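def MeetsConditions(knowledge_base, source):
  """Check whether every condition declared on `source` holds for the client.

  The source's own `conditions` are evaluated together with the condition
  derived from its supported-OS list (via ConvertSupportedOSToConditions).

  Args:
    knowledge_base: The client knowledge base the conditions are evaluated
      against; passed through to artifact_utils.CheckCondition.
    source: An artifact source exposing a `conditions` list plus whatever
      ConvertSupportedOSToConditions reads from it.

  Returns:
    True if all conditions hold (trivially True when there are none),
    False otherwise. Always a plain bool.
  """
  # Work on a copy. The previous version appended the OS condition to
  # source.conditions itself, so every call on the same source object grew
  # its condition list by one duplicate entry.
  conditions = list(source.conditions)
  os_conditions = ConvertSupportedOSToConditions(source)
  if os_conditions:
    conditions.append(os_conditions)

  # Every condition is still evaluated (no short-circuit) as before; the
  # bitwise `&=` accumulation is replaced by all() so the result is a bool
  # even if CheckCondition returns a truthy non-bool.
  results = [
      artifact_utils.CheckCondition(condition, knowledge_base)
      for condition in conditions
  ]
  return all(results)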
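  def Collect(self, artifact_obj):
    """Collect the raw data from the client for this artifact.

    The artifact's own conditions (plus the one derived from its supported
    OS list) are checked first; the first failing one skips the whole
    artifact and is recorded in
    `self.state.artifacts_skipped_due_to_condition`. Each source whose own
    conditions hold is then dispatched to the collector for its type;
    sources with failing conditions are only logged, not recorded in state.

    Args:
      artifact_obj: The artifact definition; its `name`, `conditions` and
        `sources` are read here.

    Raises:
      NotImplementedError: For REKALL_PLUGIN sources, which are no longer
        supported.
      RuntimeError: For a source type this collector has no handler for.
    """
    artifact_name = artifact_obj.name

    # Ensure attempted artifacts are shown in progress, even with 0 results.
    self._GetOrInsertArtifactProgress(artifact_name)

    knowledge_base = self.state.knowledge_base

    def conditions_with_os(obj):
      """Return a fresh list of obj.conditions plus its supported-OS condition.

      A copy is returned so the artifact/source definition is never mutated.
      """
      conditions = list(obj.conditions)
      os_conditions = ConvertSupportedOSToConditions(obj)
      if os_conditions:
        conditions.append(os_conditions)
      return conditions

    # Artifact-level gate: stop at the first failing condition and record it.
    for condition in conditions_with_os(artifact_obj):
      if not artifact_utils.CheckCondition(condition, knowledge_base):
        logging.debug("Artifact %s condition %s failed on %s", artifact_name,
                      condition, self.client_id)
        self.state.artifacts_skipped_due_to_condition.append(
            (artifact_name, condition))
        return

    source_type = rdf_artifacts.ArtifactSource.SourceType

    # Call the source defined action for each source whose conditions hold.
    for source in artifact_obj.sources:
      # Source-level gate, evaluated like the artifact-level one above.
      if not all(
          artifact_utils.CheckCondition(condition, knowledge_base)
          for condition in conditions_with_os(source)):
        # Logged once per skipped source, so the message names that source
        # instead of claiming that every source of the artifact failed.
        logging.debug("Artifact %s source of type %s skipped due to "
                      "failing conditions on %s", artifact_name,
                      source.type, self.client_id)
        continue

      type_name = source.type
      self.current_artifact_name = artifact_name

      # NOTE(review): COMMAND, WMI and GRR_CLIENT_ACTION sources execute on
      # the client with the agent's privileges, so artifact definitions must
      # come from a trusted registry -- presumably enforced by whatever
      # supplies artifact_obj; confirm.
      if type_name == source_type.COMMAND:
        self.RunCommand(source)
      # TODO(hanuszczak): `DIRECTORY` is deprecated [1], it should be removed.
      #
      # [1]: https://github.com/ForensicArtifacts/artifacts/pull/475
      elif type_name in (source_type.DIRECTORY, source_type.PATH):
        self.Glob(source, _GetPathType(self.args, self.client_os),
                  _GetImplementationType(self.args))
      elif type_name == source_type.FILE:
        self.GetFiles(source, _GetPathType(self.args, self.client_os),
                      _GetImplementationType(self.args),
                      self.args.max_file_size)
      elif type_name == source_type.GREP:
        self.Grep(source, _GetPathType(self.args, self.client_os),
                  _GetImplementationType(self.args))
      elif type_name == source_type.REGISTRY_KEY:
        self.GetRegistryKey(source)
      elif type_name == source_type.REGISTRY_VALUE:
        self.GetRegistryValue(source)
      elif type_name == source_type.WMI:
        self.WMIQuery(source)
      elif type_name == source_type.REKALL_PLUGIN:
        raise NotImplementedError(
            "Running Rekall artifacts is not supported anymore.")
      elif type_name == source_type.ARTIFACT_GROUP:
        # NOTE(review): no recursion guard is visible here; assumes the
        # artifact registry rejects cyclic groups -- confirm.
        self.CollectArtifacts(source)
      elif type_name == source_type.ARTIFACT_FILES:
        self.CollectArtifactFiles(source)
      elif type_name == source_type.GRR_CLIENT_ACTION:
        self.RunGrrClientAction(source)
      else:
        raise RuntimeError("Invalid type %s in %s" %
                           (type_name, artifact_name))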
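  def Collect(self, artifact_obj):
    """Collect the raw data from the client for this artifact.

    Artifact-level conditions (its own `conditions` plus the one derived
    from its supported OS list) are checked first; the first failing one
    skips the whole artifact and is recorded in
    `self.state.artifacts_skipped_due_to_condition`. Each source whose own
    conditions hold is then dispatched to the collector for its type.
    PATH sources are deliberately ignored (see the TODO below); sources with
    failing conditions are only logged, not recorded in state.

    Args:
      artifact_obj: The artifact definition; its `name`, `conditions` and
        `sources` are read here.

    Raises:
      NotImplementedError: For REKALL_PLUGIN sources, which are no longer
        supported.
      RuntimeError: For a source type this collector has no handler for.
    """
    artifact_name = artifact_obj.name

    # Ensure attempted artifacts are shown in progress, even with 0 results.
    self._GetOrInsertArtifactProgress(artifact_name)

    knowledge_base = self.state.knowledge_base

    def _with_os_condition(obj):
      """Return a copy of obj.conditions extended with its supported-OS one.

      Copying keeps the artifact/source definition itself unmodified.
      """
      merged = list(obj.conditions)
      os_condition = ConvertSupportedOSToConditions(obj)
      if os_condition:
        merged.append(os_condition)
      return merged

    # Artifact-level gate: stop at the first failing condition and record it.
    for condition in _with_os_condition(artifact_obj):
      if not artifact_utils.CheckCondition(condition, knowledge_base):
        logging.debug("Artifact %s condition %s failed on %s", artifact_name,
                      condition, self.client_id)
        self.state.artifacts_skipped_due_to_condition.append(
            (artifact_name, condition))
        return

    source_type = rdf_artifacts.ArtifactSource.SourceType

    # Call the source defined action for each source whose conditions hold.
    for source in artifact_obj.sources:
      # Source-level gate, evaluated like the artifact-level one above.
      source_ok = all(
          artifact_utils.CheckCondition(condition, knowledge_base)
          for condition in _with_os_condition(source))
      if not source_ok:
        # Logged once per skipped source, so the message names that source
        # instead of claiming that every source of the artifact failed.
        logging.debug("Artifact %s source of type %s skipped due to "
                      "failing conditions on %s", artifact_name,
                      source.type, self.client_id)
        continue

      type_name = source.type
      self.current_artifact_name = artifact_name

      # NOTE(review): COMMAND, WMI and GRR_CLIENT_ACTION sources execute on
      # the client with the agent's privileges, so artifact definitions must
      # come from a trusted registry -- presumably enforced by whatever
      # supplies artifact_obj; confirm.
      if type_name == source_type.COMMAND:
        self.RunCommand(source)
      elif type_name == source_type.DIRECTORY:
        self.Glob(source, _GetPathType(self.args, self.client_os))
      elif type_name == source_type.FILE:
        self.GetFiles(source, _GetPathType(self.args, self.client_os),
                      self.args.max_file_size)
      elif type_name == source_type.GREP:
        self.Grep(source, _GetPathType(self.args, self.client_os))
      elif type_name == source_type.PATH:
        # TODO(user): GRR currently ignores PATH types, they are currently
        # only useful to plaso during bootstrapping when the registry is
        # unavailable. The intention is to remove this type in favor of a
        # default fallback mechanism.
        pass
      elif type_name == source_type.REGISTRY_KEY:
        self.GetRegistryKey(source)
      elif type_name == source_type.REGISTRY_VALUE:
        self.GetRegistryValue(source)
      elif type_name == source_type.WMI:
        self.WMIQuery(source)
      elif type_name == source_type.REKALL_PLUGIN:
        raise NotImplementedError(
            "Running Rekall artifacts is not supported anymore.")
      elif type_name == source_type.ARTIFACT_GROUP:
        # NOTE(review): no recursion guard is visible here; assumes the
        # artifact registry rejects cyclic groups -- confirm.
        self.CollectArtifacts(source)
      elif type_name == source_type.ARTIFACT_FILES:
        self.CollectArtifactFiles(source)
      elif type_name == source_type.GRR_CLIENT_ACTION:
        self.RunGrrClientAction(source)
      else:
        raise RuntimeError("Invalid type %s in %s" %
                           (type_name, artifact_name))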