Consider adding a FindSpec artifact definition

Question

Consider adding a FindSpec artifact definition

joachimmetz opened this issue 6 years ago · 2 comments

Though most artifacts (so far) are path/file based it would be useful to be able to specify paths in a more flexible way similar to find specs (as provided in GRR and dfVFS).

Answer 1 · 2018-08-23T08:32:58.000Z

Maybe not an artifact type but a replacement / alternative for paths e.g. now

name: MacOSAppleSystemLogFiles
doc: Apple system log (ASL) files
sources:
- type: FILE
  attributes: {paths: ['/var/log/asl/*']}
labels: [System, Logs]
supported_os: [Darwin]
urls:
- 'http://forensicswiki.org/wiki/Mac_OS_X'
- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Logs'

with find spec

name: MacOSAppleSystemLogFiles
doc: Apple system log (ASL) files
sources:
- type: FILE
  attributes:
    find_specs:
      - paths: ['/var/log/asl']
        filenames: ['*']
labels: [System, Logs]
supported_os: [Darwin]
urls:
- 'http://forensicswiki.org/wiki/Mac_OS_X'
- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Logs'

Answer 2 · 2018-08-27T06:07:57.000Z

Maybe instead of find_specs name this path_filters?