diff --git a/artemis-docs/README.md b/artemis-docs/README.md index aaba2fa1..47a81d80 100644 --- a/artemis-docs/README.md +++ b/artemis-docs/README.md @@ -1,6 +1,7 @@ # Website -This website is built using [Docusaurus 2](https://docusaurus.io/), a modern static website generator. +This website is built using [Docusaurus 2](https://docusaurus.io/), a modern +static website generator. ### Installation @@ -14,7 +15,8 @@ $ yarn $ yarn start ``` -This command starts a local development server and opens up a browser window. Most changes are reflected live without having to restart the server. +This command starts a local development server and opens up a browser window. +Most changes are reflected live without having to restart the server. ### Build @@ -22,7 +24,8 @@ This command starts a local development server and opens up a browser window. Mo $ yarn build ``` -This command generates static content into the `build` directory and can be served using any static contents hosting service. +This command generates static content into the `build` directory and can be +served using any static contents hosting service. ### Deployment @@ -38,4 +41,5 @@ Not using SSH: $ GIT_USER= yarn deploy ``` -If you are using GitHub pages for hosting, this command is a convenient way to build the website and push to the `gh-pages` branch. +If you are using GitHub pages for hosting, this command is a convenient way to +build the website and push to the `gh-pages` branch. diff --git a/artemis-docs/babel.config.js b/artemis-docs/babel.config.js index e00595da..bfd75dbd 100644 --- a/artemis-docs/babel.config.js +++ b/artemis-docs/babel.config.js @@ -1,3 +1,3 @@ module.exports = { - presets: [require.resolve('@docusaurus/core/lib/babel/preset')], + presets: [require.resolve("@docusaurus/core/lib/babel/preset")], }; diff --git a/artemis-docs/docs/API/Artifacts/_category_.json b/artemis-docs/docs/API/Artifacts/_category_.json index 59eaa208..6934f3f0 100644 
--- a/artemis-docs/docs/API/Artifacts/_category_.json
+++ b/artemis-docs/docs/API/Artifacts/_category_.json
@@ -1,8 +1,8 @@
 {
- "label": "Forensic Aritfacts",
- "position": 3,
- "link": {
- "type": "generated-index",
- "description": "Functions to interact with endpoint forensic artifacts"
- }
-}
\ No newline at end of file
+ "label": "Forensic Aritfacts",
+ "position": 3,
+ "link": {
+ "type": "generated-index",
+ "description": "Functions to interact with endpoint forensic artifacts"
+ }
+}
diff --git a/artemis-docs/docs/API/Artifacts/windows.md b/artemis-docs/docs/API/Artifacts/windows.md
index 7c557673..85f8f210 100644
--- a/artemis-docs/docs/API/Artifacts/windows.md
+++ b/artemis-docs/docs/API/Artifacts/windows.md
@@ -360,13 +360,76 @@ Parse the Windows Security.evtx and try to correlate Logon and Logoff events. ### lookupSecurityKey(path, offset) -> `SecurityKey` -Parse Security Key data from Registry at provided Security Key offset. The offset must be a postive number greater than 0. -You can use `getRegistry(path)` to pull a list of keys which contain Security Key offset data. +Parse Security Key data from Registry at provided Security Key offset. The +offset must be a postive number greater than 0. You can use `getRegistry(path)` +to pull a list of keys which contain Security Key offset data. It is not recommended to bulk lookup Security Key info due the amount of data. -Security Keys contain information about Registry key permissions and ACLs. Its not super useful. +Security Keys contain information about Registry key permissions and ACLs. Its +not super useful. | Param | Type | Description | | ------ | -------- | ----------------------------- | | path | `string` | Path to Windows Registry file | | offset | `number` | Offset to Security Key | + +### parseTable(path, tables) -> `Record | Error` + +Parse an ESE database table at provided path. Will return a HashMap of tables. +Where there string key is the table name. Table rows are returned in double +array where each row is an array. Will bypass locked files and works dirty or +clean ESE databases. 
+
+:::warning
+
+Larger ESE databases will consume more memory and resources
+
+:::
+
+Sample output for one table (SmTbleSmp) that has two rows:
+
+```typescript
+{
+ "SmTblSmp": [
+ [
+ {
+ "column_type": "Float64",
+ "column_name": "SectionID",
+ "column_data": "1"
+ },
+ {
+ "column_type": "LongBinary",
+ "column_name": "Name",
+ "column_data": "bABzAGEAYQBuAG8AbgB5AG0AbwB1AHMAbgBhAG0AZQBsAG8AbwBrAHUAcAA="
+ },
+ {
+ "column_type": "LongBinary",
+ "column_name": "Value",
+ "column_data": "MAAAAA=="
+ }
+ ],
+ [
+ {
+ "column_type": "Float64",
+ "column_name": "SectionID",
+ "column_data": "1"
+ },
+ {
+ "column_type": "LongBinary",
+ "column_name": "Name",
+ "column_data": "ZQBuAGEAYgBsAGUAZwB1AGUAcwB0AGEAYwBjAG8AdQBuAHQA"
+ },
+ {
+ "column_type": "LongBinary",
+ "column_name": "Value",
+ "column_data": "MAAAAA=="
+ }
+ ]
+ ]
+}
+```
+
+| Param | Type | Description |
+| ------ | ---------- | ---------------------------- |
+| path | `string` | Path to Windows ESE database |
+| tables | `string[]` | One or more tables to parse |
diff --git a/artemis-docs/docs/API/Helper/_category_.json b/artemis-docs/docs/API/Helper/_category_.json
index e8448ff9..ef87a9d1 100644
--- a/artemis-docs/docs/API/Helper/_category_.json
+++ b/artemis-docs/docs/API/Helper/_category_.json
@@ -1,8 +1,8 @@
 {
- "label": "Helper Functions",
- "position": 2,
- "link": {
- "type": "generated-index",
- "description": "Generic Functions to Help with Scripting"
- }
-}
\ No newline at end of file
+ "label": "Helper Functions",
+ "position": 2,
+ "link": {
+ "type": "generated-index",
+ "description": "Generic Functions to Help with Scripting"
+ }
+}
diff --git a/artemis-docs/docs/Artifacts/Application Artifacts/_category_.json b/artemis-docs/docs/Artifacts/Application Artifacts/_category_.json
index 99c50d95..7d473bf9 100644
--- a/artemis-docs/docs/Artifacts/Application Artifacts/_category_.json
+++ b/artemis-docs/docs/Artifacts/Application Artifacts/_category_.json
@@ -1,8 +1,8 @@
 {
- "label": "Application Artifacts",
- "position": 4,
- "link": {
- "type": "generated-index",
- "description": "Forensic artifacts for specific applications"
- }
-}
\ No newline at end of file
+ "label": "Application Artifacts",
+ "position": 4,
+ "link": {
+ "type": "generated-index",
+ "description": "Forensic artifacts for specific applications"
+ }
+}
diff --git a/artemis-docs/docs/Artifacts/Linux Artifacts/_category_.json b/artemis-docs/docs/Artifacts/Linux Artifacts/_category_.json
index f2720ef0..b2413243 100644
--- a/artemis-docs/docs/Artifacts/Linux Artifacts/_category_.json
+++ b/artemis-docs/docs/Artifacts/Linux Artifacts/_category_.json
@@ -1,8 +1,8 @@
 {
- "label": "Linux Artifacts",
- "position": 5,
- "link": {
- "type": "generated-index",
- "description": "Forensic artifacts for Linux systems"
- }
-}
\ No newline at end of file
+ "label": "Linux Artifacts",
+ "position": 5,
+ "link": {
+ "type": "generated-index",
+ "description": "Forensic artifacts for Linux systems"
+ }
+}
diff --git a/artemis-docs/docs/Artifacts/Windows Artfacts/_category_.json b/artemis-docs/docs/Artifacts/Windows Artfacts/_category_.json
index 24032797..4bb79230 100644
--- a/artemis-docs/docs/Artifacts/Windows Artfacts/_category_.json
+++ b/artemis-docs/docs/Artifacts/Windows Artfacts/_category_.json
@@ -1,8 +1,8 @@
 {
- "label": "Windows Artifacts",
- "position": 6,
- "link": {
- "type": "generated-index",
- "description": "Forensic artifacts for Windows systems"
- }
-}
\ No newline at end of file
+ "label": "Windows Artifacts",
+ "position": 6,
+ "link": {
+ "type": "generated-index",
+ "description": "Forensic artifacts for Windows systems"
+ }
+}
diff --git a/artemis-docs/docs/Artifacts/macOS Artifacts/_category_.json b/artemis-docs/docs/Artifacts/macOS Artifacts/_category_.json
index 2e309354..68d8db2e 100644
--- a/artemis-docs/docs/Artifacts/macOS Artifacts/_category_.json
+++ b/artemis-docs/docs/Artifacts/macOS Artifacts/_category_.json
@@ -1,8 +1,8 @@ { - "label": "macOS Artifacts", - "position": 5, - "link": { - "type": "generated-index", - "description": "Forensic artifacts for macOS systems" - } -} \ No newline at end of file + "label": "macOS Artifacts", + "position": 5, + "link": { + "type": "generated-index", + "description": "Forensic artifacts for macOS systems" + } +} diff --git a/artemis-docs/docs/Contributing/building.md b/artemis-docs/docs/Contributing/building.md index 03cff764..51e65588 100644 --- a/artemis-docs/docs/Contributing/building.md +++ b/artemis-docs/docs/Contributing/building.md @@ -46,14 +46,20 @@ cargo build cargo build --release ``` -# Advanced -If you want to build the entire artemis project, you will need additional prerequisites. These additional prerequisites are required to build the experimental server and webui. +# Advanced + +If you want to build the entire artemis project, you will need additional +prerequisites. These additional prerequisites are required to build the +experimental server and webui. ## Advanced Prerequisites -1. Install [NodeJS](https://nodejs.org/en). Required to install TailWindCSS and DaisyUI + +1. Install [NodeJS](https://nodejs.org/en). Required to install TailWindCSS and + DaisyUI 2. Add WASM support for Rust `rustup target add wasm32-unknown-unknown` 3. Install TailWindCSS `npm install -D tailwindcss` 4. Install DaisyUI `npm i -D daisyui@latest` 5. Install Typography `npm install -D @tailwindcss/typography` -6. Install [Trunk](https://trunkrs.dev/). Required to compile webui to web assembly -7. Build the entire project with `just build` \ No newline at end of file +6. Install [Trunk](https://trunkrs.dev/). Required to compile webui to web + assembly +7. Build the entire project with `just build` diff --git a/artemis-docs/docs/Intro/Collections/Examples/_category_.json b/artemis-docs/docs/Intro/Collections/Examples/_category_.json index 9ea4007c..7b441e90 100644 --- a/artemis-docs/docs/Intro/Collections/Examples/_category_.json 
+++ b/artemis-docs/docs/Intro/Collections/Examples/_category_.json
@@ -1,8 +1,8 @@
 {
- "label": "Examples",
- "position": 5,
- "link": {
- "type": "generated-index",
- "description": "Exmaple TOML Collections"
- }
-}
\ No newline at end of file
+ "label": "Examples",
+ "position": 5,
+ "link": {
+ "type": "generated-index",
+ "description": "Exmaple TOML Collections"
+ }
+}
diff --git a/artemis-docs/docs/Intro/Collections/_category_.json b/artemis-docs/docs/Intro/Collections/_category_.json
index 2e3c1d46..9051fe43 100644
--- a/artemis-docs/docs/Intro/Collections/_category_.json
+++ b/artemis-docs/docs/Intro/Collections/_category_.json
@@ -1,8 +1,8 @@
 {
- "label": "Collections",
- "position": 5,
- "link": {
- "type": "generated-index",
- "description": "How to collect data with artemis"
- }
-}
\ No newline at end of file
+ "label": "Collections",
+ "position": 5,
+ "link": {
+ "type": "generated-index",
+ "description": "How to collect data with artemis"
+ }
+}
diff --git a/artemis-docs/docs/Intro/Library/_category_.json b/artemis-docs/docs/Intro/Library/_category_.json
index 9b5772e8..044a27f0 100644
--- a/artemis-docs/docs/Intro/Library/_category_.json
+++ b/artemis-docs/docs/Intro/Library/_category_.json
@@ -1,8 +1,8 @@
 {
- "label": "Artemis Library",
- "position": 6,
- "link": {
- "type": "generated-index",
- "description": "Artemis Core as library"
- }
-}
\ No newline at end of file
+ "label": "Artemis Library",
+ "position": 6,
+ "link": {
+ "type": "generated-index",
+ "description": "Artemis Core as library"
+ }
+}
diff --git a/artemis-docs/docs/Intro/Scripting/_category_.json b/artemis-docs/docs/Intro/Scripting/_category_.json
index 0c13a60b..902758b1 100644
--- a/artemis-docs/docs/Intro/Scripting/_category_.json
+++ b/artemis-docs/docs/Intro/Scripting/_category_.json
@@ -1,8 +1,8 @@
 {
- "label": "Artemis Scripting",
- "position": 5,
- "link": {
- "type": "generated-index",
- "description": "Scripting with JavaScript"
- }
-}
\ No newline at end of file
+ "label": "Artemis Scripting",
+ "position": 5,
+ "link": {
+ "type": "generated-index",
+ "description": "Scripting with JavaScript"
+ }
+}
diff --git a/artemis-docs/package.json b/artemis-docs/package.json
index 9196f958..a18aaf53 100644
--- a/artemis-docs/package.json
+++ b/artemis-docs/package.json
@@ -44,4 +44,4 @@
 "engines": {
 "node": ">=16.14"
 }
-}
\ No newline at end of file
+}
diff --git a/src/windows/ese.ts b/src/windows/ese.ts
new file mode 100644
index 00000000..63317889
--- /dev/null
+++ b/src/windows/ese.ts
@@ -0,0 +1,21 @@
+import { EseTable } from "../../types/windows/ese.ts";
+
+/**
+ * Function to parse any ESE database and tables
+ * @param path Path to ESE database
+ * @param tables Tables that should be parsed
+ * @returns HashMap of tables and their contents
+ */
+export function parseTable(
+ path: string,
+ tables: string[],
+): Record | Error {
+ //@ts-ignore: Custom Artemis function
+ const data = Deno.core.ops.get_table(path, tables);
+ if (data instanceof Error) {
+ return data;
+ }
+
+ const results: Record = JSON.parse(data);
+ return results;
+}
diff --git a/src/windows/registry.ts b/src/windows/registry.ts
index fdc30190..cc7f0945 100644
--- a/src/windows/registry.ts
+++ b/src/windows/registry.ts
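Review bot: The return type of `parseTable` and the annotation on `results` read as a bare `Record`, which in TypeScript requires two type arguments and will not compile under `strict`; if the angle brackets were lost when this page was rendered disregard this, but the shape the docs describe is `Record<string, EseTable[][]>`, and the otherwise-unused `EseTable` import suggests that is what was intended. The value from `JSON.parse` is assigned to that typed record with no runtime check, so any change in what the native `get_table` op serialises shows up in callers as `undefined` fields rather than an error; the `@returns` line should at least say so, e.g. `@returns Map of table name to rows, each row an array of EseTable columns; shape is trusted from the Rust op, not validated`. The `//@ts-ignore` also hides every diagnostic on the next line, not just the missing `Deno.core.ops` declaration — `// @ts-expect-error: Deno.core.ops is provided by the Artemis runtime` fails loudly once the op is typed. Since `path` and `tables` go straight to native code, it would help callers to document that no path normalisation or table-name validation happens on this side.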
@@ -19,13 +19,16 @@ export function getRegistry(path: string): Registry[] {
 * @param offset Offset to Security Key to lookupSecurityKey
 * @returns `SecurityKey` object data
 */
-export function lookupSecurityKey(path: string, offset: number): SecurityKey | Error {
+export function lookupSecurityKey(
+ path: string,
+ offset: number,
+): SecurityKey | Error {
 if (offset <= 0) {
 return new Error("Cannot use negative offset or zero!");
 }
- //@ts-ignore: Custom Artemis function
- const data: string = Deno.core.ops.get_sk_info(path, offset);
+ //@ts-ignore: Custom Artemis function
+ const data: string = Deno.core.ops.get_sk_info(path, offset);
- const results: SecurityKey = JSON.parse(data);
- return results;
-}
\ No newline at end of file
+ const results: SecurityKey = JSON.parse(data);
+ return results;
+}
diff --git a/types/windows/ese.ts b/types/windows/ese.ts
new file mode 100644
index 00000000..d1b510a8
--- /dev/null
+++ b/types/windows/ese.ts
@@ -0,0 +1,31 @@
+/** Generic Interface for dumpting ESE tables */
+export interface EseTable {
+ column_type: ColumnType;
+ column_name: string;
+ /**Binary data is base64 encoded. All data is decompressed if possible */
+ column_data: string;
+}
+
+export enum ColumnType {
+ Nil = "Nil",
+ Bit = "Bit",
+ UnsignedByte = "UnsignedByte",
+ Short = "Short",
+ Long = "Long",
+ Currency = "Currency",
+ Float32 = "Float32",
+ Float64 = "Float64",
+ DateTime = "DateTime",
+ Binary = "Binary",
+ /** Can be ASCII or Unicode */
+ Text = "Text",
+ LongBinary = "LongBinary",
+ /**Can be ASCII or Unicode */
+ LongText = "LongText",
+ SuperLong = "SuperLong",
+ UnsignedLong = "UnsignedLong",
+ LongLong = "LongLong",
+ Guid = "Guid",
+ UnsingedShort = "UnsingedShort",
+ Unknown = "Unknown"
+}
\ No newline at end of file
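Review bot: The guard `if (offset <= 0)` in `lookupSecurityKey` lets `NaN` and fractional offsets through to the native op, because `NaN <= 0` is false; `if (!Number.isInteger(offset) || offset <= 0)` rejects both and keeps the existing error message, which also matches the docs' "positive number greater than 0". The function is declared to return `SecurityKey | Error`, yet unlike the new `parseTable` in this same commit it never checks whether `get_sk_info` handed back an `Error` — the `data: string` annotation hides that case, and if the op does return an `Error` object, `JSON.parse` throws a `SyntaxError` on its string form instead of the caller receiving the error value. Dropping the `: string` and adding `if (data instanceof Error) return data;` before the parse would make the two functions consistent; whether the op actually returns `Error` here is inferred from `parseTable`, so confirm against the Rust side. The JSDoc for this function begins before the hunk.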
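Review bot: `UnsingedShort = "UnsingedShort"` in `ColumnType` is misspelled in both the member and its string value; the member can safely be renamed to `UnsignedShort`, but the string value must match what the Rust serialiser emits for that column type, which is not visible here, so change it only together with the producer or every such column will silently fall outside the enum. That risk is worth stating on the interface, since `column_type` is declared as `ColumnType` but comes straight out of `JSON.parse` with no runtime check: `/** Not validated at runtime; a producer value outside ColumnType is passed through as-is, not mapped to Unknown */`. The header comment has a typo as well — `/** Generic interface for dumping ESE tables */` — and the file is missing its trailing newline, which the rest of this commit fixes elsewhere.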