Files
A regular macOS filelisting. artemis uses the
walkdir crate to recursively walk the files
and directories on the system. This artifact will fail on any System Integrity
Protection (SIP) protected files. Since a filelisting can be extremely large
every 100k entries artemis will output the data and then continue.
Other Parsers:
- Any tool that can recursively list files and directories
References:
- N/A
TOML Collection
system = "macos"
[output]
name = "files_collection"
directory = "./tmp"
format = "json"
compress = false
endpoint_id = "abdc"
collection_id = 1
output = "local"
[[artifacts]]
artifact_name = "files" # Name of artifact
[artifacts.files]
start_path = "/usr/bin" # Start of file listing
# Optional
depth = 5 # How many sub directories to descend
# Optional
metadata = true # Get executable metadata
# Optional
md5 = true # MD5 all files
# Optional
sha1 = false # SHA1 all files
# Optional
sha256 = false # SHA256 all files
# Optional
path_regex = "" # Regex for paths
# Optional
file_regex = "" # Regex for files
Collection Options
start_pathWhere to start the file listing. Must exist on the endpoint. To start at root use/. This configuration is requireddepthSpecify how many directories to descend from thestart_path. Default is one (1). Must be a postive number. Max value is 255. This configuration is optionalmetadataGet Macho data fromMachofiles. This configuration is optional. Default is falsemd5Boolean value to enable MD5 hashing on all files. This configuration is optional. Default is falsesha1Boolean value to enable SHA1 hashing on all files. This configuration is optional. Default is falsesha256Boolean value to enable SHA256 hashing on all files. This configuration is optional. Default is falsepath_regexOnly descend into paths (directories) that match the provided regex. This configuration is optional. Default is no Regexfile_regexOnly return entres that match the provided regex. This configuration is optional. Default is no Regex
Output Structure
An array of MacosFileInfo entries
export interface MacosFileInfo {
/**Full path to file or directory */
full_path: string;
/**Directory path */
directory: string;
/**Filename */
filename: string;
/**Extension of file if any */
extension: string;
/**Created timestamp in UNIXEPOCH seconds */
created: number;
/**Modified timestamp in UNIXEPOCH seconds */
modified: number;
/**Changed timestamp in UNIXEPOCH seconds */
changed: number;
/**Accessed timestamp in UNIXEPOCH seconds */
accessed: number;
/**Size of file in bytes */
size: number;
/**Inode associated with entry */
inode: number;
/**Mode of file entry */
mode: number;
/**User ID associated with file */
uid: number;
/**Group ID associated with file */
gid: number;
/**MD5 of file */
md5: string;
/**SHA1 of file */
sha1: string;
/**SHA256 of file */
sha256: string;
/**Is the entry a file */
is_file: boolean;
/**Is the entry a directory */
is_directory: boolean;
/**Is the entry a symbolic links */
is_symlink: boolean;
/**Depth the file from provided start point */
depth: number;
/**Macho binary metadata */
binary_info: MachoInfo[];
}