Linux.Forensics.BodyFile.yaml
name: Linux.Forensics.BodyFile
author: Chris DiSalle - @chrisdfir, David Roman - @countz3r0
description: |
  This artifact collects file metadata from the whole Linux filesystem, starting at /.
  For every entry it records the path, size, mode, whether it is a directory or a symbolic link,
  and the four timestamps a body file needs: modification (Mtime), access (Atime),
  inode change (Ctime) and birth/creation (Btime).
  For symbolic links it also captures the target path the link points to.
  The walk is limited to 10 directory levels deep to bound collection time on large hosts.
reference:
  - https://trustedsec.com/blog/incident-response-bring-out-the-body-file
  - https://wiki.sleuthkit.org/index.php?title=Body_file
precondition: SELECT OS FROM info() WHERE OS = 'linux'
sources:
  - name: BodyFileStats
    query: |
      SELECT OSPath,
             Name,
             Size,
             IsDir,
             IsLink,
             Data.Link,
             Mtime,
             Atime,
             Ctime,
             Btime,
             format(format="%o", args=[Mode]) AS OctalMode,
             Mode.String AS StringMode,
             Data
      FROM glob(globs='**10', root='''/''')