/
ntfs.yaml
50 lines (44 loc) 路 1.27 KB
/
ntfs.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
# NTFS specific artifacts.
name: NTFSMFTFiles
doc: |
The NTFS $MFT and $MFTMirr file system metadata files.
GRR collection note: you currently need to specify 'use tsk' and
'ignore download size limits' for this artifact to work. This will go away in
the future.
sources:
- type: FILE
attributes:
paths:
- '%%environ_systemdrive%%\$MFT'
- '%%environ_systemdrive%%\$MFTMirr'
separator: '\'
labels: [System]
supported_os: [Windows]
---
name: NTFSLogFile
doc: |
The NTFS $LogFile file system metadata file.
GRR collection note: you currently need to specify 'use tsk' and
'ignore download size limits' for this artifact to work. This will go away in
the future.
sources:
- type: FILE
attributes:
paths: ['%%environ_systemdrive%%\$LogFile']
separator: '\'
urls: ['https://sourceforge.net/projects/linux-ntfs/']
labels: [System]
supported_os: [Windows]
---
name: NTFSUSNJournal
doc: |
The NTFS $UsnJnrl file system metadata file.
Note that this currently does not include the $J alternate data stream name.
sources:
- type: FILE
attributes:
paths: ['%%environ_systemdrive%%\$Extend\$UsnJrnl']
separator: '\'
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/file_systems/NTFS.html']
labels: [System]
supported_os: [Windows]