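def MeetsConditions(knowledge_base, source):
  """Check whether every condition attached to an artifact source holds.

  Args:
    knowledge_base: The client knowledge base that the conditions are
      evaluated against (passed through to `artifact_utils.CheckCondition`).
    source: An artifact source exposing a `conditions` list. Its
      `supported_os` (if any) is translated into one extra condition via
      `ConvertSupportedOSToConditions`.

  Returns:
    True if no condition fails (a source with no conditions at all passes),
    False otherwise.
  """
  # Work on a local copy. The previous implementation appended the derived
  # OS condition to `source.conditions` itself, so every call mutated the
  # shared source object and the list grew by one OS condition per call.
  conditions = list(source.conditions)
  os_conditions = ConvertSupportedOSToConditions(source)
  if os_conditions:
    conditions.append(os_conditions)
  # Evaluate every condition (no short-circuit, matching the original
  # accumulate-all behaviour) and collapse the results to a plain bool.
  results = [
      artifact_utils.CheckCondition(condition, knowledge_base)
      for condition in conditions
  ]
  return all(results)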
def Collect(self, artifact_obj):
  """Collect the raw data from the client for this artifact.

  Artifact-level conditions are evaluated first; the first failure records
  the artifact in `state.artifacts_skipped_due_to_condition` and nothing is
  collected. Otherwise every source whose own conditions all hold is handed
  to the handler for its source type (COMMAND runs `RunCommand`,
  GRR_CLIENT_ACTION runs `RunGrrClientAction`, and so on), so the artifact
  definition decides what is executed on the client.

  Args:
    artifact_obj: The artifact definition whose sources should be collected.

  Raises:
    NotImplementedError: For REKALL_PLUGIN sources, which are no longer
      supported.
    RuntimeError: If a source carries a type this method does not handle.
  """
  artifact_name = artifact_obj.name
  # Register the artifact up front so it shows in progress even with 0 results.
  self._GetOrInsertArtifactProgress(artifact_name)

  def Conditions(obj):
    """Return obj's conditions plus the one derived from its supported_os."""
    conds = list(obj.conditions)
    derived = ConvertSupportedOSToConditions(obj)
    if derived:
      conds.append(derived)
    return conds

  def Holds(condition):
    """Evaluate a single condition against the current knowledge base."""
    return artifact_utils.CheckCondition(condition, self.state.knowledge_base)

  # Artifact-level gate: the first failing condition skips the whole artifact.
  for condition in Conditions(artifact_obj):
    if Holds(condition):
      continue
    logging.debug("Artifact %s condition %s failed on %s", artifact_name,
                  condition, self.client_id)
    self.state.artifacts_skipped_due_to_condition.append(
        (artifact_name, condition))
    return

  source_type = rdf_artifacts.ArtifactSource.SourceType
  PathType = lambda: _GetPathType(self.args, self.client_os)
  ImplType = lambda: _GetImplementationType(self.args)

  for source in artifact_obj.sources:
    # Source-level gate: every condition is evaluated (no short-circuit); a
    # single failure disables just this source, not the artifact.
    failed = [c for c in Conditions(source) if not Holds(c)]
    if failed:
      logging.debug(
          "Artifact %s no sources run due to all sources "
          "having failing conditions on %s", artifact_name, self.client_id)
      continue

    self.current_artifact_name = artifact_name
    type_name = source.type

    if type_name == source_type.REKALL_PLUGIN:
      raise NotImplementedError(
          "Running Rekall artifacts is not supported anymore.")

    # (type, handler) pairs. Handlers are thunks so argument helpers such as
    # _GetPathType only run for the type that actually matches.
    dispatch = (
        (source_type.COMMAND, lambda: self.RunCommand(source)),
        # TODO(hanuszczak): `DIRECTORY` is deprecated [1], it should be removed.
        #
        # [1]: https://github.com/ForensicArtifacts/artifacts/pull/475
        (source_type.DIRECTORY,
         lambda: self.Glob(source, PathType(), ImplType())),
        (source_type.PATH,
         lambda: self.Glob(source, PathType(), ImplType())),
        (source_type.FILE,
         lambda: self.GetFiles(source, PathType(), ImplType(),
                               self.args.max_file_size)),
        (source_type.GREP,
         lambda: self.Grep(source, PathType(), ImplType())),
        (source_type.REGISTRY_KEY, lambda: self.GetRegistryKey(source)),
        (source_type.REGISTRY_VALUE, lambda: self.GetRegistryValue(source)),
        (source_type.WMI, lambda: self.WMIQuery(source)),
        (source_type.ARTIFACT_GROUP, lambda: self.CollectArtifacts(source)),
        (source_type.ARTIFACT_FILES,
         lambda: self.CollectArtifactFiles(source)),
        (source_type.GRR_CLIENT_ACTION,
         lambda: self.RunGrrClientAction(source)),
    )
    for candidate, handler in dispatch:
      if type_name == candidate:
        handler()
        break
    else:
      raise RuntimeError("Invalid type %s in %s" % (type_name, artifact_name))
def Collect(self, artifact_obj):
  """Collect the raw data from the client for this artifact.

  Artifact-level conditions are evaluated first; the first failure records
  the artifact in `state.artifacts_skipped_due_to_condition` and nothing is
  collected. Otherwise every source whose own conditions all hold is handed
  to the handler for its source type (COMMAND runs `RunCommand`,
  GRR_CLIENT_ACTION runs `RunGrrClientAction`, and so on), so the artifact
  definition decides what is executed on the client. PATH sources are
  accepted but deliberately not collected.

  Args:
    artifact_obj: The artifact definition whose sources should be collected.

  Raises:
    NotImplementedError: For REKALL_PLUGIN sources, which are no longer
      supported.
    RuntimeError: If a source carries a type this method does not handle.
  """
  artifact_name = artifact_obj.name
  # Register the artifact up front so it shows in progress even with 0 results.
  self._GetOrInsertArtifactProgress(artifact_name)

  def Conditions(obj):
    """Return obj's conditions plus the one derived from its supported_os."""
    conds = list(obj.conditions)
    derived = ConvertSupportedOSToConditions(obj)
    if derived:
      conds.append(derived)
    return conds

  def Holds(condition):
    """Evaluate a single condition against the current knowledge base."""
    return artifact_utils.CheckCondition(condition, self.state.knowledge_base)

  # Artifact-level gate: the first failing condition skips the whole artifact.
  for condition in Conditions(artifact_obj):
    if Holds(condition):
      continue
    logging.debug("Artifact %s condition %s failed on %s", artifact_name,
                  condition, self.client_id)
    self.state.artifacts_skipped_due_to_condition.append(
        (artifact_name, condition))
    return

  source_type = rdf_artifacts.ArtifactSource.SourceType
  PathType = lambda: _GetPathType(self.args, self.client_os)

  for source in artifact_obj.sources:
    # Source-level gate: every condition is evaluated (no short-circuit); a
    # single failure disables just this source, not the artifact.
    failed = [c for c in Conditions(source) if not Holds(c)]
    if failed:
      logging.debug(
          "Artifact %s no sources run due to all sources "
          "having failing conditions on %s", artifact_name, self.client_id)
      continue

    self.current_artifact_name = artifact_name
    type_name = source.type

    if type_name == source_type.REKALL_PLUGIN:
      raise NotImplementedError(
          "Running Rekall artifacts is not supported anymore.")

    # (type, handler) pairs. Handlers are thunks so argument helpers such as
    # _GetPathType only run for the type that actually matches.
    dispatch = (
        (source_type.COMMAND, lambda: self.RunCommand(source)),
        (source_type.DIRECTORY, lambda: self.Glob(source, PathType())),
        (source_type.FILE,
         lambda: self.GetFiles(source, PathType(), self.args.max_file_size)),
        (source_type.GREP, lambda: self.Grep(source, PathType())),
        # TODO(user): GRR currently ignores PATH types, they are currently
        # only useful to plaso during bootstrapping when the registry is
        # unavailable. The intention is to remove this type in favor of a
        # default fallback mechanism.
        (source_type.PATH, lambda: None),
        (source_type.REGISTRY_KEY, lambda: self.GetRegistryKey(source)),
        (source_type.REGISTRY_VALUE, lambda: self.GetRegistryValue(source)),
        (source_type.WMI, lambda: self.WMIQuery(source)),
        (source_type.ARTIFACT_GROUP, lambda: self.CollectArtifacts(source)),
        (source_type.ARTIFACT_FILES,
         lambda: self.CollectArtifactFiles(source)),
        (source_type.GRR_CLIENT_ACTION,
         lambda: self.RunGrrClientAction(source)),
    )
    for candidate, handler in dispatch:
      if type_name == candidate:
        handler()
        break
    else:
      raise RuntimeError("Invalid type %s in %s" % (type_name, artifact_name))