def Start(self):
"""For each artifact, create subflows for each collector."""
self.client = aff4.FACTORY.Open(self.client_id, token=self.token)
self.state.artifacts_failed = []
self.state.artifacts_skipped_due_to_condition = []
self.state.called_fallbacks = set()
self.state.failed_count = 0
self.state.knowledge_base = self.args.knowledge_base
self.state.response_count = 0
if (self.args.dependencies ==
artifact_utils.ArtifactCollectorFlowArgs.Dependency.FETCH_NOW):
# String due to dependency loop with discover.py.
self.CallFlow("Interrogate", next_state="StartCollection")
return
elif (self.args.dependencies
== artifact_utils.ArtifactCollectorFlowArgs.Dependency.USE_CACHED
) and (not self.state.knowledge_base):
# If not provided, get a knowledge base from the client.
try:
self.state.knowledge_base = artifact.GetArtifactKnowledgeBase(
self.client)
except artifact_utils.KnowledgeBaseUninitializedError:
# If no-one has ever initialized the knowledge base, we should do so
# now.
if not self._AreArtifactsKnowledgeBaseArtifacts():
# String due to dependency loop with discover.py.
self.CallFlow("Interrogate", next_state="StartCollection")
return
# In all other cases start the collection state.
self.CallState(next_state="StartCollection")
def ParseRunKeys(self, responses):
"""Get filenames from the RunKeys and download the files."""
filenames = []
client = aff4.FACTORY.Open(self.client_id, mode="r", token=self.token)
kb = artifact.GetArtifactKnowledgeBase(client)
for response in responses:
runkey = response.registry_data.string
environ_vars = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
path_guesses = path_detection_windows.DetectExecutablePaths(
[runkey], environ_vars)
if not path_guesses:
self.Log("Couldn't guess path for %s", runkey)
for path in path_guesses:
filenames.append(
rdf_paths.PathSpec(
path=path, pathtype=rdf_paths.PathSpec.PathType.TSK))
if filenames:
self.CallFlow(transfer.MultiGetFile.__name__,
pathspecs=filenames,
next_state="Done")
def FindMatchingPathspecs(self, response):
# If we're dealing with plain file StatEntry, just
# return it's pathspec - there's nothing to parse
# and guess.
if (isinstance(response, rdf_client.StatEntry)
and response.pathspec.pathtype
in [paths.PathSpec.PathType.TSK, paths.PathSpec.PathType.OS]):
return [response.pathspec]
client = aff4.FACTORY.Open(self.client_id, token=self.token)
knowledge_base = artifact.GetArtifactKnowledgeBase(client)
if self.args.use_tsk:
path_type = paths.PathSpec.PathType.TSK
else:
path_type = paths.PathSpec.PathType.OS
parser = windows_persistence.WindowsPersistenceMechanismsParser()
parsed_items = parser.Parse(response, knowledge_base, path_type)
return [item.pathspec for item in parsed_items]
def StartCollection(self, responses):
"""Start collecting."""
if not responses.success:
raise artifact_utils.KnowledgeBaseUninitializedError(
"Attempt to initialize Knowledge Base failed.")
if not self.state.knowledge_base:
self.client = aff4.FACTORY.Open(self.client_id, token=self.token)
# If we are processing the knowledge base, it still won't exist yet.
self.state.knowledge_base = artifact.GetArtifactKnowledgeBase(
self.client, allow_uninitialized=True)
for artifact_name in self.args.artifact_list:
artifact_obj = self._GetArtifactFromName(artifact_name)
# Ensure artifact has been written sanely. Note that this could be
# removed if it turns out to be expensive. Artifact tests should catch
# these.
artifact_obj.Validate()
self.Collect(artifact_obj)
