fox-it / dissect.target

The Dissect module tying all other Dissect modules together. It provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets).
GNU Affero General Public License v3.0

Create plugin category system for target-query #598

Open DissectBot opened 4 months ago

DissectBot commented 4 months ago

The category system is created to serve two adjacent goals:

  1. Define a “killchain” category with a number of sub-categories (defined in the questionnaire spreadsheet).
  2. Have the user define their own categories specific to their investigation (e.g. plugins that output artifacts that hold clues to persistency).

Note that the words tags/categories can be used interchangeably: plugins are given a tag, while categories are sets of plugins. The difference is in the technical implementation.

In this case we go for the category implementation. A category is a list of strings of plugin (wildcard) names, which can be selected using a command-line parameter like --category <category_name>. This is then fed into the default plugin selection and execution mechanism. It should accept wildcards (using the fnmatch() functionality), to be able to do sub-categories. E.g. when a user has defined some tags but only wants to run the plugins related to the built-in killchain categories, they can do: killchain.*.

The default categories should be defined somewhere in query.py or a related file. The user defined categories can go into .targetcfg.py as variables. These variables must be prefixed with a well known prefix, like plugin_category_<category_name>.
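A sketch of the selection mechanism the issue describes, added here as an illustration and not code from dissect.target or the eventual pull request. It assumes a built-in category table (BUILTIN_CATEGORIES, whose plugin patterns are made up for the example), a prefix constant plugin_category_, and helper names (load_user_categories, resolve_categories, select_plugins) that are all hypothetical; the plugin names in the sample data are constructed. It shows the two fnmatch layers the proposal needs: the --category argument is matched against category names (so killchain.* expands to every killchain sub-category), and each category's entries are matched against the available plugin list (so a user category may itself contain wildcards).

```python
"""Sketch of --category selection for target-query.

Added example, not code from dissect.target. BUILTIN_CATEGORIES,
load_user_categories(), resolve_categories() and select_plugins() are
assumed names for illustration; the plugin names below are constructed.
"""
from fnmatch import fnmatch
from types import SimpleNamespace

# Constructed sample of plugin names as target-query would list them.
# In the real tool these come from the loaded plugin registry.
AVAILABLE_PLUGINS = [
    "os.windows.regf.runkeys",
    "os.windows.tasks",
    "os.windows.services",
    "os.windows.evtx",
    "browser.chrome.history",
    "browser.firefox.history",
    "filesystem.walkfs",
]

# Default categories, as the issue suggests living in query.py or a sibling
# module. Sub-categories use a dotted name so "killchain.*" selects them all.
# The plugin lists are assumptions, not the questionnaire's contents.
BUILTIN_CATEGORIES = {
    "killchain.persistence": ["os.windows.regf.runkeys", "os.windows.tasks", "os.windows.services"],
    "killchain.execution": ["os.windows.evtx"],
}

USER_CATEGORY_PREFIX = "plugin_category_"


def load_user_categories(config) -> dict:
    """Collect user-defined categories from a .targetcfg.py-style namespace.

    Every variable named plugin_category_<name> whose value is a list of
    strings becomes category <name>; other attributes are ignored. A value
    of the wrong type is rejected rather than silently producing no plugins.
    """
    categories = {}
    for attr, value in vars(config).items():
        if not attr.startswith(USER_CATEGORY_PREFIX):
            continue
        if not isinstance(value, (list, tuple)) or not all(isinstance(v, str) for v in value):
            raise TypeError(f"{attr} must be a list of plugin name patterns")
        categories[attr[len(USER_CATEGORY_PREFIX):]] = list(value)
    return categories


def resolve_categories(category_pattern, categories) -> list:
    """Return the plugin patterns of every category whose name matches.

    fnmatch on the category name is what turns "killchain.*" into all
    killchain sub-categories. An unmatched name raises so a typo on the
    command line is not quietly an empty run.
    """
    patterns = []
    for name, plugin_patterns in categories.items():
        if fnmatch(name, category_pattern):
            patterns.extend(plugin_patterns)
    if not patterns:
        raise ValueError(f"no category matches {category_pattern!r}")
    return patterns


def select_plugins(category_pattern, available, config=None) -> list:
    """Expand --category <pattern> into the concrete plugin names to run.

    User categories override built-in ones of the same name. Each category
    entry is fnmatch'ed against the available plugins, so a category may
    contain wildcards such as "browser.*.history". Order follows the
    available list and duplicates are dropped.
    """
    categories = dict(BUILTIN_CATEGORIES)
    if config is not None:
        categories.update(load_user_categories(config))
    plugin_patterns = resolve_categories(category_pattern, categories)
    selected = []
    for plugin in available:
        if any(fnmatch(plugin, p) for p in plugin_patterns) and plugin not in selected:
            selected.append(plugin)
    return selected


if __name__ == "__main__":
    # Constructed stand-in for variables a user might place in .targetcfg.py.
    user_cfg = SimpleNamespace(
        plugin_category_browsers=["browser.*.history"],
        some_unrelated_setting=True,
    )
    print(select_plugins("killchain.*", AVAILABLE_PLUGINS))
    print(select_plugins("browsers", AVAILABLE_PLUGINS, user_cfg))
```

Because the category name and its entries are both matched with fnmatch, a user can define plugin_category_killchain_extra = ["os.windows.*"] in .targetcfg.py without it being swept up by killchain.* (the separator differs), which is the kind of namespacing the well-known prefix is meant to make predictable.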