Initial timesketch support (#18)

puffyCid · Mar 31, 2024 · 48a31e0 · 48a31e0
1 parent fd9f9f0
commit 48a31e0
Show file tree

Hide file tree

Showing 130 changed files with 2,852 additions and 660 deletions.
diff --git a/artemis-docs/docs/API/Artifacts/windows.md b/artemis-docs/docs/API/Artifacts/windows.md
@@ -109,7 +109,7 @@ Parse RecycleBin file at provided path.
 | ----- | ------ | ------------------------ |
 | path  | string | Path to RecycleBin file. |
 
-### getRegistry(path) -> Registry[] | WindowsError
+### getRegistry(path) -> RegistryData | WindowsError
 
 Parse Registry file at provided path.
 

diff --git a/artemis-docs/docs/API/Helper/network.md b/artemis-docs/docs/API/Helper/network.md
@@ -8,20 +8,17 @@ The artemis API allows a user to make HTTP network requests using the
 [reqwest](https://docs.rs/reqwest/latest/reqwest/index.html) crate. It can be
 used to interact with external services or services that expose an API.
 
-### request(url, protocol, body, headers) -> ClientResponse | HttpError
+### request(client, body) -> ClientResponse | HttpError
 
 Make a very simple GET or POST request to the provided URL. You may specify an
-optional body or headers. By default headers will use
-`Content-Type: application/json`.
+optional body.
 
 The body must be in raw bytes if provided. This function is async
 
-| Param    | Type                         | Description                                                          |
-| -------- | ---------------------------- | -------------------------------------------------------------------- |
-| url      | string                       | URL to target                                                        |
-| protocol | Protocol                     | Protocol to use. Currently only GET or POST                          |
-| body     | Uint8Array                   | Optional body to send with request                                   |
-| headers  | Record&lt;string, string&gt; | Optional headers to use. Default is `Content-Type: application/json` |
+| Param  | Type          | Description                        |
+| ------ | ------------- | ---------------------------------- |
+| client | ClientRequest | ClientRequest object               |
+| body   | Uint8Array    | Optional body to send with request |
 
 ### VirusTotal Class
 

diff --git a/artemis-docs/docs/Artifacts/Windows Artfacts/amcache.md b/artemis-docs/docs/Artifacts/Windows Artfacts/amcache.md
@@ -10,11 +10,15 @@ keywords:
 Windows `Amcache` stores metadata related to execution of Windows applications.
 Data is stored in the `C:\Windows\appcompat\Programs\Amcache.hve` Registry file.
 This Registry file also contains other metadata such as OS, hardware, and
-application info. However, artemis will only collect data related to the
-execution of Windows applications.
+application info. However, the Amcache artifact will only collect data related
+to the possible execution of Windows applications.
 
-The `Registry` artifact may be used if you want to collect the full `Registry`
-data from `Amcache.hve`.
+<sup>*</sup> While an entry in Amcache often implies the application was
+executed, Windows may pre-populate Amcache with entries based on a user
+browsing to a directory that contains an application.
+
+You can use the [Registry](./registry.md) artifact to parse the Amcache file if
+you want to view other metadata such as OS, hardware, more.
 
 Other Parsers:
 
@@ -59,8 +63,8 @@ An array of `Amcache` entries
 
 ```typescript
 export interface Amcache {
-  /**Timestamp when the application was first executed in UNIXEPOCH seconds */
-  first_execution: number;
+  /**Last modified time for Registry key in UNIXEPOCH seconds */
+  last_modified: number;
   /**Path to application */
   path: string;
   /**Name of application */

diff --git a/artemis-docs/docs/Artifacts/Windows Artfacts/rawfiles.md b/artemis-docs/docs/Artifacts/Windows Artfacts/rawfiles.md
@@ -127,7 +127,7 @@ export interface RawFileInfo {
   /**Parent MFT reference for entry */
   parent_mft_references: number;
   /**Attributes associated with entry */
-  attributess: string[];
+  attributes: string[];
   /**MD5 of file. Optional */
   md5: string;
   /**SHA1 of file. Optional */
@@ -146,7 +146,7 @@ export interface RawFileInfo {
   sid: number;
   /**SID  string associated with entry*/
   user_sid: string;
-  /**Group SID associated with enry */
+  /**Group SID associated with entry */
   group_sid: string;
   /**Drive letter */
   drive: string;

diff --git a/artemis-docs/docs/Artifacts/Windows Artfacts/shimdb.md b/artemis-docs/docs/Artifacts/Windows Artfacts/shimdb.md
@@ -66,7 +66,7 @@ export interface Shimdb {
 /**
  * SDB files are composed of `TAGS`. There are multiple types of `TAGS`
  * `data` have `TAGS` that can be represented via a JSON object
- * `list_data` have `TAGS` that can be rerpesented as an array of JSON objects
+ * `list_data` have `TAGS` that can be represented as an array of JSON objects
  *
  * Example:
  * ```
@@ -116,7 +116,7 @@ export interface DatabaseData {
    * The SDB file may contain additional metadata information
    * May include additional `TAGS`
    */
-  additional_metdata: Record<string, string>;
+  additional_metadata: Record<string, string>;
   /**Array of `TAGS` associated with the SDB file */
   list_data: TagData[];
 }

diff --git a/artemis-docs/docs/Artifacts/Windows Artfacts/srum.md b/artemis-docs/docs/Artifacts/Windows Artfacts/srum.md
@@ -133,7 +133,7 @@ export interface ApplicationTimeline {
   comp_rendered_timeline: number;
   /**Comp dirtied value for entry */
   comp_dirtied_timeline: number;
-  /**Comp propaged value for entry */
+  /**Comp propagated value for entry */
   comp_propagated_timeline: number;
   /**Audio input value for entry */
   audio_in_timeline: number;
@@ -153,7 +153,7 @@ export interface ApplicationTimeline {
   psm_foreground_s: number;
   /**User input seconds count */
   user_input_s: number;
-  /**Comp rendered seconds countr */
+  /**Comp rendered seconds count */
   comp_rendered_s: number;
   /**Comp dirtied seconds count */
   comp_dirtied_s: number;
@@ -191,7 +191,7 @@ export interface ApplicationTimeline {
   display_required_timeline: number;
   /**Keyboard input timeline value for entry */
   keyboard_input_timeline: number;
-  /**Keybouard input seconds count */
+  /**Keyboard input seconds count */
   keyboard_input_s: number;
   /**Mouse input seconds count */
   mouse_input_s: number;
@@ -224,7 +224,7 @@ export interface AppVfu {
 
 ```typescript
 /**
- * SRUM table associated witn EnergyInfo `{DA73FB89-2BEA-4DDC-86B8-6E048C6DA477}`
+ * SRUM table associated with EnergyInfo `{DA73FB89-2BEA-4DDC-86B8-6E048C6DA477}`
  */
 export interface EnergyInfo {
   /**ID in for row in the ESE table */
@@ -235,7 +235,7 @@ export interface EnergyInfo {
   app_id: string;
   /**SID associated with the application process */
   user_id: string;
-  /**Base64 encoded binary data associated witn EnegyInfo entry */
+  /**Base64 encoded binary data associated with EnergyInfo entry */
   binary_data: string;
 }
 ```
@@ -287,7 +287,7 @@ export interface NetworkInfo {
   interface_luid: number;
   /**L2 profile ID associated with entry */
   l2_profile_id: number;
-  /**L2 profiel flags associated with entry */
+  /**L2 profile flags associated with entry */
   l2_profile_flags: number;
   /**Bytes sent associated with entry */
   bytes_sent: number;

diff --git a/artemis-docs/docs/Artifacts/Windows Artfacts/tasks.md b/artemis-docs/docs/Artifacts/Windows Artfacts/tasks.md
@@ -68,6 +68,17 @@ export interface TaskData {
   jobs: TaskJob[];
 }
 
+/**
+ * JSON representation of the Task XML schema.
+ * Most of the schema is Optional. Only `Actions` is required
+ */
+export interface TaskData {
+  /**Array of `TaskXml` parsed XML files */
+  tasks: TaskXml[];
+  /**Array of `TaskJob` parsed Job files */
+  jobs: TaskJob[];
+}
+
 /**
  * JSON representation of the Task XML schema.
  * Most of the schema is Optional. Only `Actions` is required
@@ -99,7 +110,7 @@ export interface TaskJob {
   error_retry_count: number;
   /**Error retry interval for the Task */
   error_retry_interval: number;
-  /**Idle deadlin for Task */
+  /**Idle deadline for Task */
   idle_deadline: number;
   /**Idle wait for Task */
   idle_wait: number;
@@ -127,7 +138,7 @@ export interface TaskJob {
   author: string;
   /**Comments associated with Task */
   comments: string;
-  /**Base64 encoded User data associatd with Task */
+  /**Base64 encoded User data associated with Task */
   user_data: string;
   /**Start Error associated with Task */
   start_error: number;
@@ -185,7 +196,7 @@ interface RegistrationInfo {
 interface Triggers {
   /**Boot triggers for Task */
   boot: BootTrigger[];
-  /**Regirstration triggers for Task. Format is exactly same as BootTriger*/
+  /**Registration triggers for Task. Format is exactly same as BootTrigger*/
   registration: BootTrigger[];
   /**Idle triggers for Task */
   idle: IdleTrigger[];
@@ -199,7 +210,7 @@ interface Triggers {
   session: SessionTrigger[];
   /**Calendar triggers for Task */
   calendar: CalendarTrigger[];
-  /**Windows Notifications triggers for Trask */
+  /**Windows Notifications triggers for Task */
   wnf: WnfTrigger[];
 }
 
@@ -383,7 +394,7 @@ interface ByMonthDayWeek {
  * Settings determine how to run Task Actions
  */
 interface Settings {
-  /**Start Task on demans */
+  /**Start Task on demand */
   allow_start_on_demand?: boolean;
   /**Restart if fails */
   restart_on_failure?: RestartType;
@@ -393,12 +404,12 @@ interface Settings {
   disallow_start_if_on_batteries?: boolean;
   /**Stop Task if going on battery power */
   stop_if_going_on_batteries?: boolean;
-  /**Task can be terminated if time limts exceeded */
+  /**Task can be terminated if time limits exceeded */
   allow_hard_terminate?: boolean;
   /**If scheduled time is missed, Task may be started */
   start_when_available?: boolean;
   /**Run based on network profile name */
-  newtork_profile_name?: string;
+  network_profile_name?: string;
   /**Run only if network connection available */
   run_only_if_network_available?: boolean;
   /**Wake system from standby or hibernate to run */
@@ -413,7 +424,7 @@ interface Settings {
   idle_settings?: IdleSettings;
   /**Network settings to run */
   network_settings?: NetworkSettings;
-  /**Taks execution time limit */
+  /**Task execution time limit */
   execution_time_limit?: string;
   /**Task Priority. Lowest is 1. Highest is 10 */
   priority?: number;
@@ -423,8 +434,8 @@ interface Settings {
   use_unified_scheduling_engine?: boolean;
   /**Task is disabled on Remote App Sessions */
   disallow_start_on_remote_app_session?: boolean;
-  /**Options to run Task during system maintence periods */
-  maintence_settings?: MaintenceSettings;
+  /**Options to run Task during system maintenance periods */
+  maintenance?: MaintenanceSettings;
   /**Task disabled on next OS startup */
   volatile?: boolean;
 }
@@ -464,14 +475,14 @@ interface NetworkSettings {
 }
 
 /**
- * Maintence options
+ * Maintenance options
  */
-interface MaintenceSettings {
-  /**Duration of maintence */
+interface MaintenanceSettings {
+  /**Duration of maintenance */
   period: string;
   /**Deadline for Task to run */
   deadline?: string;
-  /**Task can run idependently of other Tasks with `MaintenceSettings` */
+  /**Task can run independently of other Tasks with `MaintenanceSettings` */
   exclusive?: boolean;
 }
 
@@ -491,7 +502,7 @@ interface Principals {
   run_level?: string;
   /**Process Token SID associated with Task */
   process_token_sid_type?: string;
-  /**Array of privlege value */
+  /**Array of privileges value */
   required_privileges?: string[];
   /**Unique user selected ID */
   id_attribute?: string;
@@ -517,7 +528,7 @@ interface Actions {
 interface ExecType {
   /**Command to execute */
   command: string;
-  /**Arguements for command */
+  /**Arguments for command */
   arguments?: string;
   /**Path to a directory */
   working_directory?: string;

diff --git a/artemis-docs/docs/Artifacts/Windows Artfacts/wmipersist.md b/artemis-docs/docs/Artifacts/Windows Artfacts/wmipersist.md
@@ -93,7 +93,7 @@ export interface EventLogConsumer {
   /**Name of system where WMI sends events */
   MachineName: string;
   /**Max queue for consumer in bytes */
-  MaxmiumQueueSize: number;
+  MaximumQueueSize: number;
   /**Unique ID for consumer */
   Name: string;
   /**Event category */
@@ -125,7 +125,7 @@ export interface ActiveScriptConsumer {
   /**Name of system where WMI sends events */
   MachineName: string;
   /**Max queue for consumer in bytes */
-  MaxmiumQueueSize: number;
+  MaximumQueueSize: number;
   /**Unique ID for consumer */
   Name: string;
   /**How many seconds to wait until process is killed. Zero (0) means process will not be killed */
@@ -147,7 +147,7 @@ export interface CommandLineConsumer {
   /**Name of system where WMI sends events */
   MachineName: string;
   /**Max queue for consumer in bytes */
-  MaxmiumQueueSize: number;
+  MaximumQueueSize: number;
   /**Unique ID for consumer */
   Name: string;
   /**Specifies command to execute */
@@ -174,7 +174,7 @@ export interface CommandLineConsumer {
   KillTimeout: number;
   /**Priority of process threads */
   Priority: number;
-  /**Determinse if process is launched with interactive WinStation or default WinStation */
+  /**Determines if process is launched with interactive WinStation or default WinStation */
   RunInteractively: boolean;
   /**Determines Window show state */
   ShowWindowCommand: number;
@@ -209,7 +209,7 @@ export interface LogFileConsumer {
   /**Name of system where WMI sends events */
   MachineName: string;
   /**Max queue for consumer in bytes */
-  MaxmiumQueueSize: number;
+  MaximumQueueSize: number;
   /**Unique ID for consumer */
   Name: string;
   /**Whether log file is Unicode or multibyte code file */
@@ -229,7 +229,7 @@ export interface SmtpConsumer {
   /**Name of system where WMI sends events */
   MachineName: string;
   /**Max queue for consumer in bytes */
-  MaxmiumQueueSize: number;
+  MaximumQueueSize: number;
   /**Unique ID for consumer */
   Name: string;
   /**Addresses to send email (BCC) */
@@ -251,4 +251,5 @@ export interface SmtpConsumer {
   /**Addresses to send email to */
   ToLine: string;
 }
+
 ```