Welcome to forensicstore's documentation!

JSONLite is a database that can be used to store elements and files.
class forensicstore.forensicstore.ForensicStore(url: str, create: bool, application_id: int = 1701602669)
    ForensicStore is a class wrapping a database that can be used to store forensic elements and files.
    Parameters:
        url (str) – Location of the database. Needs to be a path or a valid pyfilesystem2 url
    add_directory_element(artifact: str, dir_path: str, created: Union[datetime, str], modified: Union[datetime, str], accessed: Union[datetime, str], errors: List[str]) → str
        Add a new STIX 2.0 Directory Object.
        Parameters:
            artifact (str) – Artifact name (non STIX field)
            dir_path (str) – Specifies the path, as originally observed, to the directory on the file system.
            created (datetime or str) – Specifies the date/time the directory was created.
            modified (datetime or str) – Specifies the date/time the directory was last written to/modified.
            accessed (datetime or str) – Specifies the date/time the directory was last accessed.
            errors (list) – List of errors
        Returns: ID of the inserted element
        Return type: str
    add_file_element(artifact, name, created, modified, accessed, origin, errors) → str
        Add a new STIX 2.0 File Object.
        Parameters:
            artifact (str) – Artifact name (non STIX field)
            name (str) – Specifies the name of the file.
            created (datetime or str) – Specifies the date/time the file was created.
            modified (datetime or str) – Specifies the date/time the file was last written to/modified.
            accessed (datetime or str) – Specifies the date/time the file was last accessed.
            origin (dict) – Origin of the file (non STIX field)
            errors (list) – List of errors
        Returns: ID of the inserted element
        Return type: str
    add_file_element_export(element_id: str, export_name=None)
        Creates a writeable context for the contents of the file. Size and hash values are automatically calculated for the written data.
        Parameters:
            element_id (str) – ID of the element
            export_name (str) – Optional export name
        Returns: A file object with a .write method
        Return type: HashedFile
    add_process_element(artifact, name, created, cwd, command_line, return_code, errors) → str
        Add a new STIX 2.0 Process Object.
        Parameters:
            artifact (str) – Artifact name (non STIX field)
            name (str) – Specifies the name of the process.
            created (datetime or str) – Specifies the date/time at which the process was created.
            cwd (str) – Specifies the current working directory of the process.
            command_line (str) – Specifies the full command line used in executing the process, including the process name (depending on the operating system).
            return_code (int) – Return code of the process (non STIX field)
            errors (list) – List of errors
        Returns: ID of the inserted element
        Return type: str
    add_process_element_stderr(element_id: str)
        Creates a writeable context for the output on stderr of a process.
        Parameters:
            element_id (str) – ID of the element
        Returns: A file object with a .write method
        Return type: HashedFile
    add_process_element_stdout(element_id: str)
        Creates a writeable context for the output on stdout of a process.
        Parameters:
            element_id (str) – ID of the element
        Returns: A file object with a .write method
        Return type: HashedFile
    add_process_element_wmi(element_id: str)
        Creates a writeable context for the WMI output of a process.
        Parameters:
            element_id (str) – ID of the element
        Returns: A file object with a .write method
        Return type: HashedFile
    add_registry_key_element(artifact, modified, key, errors) → str
        Add a new STIX 2.0 Windows Registry Key Object.
        Parameters:
            artifact (str) – Artifact name (non STIX field)
            modified (datetime or str) – Specifies the last date/time that the registry key was modified.
            key (str) – Specifies the full registry key including the hive.
            errors (list) – List of errors
        Returns: ID of the inserted element
        Return type: str
    add_registry_value_element(key_id: str, data_type: str, data: bytes, name: str)
        Add a STIX 2.0 Windows Registry Value Type.
        Parameters:
            key_id (str) – Element ID of the parent Windows registry key
            data_type (str) – Specifies the registry (REG_*) data type used in the registry value.
            data (bytes) – Specifies the data contained in the registry value.
            name (str) – Specifies the name of the registry value. For specifying the default value in a registry key, an empty string MUST be used.
    all() → []
        Get all elements of any type from the ForensicStore.
        Returns: Element generator with the results
        Return type: [dict]
    close()
        Save the ForensicStore to its location.
    get(element_id: str) → dict
        Get a single element by its element_id.
        Parameters:
            element_id (str) – ID of the element
        Returns: Single element
        Return type: dict
    getinfo(element_path, namespaces=None)
        Get info regarding a file or directory.
    import_forensicstore(url: str)
        Import a forensicstore file.
        Parameters:
            url (str) – Location of the observed data file. Needs to be a path or a valid pyfilesystem2 url
    insert(element: dict) → str
        Insert a single element into the store.
        Parameters:
            element (dict) – New element
        Returns: ID of the inserted element
        Return type: int
    listdir(element_path)
        Get a list of resources in a directory.
    makedir(element_path, permissions=None, recreate=False)
        Make a directory.
    openbin(element_path, mode='r', buffering=-1, **options)
        Open a binary file.
    remove(element_path)
        Remove a file.
    removedir(element_path)
        Remove a directory.
    select(conditions=None) → []
        Select elements from the ForensicStore.
        Parameters:
            conditions ([dict]) – List of key/value-pair dicts. Elements matching any list element are returned.
        Returns: Element generator with the results
        Return type: [dict]
    setinfo(element_path, info)
        Set resource information.
    store_file(file_path: str) → Tuple[str, HashedFile]
        Creates a writeable context for the contents of the file.
        Parameters:
            file_path (str) – Relative location of the new file
        Returns: A file object with a .write method
        Return type: HashedFile
    update(element_id: str, partial_element: dict) → str
        Update a single element.
        Parameters:
            element_id (str) – ID of the element
            partial_element (dict) – Changes for the element
    validate_element(element: dict)
        Validate a single element.
        Parameters:
            element (dict) – Element for validation
        Raises: TypeError – If element is invalid
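The following is an added, self-contained illustration (not the library's own code) of two behaviours documented above: the HashedFile-style writeable context that sizes and hashes whatever is written through it (add_file_element_export / store_file), and the select semantics in which a list of key/value dicts is matched with OR. HashedWriter, file_element, export_contents, select and demo are assumed names, and the timestamps, paths and file contents are constructed sample data.

```python
import hashlib
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Optional


class HashedWriter:
    """Writeable context that tracks the size and MD5/SHA-1/SHA-256 of all written data.
    Mirrors the documented HashedFile behaviour; this is not the library's class."""

    def __init__(self) -> None:
        self.size = 0
        self._hashes = {"MD5": hashlib.md5(), "SHA-1": hashlib.sha1(),
                        "SHA-256": hashlib.sha256()}

    def write(self, data: bytes) -> int:
        self.size += len(data)
        for h in self._hashes.values():
            h.update(data)
        return len(data)

    def hashes(self) -> Dict[str, str]:
        return {name: h.hexdigest() for name, h in self._hashes.items()}


def file_element(artifact: str, name: str, created: datetime, origin: dict, errors: List[str]) -> dict:
    """Build a STIX 2.0-style File Object carrying the non-STIX fields listed on this page."""
    return {"type": "file", "artifact": artifact, "name": name,
            "created": created.isoformat(), "origin": origin, "errors": errors}


def export_contents(element: dict, payload: bytes) -> dict:
    """Write payload through a HashedWriter and record size and hashes on the element."""
    hf = HashedWriter()
    hf.write(payload)
    element["size"] = hf.size
    element["hashes"] = hf.hashes()
    return element


def select(elements: List[dict], conditions: Optional[List[dict]] = None) -> Iterator[dict]:
    """Documented select semantics: a condition matches when all its pairs match; an element
    is yielded when any condition matches (or when no conditions are given)."""
    for element in elements:
        if conditions is None or any(all(element.get(k) == v for k, v in c.items()) for c in conditions):
            yield element


def demo() -> List[dict]:
    ts = datetime(2020, 1, 1, tzinfo=timezone.utc)  # constructed sample timestamp
    store = [export_contents(file_element("WindowsHosts", "hosts", ts,
                                          {"path": "C:/Windows/System32/drivers/etc/hosts"}, []),
                             b"127.0.0.1 localhost\n"),
             file_element("WindowsPrefetch", "CMD.EXE-1234ABCD.pf", ts, {}, ["file not readable"])]
    return list(select(store, [{"type": "file", "artifact": "WindowsHosts"}]))
```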
exception forensicstore.forensicstore.StoreExistsError

exception forensicstore.forensicstore.StoreNotExitsError