    def BuildFilterFindSpecs(cls,
                             artifact_definitions_path,
                             custom_artifacts_path,
                             knowledge_base_object,
                             artifact_filter_names=None,
                             filter_file_path=None):
        """Builds find specifications from artifacts or a filter file.

        Artifact filter names take precedence over a filter file: when both are
        given only the artifact definitions are used. When neither is given no
        find specifications are built and None is returned.

        Args:
          artifact_definitions_path (str): path to artifact definitions file.
          custom_artifacts_path (str): path to custom artifact definitions file.
          knowledge_base_object (KnowledgeBase): knowledge base; its environment
              variables are passed to the find specification builders and the
              artifact-based find specifications are read back from it.
          artifact_filter_names (Optional[list[str]]): names of artifact
              definitions that are used for filtering file system and Windows
              Registry key paths.
          filter_file_path (Optional[str]): path of filter file.

        Returns:
          list[dfvfs.FindSpec]: find specifications for the file source type,
              or None when neither artifact filter names nor a filter file path
              was provided.

        Raises:
          InvalidFilter: if filters were requested but no valid find
              specifications were built.
        """
        environment_variables = knowledge_base_object.GetEnvironmentVariables()

        if artifact_filter_names:
            names_text = ', '.join(artifact_filter_names)
            logger.debug(
                'building find specification based on artifacts: {0:s}'.format(
                    names_text))

            registry = cls.BuildArtifactsRegistry(
                artifact_definitions_path, custom_artifacts_path)
            helper = artifact_filters.ArtifactDefinitionsFilterHelper(
                registry, artifact_filter_names, knowledge_base_object)
            helper.BuildFindSpecs(environment_variables=environment_variables)

            # The helper does not return its result; the find specifications are
            # read back from the knowledge base, keyed by source type, and only
            # the file source type entry is needed here.
            all_find_specs = knowledge_base_object.GetValue(
                helper.KNOWLEDGE_BASE_VALUE)
            find_specs = all_find_specs[artifact_types.TYPE_INDICATOR_FILE]

        elif filter_file_path:
            logger.debug(
                'building find specification based on filter file: {0:s}'.
                format(filter_file_path))

            reader = filter_file.FilterFile(filter_file_path)
            find_specs = reader.BuildFindSpecs(
                environment_variables=environment_variables)

        else:
            find_specs = None

        # Only raise when a filter was actually requested; no filter at all is a
        # valid configuration and yields None.
        if not find_specs and (artifact_filter_names or filter_file_path):
            raise errors.InvalidFilter(
                'Error processing filters, no valid specifications built.')

        return find_specs
    def BuildCollectionFilters(self,
                               artifact_definitions_path,
                               custom_artifacts_path,
                               knowledge_base_object,
                               artifact_filter_names=None,
                               filter_file_path=None):
        """Builds collection filters from artifacts or a filter file.

        The helper holding the built filters is stored in
        self.collection_filters_helper: an ArtifactDefinitionsFiltersHelper when
        artifact filter names are given, a PathCollectionFiltersHelper when a
        filter file is given. Artifact filter names take precedence over a
        filter file; when neither is given nothing is built and the attribute
        is left untouched.

        Args:
          artifact_definitions_path (str): path to artifact definitions file.
          custom_artifacts_path (str): path to custom artifact definitions file.
          knowledge_base_object (KnowledgeBase): knowledge base; its environment
              variables are used when building the find specifications.
          artifact_filter_names (Optional[list[str]]): names of artifact
              definitions that are used for filtering file system and Windows
              Registry key paths.
          filter_file_path (Optional[str]): path of filter file; a '.yaml' or
              '.yml' extension (case-insensitive) selects the YAML reader.

        Raises:
          InvalidFilter: if no valid file system find specifications are built.
        """
        environment_variables = knowledge_base_object.GetEnvironmentVariables()

        if artifact_filter_names:
            logger.debug(
                'building find specification based on artifacts: {0:s}'.format(
                    ', '.join(artifact_filter_names)))

            registry = BaseEngine.BuildArtifactsRegistry(
                artifact_definitions_path, custom_artifacts_path)
            helper = artifact_filters.ArtifactDefinitionsFiltersHelper(
                registry, knowledge_base_object)
            self.collection_filters_helper = helper

            helper.BuildFindSpecs(
                artifact_filter_names,
                environment_variables=environment_variables)

            # Registry key filters are only useful if the Windows Registry files
            # themselves get collected, so add the artifacts that select them.
            if helper.registry_find_specs:
                helper.BuildFindSpecs(
                    self._WINDOWS_REGISTRY_FILES_ARTIFACT_NAMES,
                    environment_variables=environment_variables)

            if not helper.included_file_system_find_specs:
                raise errors.InvalidFilter(
                    'No valid file system find specifications were built from '
                    'artifacts.')

        elif filter_file_path:
            logger.debug(
                'building find specification based on filter file: {0:s}'.
                format(filter_file_path))

            # The file extension selects the reader; everything that is not
            # YAML goes through the plain FilterFile reader.
            is_yaml = filter_file_path.lower().endswith(('.yaml', '.yml'))
            if is_yaml:
                reader = yaml_filter_file.YAMLFilterFile()
            else:
                reader = filter_file.FilterFile()
            path_filter_list = reader.ReadFromFile(filter_file_path)

            helper = path_filters.PathCollectionFiltersHelper()
            self.collection_filters_helper = helper
            helper.BuildFindSpecs(
                path_filter_list,
                environment_variables=environment_variables)

            # A filter file that yields neither inclusions nor exclusions would
            # silently collect nothing, so treat it as an error.
            has_excludes = bool(helper.excluded_file_system_find_specs)
            has_includes = bool(helper.included_file_system_find_specs)
            if not has_excludes and not has_includes:
                raise errors.InvalidFilter((
                    'No valid file system find specifications were built from filter '
                    'file: {0:s}.').format(filter_file_path))
    def BuildFilterFindSpecs(self,
                             artifact_definitions_path,
                             custom_artifacts_path,
                             knowledge_base_object,
                             artifact_filter_names=None,
                             filter_file_path=None):
        """Builds find specifications from artifacts or a filter file.

        Artifact filter names take precedence over a filter file: when both are
        given only the artifact definitions are used. In the artifact case the
        helper is kept in self._artifacts_filter_helper. When neither argument
        is given nothing is built and None is returned.

        Args:
          artifact_definitions_path (str): path to artifact definitions file.
          custom_artifacts_path (str): path to custom artifact definitions file.
          knowledge_base_object (KnowledgeBase): knowledge base; its environment
              variables are used when building the find specifications.
          artifact_filter_names (Optional[list[str]]): names of artifact
              definitions that are used for filtering file system and Windows
              Registry key paths.
          filter_file_path (Optional[str]): path of filter file.

        Returns:
          list[dfvfs.FindSpec]: find specifications for the file source type,
              or None when neither artifact filter names nor a filter file path
              was provided.

        Raises:
          InvalidFilter: if filters were requested but no valid file system
              find specifications were built.
        """
        environment_variables = knowledge_base_object.GetEnvironmentVariables()
        find_specs = None

        if artifact_filter_names:
            names_text = ', '.join(artifact_filter_names)
            logger.debug(
                'building find specification based on artifacts: {0:s}'.format(
                    names_text))

            registry = BaseEngine.BuildArtifactsRegistry(
                artifact_definitions_path, custom_artifacts_path)
            helper = artifact_filters.ArtifactDefinitionsFilterHelper(
                registry, knowledge_base_object)
            self._artifacts_filter_helper = helper

            helper.BuildFindSpecs(
                artifact_filter_names,
                environment_variables=environment_variables)

            # Registry key filters are only useful if the Windows Registry files
            # themselves get collected, so add the artifacts that select them.
            if helper.registry_find_specs:
                helper.BuildFindSpecs(
                    self._WINDOWS_REGISTRY_FILES_ARTIFACT_NAMES,
                    environment_variables=environment_variables)

            find_specs = helper.file_system_find_specs
            if not find_specs:
                raise errors.InvalidFilter(
                    'No valid file system find specifications were built from '
                    'artifacts.')

        elif filter_file_path:
            logger.debug(
                'building find specification based on filter file: {0:s}'.
                format(filter_file_path))

            reader = filter_file.FilterFile(filter_file_path)
            find_specs = reader.BuildFindSpecs(
                environment_variables=environment_variables)
            if not find_specs:
                raise errors.InvalidFilter(
                    'No valid file system find specifications were built from filter '
                    'file.')

        return find_specs