OWNsecurity / fastir_artifacts

Live forensic artifacts collector
https://medium.com/@Sekoia_team/introducing-fastir-artifacts-66f1d43fcac5
GNU General Public License v3.0

feat: add support for FileInfo artifact source type #8

Closed gaelmuller closed 4 years ago

gaelmuller commented 4 years ago

Add support for a custom artifact source type FILE_INFO which can be used to collect information about the file without collecting its content:

ant1 commented 4 years ago

There should be an example of how to use it; for instance, in the examples directory add a file with:

```yaml
name: System32 Metadata
doc: Metadata about dll and exe files in System32.
sources:
- type: FILE_INFO
  attributes:
    paths:
    - '%%environ_systemroot%%\System32\*.dll'
    - '%%environ_systemroot%%\System32\*.exe'
    - '%%environ_systemroot%%\System32\**\*.dll'
    - '%%environ_systemroot%%\System32\**\*.exe'
    separator: '\'
supported_os: [Windows]
```
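As an added illustration (not code from this PR or from fastir_artifacts), here is a Python sketch of what a FILE_INFO source collects: it expands `%%environ_systemroot%%` from a caller-supplied mapping, resolves the path patterns including `**`, and records lstat() metadata without ever opening the files. The source dictionary, the POSIX `/` separator and the temporary System32 look-alike tree are constructed for the example.

```python
import glob
import os
import stat
import tempfile
import time

# Constructed sample in the shape of the artifact above; on a POSIX host the
# separator is '/' and environ_systemroot comes from the caller, not the OS.
SAMPLE_SOURCE = {"type": "FILE_INFO", "attributes": {
    "paths": ["%%environ_systemroot%%/System32/*.dll",
              "%%environ_systemroot%%/System32/**/*.exe"],
    "separator": "/"}}


def expand_variables(pattern, variables):
    """Replace %%name%% placeholders using the supplied mapping."""
    for name, value in variables.items():
        pattern = pattern.replace(f"%%{name}%%", value)
    return pattern


def file_info(path):
    """Metadata for one file via lstat(); the content is never opened or hashed."""
    st = os.lstat(path)
    ts = lambda t: time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(t))
    return {"path": path, "size": st.st_size, "mode": stat.filemode(st.st_mode),
            "mtime": ts(st.st_mtime), "atime": ts(st.st_atime), "ctime": ts(st.st_ctime)}


def collect_file_info(source, variables):
    """Expand each pattern (** recurses) and return one record per matching file."""
    if source.get("type") != "FILE_INFO":
        raise ValueError("expected a FILE_INFO source")
    attrs = source["attributes"]
    sep = attrs.get("separator", os.sep)
    seen, records = set(), []
    for pattern in attrs["paths"]:
        expanded = expand_variables(pattern, variables).replace(sep, os.sep)
        for match in sorted(glob.glob(expanded, recursive=True)):
            if match not in seen and not os.path.isdir(match):
                seen.add(match)
                records.append(file_info(match))
    return records


def build_sample_tree():
    """Constructed System32 look-alike in a temp dir; returns the fake systemroot."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "System32", "drivers"))
    for rel in ("a.dll", "b.exe", "c.txt", "drivers/d.exe", "drivers/e.dll"):
        with open(os.path.join(root, "System32", rel), "w") as fh:
            fh.write("xyz")
    return root
```

Running `collect_file_info(SAMPLE_SOURCE, {"environ_systemroot": build_sample_tree()})` yields records for a.dll, b.exe and drivers/d.exe only, since the first pattern is not recursive and c.txt matches nothing.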