
Create Linux.Forensics.BodyFile.yaml #928

Open
wants to merge 4 commits into
base: master

Conversation

chrisdfir
Contributor

No description provided.

@chrisdfir chrisdfir marked this pull request as draft October 18, 2024 03:57
@chrisdfir chrisdfir marked this pull request as ready for review October 18, 2024 03:59
@chrisdfir chrisdfir marked this pull request as draft October 18, 2024 15:46
@chrisdfir chrisdfir marked this pull request as ready for review October 18, 2024 17:54
@chrisdfir chrisdfir marked this pull request as draft October 18, 2024 22:20
@chrisdfir chrisdfir marked this pull request as ready for review October 18, 2024 22:21
@chrisdfir chrisdfir marked this pull request as draft October 22, 2024 01:11
@chrisdfir chrisdfir marked this pull request as ready for review October 22, 2024 01:47
@chrisdfir
Contributor Author

@scudette any issues remaining?


-- Use foreach to iterate over the directories and run find recursively
LET RecurseFiles = SELECT Stdout FROM foreach(row=FilePaths, query={
SELECT * FROM execve(argv=["find", str(OSPath), "-maxdepth", MaxRecursionDepth])
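Review bot: the argv list mixes an explicitly converted `str(OSPath)` with a bare `MaxRecursionDepth`; if that parameter is declared as an integer, convert it the same way (`str(MaxRecursionDepth)`) so every argv element is a string. The larger issue is that this spawns the endpoint's own `find` binary once per directory in `FilePaths`, which makes the artifact depend on that binary being present and intact on a host under investigation and leaves a process-execution footprint of its own; the built-in `glob()` plugin with a `**` pattern does the recursion in-process, which is how Linux.Search.FileFinder approaches the same task. Note also that the snippet as quoted is missing the closing `})` of the foreach query.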
Collaborator

There is probably no point shelling out to find - glob is quite capable of doing this.

Can you please explain how this is different from the usual file finder?

Contributor Author

Understood. I had difficulties getting a recursion parameter to work correctly using other methods. While not ideal to call out to find, I found this method to work quickly and effectively. Open to your advice.

Collaborator

Take a look at the file finder https://docs.velociraptor.app/artifact_references/pages/linux.search.filefinder/ which does pretty much what this artifact is supposed to do - to get recursion use the double star glob ** as described here https://docs.velociraptor.app/docs/forensic/filesystem/
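As an added illustration of the reviewer's suggestion (this is not code from the PR or from the Velociraptor project), a minimal artifact that does the recursive walk in-process with `glob()` and a `**` pattern instead of shelling out to `find`. The artifact name, the default glob, and the use of a numeric suffix on `**` to bound recursion depth (as I understand the linked filesystem docs to describe) are assumptions:

```yaml
name: Custom.Linux.Forensics.GlobRecursion
description: |
  Added illustration (not the PR's artifact): recursive file listing done
  in-process by glob() with a ** pattern, so no external binary is spawned
  on the endpoint and no process-execution trace is left behind.
type: CLIENT

parameters:
  - name: SearchGlob
    description: |
      Glob to expand. The numeric suffix on ** bounds recursion depth
      (assumption: depth suffix as described in the Velociraptor
      filesystem docs); the default is a constructed sample value.
    default: /home/**5

sources:
  - query: |
      -- One row per filesystem entry; timestamps come from stat() via the
      -- file accessor, and Mode is rendered as the familiar rwx string.
      SELECT OSPath, Size, Mode.String AS Mode, IsDir, IsLink,
             Mtime, Atime, Ctime, Btime
      FROM glob(globs=SearchGlob, accessor="file")
```

The depth bound lives in the glob itself, so the `MaxRecursionDepth` parameter and the per-directory `foreach` loop from the original snippet are no longer needed; multiple roots can be passed as a list of globs.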

Contributor Author

Thanks for the reference. I will take a look at the adjustment as time permits.


2 participants