From 7e0cbb0c715dbee9989fbc33bf5ae56877f6f036 Mon Sep 17 00:00:00 2001 From: Loic Jaquemet Date: Sun, 2 Jul 2017 20:57:18 -0600 Subject: [PATCH] lets try this --- ...ry-dump.rst => capture-process-memory.rst} | 13 ++++++-- docs/getting-started.rst | 30 ------------------- docs/index.rst | 3 +- docs/usage.rst | 20 +++++++++++-- 4 files changed, 28 insertions(+), 38 deletions(-) rename docs/{capture-a-memory-dump.rst => capture-process-memory.rst} (84%) delete mode 100644 docs/getting-started.rst diff --git a/docs/capture-a-memory-dump.rst b/docs/capture-process-memory.rst similarity index 84% rename from docs/capture-a-memory-dump.rst rename to docs/capture-process-memory.rst index 096b4a9d..97aba5ce 100644 --- a/docs/capture-a-memory-dump.rst +++ b/docs/capture-process-memory.rst @@ -45,7 +45,7 @@ Making your own memory mappings handler ======================================= If you have a different technique to access a process memory, you can implement the -``haystack.abc.IMemoryLoader`` and ``haystack.abc.IMemoryMapping`` interface for +``haystack.abc.interfaces.IMemoryLoader`` and ``haystack.abc.interfaces.IMemoryMapping`` interface for your favorite technique. Check out the `Frida plugin `_ for example. 
@@ -53,5 +53,12 @@ for example. Alternatively, if you can copy the process' memory mappings to file, you can "interface" with the basic, simple, haystack memory dump file format by doing the following: The basic format is a folder containing each memory mapping in a separate file : - - memory content in a file named after it's start/end addresses ( ex: 0x000700000-0x000800000 ) - - a file named 'mappings' containing memory mappings metadata. ( ex: mappings ) + - memory content in a file named after it's start/end addresses ( ex: 0x000700000-0x000800000 ) + - a file named 'mappings' containing memory mappings metadata. ( ex: mappings ) + + +.. autoclass:: haystack.abc.interfaces.IMemoryLoader + :members: + +.. autoclass:: haystack.abc.interfaces.IMemoryMapping + :members: diff --git a/docs/getting-started.rst b/docs/getting-started.rst deleted file mode 100644 index 97d9bdbf..00000000 --- a/docs/getting-started.rst +++ /dev/null 
@@ -1,30 +0,0 @@ -Getting started -=============== - -First you need to install python-haystack_. Please refer to the -:ref:`installation` section of the documentation. - -Then you need a process memory dump. Please refer to the :ref:`capture-a-memory-dump` -section of the documentation. -We will name the process memory dump `memory.dmp` for the rest of this documentation. - -*What is it all about?* - -Yeti is about organizing observables, indicators of compromise, TTPs, and -knowledge on threat actors in a single, unified repository. Ideally, this -repository should be queryable in an automated way by other tools (spoiler: -it is!) - -Malware stolen data -------------------- - -You just analyzed the latest Dridex sample and you figured out that it's using -a subdirectory in the user's ``Roaming`` directory to store its data, and you'd -like to document this. *(Whether this is a strong indicator or not is another -story)*. - -You start by adding a new **Entity** of type **Malware** called Dridex. Navigate -to **New > Malware**, and populate the fields. - -Creating a Malware Entity -^^^^^^^^^^^^^^^^^^^^^^^^^ \ No newline at end of file diff --git a/docs/index.rst b/docs/index.rst index bfbc6df0..5346a487 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -44,9 +44,8 @@ Contents: .. toctree:: installation - getting-started - capture-process-memory usage + capture-process-memory .. _python-haystack: https://github.com/trolldbois/python-haystack/ .. _python-haystack-reverse: https://github.com/trolldbois/python-haystack-reverse/ diff --git a/docs/usage.rst b/docs/usage.rst index 867d7f9f..8375f443 100644 --- a/docs/usage.rst +++ b/docs/usage.rst 
@@ -1,7 +1,17 @@ -.. _command-line: +.. _usage: + +Usage +===== + +First you need to install python-haystack_. Please refer to the +:ref:`installation` section of the documentation. + +Then you need a process memory dump. Please refer to the :ref:`capture-process-memory` +section of the documentation. +We will name the process memory dump `memory.dmp` for the rest of this documentation. Command line usage -================== +------------------ A few entry points exists for different purposes @@ -19,8 +29,12 @@ You can use the following URL to designate your memory handler/dump: - ``volatility://`` load a volatility image API usage -========= +--------- .. automodule:: haystack.search.api :members: +.. _python-haystack: https://github.com/trolldbois/python-haystack/ +.. _python-haystack-reverse: https://github.com/trolldbois/python-haystack-reverse/ +.. _python-haystack-gui: https://github.com/trolldbois/python-haystack-gui/ +.. _python-haystack-docs: https://github.com/trolldbois/python-haystack-docs/
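Review bot: in the first capture-process-memory.rst hunk (@@ -45,7 +45,7 @@), the renamed file is now referenced from usage.rst as :ref:`capture-process-memory`, but the hunk does not show the corresponding ``.. _capture-process-memory:`` label at the top of the file; if the old ``.. _capture-a-memory-dump:`` label is still there, the cross-reference will fail at build time, so please confirm the label was renamed alongside the file and update it in the same commit if not.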
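Review bot: in the second capture-process-memory.rst hunk (@@ -53,5 +53,12 @@), the two bullet lines are rewritten with no visible text change (whitespace only), which is a good moment to also fix "named after it's start/end addresses" to "named after its start/end addresses"; the two ``.. autoclass::`` directives look right, but they depend on ``haystack.abc.interfaces`` being importable in the Sphinx build environment, so make sure autodoc is enabled in conf.py and the package is on the path.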
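Review bot: deleting docs/getting-started.rst is the right call, since most of its body (the "Yeti", "Malware stolen data" and "Creating a Malware Entity" text) does not belong to python-haystack at all and only the first two paragraphs were real, which the usage.rst hunk carries over; please grep the remaining docs for ``:ref:`getting-started``` or ``getting-started`` toctree entries so nothing else dangles after the removal.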
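Review bot: in the index.rst toctree hunk, ``capture-process-memory`` is moved after ``usage``, but the new usage.rst intro tells the reader to first obtain a process memory dump by referring to that page, so the reading order now runs backwards; consider keeping ``capture-process-memory`` before ``usage`` in the toctree.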
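Review bot: in the first usage.rst hunk (@@ -1,7 +1,17 @@), the label ``.. _command-line:`` is replaced by ``.. _usage:`` rather than kept alongside it, so any existing ``:ref:`command-line``` elsewhere in the docs will break; either keep both labels or check that nothing references the old one. Also, `memory.dmp` is written with single backticks, which renders as the default (italic) role in reStructuredText, while the rest of this page uses double backticks for literals such as ``volatility://``; use ``memory.dmp`` for consistency.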
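Review bot: in the second usage.rst hunk (@@ -19,8 +29,12 @@), the four ``.. _python-haystack...:`` link targets are copied from index.rst, but only ``python-haystack_`` is actually used in usage.rst; the three unused targets will produce "hyperlink target is not referenced" messages from docutils, so either drop the unused ones or move all of them into a shared include so they are defined once.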