[CHANGE] Create a table for file system artifacts #119

steffenfritz · 2024-11-13T18:44:22Z

Is your feature request related to a problem? Please describe.
FileTrove will find artifacts that are not files nor directories, but maybe relevant and the information should not be lost, e.g. named pipes.

The idea is to create a table with this schema

uuid | sessionuuid | path | registry | type | description

where

type = {named_pipe, socket, block_device, link, ...}.

and we can use

b      block (buffered) special
c      character (unbuffered) special
[d     directory]
p      named pipe (FIFO)
[f     regular file]
l      symbolic  link [?]
s      socket
D      door (Solaris)

as type labels. These match mostly the string representations of file mode bits.

See also: #112 (comment)

The text was updated successfully, but these errors were encountered:

steffenfritz · 2025-01-07T20:22:34Z

For some special cases like "System Volume Information" on NTFS in combination with non-native NTFS operating systems filepath.WalkDir might fail. These cases should not cancel the run and write these types also into the artifacts table.

steffenfritz added the enhancement New feature or request label Nov 13, 2024

steffenfritz self-assigned this Nov 13, 2024

steffenfritz added this to the v1.0.0-BETA.4 milestone Dec 12, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CHANGE] Create a table for file system artifacts #119

[CHANGE] Create a table for file system artifacts #119

steffenfritz commented Nov 13, 2024

steffenfritz commented Jan 7, 2025

[CHANGE] Create a table for file system artifacts #119

[CHANGE] Create a table for file system artifacts #119

Comments

steffenfritz commented Nov 13, 2024

steffenfritz commented Jan 7, 2025