Removed support for labels #463 (#483)

ForensicArtifacts · Mar 12, 2022 · 7ad76c8 · 7ad76c8
1 parent c9d0df1
commit 7ad76c8
Show file tree

Hide file tree

Showing 5 changed files with 3 additions and 66 deletions.
diff --git a/artifacts/artifact.py b/artifacts/artifact.py
@@ -13,7 +13,6 @@ class ArtifactDefinition(object):
     conditions (list[str]): conditions.
     description (str): description.
     name (str): name that uniquely identifiers the artifact definition.
-    labels (list[str]): labels.
     provides (list[str]): hints to what information the artifact definition
         provides.
     sources (list[str]): sources.
@@ -34,7 +33,6 @@ def __init__(self, name, aliases=None, description=None):
     self.conditions = []
     self.description = description
     self.name = name
-    self.labels = []
     self.provides = []
     self.sources = []
     self.supported_os = []
@@ -98,8 +96,6 @@ def AsDict(self):
     }
     if self.aliases:
       artifact_definition['aliases'] = self.aliases
-    if self.labels:
-      artifact_definition['labels'] = self.labels
     if self.supported_os:
       artifact_definition['supported_os'] = self.supported_os
     if self.provides:

diff --git a/artifacts/definitions.py b/artifacts/definitions.py
@@ -3,46 +3,13 @@
 
 TYPE_INDICATOR_ARTIFACT_GROUP = 'ARTIFACT_GROUP'
 TYPE_INDICATOR_COMMAND = 'COMMAND'
-TYPE_INDICATOR_DIRECTORY = 'DIRECTORY'
+TYPE_INDICATOR_DIRECTORY = 'DIRECTORY'  # deprecated use PATH instead.
 TYPE_INDICATOR_FILE = 'FILE'
 TYPE_INDICATOR_PATH = 'PATH'
 TYPE_INDICATOR_WINDOWS_REGISTRY_KEY = 'REGISTRY_KEY'
 TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE = 'REGISTRY_VALUE'
 TYPE_INDICATOR_WMI_QUERY = 'WMI'
 
-LABELS = {
-    'Antivirus': 'Antivirus related artifacts, e.g. quarantine files.',
-    'Authentication': 'Authentication artifacts.',
-    'Browser': 'Web Browser artifacts.',
-    'Cloud': 'Cloud applications artifacts.',
-    'Cloud Storage': 'Cloud storage artifacts.',
-    'Configuration Files': 'Configuration files artifacts.',
-    'Containerd': 'Containerd artifacts',
-    'Docker': 'Docker artifacts.',
-    'Execution': 'Contain execution events.',
-    'ExternalAccount': (
-        'Information about any user accounts e.g. username, '
-        'account ID, etc.'),
-    'External Media': 'Contain external media data or events e.g. USB drives.',
-    'Hadoop': 'Hadoop artifacts.',
-    'IM': 'Instant Messaging / Chat applications artifacts.',
-    'iOS': 'Artifacts related to iOS devices connected to the system.',
-    'History Files': 'History files artifacts e.g. .bash_history.',
-    'KnowledgeBase': 'Artifacts used in knowledge base generation.',
-    'Kubernetes': 'Kubernetes artifacts',
-    'Logs': 'Contain log files.',
-    'Mail': 'Mail client applications artifacts.',
-    'Memory': 'Artifacts retrieved from memory.',
-    'Network': 'Describe networking state.',
-    'Plist': 'Artifact that is a plist.',
-    'Processes': 'Describe running processes.',
-    'Rekall': 'Artifacts using the Rekall memory forensics framework.',
-    'Software': 'Installed software.',
-    'SQLiteDB': 'Artifact that is a SQLite database.',
-    'System': 'Core system artifacts.',
-    'Users': 'Information about users.'
-}
-
 SUPPORTED_OS_DARWIN = 'Darwin'
 SUPPORTED_OS_LINUX = 'Linux'
 SUPPORTED_OS_WINDOWS = 'Windows'
@@ -56,6 +23,7 @@
     'aliases',
     'conditions',
     'doc',
+    # labels have been deprecated as of version 20220311.
     'labels',
     'name',
     'provides',

diff --git a/artifacts/reader.py b/artifacts/reader.py
@@ -17,7 +17,6 @@ class BaseArtifactsReader(object):
   """Artifacts reader interface.
 
   Attributes:
-    labels (set[str]): defined labels.
     supported_os (set[str]): supported operating systems.
   """
 
@@ -28,7 +27,6 @@ class BaseArtifactsReader(object):
   def __init__(self):
     """Initializes an artifacts reader."""
     super(BaseArtifactsReader, self).__init__()
-    self.labels = set()
     self.supported_os = set()
 
   @abc.abstractmethod
@@ -98,31 +96,8 @@ class ArtifactsReader(BaseArtifactsReader):
   def __init__(self):
     """Initializes an artifacts reader."""
     super(ArtifactsReader, self).__init__()
-    self.labels = set(definitions.LABELS)
     self.supported_os = set(definitions.SUPPORTED_OS)
 
-  def _ReadLabels(self, artifact_definition_values, artifact_definition, name):
-    """Reads the optional artifact definition labels.
-
-    Args:
-      artifact_definition_values (dict[str, object]): artifact definition
-          values.
-      artifact_definition (ArtifactDefinition): an artifact definition.
-      name (str): name of the artifact definition.
-
-    Raises:
-      FormatError: if there are undefined labels.
-    """
-    labels = artifact_definition_values.get('labels', [])
-
-    undefined_labels = set(labels).difference(self.labels)
-    if undefined_labels:
-      raise errors.FormatError(
-          'Artifact definition: {0:s} found undefined labels: {1:s}.'.format(
-              name, ', '.join(undefined_labels)))
-
-    artifact_definition.labels = labels
-
   # Pylint fails on detecting the type of definition_object based on
   # the docstring.
   # pylint: disable=missing-type-doc
@@ -255,7 +230,6 @@ def ReadArtifactDefinitionValues(self, artifact_definition_values):
         'conditions', [])
     artifact_definition.provides = artifact_definition_values.get(
         'provides', [])
-    self._ReadLabels(artifact_definition_values, artifact_definition, name)
     self._ReadSupportedOS(artifact_definition_values, artifact_definition, name)
     artifact_definition.urls = urls
     self._ReadSources(artifact_definition_values, artifact_definition, name)

diff --git a/test_data/definitions.json b/test_data/definitions.json
@@ -1 +1 @@
-[{"conditions": ["os_major_version >= 6"], "name": "SecurityEventLogEvtx", "sources": [{"attributes": {"paths": ["%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx"]}, "type": "FILE"}], "supported_os": ["Windows"], "labels": ["Logs"], "doc": "Windows Security Event log for Vista or later systems.", "urls": ["http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)"]}, {"name": "AllUsersProfileEnvironmentVariable", "sources": [{"attributes": {"keys": ["HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProfilesDirectory", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\AllUsersProfile"]}, "type": "REGISTRY_KEY"}], "provides": ["environ_allusersprofile"], "supported_os": ["Windows"], "doc": "The %AllUsersProfile% environment variable.", "urls": ["http://support.microsoft.com/kb//214653"]}, {"name": "CurrentControlSet", "sources": [{"attributes": {"key_value_pairs": [{"value": "Current", "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\Select"}]}, "type": "REGISTRY_VALUE"}], "provides": ["current_control_set"], "supported_os": ["Windows"], "doc": "The control set the system is currently using.", "urls": ["https://code.google.com/p/winreg-kb/wiki/SystemKeys"]}, {"name": "WMIProfileUsersHomeDir", "sources": [{"attributes": {"query": "SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'"}, "type": "WMI"}], "provides": ["users.homedir"], "supported_os": ["Windows"], "labels": ["Users"], "doc": "Get user homedir from Win32_UserProfile based on a known user's SID.\n\nThis artifact relies on having the SID field users.sid populated in the knowledge\nbase. We expect it to be collected with WindowsRegistryProfiles to\nsupply the rest of the user information.\n", "urls": ["http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx"]}, {"labels": ["Logs"], "name": "EventLogs", "sources": [{"attributes": {"names": ["ApplicationEventLog", "ApplicationEventLogEvtx", "SecurityEventLog", "SecurityEventLogEvtx", "SystemEventLog", "SystemEventLogEvtx"]}, "type": "ARTIFACT_GROUP"}], "doc": "Windows Event logs.", "supported_os": ["Windows"]}, {"labels": ["Software"], "name": "RedhatPackagesList", "sources": [{"attributes": {"args": ["-qa"], "cmd": "/bin/rpm"}, "type": "COMMAND"}], "doc": "Linux output of rpm -qa.", "supported_os": ["Linux"]}, {"labels": ["System"], "name": "OSXLoadedKexts", "sources": [{"attributes": {"args": [], "cmd": "/usr/sbin/kextstat"}, "type": "COMMAND"}], "doc": "Mac OS X Loaded Kernel Extensions.", "supported_os": ["Darwin"]}]
+[{"conditions": ["os_major_version >= 6"], "name": "SecurityEventLogEvtx", "sources": [{"attributes": {"paths": ["%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx"]}, "type": "FILE"}], "supported_os": ["Windows"], "doc": "Windows Security Event log for Vista or later systems.", "urls": ["http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)"]}, {"name": "AllUsersProfileEnvironmentVariable", "sources": [{"attributes": {"keys": ["HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProfilesDirectory", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\AllUsersProfile"]}, "type": "REGISTRY_KEY"}], "provides": ["environ_allusersprofile"], "supported_os": ["Windows"], "doc": "The %AllUsersProfile% environment variable.", "urls": ["http://support.microsoft.com/kb//214653"]}, {"name": "CurrentControlSet", "sources": [{"attributes": {"key_value_pairs": [{"value": "Current", "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\Select"}]}, "type": "REGISTRY_VALUE"}], "provides": ["current_control_set"], "supported_os": ["Windows"], "doc": "The control set the system is currently using.", "urls": ["https://code.google.com/p/winreg-kb/wiki/SystemKeys"]}, {"name": "WMIProfileUsersHomeDir", "sources": [{"attributes": {"query": "SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'"}, "type": "WMI"}], "provides": ["users.homedir"], "supported_os": ["Windows"], "doc": "Get user homedir from Win32_UserProfile based on a known user's SID.\n\nThis artifact relies on having the SID field users.sid populated in the knowledge\nbase. We expect it to be collected with WindowsRegistryProfiles to\nsupply the rest of the user information.\n", "urls": ["http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx"]}, {"name": "EventLogs", "sources": [{"attributes": {"names": ["ApplicationEventLog", "ApplicationEventLogEvtx", "SecurityEventLog", "SecurityEventLogEvtx", "SystemEventLog", "SystemEventLogEvtx"]}, "type": "ARTIFACT_GROUP"}], "doc": "Windows Event logs.", "supported_os": ["Windows"]}, {"name": "RedhatPackagesList", "sources": [{"attributes": {"args": ["-qa"], "cmd": "/bin/rpm"}, "type": "COMMAND"}], "doc": "Linux output of rpm -qa.", "supported_os": ["Linux"]}, {"name": "OSXLoadedKexts", "sources": [{"attributes": {"args": [], "cmd": "/usr/sbin/kextstat"}, "type": "COMMAND"}], "doc": "Mac OS X Loaded Kernel Extensions.", "supported_os": ["Darwin"]}]
diff --git a/tests/registry_test.py b/tests/registry_test.py
@@ -96,7 +96,6 @@ def testArtifactDefinitionsRegistry(self):
         b'  attributes: {broken: [\'%%environ_systemroot%%\\System32\\'
         b'winevt\\Logs\\Security.evtx\']}\n'
         b'conditions: [os_major_version >= 6]\n'
-        b'labels: [Logs]\n'
         b'supported_os: [Windows]\n'
         b'urls: [\'http://www.forensicswiki.org/wiki/\n'
         b'Windows_XML_Event_Log_(EVTX)\']\n')