Removed support for conditions (#515)

ForensicArtifacts · Jul 10, 2022 · 6bc2607 · 6bc2607
1 parent 62a4418
commit 6bc2607
Show file tree

Hide file tree

Showing 13 changed files with 26 additions and 92 deletions.
diff --git a/artifacts/__init__.py b/artifacts/__init__.py
@@ -1,4 +1,4 @@
 # -*- coding: utf-8 -*-
 """ForensicArtifacts.com Artifact Repository."""
 
-__version__ = '20220615'
+__version__ = '20220710'
diff --git a/artifacts/artifact.py b/artifacts/artifact.py
@@ -10,7 +10,6 @@ class ArtifactDefinition(object):
 
   Attributes:
     aliases (list[str]): aliases that identify the artifact definition.
-    conditions (list[str]): conditions.
     description (str): description.
     name (str): name that uniquely identifiers the artifact definition.
     provides (list[str]): hints to what information the artifact definition
@@ -30,7 +29,6 @@ def __init__(self, name, aliases=None, description=None):
     """
     super(ArtifactDefinition, self).__init__()
     self.aliases = aliases or []
-    self.conditions = []
     self.description = description
     self.name = name
     self.provides = []
@@ -85,8 +83,6 @@ def AsDict(self):
       }
       if source.supported_os:
         source_definition['supported_os'] = source.supported_os
-      if source.conditions:
-        source_definition['conditions'] = source.conditions
       sources.append(source_definition)
 
     artifact_definition = {
@@ -100,8 +96,6 @@ def AsDict(self):
       artifact_definition['supported_os'] = self.supported_os
     if self.provides:
       artifact_definition['provides'] = self.provides
-    if self.conditions:
-      artifact_definition['conditions'] = self.conditions
     if self.urls:
       artifact_definition['urls'] = self.urls
     return artifact_definition
diff --git a/artifacts/definitions.py b/artifacts/definitions.py
@@ -21,6 +21,7 @@
 
 TOP_LEVEL_KEYS = frozenset([
     'aliases',
+    # conditions have been deprecated as of version 20220710.
     'conditions',
     'doc',
     # labels have been deprecated as of version 20220311.

diff --git a/artifacts/reader.py b/artifacts/reader.py
@@ -167,7 +167,6 @@ def _ReadSources(self, artifact_definition_values, artifact_definition, name):
               'Invalid artifact definition: {0:s} returned_types no longer '
               'supported.').format(name))
 
-        source_type.conditions = source.get('conditions', [])
         self._ReadSupportedOS(source, source_type, name)
         if set(source_type.supported_os) - set(
             artifact_definition.supported_os):
@@ -225,9 +224,6 @@ def ReadArtifactDefinitionValues(self, artifact_definition_values):
           'Invalid artifact definition: {0:s} urls is not a list.'.format(
               name))
 
-    # TODO: check conditions.
-    artifact_definition.conditions = artifact_definition_values.get(
-        'conditions', [])
     artifact_definition.provides = artifact_definition_values.get(
         'provides', [])
     self._ReadSupportedOS(artifact_definition_values, artifact_definition, name)

diff --git a/config/dpkg/changelog b/config/dpkg/changelog
@@ -1,5 +1,5 @@
-artifacts (20220615-1) unstable; urgency=low
+artifacts (20220710-1) unstable; urgency=low
 
   * Auto-generated
 
- -- Forensic artifacts <forensicartifacts@googlegroups.com>  Wed, 15 Jun 2022 19:16:45 +0200
+ -- Forensic artifacts <forensicartifacts@googlegroups.com>  Sun, 10 Jul 2022 07:24:54 +0200
diff --git a/data/windows.yaml b/data/windows.yaml
@@ -8,7 +8,6 @@ sources:
     keys:
     - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\Components\*'
     - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\General'
-conditions: [os_major_version < 6]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ActiveDesktop.html']
 ---
@@ -46,7 +45,6 @@ sources:
     - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG1'
     - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG2'
     separator: '\'
-conditions: [os_major_version >= 6 AND os_minor_version >= 1]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/AMCache.html']
 ---
@@ -203,7 +201,6 @@ sources:
     - '%%environ_systemroot%%\System32\WindowsPowerShell\v1.0\WinAppXRT.dll'
     separator: '\'
 supported_os: [Windows]
-conditions: [os_major_version >= 6 AND os_minor_version >= 2]
 urls: ['http://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/']
 ---
 name: WindowsAutoexecBat
@@ -627,7 +624,6 @@ sources:
     - '%%environ_systemroot%%\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\*'
     - '%%users.userprofile%%\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\*'
     separator: '\'
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows#Cryptnet_URL_Cache']
 ---
@@ -646,7 +642,6 @@ sources:
     - '%%environ_systemroot%%\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\*'
     - '%%users.userprofile%%\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\*'
     separator: '\'
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows#Cryptnet_URL_Cache']
 ---
@@ -740,7 +735,6 @@ sources:
     key_value_pairs:
     - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'APPX_PROCESS'}
 supported_os: [Windows]
-conditions: [os_major_version >= 6 AND os_minor_version >= 2]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
 ---
 name: WindowsEnvironmentVariableCommonProgramFiles
@@ -785,7 +779,6 @@ sources:
     - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', value: 'DriverData'}
 provides: [environ_driverdata]
 supported_os: [Windows]
-conditions: [os_major_version >= 10]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
 ---
 name: WindowsEnvironmentVariablePath
@@ -925,7 +918,6 @@ sources:
   attributes:
     paths: ['%%environ_systemroot%%\System32\config\AppEvent.evt']
     separator: '\'
-conditions: [os_major_version < 6]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
 ---
@@ -957,7 +949,6 @@ sources:
   attributes:
     paths: ['%%environ_systemroot%%\System32\config\SecEvent.evt']
     separator: '\'
-conditions: [os_major_version < 6]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
 ---
@@ -978,7 +969,6 @@ sources:
   attributes:
     paths: ['%%environ_systemroot%%\System32\config\SysEvent.evt']
     separator: '\'
-conditions: [os_major_version < 6]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
 ---
@@ -1009,7 +999,6 @@ sources:
     - '%%environ_systemroot%%\System32\WDI\LogFiles\*.etl.0*'
     - '%%environ_systemroot%%\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\*\*.etl'
     separator: '\'
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Event_Tracing_for_Windows_(ETW)']
 ---
@@ -1486,7 +1475,6 @@ sources:
 - type: REGISTRY_KEY
   attributes:
     keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDIg32\OpenSaveMRU\*\*']
-conditions: [os_major_version < 6]
 supported_os: [Windows]
 urls:
 - 'https://forensicswiki.xyz/wiki/index.php?title=OpenSaveMRU'
@@ -1498,7 +1486,6 @@ sources:
 - type: REGISTRY_KEY
   attributes:
     keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*\*']
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls:
 - 'https://digital-forensics.sans.org/blog/2010/04/02/openrunsavemru-lastvisitedmru'
@@ -1793,7 +1780,6 @@ sources:
   attributes:
     paths: ['%%environ_systemroot%%\AppCompat\Programs\RecentFileCache.bcf']
     separator: '\'
-conditions: [os_major_version >= 6 AND os_minor_version >= 1]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RecentFileCache.html']
 ---
@@ -1903,7 +1889,6 @@ sources:
 - type: REGISTRY_VALUE
   attributes: {key_value_pairs: [{key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'RunGrpConv'}]}
 supported_os: [Windows]
-conditions: [os_major_version <= 5]
 urls:
 - 'http://www.hexacorn.com/blog/2014/06/18/beyond-good-ol-run-key-part-13/'
 - 'http://www.exploit-id.com/local-exploits/windows-xp-sp2-grpconv-exe'
@@ -2701,19 +2686,14 @@ urls: ['http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?
 name: WindowsSetupApiLogs
 doc: Windows setup API logs.
 sources:
-- type: FILE
-  attributes:
-    paths: ['%%environ_systemroot%%\setupapi.log']
-    separator: '\'
-  conditions: [os_major_version < 6]
 - type: FILE
   attributes:
     paths:
+    - '%%environ_systemroot%%\setupapi.log'
     - '%%environ_systemroot%%\inf\setupapi.app.log'
     - '%%environ_systemroot%%\inf\setupapi.dev.log'
     - '%%environ_systemroot%%\inf\setupapi.offline.log'
     separator: '\'
-  conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Setup_API_Logs']
 ---
@@ -3364,7 +3344,6 @@ sources:
   attributes:
     paths: ['%%environ_systemroot%%\System32\winevt\Logs\Application.evtx']
     separator: '\'
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
 ---
@@ -3375,7 +3354,6 @@ sources:
   attributes:
     paths: ['%%environ_systemroot%%\System32\winevt\Logs\Security.evtx']
     separator: '\'
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
 ---
@@ -3396,7 +3374,6 @@ sources:
   attributes:
     paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']
     separator: '\'
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
 ---
@@ -3407,7 +3384,6 @@ sources:
   attributes:
     paths: ['%%environ_systemroot%%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx']
     separator: '\'
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
 ---
@@ -3465,7 +3441,6 @@ sources:
   attributes:
     paths: ['%%environ_systemroot%%\System32\WDI\LogFiles\StartupInfo\*.xml']
     separator: '\'
-conditions: [os_major_version >= 6 AND os_minor_version >= 2]
 supported_os: [Windows]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows#Startup_info']
 ---

diff --git a/data/wmi.yaml b/data/wmi.yaml
@@ -40,7 +40,6 @@ doc: DNS client cache via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
   attributes: {query: SELECT * from MSFT_DNSClientCache, base_object: 'winmgmts:\root\StandardCimv2'}
-conditions: [os_major_version >= 6 AND os_minor_version >= 2]
 supported_os: [Windows]
 urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/dnsclientcimprov/msft-dnsclientcache']
 ---
@@ -49,7 +48,6 @@ doc: Installed drivers via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
   attributes: {query: 'SELECT DisplayName, Description, InstallDate, Name, PathName, Status, State, ServiceType from Win32_SystemDriver'}
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 ---
 name: WMIEnumerateASEC
@@ -71,15 +69,13 @@ doc: Installed hotfixes via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
   attributes: {query: SELECT * from Win32_QuickFixEngineering}
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 ---
 name: WMIInstalledSoftware
 doc: Installed software via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
   attributes: {query: 'SELECT Name, Vendor, Description, InstallDate, InstallDate2, Version from Win32_Product'}
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 ---
 name: WMILastBootupTime
@@ -121,15 +117,13 @@ doc: |
 sources:
 - type: WMI
   attributes: {query: SELECT * from Win32_GroupUser where Name = "login_users"}
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 ---
 name: WMINetNeighbors
 doc: TCP/IP neighbors via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
   attributes: {query: SELECT * from MSFT_NetNeighbor, base_object: 'winmgmts:\root\StandardCimv2'}
-conditions: [os_major_version >= 6 AND os_minor_version >= 2]
 supported_os: [Windows]
 urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-netneighbor']
 ---
@@ -138,7 +132,6 @@ doc: TCP connections via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
   attributes: {query: SELECT * from MSFT_NetTCPConnection, base_object: 'winmgmts:\root\StandardCimv2'}
-conditions: [os_major_version >= 6 AND os_minor_version >= 2]
 supported_os: [Windows]
 urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-nettcpconnection']
 ---
@@ -147,7 +140,6 @@ doc: UDP endpoints via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
   attributes: {query: SELECT * from MSFT_NetUDPEndpoint, base_object: 'winmgmts:\root\StandardCimv2'}
-conditions: [os_major_version >= 6 AND os_minor_version >= 2]
 supported_os: [Windows]
 urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-netudpendpoint']
 ---
@@ -156,7 +148,6 @@ doc: Operating system installed on the computer via Windows Management Instrumen
 sources:
 - type: WMI
   attributes: {query: SELECT * from Win32_OperatingSystem}
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://docs.microsoft.com/en-us/windows/desktop/cimwin32prov/win32-operatingsystem']
 ---
@@ -165,7 +156,6 @@ doc: Physical memory information via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
   attributes: {query: SELECT * from Win32_PhysicalMemory}
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ["http://msdn.microsoft.com/en-us/library/aa394347%28v=vs.85%29.aspx"]
 ---
@@ -174,7 +164,6 @@ doc: Process listing via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
   attributes: {query: SELECT * from Win32_Process}
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 ---
 name: WMIProfileUsersHomeDir
@@ -196,7 +185,6 @@ doc: Scheduled tasks that are registered on the computer via Windows Management
 sources:
 - type: WMI
   attributes: {query: SELECT * from MSFT_ScheduledTask, base_object: 'winmgmts:\root\Microsoft\Windows\TaskScheduler'}
-conditions: [os_major_version >= 6 AND os_minor_version >= 2]
 supported_os: [Windows]
 urls: ['https://wutils.com/wmi/root/microsoft/windows/taskscheduler/msft_scheduledtask/']
 ---
@@ -212,7 +200,6 @@ doc: Commands that run automatically when a user logs onto the computer system v
 sources:
 - type: WMI
   attributes: {query: SELECT * from Win32_StartupCommand}
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://docs.microsoft.com/en-us/windows/desktop/cimwin32prov/win32-startupcommand']
 ---