/usr/lib/python3/dist-packages/artifacts/definitions.py is in python3-artifacts 20170808-1.
This file is owned by root:root, with mode 0o644.
# -*- coding: utf-8 -*-
"""Constants and definitions.

Holds the type indicator strings, the known label names with their
descriptions, the supported operating system names and the set of keys
accepted at the top level of a definition.
"""
from __future__ import unicode_literals

# Type indicator strings. These read like the `type` field of an artifact
# source definition, but that is not established here — confirm against the
# code that reads definitions before relying on it.
TYPE_INDICATOR_ARTIFACT_GROUP = 'ARTIFACT_GROUP'
TYPE_INDICATOR_COMMAND = 'COMMAND'
TYPE_INDICATOR_DIRECTORY = 'DIRECTORY'
TYPE_INDICATOR_FILE = 'FILE'
TYPE_INDICATOR_PATH = 'PATH'
# Note the registry and WMI indicators are shorter than their constant names.
TYPE_INDICATOR_WINDOWS_REGISTRY_KEY = 'REGISTRY_KEY'
TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE = 'REGISTRY_VALUE'
TYPE_INDICATOR_WMI_QUERY = 'WMI'

# Label name -> human-readable description. Some names contain spaces
# ('Cloud Storage', 'External Media', ...), so the table is built from
# (name, description) pairs rather than keyword arguments.
_LABEL_PAIRS = (
    ('Antivirus', 'Antivirus related artifacts, e.g. quarantine files.'),
    ('Authentication', 'Authentication artifacts.'),
    ('Browser', 'Web Browser artifacts.'),
    ('Cloud', 'Cloud applications artifacts.'),
    ('Cloud Storage', 'Cloud storage artifacts.'),
    ('Configuration Files', 'Configuration files artifacts.'),
    ('Execution', 'Contain execution events.'),
    ('ExternalAccount',
     'Information about any user accounts e.g. username, account ID, etc.'),
    ('External Media',
     'Contain external media data or events e.g. USB drives.'),
    ('IM', 'Instant Messaging / Chat applications artifacts.'),
    ('iOS', 'Artifacts related to iOS devices connected to the system.'),
    ('History Files', 'History files artifacts e.g. .bash_history.'),
    ('KnowledgeBase', 'Artifacts used in knowledge base generation.'),
    ('Logs', 'Contain log files.'),
    ('Mail', 'Mail client applications artifacts.'),
    ('Memory', 'Artifacts retrieved from memory.'),
    ('Network', 'Describe networking state.'),
    ('Processes', 'Describe running processes.'),
    ('Rekall', 'Artifacts using the Rekall memory forensics framework.'),
    ('Software', 'Installed software.'),
    ('System', 'Core system artifacts.'),
    ('Users', 'Information about users.'),
)
LABELS = dict(_LABEL_PAIRS)

# Operating system names recognised by this package.
SUPPORTED_OS = frozenset(('Darwin', 'Linux', 'Windows'))

# Keys accepted at the top level of a definition. Presumably used to reject
# unknown keys when definition files are read — verify against the reader.
TOP_LEVEL_KEYS = frozenset({
    'conditions',
    'doc',
    'labels',
    'name',
    'provides',
    'sources',
    'supported_os',
    'urls',
})