MailData/BackupTOC.plist']} + attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/MailData/BackupTOC.plist']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: @@ -356,10 +408,10 @@ - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailboxes -doc: Mail Mailbox Directory +doc: Mail Mailbox Directory. Until now only V2, V3 and V5 have been observed. sources: - type: FILE - attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/Mailboxes/*']} + attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/Mailboxes/*']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: 
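Review bot: `V[0-9]` in the Mail paths matches only single-digit versions, so a future `V10` directory would silently fall out of scope exactly when the definition is meant to be version-agnostic; `V[0-9]*` (or plain `V*`) covers V2–V5 today and later versions too, e.g. `attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]*/MailData/Accounts.plist']}`. The sentence "Until now only V2, V3 and V5 have been observed." is copied into nine `doc` lines; if it must stay, dating it (which macOS versions) lets it be retired later. `MacOSLastlogFile` in the preceding hunk documents `/var/log/lastlog` as a "Mac OS X" file — as with the utmpx note further down, I believe it stopped being written from 10.5 onward, which the `doc` should state so a missing file is not misread as tampering.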
@@ -378,10 +430,10 @@ - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailEnvelopIndex -doc: Mail Envelope Index +doc: Mail Envelope Index. Until now only V2, V3 and V5 have been observed. sources: - type: FILE - attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/MailData/Envelope Index']} + attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/MailData/Envelope Index']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: @@ -389,10 +441,10 @@ - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailIMAP -doc: Mail IMAP Synched Mailboxes +doc: Mail IMAP Synched Mailboxes. Until now only V2, V3 and V5 have been observed. sources: - type: FILE - attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/IMAP-*/*']} + attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/IMAP-*/*']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: @@ -400,10 +452,10 @@ - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailMainDirectory -doc: Mail Main Folder +doc: Mail Main Folder. Until now only V2, V3 and V5 have been observed. sources: - type: FILE - attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/*']} + attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/*']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: @@ -414,7 +466,7 @@ doc: Mail Opened Attachments sources: - type: FILE - attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/MailData/OpenedAttachmentsV2.plist']} + attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/MailData/OpenedAttachmentsV2.plist']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: 
@@ -422,10 +474,10 @@ - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailPOP -doc: Mail POP Synched Mailboxes +doc: Mail POP Synched Mailboxes. Until now only V2, V3 and V5 have been observed. sources: - type: FILE - attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/POP-*/*']} + attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/POP-*/*']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: @@ -455,10 +507,10 @@ - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailSignatures -doc: Mail Signatures by Account +doc: Mail Signatures by Account. Until now only V2, V3 and V5 have been observed. sources: - type: FILE - attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/MailData/Signatures/*']} + attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/MailData/Signatures/*']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: @@ -486,6 +538,18 @@ labels: [System] supported_os: [Darwin] --- +name: MacOSNotificationCenter +doc: MacOS NotificationCenter database +sources: +- type: FILE + attributes: + paths: + - '/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db2/db' + - '/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db/db' + - '%%users.homedir%%/Library/Application Support/NotificationCenter/*.db' +labels: [Users, Logs] +supported_os: [Darwin] +--- name: MacOSPeriodicSystemFunctions doc: Periodic system functions scripts and configuration sources: @@ -500,6 +564,9 @@ - '/etc/daily.local/*' - '/etc/weekly.local/*' - '/etc/monthly.local/*' + - '/etc/periodic/daily/*' + - '/etc/periodic/weekly/*' + - '/etc/periodic/monthly/*' labels: [System] supported_os: [Darwin] urls: 
@@ -539,57 +606,16 @@ This plist contains the names of volumes mounted on the desktop that have appeared in the sidebar list. sources: - type: FILE - attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.sidebarlists.plist']} + attributes: + paths: + - '%%users.homedir%%/Library/Preferences/com.apple.sidebarlists.plist' + - '%%users.homedir%%/Preferences/com.apple.sidebarlists.plist' labels: [Users, External Media] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences' --- -name: MacOSSkypechatsync -doc: Chat Sync Directory -sources: -- type: FILE - attributes: {paths: ['%%users.homedir%%/Library/Application Support/Skype/*/chatsync/*']} -labels: [Users, Software, IM] -supported_os: [Darwin] -urls: -- 'http://forensicswiki.org/wiki/Mac_OS_X' -- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype' ---- -name: MacOSSkypeDb -doc: Main Skype database -sources: -- type: FILE - attributes: {paths: ['%%users.homedir%%/Library/Application Support/Skype/*/Main.db']} -labels: [Users, Software, IM] -supported_os: [Darwin] -urls: -- 'http://forensicswiki.org/wiki/Mac_OS_X' -- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype' ---- -name: MacOSSkypePreferences -doc: Skype Preferences and Recent Searches -sources: -- type: FILE - attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.skype.skype.plist']} -labels: [Users, Software, IM] -supported_os: [Darwin] -urls: -- 'http://forensicswiki.org/wiki/Mac_OS_X' -- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype' ---- -name: MacOSSkypeUserProfile -doc: Skype User profile -sources: -- type: FILE - attributes: {paths: ['%%users.homedir%%/Library/Application Support/Skype/*/*']} -labels: [Users, Software, IM] -supported_os: [Darwin] -urls: -- 'http://forensicswiki.org/wiki/Mac_OS_X' -- 
'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype' ---- name: MacOSSleepimageFile doc: Sleepimage file which contains the content of memory before going to sleep sources: @@ -681,6 +707,32 @@ - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations' --- +name: MacOSTimeMachinePlistFile +doc: Time Machine information plist file +sources: +- type: FILE + attributes: {paths: ['/Library/Preferences/com.apple.TimeMachine.plist']} +labels: [System] +supported_os: [Darwin] +urls: +- 'http://forensicswiki.org/wiki/Mac_OS_X' +- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' +--- +name: MacOSUnifiedLogging +doc: Apple Unified Logging and Activity Tracing +sources: +- type: FILE + attributes: + paths: + - '/var/db/diagnostics/*.tracev3' + - '/var/db/diagnostics/*/*.tracev3' + - '/var/db/uuidtext/*/*' +labels: [System, Logs] +supported_os: [Darwin] +urls: +- 'http://forensicswiki.org/wiki/Mac_OS_X' +- 'https://github.com/mac4n6/Presentations/blob/master/Logs%20Unite!%20-%20Forensic%20Analysis%20of%20Apple%20Unified%20Logs/LogsUnite.pdf' +--- name: MacOSUpdate doc: Software Update sources: @@ -861,17 +913,6 @@ - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User.27s_Accounts' --- -name: MacOSTimeMachinePlistFile -doc: Time Machine information plist file -sources: -- type: FILE - attributes: {paths: ['/Library/Preferences/com.apple.TimeMachine.plist']} -labels: [System] -supported_os: [Darwin] -urls: -- 'http://forensicswiki.org/wiki/Mac_OS_X' -- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' ---- name: MacOSUserTrash doc: User Trash Folder sources: 
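Review bot: The new path `%%users.homedir%%/Preferences/com.apple.sidebarlists.plist` (no `Library/` component) is not a location I recognise on macOS; user preferences live under `~/Library/Preferences/`, which the first path already covers. If this is a deliberate catch for a non-standard or migrated layout, a trailing YAML comment saying so would stop the next reviewer from removing it as a typo; otherwise it looks like a typo of the existing line and should be dropped. The same hunk deletes the four Skype definitions — presumably moved elsewhere, but nothing visible here says where.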
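Review bot: `MacOSUnifiedLogging` collects the `.tracev3` and `uuidtext` files but not `/var/db/diagnostics/timesync/*.timesync`, which unified-log parsers need to convert the stored continuous-time values into wall-clock timestamps; without them the collected logs parse but cannot be placed reliably on a timeline. Add `- '/var/db/diagnostics/timesync/*.timesync'` to the paths. I believe the cited "Logs Unite!" deck covers this dependency, so it can be referenced in `doc`.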
@@ -883,6 +924,27 @@ - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Misc.' --- +name: MacOSUtmpFile +doc: Mac OS X utmp and wmtp login record file. +sources: +- type: FILE + attributes: + paths: + - '/var/log/wtmp' + - '/var/run/utmp' +labels: [Logs, Authentication] +supported_os: [Darwin] +urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc'] +--- +name: MacOSUtmpxFile +doc: Mac OS X 10.5 utmpx login record file. +sources: +- type: FILE + attributes: {paths: ['/var/run/utmpx']} +labels: [Logs, Authentication] +supported_os: [Darwin] +urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc'] +--- name: MacOSWirelessNetworks doc: Remembered Wireless Networks sources: diff -Nru forensic-artifacts-20170808/data/tomcat.yaml forensic-artifacts-20190113/data/tomcat.yaml --- forensic-artifacts-20170808/data/tomcat.yaml 1970-01-01 00:00:00.000000000 +0000 +++ forensic-artifacts-20190113/data/tomcat.yaml 2019-01-13 09:45:17.000000000 +0000 
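Review bot: The `doc` for `MacOSUtmpFile` has a typo — `wmtp` for `wtmp`: `doc: Mac OS X utmp and wtmp login record files.` More substantively, `/var/run/utmp` and `/var/log/wtmp` are the pre-10.5 formats that Apple replaced with utmpx, so on any supported macOS they will normally be absent; say so in `doc` so that a missing file is not interpreted as log clearing. `MacOSUtmpxFile`'s doc reads "Mac OS X 10.5 utmpx login record file." — "10.5 and later" is what I believe is meant, since utmpx is still the live format.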
@@ -0,0 +1,102 @@
+# Apache Tomcat artifacts.
+
+name: TomcatFiles
+doc: Tomcat files.
+sources:
+- type: ARTIFACT_GROUP
+ attributes:
+ names:
+ - 'TomcatLogFiles'
+ - 'TomcatPasswordFile'
+labels: [Software]
+supported_os: [Darwin,Linux,Windows]
+---
+name: TomcatLogFiles
+doc: Tomcat log files.
+sources:
+- type: FILE
+ attributes:
+ paths:
+ - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
+ - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
+ - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
+ - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
+ - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
+ - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
+ - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\access_log*'
+ - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\access_log*'
+ - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\access_log*'
+ - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
+ - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
+ - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
+ separator: '\'
+ supported_os: [Windows]
+- type: FILE
+ attributes:
+ paths:
+ - '/usr/local/tomcat*/logs/catalina.out'
+ - '/opt/tomcat*/logs/catalina.out'
+ - '/usr/share/tomcat*/logs/catalina.out'
+ - '/var/lib/tomcat*/logs/catalina.out'
+ - '/usr/local/tomcat*/logs/access_log*'
+ - '/opt/tomcat*/logs/access_log*'
+ - '/usr/share/tomcat*/logs/access_log*'
+ - '/var/lib/tomcat*/logs/access_log*'
+ - '/usr/local/tomcat*/logs/**/catalina.out'
+ - '/opt/tomcat*/logs/**/catalina.out'
+ - '/usr/share/tomcat*/logs/**/catalina.out'
+ - '/var/lib/tomcat*/logs/**/catalina.out'
+ - 
'/usr/local/tomcat*/logs/**/access_log*'
+ - '/opt/tomcat*/logs/**/access_log*'
+ - '/usr/share/tomcat*/logs/**/access_log*'
+ - '/var/lib/tomcat*/logs/**/access_log*'
+ supported_os: [Linux]
+- type: FILE
+ attributes:
+ paths:
+ - '/Library/Tomcat/logs/catalina.out'
+ - '/usr/local/apache-tomcat*/logs/catalina.out'
+ - '/usr/local/Cellar/tomcat*/logs/catalina.out' # Default location for Homebrew
+ - '/Library/Tomcat/logs/**/catalina.out'
+ - '/usr/local/apache-tomcat*/logs/**/catalina.out'
+ - '/usr/local/Cellar/tomcat*/logs/**/catalina.out' # Default location for Homebrew
+ - '/Library/Tomcat/logs/access_log*'
+ - '/usr/local/apache-tomcat*/logs/access_log*'
+ - '/usr/local/Cellar/tomcat*/logs/access_log*' # Default location for Homebrew
+ - '/Library/Tomcat/logs/**/access_log*'
+ - '/usr/local/apache-tomcat*/logs/**/access_log*'
+ - '/usr/local/Cellar/tomcat*/logs/**/access_log*' # Default location for Homebrew
+ supported_os: [Darwin]
+supported_os: [Windows,Linux,Darwin]
+urls:
+- 'https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Access_Logging'
+- 'https://tomcat.apache.org/tomcat-8.0-doc/logging.html'
+---
+name: TomcatPasswordFile
+doc: Tomcat password file.
+sources: +- type: FILE + attributes: + paths: + - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml' + - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml' + - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml' + separator: '\' + supported_os: [Windows] +- type: FILE + attributes: + paths: + - '/opt/tomcat*/conf/tomcat-users.xml' + - '/usr/local/tomcat*/conf/tomcat-users.xml' + - '/usr/share/tomcat*/conf/tomcat-users.xml' + - '/var/lib/tomcat*/conf/tomcat-users.xml' + supported_os: [Linux] +- type: FILE + attributes: + paths: + - '/Library/Tomcat/conf/tomcat-users.xml' + - '/usr/local/apache-tomcat-*/conf/tomcat-users.xml' + - '/usr/local/Cellar/tomcat/*/conf/tomcat-users.xml' # Default location for Homebrew + supported_os: [Darwin] +supported_os: [Windows,Linux,Darwin] +urls: ['https://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html#Configuring_Manager_Application_Access'] diff -Nru forensic-artifacts-20170808/data/unix_common.yaml forensic-artifacts-20190113/data/unix_common.yaml --- forensic-artifacts-20170808/data/unix_common.yaml 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/data/unix_common.yaml 2019-01-13 09:45:17.000000000 +0000 @@ -157,9 +157,9 @@ - type: FILE attributes: paths: - - '/%%users.homedir%%/.bash_history' - - '/%%users.homedir%%/.sh_history' - - '/%%users.homedir%%/.zhistory' - - '/%%users.homedir%%/.zsh_history' + - '%%users.homedir%%/.bash_history' + - '%%users.homedir%%/.sh_history' + - '%%users.homedir%%/.zhistory' + - '%%users.homedir%%/.zsh_history' labels: [History Files] supported_os: [Linux, Darwin] diff -Nru forensic-artifacts-20170808/data/webbrowser.yaml forensic-artifacts-20190113/data/webbrowser.yaml --- forensic-artifacts-20170808/data/webbrowser.yaml 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/data/webbrowser.yaml 2019-01-13 09:45:17.000000000 +0000 
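Review bot: The `access_log*` globs in `TomcatLogFiles` will not match Tomcat's out-of-the-box access log, because the stock `conf/server.xml` configures the `AccessLogValve` with `prefix="localhost_access_log"` and `suffix=".txt"`, producing names like `localhost_access_log.2019-01-13.txt`; unless the collector's glob is unanchored, `*access_log*` is needed on all three platforms. `TomcatPasswordFile` collects `tomcat-users.xml`, which holds manager/admin credentials (cleartext unless a `CredentialHandler` is configured) and is pulled in by the `TomcatFiles` group, so its `doc` should say so, e.g. `doc: Tomcat user database (tomcat-users.xml). Contains credentials; handle as sensitive.` Debian/Ubuntu and RHEL packages keep the instance under `/var/lib/tomcat*` (covered) but log to `/var/log/tomcat*/` and keep `conf/` in `/etc/tomcat*/`, usually via symlinks, so `- '/var/log/tomcat*/catalina.out'` and `- '/etc/tomcat*/tomcat-users.xml'` would catch installs where symlinks are not followed. The Homebrew paths differ between the two definitions (`/usr/local/Cellar/tomcat*/logs/...` vs `/usr/local/Cellar/tomcat/*/conf/...`); I'd expect the `tomcat/<version>/libexec/...` shape to be closer to the real layout, but verify against a current bottle.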
@@ -23,6 +23,7 @@ - 'FirefoxHistory' - 'InternetExplorerHistory' - 'OperaHistory' + - 'SafariDownloads' - 'SafariHistory' labels: [Browser] supported_os: [Darwin,Linux,Windows] @@ -81,6 +82,7 @@ - type: FILE attributes: paths: + - '%%users.homedir%%/.cache/google-chrome/Cache/*' - '%%users.homedir%%/.cache/google-chrome/*/Cache/*' - '%%users.homedir%%/.cache/google-chrome/*/Media Cache/*' - '%%users.homedir%%/.cache/google-chrome/PnaclTranslationCache/*' @@ -88,6 +90,7 @@ - '%%users.homedir%%/.config/google-chrome/*/Cache/*' - '%%users.homedir%%/.config/google-chrome/*/Media Cache/*' - '%%users.homedir%%/.config/google-chrome/*/GPUCache/*' + - '%%users.homedir%%/.cache/chromium/Cache/*' - '%%users.homedir%%/.cache/chromium/*/Cache/*' - '%%users.homedir%%/.cache/chromium/*/Media Cache/*' - '%%users.homedir%%/.cache/chromium/PnaclTranslationCache/*' @@ -98,7 +101,7 @@ supported_os: [Linux] supported_os: [Windows,Darwin,Linux] labels: [Browser] -urls: ['http://www.forensicswiki.org/wiki/Google_Chrome'] +urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/webbrowser/ChromeCache.md'] --- name: ChromeHistory doc: Chrome browser history. 
@@ -256,14 +259,15 @@ - type: FILE attributes: paths: - - '%%users.homedir%%/.cache/.mozilla/firefox/*.default/Cache/*' - - '%%users.homedir%%/.cache/.mozilla/firefox/*.default/cache2/*' - - '%%users.homedir%%/.cache/.mozilla/firefox/*.default/cache2/doomed/*' - - '%%users.homedir%%/.cache/.mozilla/firefox/*.default/cache2/entries/*' + - '%%users.homedir%%/.mozilla/firefox/*.default/Cache/*' + - '%%users.homedir%%/.cache/mozilla/firefox/*.default/Cache/*' + - '%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/*' + - '%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/doomed/*' + - '%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/entries/*' supported_os: [Linux] supported_os: [Windows,Darwin,Linux] labels: [Browser] -urls: ['http://forensicswiki.org/wiki/Mozilla_Firefox'] +urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/webbrowser/FirefoxCache.md'] --- name: FirefoxHistory doc: Firefox browser history (places.sqlite). @@ -304,12 +308,15 @@ Microsoft Internet Explorer (MSIE) browser cache. * MSIE 4 - 9 Temporary Internet files. + * MSIE 10 INetCache files. sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\*\*' - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\*\*' + - '%%users.localappdata%%\Microsoft\Windows\INetCache\IE\*\*' + - '%%users.localappdata%%\Microsoft\Windows\INetCache\Low\*\*' separator: '\' labels: [Browser] supported_os: [Windows] 
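Review bot: The corrected Linux Firefox cache paths still select profiles with `*.default` only; Firefox from roughly version 67 creates profiles named `<random>.default-release` (and `.default-esr` on ESR), which this glob does not match, so the cache of the profile actually in use is skipped on current installs. `*.default*` covers both forms, e.g. `- '%%users.homedir%%/.cache/mozilla/firefox/*.default*/cache2/entries/*'`. The Windows and Darwin sources of this definition begin before this hunk; if they use the same `*.default` pattern they need the same change.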
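Review bot: The added IE path `INetCache\Low\*\*` sits directly under `Low`, but the low-integrity cache I have seen on Windows 8/10 is at `%LOCALAPPDATA%\Microsoft\Windows\INetCache\Low\IE\<random>\`, mirroring the `IE` level of the first new path; `- '%%users.localappdata%%\Microsoft\Windows\INetCache\Low\IE\*\*'` would match it (keep the existing line as well if a flat layout also occurs). The doc bullet `MSIE 10 INetCache files.` is narrower than the path's users — IE 11 and other WinINet clients write there too — so `MSIE 10 and later (WinINet) INetCache files.` is more accurate.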
@@ -481,6 +488,26 @@ labels: [Browser] urls: ['http://www.forensicswiki.org/wiki/Apple_Safari'] --- +name: SafariDownloads +doc: Safari downloads history (Downloads.plist). +sources: +- type: FILE + attributes: {paths: ['%%users.homedir%%/Library/Safari/Downloads.plist']} + supported_os: [Darwin] +- type: FILE + attributes: + paths: + - '%%users.localappdata%%\Apple Computer\Safari\Downloads.plist' + - '%%users.appdata%%\Apple Computer\Safari\Downloads.plist' + separator: '\' + supported_os: [Windows] +labels: [Users, Browser] +supported_os: [Darwin, Windows] +urls: +- 'http://forensicswiki.org/wiki/Mac_OS_X' +- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Safari' +- 'https://www.forensicswiki.org/wiki/Apple_Safari' +--- name: SafariHistory doc: Safari browser history (History.plist). sources: diff -Nru forensic-artifacts-20170808/data/webservers.yaml forensic-artifacts-20190113/data/webservers.yaml --- forensic-artifacts-20170808/data/webservers.yaml 1970-01-01 00:00:00.000000000 +0000 +++ forensic-artifacts-20190113/data/webservers.yaml 2019-01-13 09:45:17.000000000 +0000 
@@ -0,0 +1,35 @@ +# Webserver related artifacts. + +name: NginxAccessLogs +doc: Location where nginx access logs are stored +sources: +- type: FILE + attributes: + paths: + - '/var/log/nginx/access.log*' +labels: [Software, Logs] +supported_os: [Linux] +--- +name: ApacheAccessLogs +doc: Location where Apache access logs are stored +sources: +- type: FILE + attributes: + paths: + - '/var/log/apache/access.log*' + - '/var/log/apache2/access.log*' + - '/var/log/httpd/access.log' +labels: [Software, Logs] +supported_os: [Linux] +--- +name: WordpressConfigFile +doc: WordPress configuration file +sources: +- type: FILE + attributes: + paths: + - '/wp/wp-config.php' + - '/var/www/wp-config.php' + - '/var/www/**/wp-config.php' +labels: [Configuration Files] +supported_os: [Linux, Darwin] diff -Nru forensic-artifacts-20170808/data/windows.yaml forensic-artifacts-20190113/data/windows.yaml --- forensic-artifacts-20170808/data/windows.yaml 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/data/windows.yaml 2019-01-13 09:45:17.000000000 +0000 @@ -15,6 +15,22 @@ - 'https://support.microsoft.com/en-us/kb/929200' - 'https://en.wikipedia.org/wiki/Active_Desktop' --- +name: WindowsActivitiesCache +doc: | + Windows activities cache SQLite database. + + This file is available since Windows 10 and version 1803. +sources: +- type: FILE + attributes: + paths: ['%%users.homedir%%\AppData\Local\ConnectedDevicesPlatform\L.%%users.username%%\ActivitiesCache.db'] + separator: '\' +labels: [Users] +supported_os: [Windows] +urls: +- 'https://cclgroupltd.com/windows-10-timeline-forensic-artefacts/' +- 'https://salt4n6.com/2018/05/03/windows-10-timeline-forensic-artefacts/amp/' +--- name: WindowsAlternateShell doc: Alternate Shell to be run via Userinit. sources: 
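Review bot: `ApacheAccessLogs` lists `/var/log/httpd/access.log` with no rotation glob, but the RHEL/CentOS/Fedora httpd package writes `/var/log/httpd/access_log` (underscore, no extension), so the third path as written matches nothing on the platform it targets; `- '/var/log/httpd/access_log*'` is the form to use, keeping the `.log*` globs on the other two. Error logs (`/var/log/apache2/error.log*`, `/var/log/httpd/error_log*`, `/var/log/nginx/error.log*`) are where exploitation attempts and 500s surface and are missing from both definitions. `WordpressConfigFile` collects `wp-config.php`, which holds the database credentials and the auth salts, so its `doc` should flag it as sensitive; the bare `/wp/wp-config.php` path looks site-specific rather than a distribution default and deserves a comment or removal.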
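Review bot: `WindowsActivitiesCache` names `ActivitiesCache.db` alone; it is an SQLite database that, from what I have seen, runs in WAL mode, so the newest timeline entries sit in `ActivitiesCache.db-wal` until checkpointed and a copy of the `.db` alone lacks them. Use `paths: ['%%users.homedir%%\AppData\Local\ConnectedDevicesPlatform\L.%%users.username%%\ActivitiesCache.db*']`. The `L.%%users.username%%` segment assumes the folder name equals the account name, which holds for local accounts but I am not certain of for Azure AD or Microsoft-account profiles; a `doc` caveat would help whoever finds nothing there.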
@@ -196,7 +212,6 @@ attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName', value: 'ComputerName'} -provides: [hostname] supported_os: [Windows] --- name: WindowsCommandProcessorAutoRun @@ -423,17 +438,36 @@ supported_os: [Windows] urls: ['http://environmentvariables.org/ProgramData'] --- +name: WindowsEnvironmentVariableProfilesDirectory +doc: Folder that typically contains users' profile directories; default is '%SystemDrive%\Users' +sources: +- type: REGISTRY_VALUE + attributes: + key_value_pairs: + - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProfilesDirectory'} +provides: [environ_profilesdirectory] +supported_os: [Windows] +urls: +- 'https://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx' +- 'https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-recognized-environment-variables' +- 'http://support.microsoft.com/kb//214653' +--- name: WindowsEnvironmentVariableAllUsersProfile -doc: The %AllUsersProfile% environment variable. +doc: | + The %AllUsersProfile% environment variable + + May or may not depend on registry keys - see urls sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'AllUsersProfile'} - - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProfilesDirectory'} provides: [environ_allusersprofile] supported_os: [Windows] -urls: ['http://support.microsoft.com/kb//214653'] +urls: +- 'https://www.microsoft.com/en-us/wdsi/help/folder-variables' +- 'https://github.com/mirror/reactos/blob/c6d2b35ffc91e09f50dfb214ea58237509329d6b/reactos/boot/bootdata/livecd.inf' +- 'http://support.microsoft.com/kb//214653' --- name: WindowsEnvironmentVariableAppxProcess doc: | 
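Review bot: With `provides: [hostname]` removed from the `ComputerName` registry artifact, nothing visible in this diff provides the `hostname` knowledge-base value any more, and the change gives no replacement; any collector or artifact that consumes `%%hostname%%` stops resolving unless something outside this diff now provides it, which is worth confirming or stating in the commit message. In the new `WindowsEnvironmentVariableProfilesDirectory` the third URL `http://support.microsoft.com/kb//214653` carries a doubled slash, copied from the existing entry below it; `https://support.microsoft.com/kb/214653` is the intended form. The added doc text "May or may not depend on registry keys - see urls" is vague — state the finding, e.g. `AllUsersProfile is set by the profile service and is not necessarily present as a registry value; see urls.` if that is what was established.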
@@ -630,6 +664,19 @@ supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] --- +name: WindowsXMLEventLogSysmon +doc: Sysmon Windows XML Event Log. +sources: +- type: FILE + attributes: + paths: ['%%environ_systemroot%%\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx'] + separator: '\' +labels: [Logs] +supported_os: [Windows] +urls: +- 'https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon' +- 'https://blogs.technet.microsoft.com/motiba/2016/10/18/sysinternals-sysmon-unleashed' +--- name: WindowsXMLEventLogSystem doc: System Windows XML Event Log. sources: @@ -869,6 +916,37 @@ supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/ms678415(v=vs.85).aspx'] --- +name: WindowsFirewallLogFile +doc: Windows Firewall default logfile +sources: +- type: FILE + attributes: + paths: ['%%environ_systemroot%%\System32\logfiles\firewall\pfirewall.log'] + separator: '\' +labels: [System] +supported_os: [Windows] +urls: ['https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/configure-the-windows-firewall-log'] +--- +name: WindowsFirewallEnabledRules +doc: Command to list the enabled Windows Firewall rules. +sources: +- type: COMMAND + attributes: + args: ["advfirewall", "monitor", "show", "firewall", "rule", "name=all"] + cmd: netsh.exe +labels: [System] +supported_os: [Windows] +--- +name: WindowsFirewallRules +doc: Command to list the configured Windows Firewall rules. +sources: +- type: COMMAND + attributes: + args: ["advfirewall", "firewall", "show", "rule", "name=all"] + cmd: netsh.exe +labels: [System] +supported_os: [Windows] +--- name: WindowsGroupPolicyScripts doc: Windows group policy scripts sources: 
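Review bot: WindowsFirewallLogFile collects only `pfirewall.log`, but Windows Firewall rotates the file to `pfirewall.log.old` when it reaches its size limit, so the older half of the history is missed; add `- '%%environ_systemroot%%\System32\logfiles\firewall\pfirewall.log.old'`. The doc should also warn that firewall logging is off by default and that the path is configurable per profile (the `LogFilePath` value under the firewall policy's per-profile `Logging` keys), so an absent file is not evidence of no traffic and a non-default location needs the registry checked first. The two netsh COMMAND sources give `cmd: netsh.exe` with no path; unless the collector resolves it against `%SystemRoot%\System32` itself, a planted `netsh.exe` earlier on the PATH of a compromised host would be what runs, so spell it as `%%environ_systemroot%%\System32\netsh.exe` if the COMMAND type expands variables in `cmd`.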
@@ -1267,6 +1345,17 @@ supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Programs%20Cache%20values.asciidoc'] --- +name: WindowsProxyPACAutoConfigURL +doc: Windows Proxy PAC AutoConfigURL. +sources: +- type: REGISTRY_VALUE + attributes: + key_value_pairs: + - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'AutoConfigURL'} +labels: [System, Network] +supported_os: [Windows] +urls: ['https://blogs.msdn.microsoft.com/askie/2015/07/17/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp/'] +--- name: WindowsRecentFileCacheBCF doc: The RecentFileCache.bcf file. sources: @@ -1300,6 +1389,19 @@ supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/wiki/System-keys'] --- +name: WindowsRegistryFilesAndTransactionLogs +doc: Windows user and system Registry files and transaction logs. +sources: +- type: ARTIFACT_GROUP + attributes: + names: + - 'WindowsSystemRegistryFiles' + - 'WindowsSystemRegistryTransactionLogFiles' + - 'WindowsUserRegistryFiles' + - 'WindowsUserRegistryTransactionLogFiles' +labels: [System,Users] +supported_os: [Windows] +--- name: WindowsRegistryProfiles doc: | Get SIDs for all users on the system with profiles present in the Registry. @@ -1314,6 +1416,17 @@ supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx'] --- +name: WindowsReleaseIdentifier +doc: | + The Windows 10 release identifier (or version number). + + This Windows Registry value contains the semi-annual Windows 10 version number. +sources: +- type: REGISTRY_VALUE + attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'ReleaseID'}]} +supported_os: [Windows] +urls: ['https://www.microsoft.com/en-us/itpro/windows-10/release-information'] +--- name: WindowsRoverAutostartDLL doc: | Windows Rover autostart DLL. 
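Review bot: WindowsProxyPACAutoConfigURL reads only the per-user hive, but when proxy settings are machine-wide (`ProxySettingsPerUser` set to 0 under the Internet Settings policy key) the same `AutoConfigURL` value lives under `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings`, and a PAC planted there redirects every user's traffic; add that key as a second `key_value_pairs` entry, and mention in `doc` that a `Wow6432Node` copy may exist on 64-bit systems. Since a PAC URL is a well-known traffic-interception and persistence point, the doc would help triage if it said so rather than just repeating the value name. Minor style point: `labels: [System,Users]` in WindowsRegistryFilesAndTransactionLogs omits the space after the comma used by every other `labels` list in the file.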
@@ -1795,6 +1908,47 @@ supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc728472(v=ws.10).aspx'] --- +name: WindowsSystemRegistryFilesBackup +doc: Backup of Windows system Registry files. +sources: +- type: FILE + attributes: + paths: + - '%%environ_systemroot%%\System32\config\RegBack\SAM' + - '%%environ_systemroot%%\System32\config\RegBack\SECURITY' + - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE' + - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM' + separator: '\' +labels: [System] +supported_os: [Windows] +urls: ['https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md#types-of-files'] +--- +name: WindowsSystemRegistryTransactionLogFilesBackup +doc: | + Backup of Windows system Registry transaction log files. + + These files have been observed to be typically 0 byte in size. +sources: +- type: FILE + attributes: + paths: + - '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG' + - '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG1' + - '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG2' + - '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG' + - '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG1' + - '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG2' + - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG' + - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG1' + - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG2' + - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG' + - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG1' + - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG2' + separator: '\' +labels: [System] +supported_os: [Windows] +urls: ['https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md#types-of-files'] +--- name: WindowsSystemRegistryFiles doc: Windows system Registry files. sources: 
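Review bot: WindowsSystemRegistryFilesBackup omits `RegBack\DEFAULT`, which the RegIdleBackup task writes alongside the four listed hives, and WindowsSystemRegistryTransactionLogFilesBackup likewise omits `DEFAULT.LOG*`; add `- '%%environ_systemroot%%\System32\config\RegBack\DEFAULT'` and the matching `DEFAULT.LOG`, `.LOG1` and `.LOG2` entries. Both docs should also note that on Windows 10 1803 and later the task no longer populates RegBack unless `EnablePeriodicBackup` is set under `HKLM\System\CurrentControlSet\Control\Session Manager\Configuration Manager`, so on those systems the backup hives themselves are commonly 0 bytes, not only the transaction logs as the second doc observes. Without that caveat an analyst may read an empty RegBack as tampering.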
@@ -1811,6 +1965,50 @@ supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/wiki/Registry-files'] --- +name: WindowsSystemRegistryTransactionLogFiles +doc: Windows system Registry transaction log files. +sources: +- type: FILE + attributes: + paths: + - '%%environ_systemroot%%\System32\config\SAM.LOG' + - '%%environ_systemroot%%\System32\config\SAM.LOG1' + - '%%environ_systemroot%%\System32\config\SAM.LOG2' + - '%%environ_systemroot%%\System32\config\SECURITY.LOG' + - '%%environ_systemroot%%\System32\config\SECURITY.LOG1' + - '%%environ_systemroot%%\System32\config\SECURITY.LOG2' + - '%%environ_systemroot%%\System32\config\SOFTWARE.LOG' + - '%%environ_systemroot%%\System32\config\SOFTWARE.LOG1' + - '%%environ_systemroot%%\System32\config\SOFTWARE.LOG2' + - '%%environ_systemroot%%\System32\config\SYSTEM.LOG' + - '%%environ_systemroot%%\System32\config\SYSTEM.LOG1' + - '%%environ_systemroot%%\System32\config\SYSTEM.LOG2' + separator: '\' +labels: [System] +supported_os: [Windows] +urls: ['https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md#format-of-transaction-log-files'] +--- +name: WindowsSystemRegistryFilesAndTransactionLogs +doc: Windows system Registry files and transaction logs. +sources: +- type: ARTIFACT_GROUP + attributes: + names: + - 'WindowsSystemRegistryFiles' + - 'WindowsSystemRegistryTransactionLogFiles' +labels: [System] +supported_os: [Windows] +--- +name: WindowsSystemResourceUsageMonitorDatabaseFile +doc: Windows System Resource Usage Monitor (SRUM) database file. +sources: +- type: FILE + attributes: + paths: ['%%environ_systemroot%%\System32\sru\SRUDB.dat'] + separator: '\' +supported_os: [Windows] +urls: ['https://github.com/libyal/esedb-kb/blob/master/documentation/System%20Resource%20Usage%20Monitor%20(SRUM).asciidoc'] +--- name: WindowsTempDirectories doc: Contents of the Windows temporary directories sources: 
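Review bot: WindowsSystemRegistryTransactionLogFiles lists SAM/SECURITY/SOFTWARE/SYSTEM but not `DEFAULT.LOG*`, so a dirty DEFAULT hive (assuming WindowsSystemRegistryFiles, outside this hunk, collects it) cannot have its pending transactions replayed; add `- '%%environ_systemroot%%\System32\config\DEFAULT.LOG'` plus the `.LOG1` and `.LOG2` variants. WindowsSystemResourceUsageMonitorDatabaseFile takes only `SRUDB.dat`, yet SRUM is an ESE database that is routinely in a dirty state on a live system and needs its companion log, reserve and checkpoint files for `esentutl /r` recovery; add `- '%%environ_systemroot%%\System32\sru\*.log'` together with `*.jrs` and `*.chk` globs under the same directory. That definition is also the only one in the hunk without `labels`; `labels: [System]` would match its neighbours.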
@@ -1889,6 +2087,17 @@ supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/aa372105(v=vs.85).aspx'] --- +name: WindowsUpdateBuildRevision +doc: | + Windows kernel update build revision (UBR). + + This Windows Registry value contains the monthly rollup patch version. +sources: +- type: REGISTRY_VALUE + attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'UBR'}]} +supported_os: [Windows] +urls: ['https://social.technet.microsoft.com/Forums/en-US/cadee4de-24d0-403e-9f3e-75868abf8f34'] +--- name: WindowsUpdateStatus doc: Windows auto update status. sources: @@ -1922,8 +2131,8 @@ - type: FILE attributes: paths: - - '%%users.appdata%%\Roaming\Microsoft\Office\Recent\*' - - '%%users.appdata%%\Roaming\Microsoft\Windows\Recent\*' + - '%%users.appdata%%\Microsoft\Office\Recent\*' + - '%%users.appdata%%\Microsoft\Windows\Recent\*' separator: '\' labels: [Users] supported_os: [Windows] 
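Review bot: WindowsUpdateBuildRevision carries no `labels` although the neighbouring system definitions use `labels: [System]`, and its doc calls UBR a "kernel" revision although the value is conventionally the revision field of the whole OS build number (the fourth component shown by winver, e.g. 17763.253) rather than anything kernel-specific; `doc: Windows Update Build Revision (UBR), the revision component of the OS build number, incremented by cumulative updates.` reads more accurately. The only `urls` entry is a forum thread; the Microsoft release-information page already cited by WindowsReleaseIdentifier (outside this hunk) lists the UBR per update and is the more durable reference.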
@@ -1942,6 +2151,34 @@ supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/wiki/Registry-files'] --- +name: WindowsUserRegistryTransactionLogFiles +doc: Windows user Registry transaction log files. +sources: +- type: FILE + attributes: + paths: + - '%%users.homedir%%\NTUSER.DAT.LOG' + - '%%users.homedir%%\NTUSER.DAT.LOG1' + - '%%users.homedir%%\NTUSER.DAT.LOG2' + - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG' + - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG1' + - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG2' + separator: '\' +labels: [Users] +supported_os: [Windows] +urls: ['https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md#format-of-transaction-log-files'] +--- +name: WindowsUserRegistryFilesAndTransactionLogs +doc: Windows user Registry files and transaction logs. +sources: +- type: ARTIFACT_GROUP + attributes: + names: + - 'WindowsUserRegistryFiles' + - 'WindowsUserRegistryTransactionLogFiles' +labels: [Users] +supported_os: [Windows] +--- name: WindowsUserShellFolders doc: The Shell Folders information for Windows users. sources: diff -Nru forensic-artifacts-20170808/data/wmi.yaml forensic-artifacts-20190113/data/wmi.yaml --- forensic-artifacts-20170808/data/wmi.yaml 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/data/wmi.yaml 2019-01-13 09:45:17.000000000 +0000 
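Review bot: WindowsUserRegistryTransactionLogFiles covers the `.LOG`/`.LOG1`/`.LOG2` files but not the Kernel Transaction Manager files that sit beside them on Vista and later — `NTUSER.DAT{<GUID>}.TM.blf` and `NTUSER.DAT{<GUID>}.TMContainer*.regtrans-ms`, with UsrClass.dat equivalents — which can hold data from transactional registry operations that never reached the hive or its LOG files and are of forensic interest; add globs such as `- '%%users.homedir%%\NTUSER.DAT{*}.TM.blf'` and `- '%%users.homedir%%\NTUSER.DAT{*}.TMContainer*.regtrans-ms'`, mirrored under `%%users.localappdata%%\Microsoft\Windows\UsrClass.dat{*}`. If they are deliberately out of scope, say so in `doc` so readers do not take the LOG1/LOG2 pair as the complete set.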
@@ -21,6 +21,13 @@ supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507(v=vs.85).aspx'] --- +name: WMIAntivirusProduct +doc: Enumerate the registered antivirus. +sources: +- type: WMI + attributes: {query: SELECT * FROM AntivirusProduct, base_object: 'winmgmts:\root\SecurityCenter2'} +supported_os: [Windows] +--- name: WMIComputerSystemProduct doc: Computer System Product including Identifiying number queried from WMI. sources: diff -Nru forensic-artifacts-20170808/debian/changelog forensic-artifacts-20190113/debian/changelog --- forensic-artifacts-20170808/debian/changelog 2018-12-01 12:06:11.000000000 +0000 +++ forensic-artifacts-20190113/debian/changelog 2019-01-16 07:52:35.000000000 +0000 @@ -1,3 +1,13 @@ +forensic-artifacts (20190113-1) unstable; urgency=medium + + * Team upload + * New upstream version 20190113 + * Bump Debhelper compat level + * Bump Standards-Version + * Update patches + + -- Hilko Bengen Wed, 16 Jan 2019 08:52:35 +0100 + forensic-artifacts (20170808-3) unstable; urgency=medium * Change maintainer to Security Tools Team. diff -Nru forensic-artifacts-20170808/debian/compat forensic-artifacts-20190113/debian/compat --- forensic-artifacts-20170808/debian/compat 2018-12-01 11:58:02.000000000 +0000 +++ forensic-artifacts-20190113/debian/compat 2019-01-15 10:17:21.000000000 +0000 @@ -1 +1 @@ -11 +12 diff -Nru forensic-artifacts-20170808/debian/control forensic-artifacts-20190113/debian/control --- forensic-artifacts-20170808/debian/control 2018-12-01 12:00:11.000000000 +0000 +++ forensic-artifacts-20190113/debian/control 2019-01-15 10:17:21.000000000 +0000 @@ -3,7 +3,7 @@ Priority: optional Maintainer: Debian Security Tools Uploaders: Sascha Steinbiss -Build-Depends: debhelper (>= 11), +Build-Depends: debhelper (>= 12), dh-python, python-all, python-setuptools, 
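Review bot: `root\SecurityCenter2` exists only on client editions from Vista onward; Windows Server has no Security Center namespace and XP uses `root\SecurityCenter`, so WMIAntivirusProduct will fail or return nothing there, and the doc should say so: `doc: Enumerate antivirus products registered with Security Center (client editions of Windows Vista and later only; Windows Server does not expose root\SecurityCenter2).` A second source with `base_object: 'winmgmts:\root\SecurityCenter'` would cover XP if it is still in scope. The result reflects what products have registered with Security Center, not what is actually running or up to date, which is worth one sentence so the output is not over-read during triage.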
@@ -13,7 +13,7 @@ python3-yaml, yapf, yapf3 -Standards-Version: 4.1.5 +Standards-Version: 4.3.0 Vcs-Git: https://salsa.debian.org/pkg-security-team/forensic-artifacts.git Vcs-Browser: https://salsa.debian.org/pkg-security-team/forensic-artifacts Homepage: https://github.com/ForensicArtifacts/artifacts diff -Nru forensic-artifacts-20170808/debian/patches/exclude-yaml-from-modules.patch forensic-artifacts-20190113/debian/patches/exclude-yaml-from-modules.patch --- forensic-artifacts-20170808/debian/patches/exclude-yaml-from-modules.patch 2018-12-01 11:58:02.000000000 +0000 +++ forensic-artifacts-20190113/debian/patches/exclude-yaml-from-modules.patch 2019-01-16 07:51:50.000000000 +0000 @@ -2,15 +2,19 @@ These YAML files are now going into a separate binary package and do not need to come with the pybuild-generated packages. Author: Sascha Steinbiss ---- a/setup.py -+++ b/setup.py -@@ -126,9 +126,6 @@ - packages=find_packages('.', exclude=[ - 'tests', 'tests.*', 'tools', 'utils']), - package_dir={'artifacts': 'artifacts'}, +Index: artifacts/setup.py +=================================================================== +--- artifacts.orig/setup.py ++++ artifacts/setup.py +@@ -238,11 +238,4 @@ setup( + package_dir={ + 'artifacts': 'artifacts' + }, +- scripts=glob.glob(os.path.join('tools', '[a-z]*.py')), - data_files=[ -- ('share/artifacts', glob.glob(os.path.join('data', '*'))), +- ('share/artifacts', glob.glob( +- os.path.join('data', '*'))), +- ('share/doc/artifacts', [ +- 'ACKNOWLEDGEMENTS', 'AUTHORS', 'LICENSE', 'README']), - ], - install_requires=[ - 'PyYAML >= 3.11', - ], + ) diff -Nru forensic-artifacts-20170808/debian/patches/remove-scripts.patch forensic-artifacts-20190113/debian/patches/remove-scripts.patch --- forensic-artifacts-20170808/debian/patches/remove-scripts.patch 2018-12-01 11:58:02.000000000 +0000 +++ forensic-artifacts-20190113/debian/patches/remove-scripts.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,20 +0,0 @@ -Description: exclude scripts - We package these as Python modules only. -Author: Sascha Steinbiss ---- a/setup.py -+++ b/setup.py -@@ -135,10 +135,10 @@ - url='https://github.com/ForensicArtifacts/artifacts', - maintainer='ForensicArtifacts.com Artifact Repository maintainers', - maintainer_email='forensicartifacts@googlegroups.com', -- scripts=[ -- os.path.join('tools', 'stats.py'), -- os.path.join('tools', 'validator.py'), -- ], -+# scripts=[ -+# os.path.join('tools', 'stats.py'), -+# os.path.join('tools', 'validator.py'), -+# ], - cmdclass={ - 'bdist_msi': BdistMSICommand, - 'bdist_rpm': BdistRPMCommand}, diff -Nru forensic-artifacts-20170808/debian/patches/series forensic-artifacts-20190113/debian/patches/series --- forensic-artifacts-20170808/debian/patches/series 2018-12-01 11:58:02.000000000 +0000 +++ forensic-artifacts-20190113/debian/patches/series 2019-01-15 10:22:32.000000000 +0000 @@ -1,2 +1,2 @@ exclude-yaml-from-modules.patch -remove-scripts.patch + diff -Nru forensic-artifacts-20170808/dependencies.ini forensic-artifacts-20190113/dependencies.ini --- forensic-artifacts-20170808/dependencies.ini 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/dependencies.ini 2019-01-13 09:45:17.000000000 +0000 @@ -3,5 +3,5 @@ l2tbinaries_name: PyYAML minimum_version: 3.10 pypi_name: PyYAML -rpm_name: PyYAML +rpm_name: python2-pyyaml version_property: __version__ diff -Nru forensic-artifacts-20170808/MANIFEST.in forensic-artifacts-20190113/MANIFEST.in --- forensic-artifacts-20170808/MANIFEST.in 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/MANIFEST.in 2019-01-13 09:45:17.000000000 +0000 
@@ -1,5 +1,5 @@
 include ACKNOWLEDGEMENTS AUTHORS LICENSE README
-include dependencies.ini run_tests.py utils/dependencies.py
+include dependencies.ini run_tests.py utils/__init__.py utils/dependencies.py
 recursive-include config *
 recursive-include data *
 recursive-include test_data *
diff -Nru forensic-artifacts-20170808/.pylintrc forensic-artifacts-20190113/.pylintrc
--- forensic-artifacts-20170808/.pylintrc 1970-01-01 00:00:00.000000000 +0000
+++ forensic-artifacts-20190113/.pylintrc 2019-01-13 09:45:17.000000000 +0000
@@ -0,0 +1,476 @@ +# Pylint 1.7.x - 1.9.x configuration file +# +# This file is generated by l2tdevtools update-dependencies.py, any dependency +# related changes should be made in dependencies.ini. +[MASTER] + +# A comma-separated list of package or module names from where C extensions may +# be loaded. Extensions are loading into the active Python interpreter and may +# run arbitrary code +extension-pkg-whitelist= + +# Add files or directories to the blacklist. They should be base names, not +# paths. +ignore=CVS + +# Add files or directories matching the regex patterns to the blacklist. The +# regex matches against base names, not paths. +ignore-patterns= + +# Python code to execute, usually for sys.path manipulation such as +# pygtk.require(). +#init-hook= + +# Use multiple processes to speed up Pylint. +jobs=1 + +# List of plugins (as comma separated values of python modules names) to load, +# usually to register additional checkers. +load-plugins=pylint.extensions.docparams + +# Pickle collected data for later comparisons. +persistent=yes + +# Specify a configuration file. +#rcfile= + +# Allow loading of arbitrary C extensions. Extensions are imported into the +# active Python interpreter and may run arbitrary code. +unsafe-load-any-extension=no + + +[MESSAGES CONTROL] + +# Only show warnings with the listed confidence levels. Leave empty to show +# all. Valid levels: HIGH, INFERENCE, INFERENCE_FAILURE, UNDEFINED +confidence= + +# Disable the message, report, category or checker with the given id(s). You +# can either give multiple identifiers separated by comma (,) or put this +# option multiple times (only on the command line, not in the configuration +# file where it should appear only once).You can also use "--disable=all" to +# disable everything first and then reenable specific checks. For example, if +# you want to run only the similarities checker, you can use "--disable=all +# --enable=similarities". 
If you want to run only the classes checker, but have +# no Warning level messages displayed, use"--disable=all --enable=classes +# --disable=W" +# +disable= + duplicate-code, + parameter-unpacking, + raw-checker-failed, + bad-inline-option, + locally-disabled, + locally-enabled, + file-ignored, + suppressed-message, + useless-suppression, + deprecated-pragma, + no-absolute-import, + missing-param-doc, + metaclass-assignment, + eq-without-hash, + fixme, + logging-format-interpolation, + no-self-use, + too-few-public-methods, + too-many-ancestors, + too-many-boolean-expressions, + too-many-branches, + too-many-instance-attributes, + too-many-lines, + too-many-locals, + too-many-nested-blocks, + too-many-public-methods, + too-many-return-statements, + too-many-statements, + unsubscriptable-object + +# Enable the message, report, category or checker with the given id(s). You can +# either give multiple identifier separated by comma (,) or put this option +# multiple time (only on the command line, not in the configuration file where +# it should appear only once). See also the "--disable" option for examples. +enable= + + +[REPORTS] + +# Python expression which should return a note less than 10 (10 is the highest +# note). You have access to the variables errors warning, statement which +# respectively contain the number of errors / warnings messages and the total +# number of statements analyzed. This is used by the global evaluation report +# (RP0004). +evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10) + +# Template used to display messages. This is a python new-style format string +# used to format the message information. See doc for all details +#msg-template= + +# Set the output format. Available formats are text, parseable, colorized, json +# and msvs (visual studio).You can also give a reporter class, eg +# mypackage.mymodule.MyReporterClass. 
+output-format=text + +# Tells whether to display a full report or only the messages +reports=no + +# Activate the evaluation score. +# score=yes +score=no + + +[REFACTORING] + +# Maximum number of nested blocks for function / method body +max-nested-blocks=5 + + +[VARIABLES] + +# List of additional names supposed to be defined in builtins. Remember that +# you should avoid to define new builtins when possible. +additional-builtins= + +# Tells whether unused global variables should be treated as a violation. +allow-global-unused-variables=yes + +# List of strings which can identify a callback function by name. A callback +# name must start or end with one of those strings. +callbacks=cb_,_cb + +# A regular expression matching the name of dummy variables (i.e. expectedly +# not used). +dummy-variables-rgx=_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_ + +# Argument names that match this expression will be ignored. Default to name +# with leading underscore +ignored-argument-names=_.*|^ignored_|^unused_ + +# Tells whether we should check for unused import in __init__ files. +init-import=no + +# List of qualified module names which can have objects that can redefine +# builtins. +redefining-builtins-modules=six.moves,future.builtins + + +[TYPECHECK] + +# List of decorators that produce context managers, such as +# contextlib.contextmanager. Add to this list to register other decorators that +# produce valid context managers. +contextmanager-decorators=contextlib.contextmanager + +# List of members which are set dynamically and missed by pylint inference +# system, and so shouldn't trigger E1101 when accessed. Python regular +# expressions are accepted. +generated-members= + +# Tells whether missing members accessed in mixin class should be ignored. A +# mixin class is detected if its name ends with "mixin" (case insensitive). 
+ignore-mixin-members=yes + +# This flag controls whether pylint should warn about no-member and similar +# checks whenever an opaque object is returned when inferring. The inference +# can return multiple potential results while evaluating a Python object, but +# some branches might not be evaluated, which results in partial inference. In +# that case, it might be useful to still emit no-member and other checks for +# the rest of the inferred objects. +ignore-on-opaque-inference=yes + +# List of class names for which member attributes should not be checked (useful +# for classes with dynamically set attributes). This supports the use of +# qualified names. +ignored-classes=optparse.Values,thread._local,_thread._local + +# List of module names for which member attributes should not be checked +# (useful for modules/projects where namespaces are manipulated during runtime +# and thus existing member attributes cannot be deduced by static analysis. It +# supports qualified module names, as well as Unix pattern matching. +ignored-modules= + +# Show a hint with possible names when a member name was not found. The aspect +# of finding the hint is based on edit distance. +missing-member-hint=yes + +# The minimum edit distance a name should have in order to be considered a +# similar match for a missing member name. +missing-member-hint-distance=1 + +# The total number of similar names that should be taken in consideration when +# showing a hint for a missing member. 
+missing-member-max-choices=1 + + +[LOGGING] + +# Logging modules to check that the string format arguments are in logging +# function parameter format +logging-modules=logging + + +[BASIC] + +# Naming hint for argument names +# argument-name-hint=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ +argument-name-hint=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ + +# Regular expression matching correct argument names +# argument-rgx=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ +argument-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ + +# Naming hint for attribute names +# attr-name-hint=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ +attr-name-hint=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ + +# Regular expression matching correct attribute names +# attr-rgx=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ +attr-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ + +# Bad variable names which should always be refused, separated by a comma +bad-names=foo,bar,baz,toto,tutu,tata + +# Naming hint for class attribute names +# class-attribute-name-hint=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$ +class-attribute-name-hint=([A-Za-z_][A-Za-z0-9_]*|(__.*__))$ + +# Regular expression matching correct class attribute names +# class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$ +class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]*|(__.*__))$ + +# Naming hint for class names +class-name-hint=[A-Z_][a-zA-Z0-9]+$ + +# Regular expression matching correct class names +class-rgx=[A-Z_][a-zA-Z0-9]+$ + +# Naming hint for constant names +# const-name-hint=(([A-Z_][A-Z0-9_]*)|(__.*__))$ +const-name-hint=(([a-zA-Z_][a-zA-Z0-9_]*)|(__.*__))$ + +# Regular expression matching correct constant names +# const-rgx=(([A-Z_][A-Z0-9_]*)|(__.*__))$ +const-rgx=(([a-zA-Z_][a-zA-Z0-9_]*)|(__.*__))$ + +# Minimum line length for functions/classes that require docstrings, shorter +# ones are exempt. 
+docstring-min-length=-1 + +# Naming hint for function names +# function-name-hint=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ +function-name-hint=[A-Z_][a-zA-Z0-9_]*$ + +# Regular expression matching correct function names +# function-rgx=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ +function-rgx=[A-Z_][a-zA-Z0-9_]*$ + +# Good variable names which should always be accepted, separated by a comma +good-names=i,j,k,ex,Run,_ + +# Include a hint for the correct naming format with invalid-name +include-naming-hint=no + +# Naming hint for inline iteration names +inlinevar-name-hint=[A-Za-z_][A-Za-z0-9_]*$ + +# Regular expression matching correct inline iteration names +inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$ + +# Naming hint for method names +# method-name-hint=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ +method-name-hint=(test|[A-Z_])[a-zA-Z0-9_]*$ + +# Regular expression matching correct method names +# method-rgx=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ +method-rgx=(test|[A-Z_])[a-zA-Z0-9_]*$ + +# Naming hint for module names +module-name-hint=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$ + +# Regular expression matching correct module names +module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$ + +# Colon-delimited sets of names that determine each other's naming style when +# the name regexes allow several styles. +name-group= + +# Regular expression which should only match function or class names that do +# not require a docstring. +no-docstring-rgx=^_ + +# List of decorators that produce properties, such as abc.abstractproperty. Add +# to this list to register other decorators that produce valid properties. 
+property-classes=abc.abstractproperty + +# Naming hint for variable names +# variable-name-hint=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ +variable-name-hint=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ + +# Regular expression matching correct variable names +# variable-rgx=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ +variable-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ + + +[MISCELLANEOUS] + +# List of note tags to take in consideration, separated by a comma. +notes=FIXME,XXX,TODO + + +[FORMAT] + +# Expected format of line ending, e.g. empty (any line ending), LF or CRLF. +expected-line-ending-format= + +# Regexp for a line that is allowed to be longer than the limit. +ignore-long-lines=^\s*(# )??$ + +# Number of spaces of indent required inside a hanging or continued line. +indent-after-paren=4 + +# String used as indentation unit. This is usually " " (4 spaces) or "\t" (1 +# tab). +# indent-string=' ' +indent-string=' ' + +# Maximum number of characters on a single line. +# max-line-length=100 +max-line-length=80 + +# Maximum number of lines in a module +max-module-lines=1000 + +# List of optional constructs for which whitespace checking is disabled. `dict- +# separator` is used to allow tabulation in dicts, etc.: {1 : 1,\n222: 2}. +# `trailing-comma` allows a space between comma and closing bracket: (a, ). +# `empty-line` allows space-only lines. +no-space-check=trailing-comma,dict-separator + +# Allow the body of a class to be on the same line as the declaration if body +# contains single statement. +single-line-class-stmt=no + +# Allow the body of an if to be on the same line as the test if there is no +# else. +single-line-if-stmt=no + + +[SPELLING] + +# Spelling dictionary name. Available dictionaries: en_US (myspell). +spelling-dict= + +# List of comma separated words that should not be checked. +spelling-ignore-words= + +# A path to a file that contains private dictionary; one word per line. 
+spelling-private-dict-file= + +# Tells whether to store unknown words to indicated private dictionary in +# --spelling-private-dict-file option instead of raising a message. +spelling-store-unknown-words=no + + +[SIMILARITIES] + +# Ignore comments when computing similarities. +ignore-comments=yes + +# Ignore docstrings when computing similarities. +ignore-docstrings=yes + +# Ignore imports when computing similarities. +ignore-imports=no + +# Minimum lines number of a similarity. +min-similarity-lines=4 + + +[DESIGN] + +# Maximum number of arguments for function / method +# max-args=5 +max-args=10 + +# Maximum number of attributes for a class (see R0902). +max-attributes=7 + +# Maximum number of boolean expressions in a if statement +max-bool-expr=5 + +# Maximum number of branch for function / method body +max-branches=12 + +# Maximum number of locals for function / method body +max-locals=15 + +# Maximum number of parents for a class (see R0901). +max-parents=7 + +# Maximum number of public methods for a class (see R0904). +max-public-methods=20 + +# Maximum number of return / yield for function / method body +max-returns=6 + +# Maximum number of statements in function / method body +max-statements=50 + +# Minimum number of public methods for a class (see R0903). +min-public-methods=2 + + +[CLASSES] + +# List of method names used to declare (i.e. assign) instance attributes. +defining-attr-methods=__init__,__new__,setUp + +# List of member names, which should be excluded from the protected access +# warning. +exclude-protected=_asdict,_fields,_replace,_source,_make + +# List of valid names for the first argument in a class method. +valid-classmethod-first-arg=cls + +# List of valid names for the first argument in a metaclass class method. +valid-metaclass-classmethod-first-arg=mcs + + +[IMPORTS] + +# Allow wildcard imports from modules that define __all__. +allow-wildcard-with-all=no + +# Analyse import fallback blocks. 
This can be used to support both Python 2 and +# 3 compatible code, which means that the block might have code that exists +# only in one or another interpreter, leading to false positives when analysed. +analyse-fallback-blocks=no + +# Deprecated modules which should not be used, separated by a comma +deprecated-modules=optparse,tkinter.tix + +# Create a graph of external dependencies in the given file (report RP0402 must +# not be disabled) +ext-import-graph= + +# Create a graph of every (i.e. internal and external) dependencies in the +# given file (report RP0402 must not be disabled) +import-graph= + +# Create a graph of internal dependencies in the given file (report RP0402 must +# not be disabled) +int-import-graph= + +# Force import order to recognize a module as part of the standard +# compatibility libraries. +known-standard-library= + +# Force import order to recognize a module as part of a third party library. +known-third-party=enchant + + +[EXCEPTIONS] + +# Exceptions that will emit a warning when being caught. Defaults to +# "Exception" +overgeneral-exceptions=Exception diff -Nru forensic-artifacts-20170808/README forensic-artifacts-20190113/README --- forensic-artifacts-20170808/README 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/README 2019-01-13 09:45:17.000000000 +0000 
@@ -1,7 +1,8 @@ -ForensicArtifacts.com Artifact Repository +Digital Forensics Artifact Repository -A free, community-sourced, machine-readable knowledge base of forensic artifacts -that the world can use both as an information source and within other tools. +A free, community-sourced, machine-readable knowledge base of digital forensic +artifacts that the world can use both as an information source and within other +tools. For more information see: https://github.com/ForensicArtifacts/artifacts diff -Nru forensic-artifacts-20170808/README.md forensic-artifacts-20190113/README.md --- forensic-artifacts-20170808/README.md 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/README.md 2019-01-13 09:45:17.000000000 +0000 
@@ -1,20 +1,24 @@ -## ForensicArtifacts.com Artifact Repository +## Digital Forensics Artifact Repository Artifact Repository -A free, community-sourced, machine-readable knowledge base of forensic artifacts -that the world can use both as an information source and within other tools. - -If you'd like to use the artifacts in your own tools, **all you need to be able to do is read YAML**. That's it. No other dependencies. The python code in this project is just used to validate all the artifacts to make sure they follow the spec. +A free, community-sourced, machine-readable knowledge base of digital forensic +artifacts that the world can use both as an information source and within other +tools. + +If you'd like to use the artifacts in your own tools, **all you need to be able +to do is read YAML**. That's it, no other dependencies. The Python code in +this project is just used to validate all the artifacts to make sure they +follow the specfication. ### Project status -[Travis-CI](https://travis-ci.org/) | [AppVeyor](https://ci.appveyor.com) | [Coveralls](https://coveralls.io/) +[Travis-CI](https://travis-ci.org/) | [AppVeyor](https://ci.appveyor.com) | [Codecov](https://codecov.io/) --- | --- | --- -[![Build Status](https://travis-ci.org/ForensicArtifacts/artifacts.svg?branch=master)](https://travis-ci.org/ForensicArtifacts/artifacts) | [![Build status](https://ci.appveyor.com/api/projects/status/3yark6bipveg55e0?svg=true)](https://ci.appveyor.com/project/joachimmetz/artifacts) | [![Coverage Status](https://img.shields.io/coveralls/ForensicArtifacts/artifacts.svg)](https://coveralls.io/r/ForensicArtifacts/artifacts?branch=master) +[![Build Status](https://travis-ci.org/ForensicArtifacts/artifacts.svg?branch=master)](https://travis-ci.org/ForensicArtifacts/artifacts) | [![Build status](https://ci.appveyor.com/api/projects/status/7gv9fwr269527cj1?svg=true)](https://ci.appveyor.com/project/forensicartifacts/artifacts) | 
[![codecov](https://codecov.io/gh/ForensicArtifacts/artifacts/branch/master/graph/badge.svg)](https://codecov.io/gh/ForensicArtifacts/artifacts) ## Artifact Definitions -The artifact definitions are in the [definitions directory](https://github.com/ForensicArtifacts/artifacts/tree/master/definitions) and the format is described in detail in the [Style Guide](https://github.com/ForensicArtifacts/artifacts/blob/master/docs/Artifacts%20definition%20format%20and%20style%20guide.asciidoc). +The artifact definitions can be found in the [data directory](https://github.com/ForensicArtifacts/artifacts/tree/master/data) and the format is described in detail in the [Style Guide](https://github.com/ForensicArtifacts/artifacts/blob/master/docs/Artifacts%20definition%20format%20and%20style%20guide.asciidoc). As of 2015-11-20 the repository contains: @@ -59,9 +63,11 @@ Please send us your contribution! See [the developers guide](https://github.com/ForensicArtifacts/artifacts/wiki/Developers-guide) for instructions. ## External links + * [ForensicsArtifacts.com ... the definitive database](http://forensicartifacts.com/) * [GRR Artifacts](https://www.blackhat.com/docs/us-14/materials/us-14-Castle-GRR-Find-All-The-Badness-Collect-All-The-Things-WP.pdf), by Greg Castle, Blackhat 2014 ## Contact [forensicartifacts@googlegroups.com](https://groups.google.com/forum/#!forum/forensicartifacts) + diff -Nru forensic-artifacts-20170808/requirements.txt forensic-artifacts-20190113/requirements.txt --- forensic-artifacts-20170808/requirements.txt 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/requirements.txt 2019-01-13 09:45:17.000000000 +0000 
@@ -1,4 +1,2 @@ pip >= 7.0.0 -pytest -yapf -PyYAML >= 3.10 \ No newline at end of file +PyYAML >= 3.10 diff -Nru forensic-artifacts-20170808/run_tests.py forensic-artifacts-20190113/run_tests.py --- forensic-artifacts-20170808/run_tests.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/run_tests.py 2019-01-13 09:45:17.000000000 +0000 @@ -1,17 +1,21 @@ -#!/usr/bin/python +#!/usr/bin/env python # -*- coding: utf-8 -*- """Script to run the tests.""" +from __future__ import print_function + import sys import unittest # Change PYTHONPATH to include dependencies. -sys.path.insert(0, u'.') +sys.path.insert(0, '.') import utils.dependencies # pylint: disable=wrong-import-position if __name__ == '__main__': + print('Using Python version {0!s}'.format(sys.version)) + dependency_helper = utils.dependencies.DependencyHelper() if not dependency_helper.CheckTestDependencies(): diff -Nru forensic-artifacts-20170808/setup.cfg forensic-artifacts-20190113/setup.cfg --- forensic-artifacts-20170808/setup.cfg 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/setup.cfg 2019-01-13 09:45:17.000000000 +0000 @@ -1,3 +1,6 @@ +[metadata] +license_file = LICENSE + [bdist_rpm] release = 1 packager = Forensic artifacts @@ -6,4 +9,8 @@ LICENSE README build_requires = python-setuptools -requires = PyYAML >= 3.10 \ No newline at end of file +requires = python2-pyyaml >= 3.10 + +[bdist_wheel] +universal = 1 + diff -Nru forensic-artifacts-20170808/setup.py forensic-artifacts-20190113/setup.py --- forensic-artifacts-20170808/setup.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/setup.py 2019-01-13 09:45:17.000000000 +0000 @@ -1,10 +1,11 @@ -#!/usr/bin/python +#!/usr/bin/env python # -*- coding: utf-8 -*- """Installation and deployment script.""" from __future__ import print_function import glob +import locale import os import sys 
@@ -23,9 +24,21 @@ except ImportError: bdist_rpm = None -if sys.version < '2.7': +version_tuple = (sys.version_info[0], sys.version_info[1]) +if version_tuple[0] not in (2, 3): print('Unsupported Python version: {0:s}.'.format(sys.version)) - print('Supported Python versions are 2.7 or a later 2.x version.') + sys.exit(1) + +elif version_tuple[0] == 2 and version_tuple < (2, 7): + print(( + 'Unsupported Python 2 version: {0:s}, version 2.7 or higher ' + 'required.').format(sys.version)) + sys.exit(1) + +elif version_tuple[0] == 3 and version_tuple < (3, 4): + print(( + 'Unsupported Python 3 version: {0:s}, version 3.4 or higher ' + 'required.').format(sys.version)) sys.exit(1) # Change PYTHONPATH to include artifacts so that we can get the version. @@ -68,11 +81,12 @@ spec_file = bdist_rpm._make_spec_file(self) if sys.version_info[0] < 3: - python_package = 'python' + python_package = 'python2' else: python_package = 'python3' description = [] + requires = '' summary = '' in_description = False 
@@ -82,28 +96,89 @@ summary = line elif line.startswith('BuildRequires: '): - line = 'BuildRequires: {0:s}-setuptools'.format(python_package) + line = 'BuildRequires: {0:s}-setuptools, {0:s}-devel'.format( + python_package) elif line.startswith('Requires: '): + requires = line[10:] if python_package == 'python3': - line = line.replace('python', 'python3') + requires = requires.replace('python-', 'python3-') + requires = requires.replace('python2-', 'python3-') elif line.startswith('%description'): in_description = True + elif line.startswith('python setup.py build'): + if python_package == 'python3': + line = '%py3_build' + else: + line = '%py2_build' + + elif line.startswith('python setup.py install'): + if python_package == 'python3': + line = '%py3_install' + else: + line = '%py2_install' + elif line.startswith('%files'): - line = '%files -f INSTALLED_FILES -n {0:s}-%{{name}}'.format( - python_package) + lines = [ + '%files -n %{name}-data', + '%defattr(644,root,root,755)', + '%license LICENSE', + '%doc ACKNOWLEDGEMENTS AUTHORS README', + '%{_datadir}/%{name}/*', + '', + '%files -n {0:s}-%{{name}}'.format(python_package), + '%defattr(644,root,root,755)', + '%license LICENSE', + '%doc ACKNOWLEDGEMENTS AUTHORS README'] + + if python_package == 'python3': + lines.extend([ + '%{python3_sitelib}/artifacts/*.py', + '%{python3_sitelib}/artifacts*.egg-info/*', + '', + '%exclude %{_prefix}/share/doc/*', + '%exclude %{python3_sitelib}/artifacts/__pycache__/*', + '%exclude %{_bindir}/*.py']) + + else: + lines.extend([ + '%{python2_sitelib}/artifacts/*.py', + '%{python2_sitelib}/artifacts*.egg-info/*', + '', + '%exclude %{_prefix}/share/doc/*', + '%exclude %{python2_sitelib}/artifacts/*.pyc', + '%exclude %{python2_sitelib}/artifacts/*.pyo', + '%exclude %{_bindir}/*.py']) + + python_spec_file.extend(lines) + break elif line.startswith('%prep'): in_description = False + python_spec_file.extend([ + '%package -n %{name}-data', + 'Summary: Data files for {0:s}'.format(summary), 
+ '', + '%description -n %{name}-data']) + + python_spec_file.extend(description) + python_spec_file.append( '%package -n {0:s}-%{{name}}'.format(python_package)) - python_spec_file.append('{0:s}'.format(summary)) - python_spec_file.append('') - python_spec_file.append( - '%description -n {0:s}-%{{name}}'.format(python_package)) + if python_package == 'python2': + python_spec_file.extend([ + 'Obsoletes: python-artifacts < %{version}', + 'Provides: python-artifacts = %{version}']) + + python_spec_file.extend([ + 'Requires: %{{name}}-data, {0:s}'.format(requires), + '{0:s}'.format(summary), + '', + '%description -n {0:s}-%{{name}}'.format(python_package)]) + python_spec_file.extend(description) elif in_description: @@ -118,13 +193,27 @@ return python_spec_file +if version_tuple[0] == 2: + encoding = sys.stdin.encoding # pylint: disable=invalid-name + + # Note that sys.stdin.encoding can be None. + if not encoding: + encoding = locale.getpreferredencoding() + + # Make sure the default encoding is set correctly otherwise on Python 2 + # setup.py sdist will fail to include filenames with Unicode characters. + reload(sys) # pylint: disable=undefined-variable + + sys.setdefaultencoding(encoding) # pylint: disable=no-member + + artifacts_description = ( 'ForensicArtifacts.com Artifact Repository.') artifacts_long_description = ( 'A free, community-sourced, machine-readable knowledge base of forensic ' - 'artifacts that the world can use both as an information source and ' - 'within other tools.') + 'artifacts that the world can use both as an information source and within' + ' other tools.') setup( name='artifacts', 
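Review bot: `'Requires: %{{name}}-data, {0:s}'.format(requires)` produces a dangling `%{name}-data, ` when the generated spec contained no `Requires:` line, because `requires` starts as `''` and is only assigned in the `elif line.startswith('Requires: ')` branch. Build the value conditionally, e.g. `requires = '%{{name}}-data, {0:s}'.format(requires) if requires else '%{name}-data'`, and then emit `'Requires: {0:s}'.format(requires)`. `requires = line[10:]` also hard-codes the prefix length; `line[len('Requires: '):]` is self-describing. The enclosing method starts and ends outside this hunk.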
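Review bot: The `reload(sys)` / `sys.setdefaultencoding(encoding)` block changes the codec used for every implicit str/unicode coercion in the process, not only for the sdist filename handling the comment describes, so encoding mistakes anywhere else in the build are silently masked instead of raised. As far as I recall, `reload(sys)` on Python 2 also resets `sys.stdout`, `sys.stderr` and `sys.stdin` to their original streams, so any redirection installed by a wrapping tool before setup.py is imported is lost — worth confirming. If the hack has to stay, extend the comment so its scope is explicit, e.g. `# HACK: process-wide default-encoding override, Python 2 only; remove together with Python 2 support.`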
@@ -133,12 +222,8 @@ long_description=artifacts_long_description, license='Apache License, Version 2.0', url='https://github.com/ForensicArtifacts/artifacts', - maintainer='ForensicArtifacts.com Artifact Repository maintainers', + maintainer='Forensic artifacts', maintainer_email='forensicartifacts@googlegroups.com', - scripts=[ - os.path.join('tools', 'stats.py'), - os.path.join('tools', 'validator.py'), - ], cmdclass={ 'bdist_msi': BdistMSICommand, 'bdist_rpm': BdistRPMCommand}, @@ -149,12 +234,15 @@ 'Programming Language :: Python', ], packages=find_packages('.', exclude=[ - 'tests', 'tests.*', 'tools', 'utils']), - package_dir={'artifacts': 'artifacts'}, + 'docs', 'tests', 'tests.*', 'tools', 'utils']), + package_dir={ + 'artifacts': 'artifacts' + }, + scripts=glob.glob(os.path.join('tools', '[a-z]*.py')), data_files=[ - ('share/artifacts', glob.glob(os.path.join('data', '*'))), - ], - install_requires=[ - 'PyYAML >= 3.11', + ('share/artifacts', glob.glob( + os.path.join('data', '*'))), + ('share/doc/artifacts', [ + 'ACKNOWLEDGEMENTS', 'AUTHORS', 'LICENSE', 'README']), ], ) diff -Nru forensic-artifacts-20170808/.style.yapf forensic-artifacts-20190113/.style.yapf --- forensic-artifacts-20170808/.style.yapf 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/.style.yapf 2019-01-13 09:45:17.000000000 +0000 @@ -1,4 +1,7 @@ [style] based_on_style = chromium -COALESCE_BRACKETS = True -SPLIT_BEFORE_FIRST_ARGUMENT = True +allow_split_before_dict_value = False +coalesce_brackets = True +join_multiple_lines = True +split_before_first_argument = True +split_penalty_after_opening_bracket = 0 diff -Nru forensic-artifacts-20170808/test_dependencies.ini forensic-artifacts-20190113/test_dependencies.ini --- forensic-artifacts-20170808/test_dependencies.ini 1970-01-01 00:00:00.000000000 +0000 +++ forensic-artifacts-20190113/test_dependencies.ini 2019-01-13 09:45:17.000000000 +0000 
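Review bot: Dropping `install_requires` leaves the built wheel and sdist without any declared runtime dependency on PyYAML, although `requirements.txt` in this same change still lists `PyYAML >= 3.10`, so a plain `pip install` of the package presumably imports fine and fails at the first YAML read. If this is deliberate (distribution packages supply the dependency), say so where it was removed, e.g. `# install_requires is intentionally omitted; runtime dependencies are tracked in requirements.txt and the rpm/dpkg metadata.`; otherwise load them from `requirements.txt`. `scripts=glob.glob(os.path.join('tools', '[a-z]*.py'))` also installs every lower-case module that lands in `tools/` as a command-line script, not just the intended entry points; the explicit list it replaces was more predictable. The `setup(` call starts outside this hunk.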
@@ -0,0 +1,23 @@ +[funcsigs] +dpkg_name: python-funcsigs +minimum_version: 1.0.2 +python2_only: true +rpm_name: python2-funcsigs +version_property: __version__ + +[mock] +dpkg_name: python-mock +minimum_version: 2.0.0 +rpm_name: python2-mock +version_property: __version__ + +[pbr] +dpkg_name: python-pbr +minimum_version: 4.2.0 +rpm_name: python2-pbr + +[six] +dpkg_name: python-six +minimum_version: 1.1.0 +rpm_name: python2-six +version_property: __version__ diff -Nru forensic-artifacts-20170808/tests/reader_test.py forensic-artifacts-20190113/tests/reader_test.py --- forensic-artifacts-20170808/tests/reader_test.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/tests/reader_test.py 2019-01-13 09:45:17.000000000 +0000 @@ -41,7 +41,8 @@ source_type.type_indicator, definitions.TYPE_INDICATOR_FILE) expected_paths = [ - '%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx'] + '%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx' + ] self.assertEqual(sorted(source_type.paths), sorted(expected_paths)) self.assertEqual(len(artifact_definition.conditions), 1) diff -Nru forensic-artifacts-20170808/tests/registry_test.py forensic-artifacts-20190113/tests/registry_test.py --- forensic-artifacts-20170808/tests/registry_test.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/tests/registry_test.py 2019-01-13 09:45:17.000000000 +0000 @@ -21,7 +21,7 @@ """Initializes the source type object. Args: - test: optional test string. The default is None. + test (Optional[str]): test string. Raises: FormatError: when test is not set. 
@@ -130,8 +130,7 @@ number_of_source_types + 1) with self.assertRaises(KeyError): - registry.ArtifactDefinitionsRegistry.RegisterSourceTypes( - [TestSourceType]) + registry.ArtifactDefinitionsRegistry.RegisterSourceTypes([TestSourceType]) source_object = registry.ArtifactDefinitionsRegistry.CreateSourceType( u'test', {u'test': u'test123'}) diff -Nru forensic-artifacts-20170808/tests/source_type_test.py forensic-artifacts-20190113/tests/source_type_test.py --- forensic-artifacts-20170808/tests/source_type_test.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/tests/source_type_test.py 2019-01-13 09:45:17.000000000 +0000 @@ -18,7 +18,7 @@ """Initializes the source type object. Args: - test: optional test string. The default is None. + test (Optional[str]): test string. Raises: FormatError: when test is not set. diff -Nru forensic-artifacts-20170808/tests/style_test.py forensic-artifacts-20190113/tests/style_test.py --- forensic-artifacts-20170808/tests/style_test.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/tests/style_test.py 2019-01-13 09:45:17.000000000 +0000 
@@ -11,16 +11,17 @@ class StyleTest(test_lib.BaseTestCase): """Enforce code style requirements.""" + @unittest.skip('yapf deployment need to be fixed') def testCodeStyle(self): """Check yapf style enforcement runs cleanly.""" try: - subprocess.check_output([ - 'yapf', '--diff', '-r', 'artifacts tools', 'artifacts', 'tests']) - except subprocess.CalledProcessError as e: - if hasattr(e, 'output'): + subprocess.check_output( + ['yapf', '--diff', '-r', 'artifacts tools', 'artifacts', 'tests']) + except subprocess.CalledProcessError as exception: + if hasattr(exception, 'output'): raise errors.CodeStyleError( 'Run "yapf -i -r artifacts tools/ artifacts/ tests/" to correct ' - 'these problems: {0}'.format(e.output)) + 'these problems: {0}'.format(exception.output)) raise diff -Nru forensic-artifacts-20170808/tests/test_lib.py forensic-artifacts-20190113/tests/test_lib.py --- forensic-artifacts-20170808/tests/test_lib.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/tests/test_lib.py 2019-01-13 09:45:17.000000000 +0000 @@ -8,7 +8,7 @@ import unittest -def skipUnlessHasTestFile(path_segments): +def skipUnlessHasTestFile(path_segments): # pylint: disable=invalid-name """Decorator to skip a test if the test file does not exist. Args: diff -Nru forensic-artifacts-20170808/tests/validator_test.py forensic-artifacts-20190113/tests/validator_test.py --- forensic-artifacts-20170808/tests/validator_test.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/tests/validator_test.py 2019-01-13 09:45:17.000000000 +0000 @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/env python # -*- coding: utf-8 -*- """Tests for the artifact definitions validator.""" diff -Nru forensic-artifacts-20170808/tools/__init__.py forensic-artifacts-20190113/tools/__init__.py --- forensic-artifacts-20170808/tools/__init__.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/tools/__init__.py 2019-01-13 09:45:17.000000000 +0000 
@@ -1,2 +1,2 @@ -#!/usr/bin/python +#!/usr/bin/env python # -*- coding: utf-8 -*- diff -Nru forensic-artifacts-20170808/tools/stats.py forensic-artifacts-20190113/tools/stats.py --- forensic-artifacts-20170808/tools/stats.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/tools/stats.py 2019-01-13 09:45:17.000000000 +0000 @@ -1,10 +1,11 @@ -#!/usr/bin/python +#!/usr/bin/env python # -*- coding: utf-8 -*- """Report statistics about the artifact collection.""" from __future__ import print_function from __future__ import unicode_literals +import sys import time from artifacts import definitions @@ -100,10 +101,10 @@ if source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY: self.reg_key_count += len(source.keys) - if source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE: + elif source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE: self.reg_key_count += len(source.key_value_pairs) - if (source_type == definitions.TYPE_INDICATOR_FILE or - source_type == definitions.TYPE_INDICATOR_DIRECTORY): + elif source_type in (definitions.TYPE_INDICATOR_FILE, + definitions.TYPE_INDICATOR_DIRECTORY): self.path_count += len(source.paths) os_list = source.supported_os @@ -119,11 +120,19 @@ self.PrintLabelTable() -def main(): - """The main function.""" +def Main(): + """The main program function. + + Returns: + bool: True if successful or False if not. + """ statsbuilder = ArtifactStatistics() statsbuilder.PrintStats() + return True if __name__ == '__main__': - main() + if not Main(): + sys.exit(1) + else: + sys.exit(0) diff -Nru forensic-artifacts-20170808/tools/validator.py forensic-artifacts-20190113/tools/validator.py --- forensic-artifacts-20170808/tools/validator.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/tools/validator.py 2019-01-13 09:45:17.000000000 +0000 @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/env python # -*- coding: utf-8 -*- """Tool to validate artifact definitions.""" 
@@ -41,13 +41,13 @@ result = True key_path = key_path.upper() - if key_path.startswith(u'%%CURRENT_CONTROL_SET%%'): + if key_path.startswith('%%CURRENT_CONTROL_SET%%'): result = False logging.warning(( - u'Artifact definition: {0:s} in file: {1:s} contains Windows ' - u'Registry key path that starts with ' - u'%%CURRENT_CONTROL_SET%%. Replace %%CURRENT_CONTROL_SET%% with ' - u'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet').format( + 'Artifact definition: {0:s} in file: {1:s} contains Windows ' + 'Registry key path that starts with ' + '%%CURRENT_CONTROL_SET%%. Replace %%CURRENT_CONTROL_SET%% with ' + 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet').format( artifact_definition.name, filename)) return result @@ -72,10 +72,10 @@ intersection = self._artifact_registry_key_paths.intersection( set(source.keys)) if intersection: - duplicate_key_paths = u'\n'.join(intersection) + duplicate_key_paths = '\n'.join(intersection) logging.warning(( - u'Artifact definition: {0:s} in file: {1:s} has duplicate ' - u'Registry key paths:\n{2:s}').format( + 'Artifact definition: {0:s} in file: {1:s} has duplicate ' + 'Registry key paths:\n{2:s}').format( artifact_definition.name, filename, duplicate_key_paths)) result = True 
@@ -100,12 +100,27 @@ self._artifact_registry.RegisterDefinition(artifact_definition) except KeyError: logging.warning( - u'Duplicate artifact definition: {0:s} in file: {1:s}'.format( + 'Duplicate artifact definition: {0:s} in file: {1:s}'.format( artifact_definition.name, filename)) result = False for source in artifact_definition.sources: - if source.type_indicator == ( + if source.type_indicator in ( + definitions.TYPE_INDICATOR_FILE, definitions.TYPE_INDICATOR_PATH): + if definitions.SUPPORTED_OS_WINDOWS in source.supported_os: + for path in source.paths: + number_of_forward_slashes = path.count('/') + number_of_backslashes = path.count('\\') + if (number_of_forward_slashes < number_of_backslashes and + source.separator != '\\'): + logging.warning(( + 'Incorrect path separator: {0:s} in path: {1:s} defined ' + 'by artifact definition: {2:s} in file: {3:s}').format( + source.separator, path, artifact_definition.name, + filename)) + result = False + + elif source.type_indicator == ( definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY): # Exempt the legacy file from duplicate checking because it has @@ -125,12 +140,12 @@ for key_value_pair in source.key_value_pairs: if not self._CheckRegistryKeyPath( - filename, artifact_definition, key_value_pair[u'key']): + filename, artifact_definition, key_value_pair['key']): result = False except errors.FormatError as exception: logging.warning( - u'Unable to validate file: {0:s} with error: {1!s}'.format( + 'Unable to validate file: {0:s} with error: {1!s}'.format( filename, exception)) result = False diff -Nru forensic-artifacts-20170808/tox.ini forensic-artifacts-20190113/tox.ini --- forensic-artifacts-20170808/tox.ini 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/tox.ini 2019-01-13 09:45:17.000000000 +0000 
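Review bot: The new separator check only covers `TYPE_INDICATOR_FILE` and `TYPE_INDICATOR_PATH` sources, while `tools/stats.py` in this same change treats `TYPE_INDICATOR_DIRECTORY` sources as carrying `paths` as well, so directory sources with a mismatched separator pass validation. If directory sources also expose `separator`, add `definitions.TYPE_INDICATOR_DIRECTORY` to the tuple in the `in (...)` test. The warning formats `source.separator` with `{0:s}`, which raises rather than warns should `separator` ever be `None`; `{0!s}` is the safer conversion, matching the `{1!s}` already used for the exception further down. The enclosing method starts and ends outside this hunk.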
@@ -1,8 +1,34 @@ [tox] -envlist = py27, py34 +envlist = py2, py3 [testenv] -commands = nosetests -v +pip_pre = True +setenv = + PYTHONPATH = {toxinidir} deps = - nose + funcsigs ; python_version < '3.0' + mock + pbr + six + pytest + yapf -rrequirements.txt +commands = + ./run_tests.py + +[testenv:py27] +pip_pre = True +setenv = + PYTHONPATH = {toxinidir} +deps = + coverage + funcsigs ; python_version < '3.0' + mock + pbr + six + pytest + yapf + -rrequirements.txt +commands = + coverage erase + coverage run --source=artifacts --omit="*_test*,*__init__*,*test_lib*" run_tests.py diff -Nru forensic-artifacts-20170808/.travis.yml forensic-artifacts-20190113/.travis.yml --- forensic-artifacts-20170808/.travis.yml 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/.travis.yml 2019-01-13 09:45:17.000000000 +0000 
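Review bot: `pip_pre = True` in both `[testenv]` and `[testenv:py27]` makes pip resolve every unpinned dependency (`mock`, `pbr`, `six`, `pytest`, `yapf` and whatever `requirements.txt` lists) to its newest pre-release, so the test environment is not reproducible and pulls alpha/beta builds from the index on every run. Unless one package genuinely needs a pre-release, drop the setting or pin that single package instead. The two `deps` lists differ only by `coverage`; `[testenv:py27]` can inherit with `deps = coverage` followed by `{[testenv]deps}` instead of repeating the list.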
@@ -1,24 +1,103 @@ -language: python matrix: include: - - os: linux + - env: TARGET="pylint" + os: linux dist: trusty sudo: required + group: edge + language: python python: 2.7 - - os: linux - dist: trusty + virtualenv: + system_site_packages: true + - env: TARGET="linux-python27" + os: linux + dist: xenial + sudo: required + group: edge + language: python + python: 2.7 + virtualenv: + system_site_packages: true + - env: TARGET="linux-python35" + os: linux + dist: xenial + sudo: required + group: edge + language: python + python: 3.5 + virtualenv: + system_site_packages: true + - env: [TARGET="linux-python27-tox", TOXENV="py27"] + os: linux + dist: xenial sudo: required + group: edge + language: python + python: 2.7 + virtualenv: + system_site_packages: false + - env: [TARGET="linux-python34-tox", TOXENV="py34"] + os: linux + dist: xenial + sudo: required + group: edge + language: python python: 3.4 - - os: osx - osx_image: xcode8.1 + virtualenv: + system_site_packages: false + - env: [TARGET="linux-python35-tox", TOXENV="py35"] + os: linux + dist: xenial + sudo: required + group: edge + language: python + python: 3.5 + virtualenv: + system_site_packages: false + - env: [TARGET="linux-python36-tox", TOXENV="py36"] + os: linux + dist: xenial + sudo: required + group: edge + language: python + python: 3.6 + virtualenv: + system_site_packages: false + - env: [TARGET="linux-python37-tox", TOXENV="py37"] + os: linux + dist: xenial + sudo: required + group: edge + language: python + python: 3.7 + virtualenv: + system_site_packages: false + - env: [TARGET="macos-python27", PYTHONPATH="/Library/Python/2.7/site-packages/"] + os: osx + osx_image: xcode9.2 language: generic + - env: TARGET="trusty-python27" + os: linux + dist: trusty + sudo: required + group: edge + language: python + python: 2.7 + virtualenv: + system_site_packages: true + - env: TARGET="trusty-python34" + os: linux + dist: trusty + sudo: required + group: edge + language: python + python: 3.4 + virtualenv: 
+ system_site_packages: true install: - - ./config/travis/install.sh +- ./config/travis/install.sh script: - - if test ${TRAVIS_OS_NAME} = "osx"; then PYTHONPATH=/Library/Python/2.7/site-packages/ /usr/bin/python run_tests.py; elif test ${TRAVIS_OS_NAME} = "linux"; then if test ${TRAVIS_PYTHON_VERSION} = "2.7"; then coverage run --source=artifacts --omit="*_test*,*__init__*,*test_lib*" ./run_tests.py; else ./run_tests.py; fi; fi - - python setup.py build - - python setup.py sdist - - python setup.py bdist - - if test ${TRAVIS_OS_NAME} = "linux"; then mkdir -p ${PWD}/tmp/lib/python${TRAVIS_PYTHON_VERSION}/site-packages/ && PYTHONPATH=${PWD}/tmp/lib/python${TRAVIS_PYTHON_VERSION}/site-packages/ python setup.py install --prefix=${PWD}/tmp/; fi +- ./config/travis/run_with_timeout.sh 30 ./config/travis/runtests.sh after_success: - - if test ${TRAVIS_OS_NAME} = "linux" && test ${TRAVIS_PYTHON_VERSION} = "2.7"; then coveralls --verbose; fi +- if ! test -f /usr/bin/coverage; then sudo ln -s /usr/bin/python-coverage /usr/bin/coverage; fi +- if test ${TARGET} = "linux-python27"; then curl -o codecov.sh -s https://codecov.io/bash && /bin/bash ./codecov.sh; fi diff -Nru forensic-artifacts-20170808/utils/check_dependencies.py forensic-artifacts-20190113/utils/check_dependencies.py --- forensic-artifacts-20170808/utils/check_dependencies.py 1970-01-01 00:00:00.000000000 +0000 +++ forensic-artifacts-20190113/utils/check_dependencies.py 2019-01-13 09:45:17.000000000 +0000 
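Review bot: The `after_success` step fetches `https://codecov.io/bash` and executes it with no integrity check, so whatever that URL serves at build time runs with the CI job's environment and any credentials exposed in it; with `curl -s` but no `-f`, an HTTP error page would be written to `codecov.sh` and executed too. Pin the uploader to a specific release and verify it before running, e.g. `curl -fsSL -o codecov.sh <pinned-uploader-url> && echo "<expected-sha256>  codecov.sh" | sha256sum -c - && /bin/bash ./codecov.sh` (placeholders to be filled in from the chosen release). Since `after_success` failures do not, as far as I know, fail the Travis build, a broken or rejected upload would otherwise go unnoticed.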
@@ -0,0 +1,17 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +"""Script to check for the availability and version of dependencies.""" + +import sys + +# Change PYTHONPATH to include dependencies. +sys.path.insert(0, '.') + +import utils.dependencies # pylint: disable=wrong-import-position + + +if __name__ == '__main__': + dependency_helper = utils.dependencies.DependencyHelper() + + if not dependency_helper.CheckDependencies(): + sys.exit(1) diff -Nru forensic-artifacts-20170808/utils/dependencies.py forensic-artifacts-20190113/utils/dependencies.py --- forensic-artifacts-20170808/utils/dependencies.py 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/utils/dependencies.py 2019-01-13 09:45:17.000000000 +0000 @@ -2,6 +2,8 @@ """Helper to check for availability and version of dependencies.""" from __future__ import print_function +from __future__ import unicode_literals + import re try: @@ -16,18 +18,22 @@ Attributes: dpkg_name (str): name of the dpkg package that provides the dependency. is_optional (bool): True if the dependency is optional. + l2tbinaries_macos_name (str): name of the l2tbinaries macos package that + provides the dependency. l2tbinaries_name (str): name of the l2tbinaries package that provides the dependency. maximum_version (str): maximum supported version. minimum_version (str): minimum supported version. name (str): name of (the Python module that provides) the dependency. pypi_name (str): name of the PyPI package that provides the dependency. + python2_only (bool): True if the dependency is only supported by Python 2. + python3_only (bool): True if the dependency is only supported by Python 3. rpm_name (str): name of the rpm package that provides the dependency. version_property (str): name of the version attribute or function. """ def __init__(self, name): - """Initializes a dependency configuation. + """Initializes a dependency configuration. Args: name (str): name of the dependency. 
@@ -35,11 +41,14 @@ super(DependencyDefinition, self).__init__() self.dpkg_name = None self.is_optional = False + self.l2tbinaries_macos_name = None self.l2tbinaries_name = None self.maximum_version = None self.minimum_version = None self.name = name self.pypi_name = None + self.python2_only = False + self.python3_only = False self.rpm_name = None self.version_property = None @@ -48,14 +57,17 @@ """Dependency definition reader.""" _VALUE_NAMES = frozenset([ - u'dpkg_name', - u'is_optional', - u'l2tbinaries_name', - u'maximum_version', - u'minimum_version', - u'pypi_name', - u'rpm_name', - u'version_property']) + 'dpkg_name', + 'is_optional', + 'l2tbinaries_macos_name', + 'l2tbinaries_name', + 'maximum_version', + 'minimum_version', + 'pypi_name', + 'python2_only', + 'python3_only', + 'rpm_name', + 'version_property']) def _GetConfigValue(self, config_parser, section_name, value_name): """Retrieves a value from the config parser. @@ -66,12 +78,12 @@ value_name (str): name of the value. Returns: - object: value or None if the value does not exists. + object: configuration value or None if the value does not exists. """ try: return config_parser.get(section_name, value_name) except configparser.NoOptionError: - return + return None def Read(self, file_object): """Reads dependency definitions. @@ -83,6 +95,8 @@ DependencyDefinition: dependency definition. """ config_parser = configparser.RawConfigParser() + # pylint: disable=deprecated-method + # TODO: replace readfp by read_file, check if Python 2 compatible config_parser.readfp(file_object) for section_name in config_parser.sections(): 
@@ -95,26 +109,36 @@ class DependencyHelper(object): - """Dependency helper.""" + """Dependency helper. + Attributes: + dependencies (dict[str, DependencyDefinition]): dependencies. + """ + + _VERSION_NUMBERS_REGEX = re.compile(r'[0-9.]+') _VERSION_SPLIT_REGEX = re.compile(r'\.|\-') - def __init__(self): - """Initializes a dependency helper.""" + def __init__(self, configuration_file='dependencies.ini'): + """Initializes a dependency helper. + + Args: + configuration_file (Optional[str]): path to the dependencies + configuration file. + """ super(DependencyHelper, self).__init__() - self._dependencies = {} self._test_dependencies = {} + self.dependencies = {} dependency_reader = DependencyDefinitionReader() - with open(u'dependencies.ini', 'r') as file_object: + with open(configuration_file, 'r') as file_object: for dependency in dependency_reader.Read(file_object): - self._dependencies[dependency.name] = dependency + self.dependencies[dependency.name] = dependency - dependency = DependencyDefinition(u'yapf') - dependency.minimum_version = u'0.16.1' - dependency.version_property = u'__version__' - self._test_dependencies[u'yapf'] = dependency + dependency = DependencyDefinition('mock') + dependency.minimum_version = '0.7.1' + dependency.version_property = '__version__' + self._test_dependencies['mock'] = dependency def _CheckPythonModule(self, dependency): """Checks the availability of a Python module. @@ -131,10 +155,10 @@ """ module_object = self._ImportPythonModule(dependency.name) if not module_object: - status_message = u'missing: {0:s}'.format(dependency.name) - return dependency.is_optional, status_message + status_message = 'missing: {0:s}'.format(dependency.name) + return False, status_message - if not dependency.version_property or not dependency.minimum_version: + if not dependency.version_property: return True, dependency.name return self._CheckPythonModuleVersion( 
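Review bot: `__init__` gains a `configuration_file` parameter but still hard-codes the only test dependency as `mock` with minimum version `'0.7.1'`, while `test_dependencies.ini` added in this same change declares `mock` at `minimum_version: 2.0.0` together with `funcsigs`, `pbr` and `six`, so the two lists already disagree. Load the test dependencies through the same reader instead, e.g. `with open('test_dependencies.ini', 'r') as file_object:` / `for dependency in dependency_reader.Read(file_object):` / `self._test_dependencies[dependency.name] = dependency`, and delete the hard-coded `DependencyDefinition('mock')` block. A second keyword parameter mirroring `configuration_file`, e.g. `test_configuration_file='test_dependencies.ini'`, keeps that path overridable as well.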
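Review bot: `_CheckPythonModule` now returns `False` for a missing module regardless of `dependency.is_optional`, where it previously returned `dependency.is_optional`, so an absent optional dependency fails the check unless the caller — outside this hunk — has been changed to consult `is_optional` itself. If that is intended, document it in the method's docstring above the hunk, e.g. `Missing modules are reported as failures even for optional dependencies; the caller decides whether that is fatal.`; otherwise keep `return dependency.is_optional, status_message`.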
@@ -161,7 +185,7 @@ str: status message. """ module_version = None - if not version_property.endswith(u'()'): + if not version_property.endswith('()'): module_version = getattr(module_object, version_property, None) else: version_method = getattr( 
@@ -171,38 +195,93 @@ if not module_version: status_message = ( - u'unable to determine version information for: {0:s}').format( + 'unable to determine version information for: {0:s}').format( module_name) return False, status_message # Make sure the module version is a string. - module_version = u'{0!s}'.format(module_version) + module_version = '{0!s}'.format(module_version) # Split the version string and convert every digit into an integer. # A string compare of both version strings will yield an incorrect result. - module_version_map = list( - map(int, self._VERSION_SPLIT_REGEX.split(module_version))) - minimum_version_map = list( - map(int, self._VERSION_SPLIT_REGEX.split(minimum_version))) - if module_version_map < minimum_version_map: - status_message = ( - u'{0:s} version: {1!s} is too old, {2!s} or later required').format( - module_name, module_version, minimum_version) + # Strip any semantic suffixes such as a1, b1, pre, post, rc, dev. + module_version = self._VERSION_NUMBERS_REGEX.findall(module_version)[0] + + if module_version[-1] == '.': + module_version = module_version[:-1] + + try: + module_version_map = list( + map(int, self._VERSION_SPLIT_REGEX.split(module_version))) + except ValueError: + status_message = 'unable to parse module version: {0:s} {1:s}'.format( + module_name, module_version) return False, status_message + if minimum_version: + try: + minimum_version_map = list( + map(int, self._VERSION_SPLIT_REGEX.split(minimum_version))) + except ValueError: + status_message = 'unable to parse minimum version: {0:s} {1:s}'.format( + module_name, minimum_version) + return False, status_message + + if module_version_map < minimum_version_map: + status_message = ( + '{0:s} version: {1!s} is too old, {2!s} or later required').format( + module_name, module_version, minimum_version) + return False, status_message + if maximum_version: - maximum_version_map = list( - map(int, self._VERSION_SPLIT_REGEX.split(maximum_version))) + try: + 
maximum_version_map = list( + map(int, self._VERSION_SPLIT_REGEX.split(maximum_version))) + except ValueError: + status_message = 'unable to parse maximum version: {0:s} {1:s}'.format( + module_name, maximum_version) + return False, status_message + if module_version_map > maximum_version_map: status_message = ( - u'{0:s} version: {1!s} is too recent, {2!s} or earlier ' - u'required').format(module_name, module_version, maximum_version) + '{0:s} version: {1!s} is too recent, {2!s} or earlier ' + 'required').format(module_name, module_version, maximum_version) return False, status_message - status_message = u'{0:s} version: {1!s}'.format(module_name, module_version) + status_message = '{0:s} version: {1!s}'.format(module_name, module_version) return True, status_message + def _CheckSQLite3(self): + """Checks the availability of sqlite3. + + Returns: + tuple: consists: + + bool: True if the Python module is available and conforms to + the minimum required version, False otherwise. + str: status message. + """ + # On Windows sqlite3 can be provided by both pysqlite2.dbapi2 and + # sqlite3. sqlite3 is provided with the Python installation and + # pysqlite2.dbapi2 by the pysqlite2 Python module. Typically + # pysqlite2.dbapi2 would contain a newer version of sqlite3, hence + # we check for its presence first. + module_name = 'pysqlite2.dbapi2' + minimum_version = '3.7.8' + + module_object = self._ImportPythonModule(module_name) + if not module_object: + module_name = 'sqlite3' + + module_object = self._ImportPythonModule(module_name) + if not module_object: + status_message = 'missing: {0:s}.'.format(module_name) + return False, status_message + + return self._CheckPythonModuleVersion( + module_name, module_object, 'sqlite_version', minimum_version, None) + def _ImportPythonModule(self, module_name): """Imports a Python module. 
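Review bot: `self._VERSION_NUMBERS_REGEX.findall(module_version)[0]` raises IndexError when the version string contains no digit or dot (a module reporting e.g. `'unknown'`), so one such dependency aborts the whole check with a traceback instead of the `unable to parse module version` status that the following `try` is meant to produce; guarding the empty match keeps that failure on the status-message path. A value such as `'a.b'` matches only `'.'`, which the trailing-dot strip turns into `''`, and `int('')` then lands in the existing ValueError handler, so that case is already covered. In `_CheckSQLite3`, `sqlite_version` is the linked SQLite library version rather than the Python module version, which appears to be what the `3.7.8` minimum targets; a one-line comment saying so would spare the next reader a lookup.
```python
    # Strip any semantic suffixes such as a1, b1, pre, post, rc, dev.
    version_numbers = self._VERSION_NUMBERS_REGEX.findall(module_version)
    if not version_numbers:
      status_message = 'unable to parse module version: {0:s} {1:s}'.format(
          module_name, module_version)
      return False, status_message

    module_version = version_numbers[0]
    # … unchanged: trailing-dot strip, version map parsing and comparisons …
```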
@@ -215,11 +294,11 @@ try: module_object = list(map(__import__, [module_name]))[0] except ImportError: - return + return None # If the module name contains dots get the upper most module object. - if u'.' in module_name: - for submodule_name in module_name.split(u'.')[1:]: + if '.' in module_name: + for submodule_name in module_name.split('.')[1:]: module_object = getattr(module_object, submodule_name, None) return module_object @@ -233,17 +312,18 @@ result (bool): True if the Python module is available and conforms to the minimum required version, False otherwise. status_message (str): status message. + verbose_output (Optional[bool]): True if output should be verbose. """ if not result or dependency.is_optional: if dependency.is_optional: - status_indicator = u'[OPTIONAL]' + status_indicator = '[OPTIONAL]' else: - status_indicator = u'[FAILURE]' + status_indicator = '[FAILURE]' - print(u'{0:s}\t{1:s}.'.format(status_indicator, status_message)) + print('{0:s}\t{1:s}'.format(status_indicator, status_message)) elif verbose_output: - print(u'[OK]\t\t{0:s}'.format(status_message)) + print('[OK]\t\t{0:s}'.format(status_message)) def CheckDependencies(self, verbose_output=True): """Checks the availability of the dependencies. 
@@ -254,24 +334,29 @@ Returns: bool: True if the dependencies are available, False otherwise. """ + print('Checking availability and versions of dependencies.') check_result = True - if self._dependencies: - print(u'Checking availability and versions of dependencies.') - for dependency in sorted( - self._dependencies.values(), key=lambda dependency: dependency.name): + for module_name, dependency in sorted(self.dependencies.items()): + if module_name == 'sqlite3': + result, status_message = self._CheckSQLite3() + else: result, status_message = self._CheckPythonModule(dependency) - if not result: - check_result = False - self._PrintCheckDependencyStatus( - dependency, result, status_message, verbose_output=verbose_output) + if not result and module_name == 'lzma': + dependency.name = 'backports.lzma' + result, status_message = self._CheckPythonModule(dependency) - if check_result and not verbose_output: - print(u'[OK]') + if not result and not dependency.is_optional: + check_result = False - print(u'') + self._PrintCheckDependencyStatus( + dependency, result, status_message, verbose_output=verbose_output) + if check_result and not verbose_output: + print('[OK]') + + print('') return check_result def CheckTestDependencies(self, verbose_output=True): 
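Review bot: The `lzma` fallback assigns `dependency.name = 'backports.lzma'` on the shared `DependencyDefinition` stored in `self.dependencies`, so the rename outlives this call: a second `CheckDependencies` run (which `CheckTestDependencies` triggers) checks `backports.lzma` directly and never retries the standard-library `lzma`, and the entry under key `'lzma'` now carries a different name. Restoring the name after the retry keeps the helper re-entrant without changing the reported status, since `_PrintCheckDependencyStatus` only reads `status_message` and `is_optional`. If the in-place rename is intended, a comment stating that the definition is rewritten on first failure would be the minimum.
```python
      if not result and module_name == 'lzma':
        # Retry against the backport without leaving the definition renamed.
        original_name = dependency.name
        dependency.name = 'backports.lzma'
        try:
          result, status_message = self._CheckPythonModule(dependency)
        finally:
          dependency.name = original_name
      # … unchanged: optional handling, status printing, summary …
```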
@@ -286,112 +371,21 @@ if not self.CheckDependencies(verbose_output=verbose_output): return False + print('Checking availability and versions of test dependencies.') check_result = True - if self._test_dependencies: - print(u'Checking availability and versions of test dependencies.') - - for dependency in sorted( - self._test_dependencies.values(), - key=lambda dependency: dependency.name): - result, status_message = self._CheckPythonModule(dependency) - if not result: - check_result = False - - self._PrintCheckDependencyStatus( - dependency, result, status_message, verbose_output=verbose_output) - - if check_result and not verbose_output: - print(u'[OK]') - - print(u'') - - return check_result - - def GetDPKGDepends(self, exclude_version=False): - """Retrieves the DPKG control file installation requirements. - - Args: - exclude_version (Optional[bool]): True if the version should be excluded - from the dependency definitions. - - Returns: - list[str]: dependency definitions for requires for DPKG control file. - """ - requires = [] - for dependency in sorted( - self._dependencies.values(), key=lambda dependency: dependency.name): - module_name = dependency.dpkg_name or dependency.name - - if exclude_version or not dependency.minimum_version: - requires_string = module_name - else: - requires_string = u'{0:s} (>= {1:s})'.format( - module_name, dependency.minimum_version) - - requires.append(requires_string) - - return sorted(requires) - - def GetL2TBinaries(self): - """Retrieves the l2tbinaries requirements. - - Returns: - list[str]: dependency definitions for l2tbinaries. - """ - requires = [] - for dependency in sorted( - self._dependencies.values(), key=lambda dependency: dependency.name): - module_name = dependency.l2tbinaries_name or dependency.name - - requires.append(module_name) - - return sorted(requires) - - def GetInstallRequires(self): - """Retrieves the setup.py installation requirements. 
- - Returns: - list[str]: dependency definitions for install_requires for setup.py. - """ - install_requires = [] - for dependency in sorted( - self._dependencies.values(), key=lambda dependency: dependency.name): - module_name = dependency.pypi_name or dependency.name - - if not dependency.minimum_version: - requires_string = module_name - elif not dependency.maximum_version: - requires_string = u'{0:s} >= {1!s}'.format( - module_name, dependency.minimum_version) - else: - requires_string = u'{0:s} >= {1!s},<= {2!s}'.format( - module_name, dependency.minimum_version, dependency.maximum_version) - - install_requires.append(requires_string) - - return sorted(install_requires) - - def GetRPMRequires(self, exclude_version=False): - """Retrieves the setup.cfg RPM installation requirements. - - Args: - exclude_version (Optional[bool]): True if the version should be excluded - from the dependency definitions. - Returns: - list[str]: dependency definitions for requires for setup.cfg. - """ - requires = [] for dependency in sorted( - self._dependencies.values(), key=lambda dependency: dependency.name): - module_name = dependency.rpm_name or dependency.name + self._test_dependencies.values(), + key=lambda dependency: dependency.name): + result, status_message = self._CheckPythonModule(dependency) + if not result: + check_result = False - if exclude_version or not dependency.minimum_version: - requires_string = module_name - else: - requires_string = u'{0:s} >= {1:s}'.format( - module_name, dependency.minimum_version) + self._PrintCheckDependencyStatus( + dependency, result, status_message, verbose_output=verbose_output) - requires.append(requires_string) + if check_result and not verbose_output: + print('[OK]') - return sorted(requires) + print('') + return check_result diff -Nru forensic-artifacts-20170808/utils/update_dependencies.py forensic-artifacts-20190113/utils/update_dependencies.py --- forensic-artifacts-20170808/utils/update_dependencies.py 2017-08-08 
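Review bot: In `CheckTestDependencies` the new loop sets `check_result = False` on any failure, while `CheckDependencies` in this same commit only fails on `not result and not dependency.is_optional`; because `_CheckPythonModule` now reports `False` for a missing module even when it is optional, an optional test dependency would fail the overall check here but not there. Aligning the condition, `if not result and not dependency.is_optional:`, restores the same semantics; if test dependencies are never optional, a comment saying so would document the asymmetry instead. The `def CheckTestDependencies` signature and its `Returns:` docstring lie outside this hunk.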
19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/utils/update_dependencies.py 1970-01-01 00:00:00.000000000 +0000 
@@ -1,351 +0,0 @@ -#!/usr/bin/python -# -*- coding: utf-8 -*- -"""Script to update the dependencies in various configuration files.""" - -import os -import sys - -# Change PYTHONPATH to include dependencies. -sys.path.insert(0, u'.') - -import utils.dependencies # pylint: disable=wrong-import-position - - -class DependencyFileWriter(object): - """Dependency file writer.""" - - def __init__(self, dependency_helper): - """Initializes a dependency file writer. - - Args: - dependency_helper (DependencyHelper): dependency helper. - """ - super(DependencyFileWriter, self).__init__() - self._dependency_helper = dependency_helper - - -class AppveyorYmlWriter(DependencyFileWriter): - """Appveyor.yml file writer.""" - - _PATH = os.path.join(u'appveyor.yml') - - _VERSION_PYWIN32 = u'220' - _VERSION_WMI = u'1.4.9' - - _DOWNLOAD_PIP = ( - u' - ps: (new-object net.webclient).DownloadFile(' - u'\'https://bootstrap.pypa.io/get-pip.py\', ' - u'\'C:\\Projects\\get-pip.py\')') - - _DOWNLOAD_PYWIN32 = ( - u' - ps: (new-object net.webclient).DownloadFile(' - u'\'https://github.com/log2timeline/l2tbinaries/raw/master/win32/' - u'pywin32-{0:s}.win32-py2.7.exe\', ' - u'\'C:\\Projects\\pywin32-{0:s}.win32-py2.7.exe\')').format( - _VERSION_PYWIN32) - - _DOWNLOAD_WMI = ( - u' - ps: (new-object net.webclient).DownloadFile(' - u'\'https://github.com/log2timeline/l2tbinaries/raw/master/win32/' - u'WMI-{0:s}.win32.exe\', \'C:\\Projects\\WMI-{0:s}.win32.exe\')').format( - _VERSION_WMI) - - _INSTALL_PIP = ( - u' - cmd: "%PYTHON%\\\\python.exe C:\\\\Projects\\\\get-pip.py"') - - _INSTALL_PYWIN32 = ( - u' - cmd: "%PYTHON%\\\\Scripts\\\\easy_install.exe ' - u'C:\\\\Projects\\\\pywin32-{0:s}.win32-py2.7.exe"').format( - _VERSION_PYWIN32) - - _INSTALL_WMI = ( - u' - cmd: "%PYTHON%\\\\Scripts\\\\easy_install.exe ' - u'C:\\\\Projects\\\\WMI-{0:s}.win32.exe"').format(_VERSION_WMI) - - _DOWNLOAD_L2TDEVTOOLS = ( - u' - cmd: git clone https://github.com/log2timeline/l2tdevtools.git && ' - u'move l2tdevtools 
..\\') - - _FILE_HEADER = [ - u'environment:', - u' matrix:', - u' - PYTHON: "C:\\\\Python27"', - u'', - u'install:', - (u' - cmd: \'"C:\\Program Files\\Microsoft SDKs\\Windows\\v7.1\\Bin\\' - u'SetEnv.cmd" /x86 /release\''), - _DOWNLOAD_PIP, - _DOWNLOAD_PYWIN32, - _DOWNLOAD_WMI, - _INSTALL_PIP, - _INSTALL_PYWIN32, - _INSTALL_WMI, - _DOWNLOAD_L2TDEVTOOLS] - - _L2TDEVTOOLS_UPDATE = ( - u' - cmd: mkdir dependencies && set PYTHONPATH=..\\l2tdevtools && ' - u'"%PYTHON%\\\\python.exe" ..\\l2tdevtools\\tools\\update.py ' - u'--download-directory dependencies --machine-type x86 ' - u'--msi-targetdir "%PYTHON%" {0:s}') - - _FILE_FOOTER = [ - u'', - u'build: off', - u'', - u'test_script:', - u' - "%PYTHON%\\\\python.exe run_tests.py"', - u''] - - def Write(self): - """Writes an appveyor.yml file.""" - file_content = [] - file_content.extend(self._FILE_HEADER) - - dependencies = self._dependency_helper.GetL2TBinaries() - dependencies.extend([u'yapf']) - dependencies = u' '.join(dependencies) - - l2tdevtools_update = self._L2TDEVTOOLS_UPDATE.format(dependencies) - file_content.append(l2tdevtools_update) - - file_content.extend(self._FILE_FOOTER) - - file_content = u'\n'.join(file_content) - file_content = file_content.encode(u'utf-8') - - with open(self._PATH, 'wb') as file_object: - file_object.write(file_content) - - -class DPKGControlWriter(DependencyFileWriter): - """Dpkg control file writer.""" - - _PATH = os.path.join(u'config', u'dpkg', u'control') - - _PROJECT_NAME = u'artifacts' - - _MAINTAINER = u'Forensic artifacts ' - - _FILE_HEADER = [ - u'Source: {0:s}'.format(_PROJECT_NAME), - u'Section: python', - u'Priority: extra', - u'Maintainer: {0:s}'.format(_MAINTAINER), - (u'Build-Depends: debhelper (>= 7), python-all (>= 2.7~), ' - u'python-setuptools, python3-all (>= 3.4~), python3-setuptools'), - u'Standards-Version: 3.9.5', - u'X-Python-Version: >= 2.7', - u'X-Python3-Version: >= 3.4', - u'Homepage: https://github.com/ForensicArtifacts/artifacts', - u'', - 
u'Package: artifacts-data', - u'Architecture: all', - u'Depends: ${misc:Depends}', - u'Description: Data files for ForensicArtifacts.com Artifact Repository', - (u' A free, community-sourced, machine-readable knowledge base of ' - u'forensic'), - (u' artifacts that the world can use both as an information source and ' - u'within other tools.'), - u''] - - _PYTHON2_PACKAGE_HEADER = [ - u'Package: python-{0:s}'.format(_PROJECT_NAME), - u'Architecture: all'] - - _PYTHON3_PACKAGE_HEADER = [ - u'Package: python3-{0:s}'.format(_PROJECT_NAME), - u'Architecture: all'] - - _PYTHON_PACKAGE_DESCRIPTION = [ - (u'Description: Python bindings for ForensicArtifacts.com Artifact ' - u'Repository'), - (u' A free, community-sourced, machine-readable knowledge base of ' - u'forensic'), - (u' artifacts that the world can use both as an information source ' - u'and within other tools.'), - u''] - - _PYTHON_PACKAGE_FOOTER = [ - u'Package: artifacts-tools', - u'Architecture: all', - (u'Depends: python-artifacts, python (>= 2.7~), ${python:Depends}, ' - u'${misc:Depends}'), - u'Description: Tools for ForensicArtifacts.com Artifact Repository', - (u' A free, community-sourced, machine-readable knowledge base of ' - u'forensic'), - (u' artifacts that the world can use both as an information source and ' - u'within other tools.'), - u''] - - def Write(self): - """Writes a dpkg control file.""" - file_content = [] - file_content.extend(self._FILE_HEADER) - file_content.extend(self._PYTHON2_PACKAGE_HEADER) - - dependencies = self._dependency_helper.GetDPKGDepends() - dependencies.extend([u'${python:Depends}', u'${misc:Depends}']) - dependencies = u', '.join(dependencies) - - file_content.append(u'Depends: artifacts-data, {0:s}'.format(dependencies)) - - file_content.extend(self._PYTHON_PACKAGE_DESCRIPTION) - file_content.extend(self._PYTHON3_PACKAGE_HEADER) - - dependencies = dependencies.replace(u'python', u'python3') - - file_content.append(u'Depends: artifacts-data, 
{0:s}'.format(dependencies)) - - file_content.extend(self._PYTHON_PACKAGE_DESCRIPTION) - file_content.extend(self._PYTHON_PACKAGE_FOOTER) - - file_content = u'\n'.join(file_content) - file_content = file_content.encode(u'utf-8') - - with open(self._PATH, 'wb') as file_object: - file_object.write(file_content) - - -class RequirementsWriter(DependencyFileWriter): - """Requirements.txt file writer.""" - - _PATH = u'requirements.txt' - - _FILE_HEADER = [ - u'pip >= 7.0.0', - u'pytest', - u'yapf'] - - def Write(self): - """Writes a requirements.txt file.""" - file_content = [] - file_content.extend(self._FILE_HEADER) - - dependencies = self._dependency_helper.GetInstallRequires() - for dependency in dependencies: - file_content.append(u'{0:s}'.format(dependency)) - - file_content = u'\n'.join(file_content) - file_content = file_content.encode(u'utf-8') - - with open(self._PATH, 'wb') as file_object: - file_object.write(file_content) - - -class SetupCfgWriter(DependencyFileWriter): - """Setup.cfg file writer.""" - - _PATH = u'setup.cfg' - - _MAINTAINER = u'Forensic artifacts ' - - _FILE_HEADER = [ - u'[bdist_rpm]', - u'release = 1', - u'packager = {0:s}'.format(_MAINTAINER), - u'doc_files = ACKNOWLEDGEMENTS', - u' AUTHORS', - u' LICENSE', - u' README', - u'build_requires = python-setuptools'] - - def Write(self): - """Writes a setup.cfg file.""" - file_content = [] - file_content.extend(self._FILE_HEADER) - - dependencies = self._dependency_helper.GetRPMRequires() - for index, dependency in enumerate(dependencies): - if index == 0: - file_content.append(u'requires = {0:s}'.format(dependency)) - else: - file_content.append(u' {0:s}'.format(dependency)) - - file_content = u'\n'.join(file_content) - file_content = file_content.encode(u'utf-8') - - with open(self._PATH, 'wb') as file_object: - file_object.write(file_content) - - -class TravisBeforeInstallScriptWriter(DependencyFileWriter): - """Travis-CI install.sh file writer.""" - - _PATH = os.path.join(u'config', 
u'travis', u'install.sh') - - _FILE_HEADER = [ - u'#!/bin/bash', - u'#', - u'# Script to set up Travis-CI test VM.', - u'', - (u'COVERALL_DEPENDENCIES="python-coverage python-coveralls ' - u'python-docopt";'), - u''] - - _FILE_FOOTER = [ - u'', - u'# Exit on error.', - u'set -e;', - u'', - u'if test ${TRAVIS_OS_NAME} = "osx";', - u'then', - u'\tgit clone https://github.com/log2timeline/l2tdevtools.git;', - u'', - u'\tmv l2tdevtools ../;', - u'\tmkdir dependencies;', - u'', - (u'\tPYTHONPATH=../l2tdevtools ../l2tdevtools/tools/update.py ' - u'--download-directory=dependencies ${L2TBINARIES_DEPENDENCIES} ' - u'${L2TBINARIES_TEST_DEPENDENCIES};'), - u'', - u'elif test ${TRAVIS_OS_NAME} = "linux";', - u'then', - u'\tsudo add-apt-repository ppa:gift/dev -y;', - u'\tsudo apt-get update -q;', - u'\t# Only install the Python 2 dependencies.', - (u'\t# Also see: https://docs.travis-ci.com/user/languages/python/' - u'#Travis-CI-Uses-Isolated-virtualenvs'), - (u'\tsudo apt-get install -y ${COVERALL_DEPENDENCIES} ' - u'${PYTHON2_DEPENDENCIES} ${PYTHON2_TEST_DEPENDENCIES};'), - u'fi', - u''] - - def Write(self): - """Writes an install.sh file.""" - file_content = [] - file_content.extend(self._FILE_HEADER) - - dependencies = self._dependency_helper.GetL2TBinaries() - dependencies = u' '.join(dependencies) - file_content.append(u'L2TBINARIES_DEPENDENCIES="{0:s}";'.format( - dependencies)) - - file_content.append(u'') - file_content.append(u'L2TBINARIES_TEST_DEPENDENCIES="yapf";') - - file_content.append(u'') - - dependencies = self._dependency_helper.GetDPKGDepends(exclude_version=True) - dependencies = u' '.join(dependencies) - file_content.append(u'PYTHON2_DEPENDENCIES="{0:s}";'.format(dependencies)) - - file_content.append(u'') - file_content.append(u'PYTHON2_TEST_DEPENDENCIES="python-yapf";') - - file_content.extend(self._FILE_FOOTER) - - file_content = u'\n'.join(file_content) - file_content = file_content.encode(u'utf-8') - - with open(self._PATH, 'wb') as file_object: - 
file_object.write(file_content) - - -if __name__ == u'__main__': - helper = utils.dependencies.DependencyHelper() - - for writer_class in ( - AppveyorYmlWriter, DPKGControlWriter, RequirementsWriter, SetupCfgWriter, - TravisBeforeInstallScriptWriter): - writer = writer_class(helper) - writer.Write() diff -Nru forensic-artifacts-20170808/utils/update_version.sh forensic-artifacts-20190113/utils/update_version.sh --- forensic-artifacts-20170808/utils/update_version.sh 2017-08-08 19:57:45.000000000 +0000 +++ forensic-artifacts-20190113/utils/update_version.sh 2019-01-13 09:45:17.000000000 +0000 @@ -6,5 +6,5 @@ EMAIL_DPKG="Forensic artifacts "; sed -i -e "s/^\(__version__ = \)'[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'$/\1'${DATE_VERSION}'/" artifacts/__init__.py -sed -i -e "s/^\(python-artifacts \)([0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-1)/\1(${DATE_VERSION}-1)/" config/dpkg/changelog +sed -i -e "s/^\(artifacts \)([0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-1)/\1(${DATE_VERSION}-1)/" config/dpkg/changelog sed -i -e "s/^\( -- ${EMAIL_DPKG} \).*$/\1${DATE_DPKG}/" config/dpkg/changelog