docs update

artemis-docs/README.md

@@ -1,6 +1,7 @@
 # Website
 
-This website is built using [Docusaurus 2](https://docusaurus.io/), a modern static website generator.
+This website is built using [Docusaurus 2](https://docusaurus.io/), a modern
+static website generator.
 
 ### Installation
 
@@ -14,15 +15,17 @@ $ yarn
 $ yarn start
 ```
 
-This command starts a local development server and opens up a browser window. Most changes are reflected live without having to restart the server.
+This command starts a local development server and opens up a browser window.
+Most changes are reflected live without having to restart the server.
 
 ### Build
 
 ```
 $ yarn build
 ```
 
-This command generates static content into the `build` directory and can be served using any static contents hosting service.
+This command generates static content into the `build` directory and can be
+served using any static contents hosting service.
 
 ### Deployment
 
@@ -38,4 +41,5 @@ Not using SSH:
 $ GIT_USER=<Your GitHub username> yarn deploy
 ```
 
-If you are using GitHub pages for hosting, this command is a convenient way to build the website and push to the `gh-pages` branch.
+If you are using GitHub pages for hosting, this command is a convenient way to
+build the website and push to the `gh-pages` branch.

artemis-docs/babel.config.js

@@ -1,3 +1,3 @@
 module.exports = {
-  presets: [require.resolve('@docusaurus/core/lib/babel/preset')],
+  presets: [require.resolve("@docusaurus/core/lib/babel/preset")],
 };

artemis-docs/docs/API/Artifacts/_category_.json

@@ -1,8 +1,8 @@
 {
-    "label": "Forensic Aritfacts",
-    "position": 3,
-    "link": {
-        "type": "generated-index",
-        "description": "Functions to interact with endpoint forensic artifacts"
-    }
-}
+  "label": "Forensic Aritfacts",
+  "position": 3,
+  "link": {
+    "type": "generated-index",
+    "description": "Functions to interact with endpoint forensic artifacts"
+  }
+}

artemis-docs/docs/API/Artifacts/windows.md

@@ -360,13 +360,76 @@ Parse the Windows Security.evtx and try to correlate Logon and Logoff events.
 
 ### lookupSecurityKey(path, offset) -> `SecurityKey`
 
-Parse Security Key data from Registry at provided Security Key offset. The offset must be a postive number greater than 0.
-You can use `getRegistry(path)` to pull a list of keys which contain Security Key offset data.
+Parse Security Key data from Registry at provided Security Key offset. The
+offset must be a postive number greater than 0. You can use `getRegistry(path)`
+to pull a list of keys which contain Security Key offset data.
 
 It is not recommended to bulk lookup Security Key info due the amount of data.
-Security Keys contain information about Registry key permissions and ACLs. Its not super useful.
+Security Keys contain information about Registry key permissions and ACLs. Its
+not super useful.
 
 | Param  | Type     | Description                   |
 | ------ | -------- | ----------------------------- |
 | path   | `string` | Path to Windows Registry file |
 | offset | `number` | Offset to Security Key        |
+
+### parseTable(path, tables) -> `Record<string, EseTable[][]> | Error`
+
+Parse an ESE database table at provided path. Will return a HashMap of tables.
+Where there string key is the table name. Table rows are returned in double
+array where each row is an array. Will bypass locked files and works dirty or
+clean ESE databases.
+
+:::warning
+
+Larger ESE databases will consume more memory and resources
+
+:::
+
+Sample output for one table (SmTbleSmp) that has two rows:
+
+```typescript
+{
+    "SmTblSmp": [
+        [
+            {
+                "column_type": "Float64",
+                "column_name": "SectionID",
+                "column_data": "1"
+            },
+            {
+                "column_type": "LongBinary",
+                "column_name": "Name",
+                "column_data": "bABzAGEAYQBuAG8AbgB5AG0AbwB1AHMAbgBhAG0AZQBsAG8AbwBrAHUAcAA="
+            },
+            {
+                "column_type": "LongBinary",
+                "column_name": "Value",
+                "column_data": "MAAAAA=="
+            }
+        ],
+        [
+            {
+                "column_type": "Float64",
+                "column_name": "SectionID",
+                "column_data": "1"
+            },
+            {
+                "column_type": "LongBinary",
+                "column_name": "Name",
+                "column_data": "ZQBuAGEAYgBsAGUAZwB1AGUAcwB0AGEAYwBjAG8AdQBuAHQA"
+            },
+            {
+                "column_type": "LongBinary",
+                "column_name": "Value",
+                "column_data": "MAAAAA=="
+            }
+        ]
+    ]
+}
+```
+
+| Param  | Type       | Description                  |
+| ------ | ---------- | ---------------------------- |
+| path   | `string`   | Path to Windows ESE database |
+| tables | `string[]` | One or more tables to parse  |

artemis-docs/docs/API/Helper/_category_.json

@@ -1,8 +1,8 @@
 {
-    "label": "Helper Functions",
-    "position": 2,
-    "link": {
-        "type": "generated-index",
-        "description": "Generic Functions to Help with Scripting"
-    }
-}
+  "label": "Helper Functions",
+  "position": 2,
+  "link": {
+    "type": "generated-index",
+    "description": "Generic Functions to Help with Scripting"
+  }
+}

artemis-docs/docs/Artifacts/Application Artifacts/_category_.json

@@ -1,8 +1,8 @@
 {
-    "label": "Application Artifacts",
-    "position": 4,
-    "link": {
-        "type": "generated-index",
-        "description": "Forensic artifacts for specific applications"
-    }
-}
+  "label": "Application Artifacts",
+  "position": 4,
+  "link": {
+    "type": "generated-index",
+    "description": "Forensic artifacts for specific applications"
+  }
+}

artemis-docs/docs/Artifacts/Linux Artifacts/_category_.json

@@ -1,8 +1,8 @@
 {
-    "label": "Linux Artifacts",
-    "position": 5,
-    "link": {
-        "type": "generated-index",
-        "description": "Forensic artifacts for Linux systems"
-    }
-}
+  "label": "Linux Artifacts",
+  "position": 5,
+  "link": {
+    "type": "generated-index",
+    "description": "Forensic artifacts for Linux systems"
+  }
+}

artemis-docs/docs/Artifacts/Windows Artfacts/_category_.json

@@ -1,8 +1,8 @@
 {
-    "label": "Windows Artifacts",
-    "position": 6,
-    "link": {
-        "type": "generated-index",
-        "description": "Forensic artifacts for Windows systems"
-    }
-}
+  "label": "Windows Artifacts",
+  "position": 6,
+  "link": {
+    "type": "generated-index",
+    "description": "Forensic artifacts for Windows systems"
+  }
+}

artemis-docs/docs/Artifacts/macOS Artifacts/_category_.json

@@ -1,8 +1,8 @@
 {
-    "label": "macOS Artifacts",
-    "position": 5,
-    "link": {
-        "type": "generated-index",
-        "description": "Forensic artifacts for macOS systems"
-    }
-}
+  "label": "macOS Artifacts",
+  "position": 5,
+  "link": {
+    "type": "generated-index",
+    "description": "Forensic artifacts for macOS systems"
+  }
+}

artemis-docs/docs/Contributing/building.md

@@ -46,14 +46,20 @@ cargo build
 cargo build --release
 ```
 
-# Advanced 
-If you want to build the entire artemis project, you will need additional prerequisites. These additional prerequisites are required to build the experimental server and webui. 
+# Advanced
+
+If you want to build the entire artemis project, you will need additional
+prerequisites. These additional prerequisites are required to build the
+experimental server and webui.
 
 ## Advanced Prerequisites
-1. Install [NodeJS](https://nodejs.org/en). Required to install TailWindCSS and DaisyUI
+
+1. Install [NodeJS](https://nodejs.org/en). Required to install TailWindCSS and
+   DaisyUI
 2. Add WASM support for Rust `rustup target add wasm32-unknown-unknown`
 3. Install TailWindCSS `npm install -D tailwindcss`
 4. Install DaisyUI `npm i -D daisyui@latest`
 5. Install Typography `npm install -D @tailwindcss/typography`
-6. Install [Trunk](https://trunkrs.dev/). Required to compile webui to web assembly
-7. Build the entire project with `just build`
+6. Install [Trunk](https://trunkrs.dev/). Required to compile webui to web
+   assembly
+7. Build the entire project with `just build`

artemis-docs/docs/Intro/Collections/Examples/_category_.json

@@ -1,8 +1,8 @@
 {
-    "label": "Examples",
-    "position": 5,
-    "link": {
-        "type": "generated-index",
-        "description": "Exmaple TOML Collections"
-    }
-}
+  "label": "Examples",
+  "position": 5,
+  "link": {
+    "type": "generated-index",
+    "description": "Exmaple TOML Collections"
+  }
+}

artemis-docs/docs/Intro/Collections/_category_.json

@@ -1,8 +1,8 @@
 {
-    "label": "Collections",
-    "position": 5,
-    "link": {
-        "type": "generated-index",
-        "description": "How to collect data with artemis"
-    }
-}
+  "label": "Collections",
+  "position": 5,
+  "link": {
+    "type": "generated-index",
+    "description": "How to collect data with artemis"
+  }
+}

artemis-docs/docs/Intro/Library/_category_.json

@@ -1,8 +1,8 @@
 {
-    "label": "Artemis Library",
-    "position": 6,
-    "link": {
-        "type": "generated-index",
-        "description": "Artemis Core as library"
-    }
-}
+  "label": "Artemis Library",
+  "position": 6,
+  "link": {
+    "type": "generated-index",
+    "description": "Artemis Core as library"
+  }
+}

artemis-docs/docs/Intro/Scripting/_category_.json

@@ -1,8 +1,8 @@
 {
-    "label": "Artemis Scripting",
-    "position": 5,
-    "link": {
-        "type": "generated-index",
-        "description": "Scripting with JavaScript"
-    }
-}
+  "label": "Artemis Scripting",
+  "position": 5,
+  "link": {
+    "type": "generated-index",
+    "description": "Scripting with JavaScript"
+  }
+}

artemis-docs/package.json

@@ -44,4 +44,4 @@
   "engines": {
     "node": ">=16.14"
   }
-}
+}

src/windows/ese.ts

@@ -0,0 +1,21 @@
+import { EseTable } from "../../types/windows/ese.ts";
+
+/**
+ * Function to parse any ESE database and tables
+ * @param path Path to ESE database
+ * @param tables Tables that should be parsed
+ * @returns HashMap of tables and their contents
+ */
+export function parseTable(
+  path: string,
+  tables: string[],
+): Record<string, EseTable[][]> | Error {
+  //@ts-ignore: Custom Artemis function
+  const data = Deno.core.ops.get_table(path, tables);
+  if (data instanceof Error) {
+    return data;
+  }
+
+  const results: Record<string, EseTable[][]> = JSON.parse(data);
+  return results;
+}

src/windows/registry.ts

@@ -19,13 +19,16 @@ export function getRegistry(path: string): Registry[] {
  * @param offset Offset to Security Key to lookupSecurityKey
  * @returns `SecurityKey` object data
  */
-export function lookupSecurityKey(path: string, offset: number): SecurityKey | Error {
+export function lookupSecurityKey(
+  path: string,
+  offset: number,
+): SecurityKey | Error {
   if (offset <= 0) {
     return new Error("Cannot use negative offset or zero!");
   }
-    //@ts-ignore: Custom Artemis function
-    const data: string = Deno.core.ops.get_sk_info(path, offset);
+  //@ts-ignore: Custom Artemis function
+  const data: string = Deno.core.ops.get_sk_info(path, offset);
 
-    const results: SecurityKey = JSON.parse(data);
-    return results;
-}
+  const results: SecurityKey = JSON.parse(data);
+  return results;
+}