def Start(self):
"""For each artifact, create subflows for each collector."""
self.client = aff4.FACTORY.Open(self.client_id, token=self.token)
self.state.artifacts_failed = []
self.state.artifacts_skipped_due_to_condition = []
self.state.called_fallbacks = set()
self.state.failed_count = 0
self.state.knowledge_base = self.args.knowledge_base
self.state.response_count = 0
if (self.args.dependencies ==
artifact_utils.ArtifactCollectorFlowArgs.Dependency.FETCH_NOW):
# String due to dependency loop with discover.py.
self.CallFlow("Interrogate", next_state="StartCollection")
return
elif (self.args.dependencies == artifact_utils.ArtifactCollectorFlowArgs.
Dependency.USE_CACHED) and (not self.state.knowledge_base):
# If not provided, get a knowledge base from the client.
try:
self.state.knowledge_base = artifact.GetArtifactKnowledgeBase(
self.client)
except artifact_utils.KnowledgeBaseUninitializedError:
# If no-one has ever initialized the knowledge base, we should do so
# now.
if not self._AreArtifactsKnowledgeBaseArtifacts():
# String due to dependency loop with discover.py.
self.CallFlow("Interrogate", next_state="StartCollection")
return
# In all other cases start the collection state.
self.CallState(next_state="StartCollection")
def Start(self):
"""Issue the artifact collection request."""
super(ClientArtifactCollector, self).Start()
self.state.knowledge_base = self.args.knowledge_base
self.processed_artifacts = set()
self.state.response_count = 0
# TODO(user): Fill the knowledge base on the client side and remove the
# field knowledge_base from ClientArtifactCollectorArgs
dependency = artifact_utils.ArtifactCollectorFlowArgs.Dependency
if self.args.dependencies == dependency.FETCH_NOW:
# String due to dependency loop with discover.py.
self.CallFlow("Interrogate", next_state="StartCollection")
return
if (self.args.dependencies == dependency.USE_CACHED and
not self.state.knowledge_base):
# If not provided, get a knowledge base from the client.
try:
with aff4.FACTORY.Open(self.client_id, token=self.token) as client:
self.state.knowledge_base = artifact.GetArtifactKnowledgeBase(client)
except artifact_utils.KnowledgeBaseUninitializedError:
# If no-one has ever initialized the knowledge base, we should do so
# now.
if not self._AreArtifactsKnowledgeBaseArtifacts():
# String due to dependency loop with discover.py.
self.CallFlow("Interrogate", next_state="StartCollection")
return
# In all other cases start the collection state.
self.CallStateInline(next_state="StartCollection")
def ParseRunKeys(self, responses):
"""Get filenames from the RunKeys and download the files."""
filenames = []
client = aff4.FACTORY.Open(self.client_id, mode="r", token=self.token)
kb = artifact.GetArtifactKnowledgeBase(client)
for response in responses:
runkey = response.registry_data.string
environ_vars = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
path_guesses = path_detection_windows.DetectExecutablePaths(
[runkey], environ_vars)
if not path_guesses:
self.Log("Couldn't guess path for %s", runkey)
for path in path_guesses:
filenames.append(
rdf_paths.PathSpec(
path=path, pathtype=rdf_paths.PathSpec.PathType.TSK))
if filenames:
self.CallFlow(transfer.MultiGetFile.__name__,
pathspecs=filenames,
next_state="Done")
def _ReadClientKnowledgeBase(client_id, allow_uninitialized=False, token=None):
if data_store.RelationalDBEnabled():
client = data_store.REL_DB.ReadClientSnapshot(client_id)
return artifact.GetKnowledgeBase(
client, allow_uninitialized=allow_uninitialized)
else:
client = aff4.FACTORY.Open(client_id, token=token)
return artifact.GetArtifactKnowledgeBase(
client, allow_uninitialized=allow_uninitialized)
def StartCollection(self, responses):
"""Start collecting."""
if not responses.success:
raise artifact_utils.KnowledgeBaseUninitializedError(
"Attempt to initialize Knowledge Base failed.")
if not self.state.knowledge_base:
with aff4.FACTORY.Open(self.client_id, token=self.token) as client:
# If we are processing the knowledge base, it still won't exist yet.
self.state.knowledge_base = artifact.GetArtifactKnowledgeBase(
client, allow_uninitialized=True)
request = GetArtifactCollectorArgs(
self.state.knowledge_base, self.args.artifact_list,
self.args.apply_parsers, self.args.ignore_interpolation_errors,
self.args.use_tsk, self.args.max_file_size)
self.CollectArtifacts(request)
def StartCollection(self, responses):
"""Start collecting."""
if not responses.success:
raise artifact_utils.KnowledgeBaseUninitializedError(
"Attempt to initialize Knowledge Base failed.")
if not self.state.knowledge_base:
self.client = aff4.FACTORY.Open(self.client_id, token=self.token)
# If we are processing the knowledge base, it still won't exist yet.
self.state.knowledge_base = artifact.GetArtifactKnowledgeBase(
self.client, allow_uninitialized=True)
for artifact_name in self.args.artifact_list:
artifact_obj = artifact_registry.REGISTRY.GetArtifact(artifact_name)
# Ensure artifact has been written sanely. Note that this could be
# removed if it turns out to be expensive. Artifact tests should catch
# these.
artifact_registry.Validate(artifact_obj)
self.Collect(artifact_obj)
def FindMatchingPathspecs(self, response):
# If we're dealing with plain file StatEntry, just
# return it's pathspec - there's nothing to parse
# and guess.
if (isinstance(response, rdf_client.StatEntry) and
response.pathspec.pathtype in [
rdf_paths.PathSpec.PathType.TSK, rdf_paths.PathSpec.PathType.OS
]):
return [response.pathspec]
client = aff4.FACTORY.Open(self.client_id, token=self.token)
knowledge_base = artifact.GetArtifactKnowledgeBase(client)
if self.args.use_tsk:
path_type = rdf_paths.PathSpec.PathType.TSK
else:
path_type = rdf_paths.PathSpec.PathType.OS
p = windows_persistence.WindowsPersistenceMechanismsParser()
parsed_items = p.Parse(response, knowledge_base, path_type)
return [item.pathspec for item in parsed_items]
