def _MeetsConditions(self, source):
  """Check conditions on the source.

  Any OS restriction declared on the source is first converted into an
  ordinary condition and appended to ``source.conditions`` (the source object
  is mutated in place). Every condition is then evaluated against the client's
  knowledge base; all of them are evaluated, none is skipped after a failure.

  Args:
    source: An artifact source whose ``conditions`` are to be evaluated.

  Returns:
    True when every condition holds for this client, False otherwise.
  """
  os_condition = ConvertSupportedOSToConditions(source)
  if os_condition:
    # NOTE: this appends on every call, so evaluating the same source twice
    # leaves a duplicate condition behind (the verdict is unaffected).
    source.conditions.append(os_condition)

  verdict = True
  for cond in source.conditions:
    # Bitwise-and keeps checking the remaining conditions even after one has
    # already failed, i.e. there is no short-circuit.
    verdict &= artifact_utils.CheckCondition(cond, self.args.knowledge_base)
  return verdict
def Collect(self, artifact_obj):
  """Collect the raw data from the client for this artifact.

  Artifact-level conditions are evaluated first; the first one that does not
  hold for this client is recorded in
  ``self.state.artifacts_skipped_due_to_condition`` and the whole artifact is
  skipped. Otherwise each source is checked against its own conditions (all
  of them are evaluated) and, when they hold, handed to the handler for its
  declared source type. The only validation applied to a source is that type
  check, so the artifact definition is effectively trusted here: a COMMAND
  source, for instance, goes straight to ``RunCommand`` on the client. A
  source whose type has no handler raises rather than being ignored.

  Args:
    artifact_obj: The artifact definition (name, conditions, sources).

  Raises:
    RuntimeError: If a source declares a type this collector does not handle.
  """
  artifact_name = artifact_obj.name

  # Artifact-level gate: the first failing condition skips the artifact.
  artifact_conditions = list(artifact_obj.conditions)
  self.ConvertSupportedOSToConditions(artifact_obj, artifact_conditions)
  for cond in artifact_conditions:
    if artifact_utils.CheckCondition(cond, self.state.knowledge_base):
      continue
    logging.debug("Artifact %s condition %s failed on %s", artifact_name,
                  cond, self.client_id)
    self.state.artifacts_skipped_due_to_condition.append(
        (artifact_name, cond))
    return

  source_type = artifact_registry.ArtifactSource.SourceType
  # Source type -> handler. Lambdas resolve the bound method at call time.
  # PATH is deliberately a no-op: GRR ignores PATH sources, which are only
  # useful to plaso during bootstrapping when the registry is unavailable;
  # the intention is to remove this type in favor of a default fallback.
  # TODO(user): LIST_FILES will be replaced in favor of DIRECTORY as used by
  # the public artifacts repo.
  # ARTIFACT is the legacy name for ARTIFACT_GROUP
  # per: https://github.com/ForensicArtifacts/artifacts/pull/143
  # TODO(user): remove legacy support after migration.
  handlers = {
      source_type.COMMAND: lambda src: self.RunCommand(src),
      source_type.DIRECTORY: lambda src: self.Glob(src, self.GetPathType()),
      source_type.LIST_FILES: lambda src: self.Glob(src, self.GetPathType()),
      source_type.FILE: lambda src: self.GetFiles(
          src, self.GetPathType(), self.args.max_file_size),
      source_type.GREP: lambda src: self.Grep(src, self.GetPathType()),
      source_type.PATH: lambda src: None,
      source_type.REGISTRY_KEY: lambda src: self.GetRegistryKey(src),
      source_type.REGISTRY_VALUE: lambda src: self.GetRegistryValue(src),
      source_type.WMI: lambda src: self.WMIQuery(src),
      source_type.REKALL_PLUGIN: lambda src: self.RekallPlugin(src),
      source_type.ARTIFACT: lambda src: self.CollectArtifacts(src),
      source_type.ARTIFACT_GROUP: lambda src: self.CollectArtifacts(src),
      source_type.ARTIFACT_FILES: lambda src: self.CollectArtifactFiles(src),
      source_type.GRR_CLIENT_ACTION: lambda src: self.RunGrrClientAction(src),
  }

  for source in artifact_obj.sources:
    self.ConvertSupportedOSToConditions(source, source.conditions)
    # Every source condition is evaluated; there is no short-circuit.
    unmet = [
        cond for cond in source.conditions
        if not artifact_utils.CheckCondition(cond, self.state.knowledge_base)
    ]
    if unmet:
      logging.debug(
          "Artifact %s no sources run due to all sources "
          "having failing conditions on %s", artifact_name, self.client_id)
      continue

    type_name = source.type
    self.current_artifact_name = artifact_name
    handler = handlers.get(type_name)
    if handler is None:
      raise RuntimeError("Invalid type %s in %s" % (type_name, artifact_name))
    handler(source)
def Collect(self, artifact_obj):
  """Collect the raw data from the client for this artifact.

  Artifact-level conditions are evaluated first; the first one that does not
  hold for this client is recorded in
  ``self.state.artifacts_skipped_due_to_condition`` and the whole artifact is
  skipped. Otherwise each source is checked against its own conditions (all
  of them are evaluated) and, when they hold, handed to the handler for its
  declared source type. The only validation applied to a source is that type
  check, so the artifact definition is effectively trusted here: a COMMAND
  source, for instance, goes straight to ``RunCommand`` on the client. A
  source whose type has no handler raises rather than being ignored.

  Args:
    artifact_obj: The artifact definition (name, conditions, sources).

  Raises:
    RuntimeError: If a source declares a type this collector does not handle.
  """
  artifact_name = artifact_obj.name

  # Artifact-level gate: the first failing condition skips the artifact.
  artifact_conditions = list(artifact_obj.conditions)
  self.ConvertSupportedOSToConditions(artifact_obj, artifact_conditions)
  for cond in artifact_conditions:
    if artifact_utils.CheckCondition(cond, self.state.knowledge_base):
      continue
    logging.debug("Artifact %s condition %s failed on %s", artifact_name,
                  cond, self.client_id)
    self.state.artifacts_skipped_due_to_condition.append(
        (artifact_name, cond))
    return

  source_type = artifact_registry.ArtifactSource.SourceType
  # Source type -> handler. Lambdas resolve the bound method at call time.
  # PATH is deliberately a no-op: GRR ignores PATH sources, which are only
  # useful to plaso during bootstrapping when the registry is unavailable.
  handlers = {
      source_type.COMMAND: lambda src: self.RunCommand(src),
      source_type.FILE: lambda src: self.GetFiles(
          src, self.state.path_type, self.args.max_file_size),
      source_type.GREP: lambda src: self.Grep(src, self.state.path_type),
      source_type.LIST_FILES: lambda src: self.Glob(src, self.state.path_type),
      source_type.PATH: lambda src: None,
      source_type.REGISTRY_KEY: lambda src: self.GetRegistryKey(src),
      source_type.REGISTRY_VALUE: lambda src: self.GetRegistryValue(src),
      source_type.WMI: lambda src: self.WMIQuery(src),
      source_type.REKALL_PLUGIN: lambda src: self.RekallPlugin(src),
      source_type.ARTIFACT: lambda src: self.CollectArtifacts(src),
      source_type.ARTIFACT_FILES: lambda src: self.CollectArtifactFiles(src),
      source_type.GRR_CLIENT_ACTION: lambda src: self.RunGrrClientAction(src),
  }

  for source in artifact_obj.sources:
    self.ConvertSupportedOSToConditions(source, source.conditions)
    # Every source condition is evaluated; there is no short-circuit.
    unmet = [
        cond for cond in source.conditions
        if not artifact_utils.CheckCondition(cond, self.state.knowledge_base)
    ]
    if unmet:
      logging.debug(
          "Artifact %s no sources run due to all sources "
          "having failing conditions on %s", artifact_name, self.client_id)
      continue

    type_name = source.type
    self.current_artifact_name = artifact_name
    handler = handlers.get(type_name)
    if handler is None:
      raise RuntimeError("Invalid type %s in %s" % (type_name, artifact_name))
    handler(source)