Welcome to forensicstore’s documentation!

JSONLite is a database that can be used to store elements and files.

class forensicstore.forensicstore.ForensicStore(url: str, create: bool, application_id: int = 1701602669)

ForensicStore is a database class that stores forensic elements and files.

Parameters: url (str) – Location of the database. Needs to be a path or a valid pyfilesystem2 url

add_directory_element(artifact: str, dir_path: str, created: Union[datetime.datetime, str], modified: Union[datetime.datetime, str], accessed: Union[datetime.datetime, str], errors: List[str]) → str

Add a new STIX 2.0 Directory Object

Parameters:
  • artifact (str) – Artifact name (non STIX field)
  • dir_path (str) – Specifies the path, as originally observed, to the directory on the file system.
  • created (datetime or str) – Specifies the date/time the file was created.
  • modified (datetime or str) – Specifies the date/time the file was last written to/modified.
  • accessed (datetime or str) – Specifies the date/time the file was last accessed.
  • errors (list) – List of errors
Returns:

ID of the inserted element

Return type:

str

add_file_element(artifact, name, created, modified, accessed, origin, errors) → str

Add a new STIX 2.0 File Object

Parameters:
  • artifact (str) – Artifact name (non STIX field)
  • name (str) – Specifies the name of the file.
  • created (datetime or str) – Specifies the date/time the file was created.
  • modified (datetime or str) – Specifies the date/time the file was last written to/modified.
  • accessed (datetime or str) – Specifies the date/time the file was last accessed.
  • origin (dict) – Origin of the file (non STIX field)
  • errors (list) – List of errors
Returns:

ID of the inserted element

Return type:

str

add_file_element_export(element_id: str, export_name=None)

Creates a writeable context for the contents of the file. Size and hash values are automatically calculated for the written data.

Parameters:
  • element_id (str) – ID of the element
  • export_name (str) – Optional export name
Returns:

A file object with a .write method

Return type:

HashedFile

add_process_element(artifact, name, created, cwd, command_line, return_code, errors) → str

Add a new STIX 2.0 Process Object

Parameters:
  • artifact (str) – Artifact name (non STIX field)
  • name (str) – Specifies the name of the process.
  • created (datetime or str) – Specifies the date/time at which the process was created.
  • cwd (str) – Specifies the current working directory of the process.
  • command_line (str) – Specifies the full command line used in executing the process, including the process name (depending on the operating system).
  • return_code (int) – Return code of the process (non STIX field)
  • errors (list) – List of errors
Returns:

ID of the inserted element

Return type:

str

add_process_element_stderr(element_id: str)

Creates a writeable context for the output on stderr of a process.

Parameters: element_id (str) – ID of the element
Returns: A file object with a .write method
Return type: HashedFile

add_process_element_stdout(element_id: str)

Creates a writeable context for the output on stdout of a process.

Parameters: element_id (str) – ID of the element
Returns: A file object with a .write method
Return type: HashedFile

add_process_element_wmi(element_id: str)

Creates a writeable context for the WMI output of a process.

Parameters: element_id (str) – ID of the element
Returns: A file object with a .write method
Return type: HashedFile

add_registry_key_element(artifact, modified, key, errors) → str

Add a new STIX 2.0 Windows Registry Key Object

Parameters:
  • artifact (str) – Artifact name (non STIX field)
  • modified (datetime or str) – Specifies the last date/time that the registry key was modified.
  • key (str) – Specifies the full registry key including the hive.
  • errors (list) – List of errors
Returns:

ID of the inserted element

Return type:

str

add_registry_value_element(key_id: str, data_type: str, data: bytes, name: str)

Add a STIX 2.0 Windows Registry Value Type

Parameters:
  • key_id (str) – element ID of the parent windows registry key
  • data_type (str) – Specifies the registry (REG_*) data type used in the registry value.
  • data (bytes) – Specifies the data contained in the registry value.
  • name (str) – Specifies the name of the registry value. For specifying the default value in a registry key, an empty string MUST be used.

all() → []

Get all elements of any type from the ForensicStore

Returns: element generator with the results
Return type: [dict]

close()

Save ForensicStore to its location.

get(element_id: str) → dict

Get a single element by the element_id

Parameters: element_id (str) – ID of the element
Returns: Single element
Return type: dict

getinfo(element_path, namespaces=None)

Get info regarding a file or directory.

import_forensicstore(url: str)

Import forensicstore file

Parameters: url (str) – Location of the observed data file. Needs to be a path or a valid pyfilesystem2 url

insert(element: dict) → str

Insert a single element into the store

Parameters: element (dict) – New element
Returns: ID of the inserted element
Return type: str

listdir(element_path)

Get a list of resources in a directory.

makedir(element_path, permissions=None, recreate=False)

Make a directory.

openbin(element_path, mode='r', buffering=-1, **options)

Open a binary file.

remove(element_path)

Remove a file.

removedir(element_path)

Remove a directory.

select(conditions=None) → []

Select elements from the ForensicStore

Parameters: conditions ([dict]) – List of key/value pairs. Elements matching any list element are returned
Returns: element generator with the results
Return type: [dict]

setinfo(element_path, info)

Set resource information.

store_file(file_path: str) → (str, HashedFile)

Creates a writeable context for the contents of the file.

Parameters: file_path (str) – Relative location of the new file
Returns: A file object with a .write method (see the signature for the full return value)
Return type: (str, HashedFile)

update(element_id: str, partial_element: dict) → str

Update a single element

Parameters:
  • element_id (str) – ID of the element
  • partial_element (dict) – Changes for the element

validate_element(element: dict)

Validate a single element

Parameters: element (dict) – element for validation
Raises: TypeError – If element is invalid

exception forensicstore.forensicstore.StoreExistsError
exception forensicstore.forensicstore.StoreNotExitsError
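The following is an added example, not code from the forensicstore project. It walks the API documented above end to end: a process element with its captured stdout, a file element with its exported contents (for which the page says size and hash values are computed automatically), a registry key with one value, and a `select()` query that uses the documented "matches any list element" semantics. Everything not stated on the page is an assumption and is labelled as such in the code: that the HashedFile objects returned by `add_process_element_stdout` and `add_file_element_export` can be used as context managers, that elements carry a STIX `type` key that `select()` can match on, and that a store is opened as `ForensicStore(url, create=True)`. The `InMemoryStore` class is a test double that mirrors only the documented method signatures so the workflow runs offline; it is not the library's implementation.

```python
# Added example (not forensicstore project code). Drives the documented
# ForensicStore API; see the lead-in for the assumptions made here.
import hashlib
from datetime import datetime, timezone


def record_evidence(store, artifact="ExampleCollection"):
    """Write one process, one file and one registry key into `store` via the
    documented methods. Returns the element IDs keyed by kind."""
    now = datetime.now(timezone.utc)

    # Process object plus its stdout (constructed sample output, not real data).
    proc_id = store.add_process_element(
        artifact=artifact, name="whoami", created=now, cwd="C:\\Windows\\System32",
        command_line="whoami /all", return_code=0, errors=[])
    with store.add_process_element_stdout(proc_id) as out:   # assumed: context manager
        out.write(b"desktop-01\\analyst\r\n")

    # File object; the page says the store computes size and hashes for the export.
    # The `origin` dict layout is an assumption (page only says "non STIX field").
    file_id = store.add_file_element(
        artifact=artifact, name="hosts", created=now, modified=now, accessed=now,
        origin={"path": "C:\\Windows\\System32\\drivers\\etc\\hosts"}, errors=[])
    with store.add_file_element_export(file_id) as export:   # assumed: context manager
        export.write(b"127.0.0.1 localhost\r\n")

    # Registry key with a single REG_SZ value (constructed sample key).
    key_id = store.add_registry_key_element(
        artifact=artifact, modified=now, key="HKEY_LOCAL_MACHINE\\SOFTWARE\\Example", errors=[])
    store.add_registry_value_element(key_id=key_id, data_type="REG_SZ", data=b"1.0", name="Version")
    return {"process": proc_id, "file": file_id, "registry": key_id}


def list_types(store, types):
    """select() takes a list of key/value dicts and returns elements matching ANY
    of them (documented OR semantics). Assumes elements carry a STIX `type` key."""
    return list(store.select([{"type": t} for t in types]))


class _HashedBuffer:
    """Stand-in for HashedFile: collects written bytes and on exit records size
    and SHA-256 on the owning element, mimicking what the page describes."""
    def __init__(self, element, field):
        self._element, self._field, self._chunks = element, field, []

    def write(self, data):
        self._chunks.append(bytes(data))

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        blob = b"".join(self._chunks)
        self._element[self._field] = {"size": len(blob),
                                      "hashes": {"SHA-256": hashlib.sha256(blob).hexdigest()}}


class InMemoryStore:
    """Test double exposing the documented method signatures used above so the
    example runs offline. NOT the forensicstore implementation."""
    def __init__(self):
        self.elements = {}

    def insert(self, element):
        element_id = f"{element['type']}--{len(self.elements)}"
        self.elements[element_id] = dict(element, id=element_id)
        return element_id

    def add_process_element(self, artifact, name, created, cwd, command_line, return_code, errors):
        return self.insert({"type": "process", "artifact": artifact, "name": name, "created": created,
                            "cwd": cwd, "command_line": command_line, "return_code": return_code,
                            "errors": errors})

    def add_process_element_stdout(self, element_id):
        return _HashedBuffer(self.elements[element_id], "stdout")

    def add_file_element(self, artifact, name, created, modified, accessed, origin, errors):
        return self.insert({"type": "file", "artifact": artifact, "name": name, "created": created,
                            "modified": modified, "accessed": accessed, "origin": origin, "errors": errors})

    def add_file_element_export(self, element_id, export_name=None):
        return _HashedBuffer(self.elements[element_id], "export")

    def add_registry_key_element(self, artifact, modified, key, errors):
        return self.insert({"type": "windows-registry-key", "artifact": artifact, "modified": modified,
                            "key": key, "errors": errors, "values": []})

    def add_registry_value_element(self, key_id, data_type, data, name):
        self.elements[key_id]["values"].append({"name": name, "data": data, "data_type": data_type})

    def select(self, conditions=None):
        for element in self.elements.values():
            if not conditions or any(all(element.get(k) == v for k, v in c.items()) for c in conditions):
                yield element

    def close(self):
        pass


if __name__ == "__main__":
    try:
        import forensicstore  # the real library, when installed
        store = forensicstore.ForensicStore("example.forensicstore", create=True)  # placeholder path
    except ImportError:
        store = InMemoryStore()  # offline fallback
    record_evidence(store)
    for element in list_types(store, ["process", "file"]):
        print(element.get("type"), element.get("name"))
    store.close()
```

Passing `store` in as a parameter keeps the collection code identical whether it writes to a real ForensicStore or to the offline stand-in; only the `__main__` block decides which one to open.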
