def Start(self): """For each artifact, create subflows for each collector.""" self.client = aff4.FACTORY.Open(self.client_id, token=self.token) self.state.artifacts_failed = [] self.state.artifacts_skipped_due_to_condition = [] self.state.called_fallbacks = set() self.state.failed_count = 0 self.state.knowledge_base = self.args.knowledge_base self.state.response_count = 0 if (self.args.dependencies == artifact_utils.ArtifactCollectorFlowArgs.Dependency.FETCH_NOW): # String due to dependency loop with discover.py. self.CallFlow("Interrogate", next_state="StartCollection") return elif (self.args.dependencies == artifact_utils.ArtifactCollectorFlowArgs. Dependency.USE_CACHED) and (not self.state.knowledge_base): # If not provided, get a knowledge base from the client. try: self.state.knowledge_base = artifact.GetArtifactKnowledgeBase( self.client) except artifact_utils.KnowledgeBaseUninitializedError: # If no-one has ever initialized the knowledge base, we should do so # now. if not self._AreArtifactsKnowledgeBaseArtifacts(): # String due to dependency loop with discover.py. self.CallFlow("Interrogate", next_state="StartCollection") return # In all other cases start the collection state. self.CallState(next_state="StartCollection")
def Start(self): """Issue the artifact collection request.""" super(ClientArtifactCollector, self).Start() self.state.knowledge_base = self.args.knowledge_base self.processed_artifacts = set() self.state.response_count = 0 # TODO(user): Fill the knowledge base on the client side and remove the # field knowledge_base from ClientArtifactCollectorArgs dependency = artifact_utils.ArtifactCollectorFlowArgs.Dependency if self.args.dependencies == dependency.FETCH_NOW: # String due to dependency loop with discover.py. self.CallFlow("Interrogate", next_state="StartCollection") return if (self.args.dependencies == dependency.USE_CACHED and not self.state.knowledge_base): # If not provided, get a knowledge base from the client. try: with aff4.FACTORY.Open(self.client_id, token=self.token) as client: self.state.knowledge_base = artifact.GetArtifactKnowledgeBase(client) except artifact_utils.KnowledgeBaseUninitializedError: # If no-one has ever initialized the knowledge base, we should do so # now. if not self._AreArtifactsKnowledgeBaseArtifacts(): # String due to dependency loop with discover.py. self.CallFlow("Interrogate", next_state="StartCollection") return # In all other cases start the collection state. self.CallStateInline(next_state="StartCollection")
def ParseRunKeys(self, responses): """Get filenames from the RunKeys and download the files.""" filenames = [] client = aff4.FACTORY.Open(self.client_id, mode="r", token=self.token) kb = artifact.GetArtifactKnowledgeBase(client) for response in responses: runkey = response.registry_data.string environ_vars = artifact_utils.GetWindowsEnvironmentVariablesMap(kb) path_guesses = path_detection_windows.DetectExecutablePaths( [runkey], environ_vars) if not path_guesses: self.Log("Couldn't guess path for %s", runkey) for path in path_guesses: filenames.append( rdf_paths.PathSpec( path=path, pathtype=rdf_paths.PathSpec.PathType.TSK)) if filenames: self.CallFlow(transfer.MultiGetFile.__name__, pathspecs=filenames, next_state="Done")
def _ReadClientKnowledgeBase(client_id, allow_uninitialized=False, token=None): if data_store.RelationalDBEnabled(): client = data_store.REL_DB.ReadClientSnapshot(client_id) return artifact.GetKnowledgeBase( client, allow_uninitialized=allow_uninitialized) else: client = aff4.FACTORY.Open(client_id, token=token) return artifact.GetArtifactKnowledgeBase( client, allow_uninitialized=allow_uninitialized)
def StartCollection(self, responses): """Start collecting.""" if not responses.success: raise artifact_utils.KnowledgeBaseUninitializedError( "Attempt to initialize Knowledge Base failed.") if not self.state.knowledge_base: with aff4.FACTORY.Open(self.client_id, token=self.token) as client: # If we are processing the knowledge base, it still won't exist yet. self.state.knowledge_base = artifact.GetArtifactKnowledgeBase( client, allow_uninitialized=True) request = GetArtifactCollectorArgs( self.state.knowledge_base, self.args.artifact_list, self.args.apply_parsers, self.args.ignore_interpolation_errors, self.args.use_tsk, self.args.max_file_size) self.CollectArtifacts(request)
def StartCollection(self, responses): """Start collecting.""" if not responses.success: raise artifact_utils.KnowledgeBaseUninitializedError( "Attempt to initialize Knowledge Base failed.") if not self.state.knowledge_base: self.client = aff4.FACTORY.Open(self.client_id, token=self.token) # If we are processing the knowledge base, it still won't exist yet. self.state.knowledge_base = artifact.GetArtifactKnowledgeBase( self.client, allow_uninitialized=True) for artifact_name in self.args.artifact_list: artifact_obj = artifact_registry.REGISTRY.GetArtifact(artifact_name) # Ensure artifact has been written sanely. Note that this could be # removed if it turns out to be expensive. Artifact tests should catch # these. artifact_registry.Validate(artifact_obj) self.Collect(artifact_obj)
def FindMatchingPathspecs(self, response): # If we're dealing with plain file StatEntry, just # return it's pathspec - there's nothing to parse # and guess. if (isinstance(response, rdf_client.StatEntry) and response.pathspec.pathtype in [ rdf_paths.PathSpec.PathType.TSK, rdf_paths.PathSpec.PathType.OS ]): return [response.pathspec] client = aff4.FACTORY.Open(self.client_id, token=self.token) knowledge_base = artifact.GetArtifactKnowledgeBase(client) if self.args.use_tsk: path_type = rdf_paths.PathSpec.PathType.TSK else: path_type = rdf_paths.PathSpec.PathType.OS p = windows_persistence.WindowsPersistenceMechanismsParser() parsed_items = p.Parse(response, knowledge_base, path_type) return [item.pathspec for item in parsed_items]