Bugfix: Merge fixes to EWF and ESE libraries (#3280)

Also sync latest SQLiteHunter
Velocidex · Feb 14, 2024 · bcdbe03 · bcdbe03
1 parent ac788f7
commit bcdbe03
Show file tree

Hide file tree

Showing 5 changed files with 136 additions and 15 deletions.
diff --git a/artifacts/definitions/Generic/Forensic/SQLiteHunter.yaml b/artifacts/definitions/Generic/Forensic/SQLiteHunter.yaml
diff --git a/docs/references/vql.yaml b/docs/references/vql.yaml
@@ -157,7 +157,27 @@
   metadata:
     permissions: ARTIFACT_WRITER,SERVER_ARTIFACT_WRITER
 - name: artifact_set_metadata
-  description: Sets metadata about the artifact.
+  description: |
+    Sets metadata about the artifact.
+
+    This VQL function is used to clean up the artifact search screen
+    and guide users to assist with investigations.
+
+    Velociraptor comes with a lot of built in artifacts which may be
+    confusing to some users and in specialized deployments it may be
+    preferable to guide users into a small subset of artifacts and
+    hide the rest.
+
+    For example, say you have a set of custom artifacts that you only
+    want to show. Then I would add a special keyword to their
+    description (for example a company name - say "Written by ACME
+    inc"). Then a query like this will hide the others:
+
+    ```vql
+    SELECT name, artifact_set_metadata(name=name, hidden=TRUE)
+    FROM artifact_definitions() WHERE NOT description =~ "ACME"
+    ```
+
   type: Function
   args:
   - name: name
@@ -6992,4 +7012,3 @@
   category: plugin
   metadata:
     permissions: FILESYSTEM_READ
-
diff --git a/go.mod b/go.mod
@@ -95,7 +95,7 @@ require (
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	howett.net/plist v1.0.0
 	www.velocidex.com/golang/evtx v0.2.1-0.20220404133451-1fdf8be7325e
-	www.velocidex.com/golang/go-ese v0.1.1-0.20230821114411-ecb5494187ed
+	www.velocidex.com/golang/go-ese v0.2.1-0.20240207005444-85d57b555f8b
 	www.velocidex.com/golang/go-ntfs v0.1.2-0.20231201083609-cc79ced94180
 	www.velocidex.com/golang/go-pe v0.1.1-0.20230228112150-ef2eadf34bc3
 	www.velocidex.com/golang/go-prefetch v0.0.0-20220801101854-338dbe61982a
@@ -110,7 +110,7 @@ require (
 	github.com/Masterminds/semver/v3 v3.2.1
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/Velocidex/file-rotatelogs v0.0.0-20211221020724-d12e4dae4e11
-	github.com/Velocidex/go-ewf v0.0.0-20240116235705-14389cfdaa75
+	github.com/Velocidex/go-ewf v0.0.0-20240210123447-97dc81b7d8c3
 	github.com/Velocidex/go-fat v0.0.0-20230923165230-3e6c4265297a
 	github.com/Velocidex/grok v0.0.1
 	github.com/Velocidex/ordereddict v0.0.0-20230909174157-2aa49cc5d11d

diff --git a/go.sum b/go.sum
@@ -118,8 +118,8 @@ github.com/Velocidex/file-rotatelogs v0.0.0-20211221020724-d12e4dae4e11 h1:pQY9p
 github.com/Velocidex/file-rotatelogs v0.0.0-20211221020724-d12e4dae4e11/go.mod h1:Ya1f4Kowt2GC7gbnu1MbNncvI1Lp3i1plN2xLiETJfg=
 github.com/Velocidex/go-elasticsearch/v7 v7.3.1-0.20191001125819-fee0ef9cac6b h1:XaAmLVXrqPv60nbiQtzj5Sch7lwz3XH8x5IocQwRPJg=
 github.com/Velocidex/go-elasticsearch/v7 v7.3.1-0.20191001125819-fee0ef9cac6b/go.mod h1:draN67DBVJDAVmLWDIJ85CrV0UxmIGfWZ4njukhINQs=
-github.com/Velocidex/go-ewf v0.0.0-20240116235705-14389cfdaa75 h1:m/xf4OgH18zn+II7z+HzMsVf4D0V330TL27BJcl/KBo=
-github.com/Velocidex/go-ewf v0.0.0-20240116235705-14389cfdaa75/go.mod h1:JrGP9QRoPe63ijMmU1UTfoGySg+zpgx68XcsGV/dItI=
+github.com/Velocidex/go-ewf v0.0.0-20240210123447-97dc81b7d8c3 h1:0/ra1WgtmIrYZY4oU3pgp5l9A+5/DgJpz3mAyt0eVik=
+github.com/Velocidex/go-ewf v0.0.0-20240210123447-97dc81b7d8c3/go.mod h1:JrGP9QRoPe63ijMmU1UTfoGySg+zpgx68XcsGV/dItI=
 github.com/Velocidex/go-fat v0.0.0-20230923165230-3e6c4265297a h1:dWHPlB3C86vh+M5P14dZxF6Hh8o2/u8FTRF/bs2EM+Q=
 github.com/Velocidex/go-fat v0.0.0-20230923165230-3e6c4265297a/go.mod h1:g74FCv59tsVP48V2o1eyIK8aKbNKPLJIJ+HuiUPVc6E=
 github.com/Velocidex/go-magic v0.0.0-20211018155418-c5dc48282f28 h1:3FMhXfGzZR4oNHmV8NizrviyaTv+2SmLuj+43cMJCUQ=
@@ -1284,8 +1284,8 @@ www.velocidex.com/golang/binparsergen v0.1.1-0.20220107080050-ae6122c5ed14 h1:ja
 www.velocidex.com/golang/binparsergen v0.1.1-0.20220107080050-ae6122c5ed14/go.mod h1:Q/J/huOyH6IlY2aShigY1CnZnw5EO0+FZJgnGEBrT5Q=
 www.velocidex.com/golang/evtx v0.2.1-0.20220404133451-1fdf8be7325e h1:AhcXPgNKhJFAWnPjX5Y7rngvhg3Bgt03yF41sA1S4uY=
 www.velocidex.com/golang/evtx v0.2.1-0.20220404133451-1fdf8be7325e/go.mod h1:ykEQ7AUF9AL+mfCefDmLwmZOnU2So6wM3qKM8xdsHhU=
-www.velocidex.com/golang/go-ese v0.1.1-0.20230821114411-ecb5494187ed h1:TY4zGUexVodrlOE7bmp2Vk+T09B8mGwBPhswUN0uNkk=
-www.velocidex.com/golang/go-ese v0.1.1-0.20230821114411-ecb5494187ed/go.mod h1:6fC9T6UGLbM7icuA0ugomU5HbFC5XA5I30zlWtZT8YE=
+www.velocidex.com/golang/go-ese v0.2.1-0.20240207005444-85d57b555f8b h1:3pFfQuY3k0qViJDlLqmUfGP4YkQIl25Vc/Uq8Pl0qLA=
+www.velocidex.com/golang/go-ese v0.2.1-0.20240207005444-85d57b555f8b/go.mod h1:6fC9T6UGLbM7icuA0ugomU5HbFC5XA5I30zlWtZT8YE=
 www.velocidex.com/golang/go-ntfs v0.1.2-0.20231201083609-cc79ced94180 h1:W2GJtqW0ardE+6phBbPK1023MT7onFwh/GSjwtbLc5E=
 www.velocidex.com/golang/go-ntfs v0.1.2-0.20231201083609-cc79ced94180/go.mod h1:itvbHQcnLdTVIDY6fI3lR0zeBwXwBYBdUFtswE0x1vc=
 www.velocidex.com/golang/go-pe v0.1.1-0.20220107093716-e91743c801de/go.mod h1:j9Xy8Z9wxzY2SCB8CqDkkoSzy+eUwevnOrRm/XM2q/A=

diff --git a/vql/parsers/json.go b/vql/parsers/json.go
@@ -521,7 +521,7 @@ func (self WriteJSONPlugin) Call(
 			underlying_file, err := accessors.GetUnderlyingAPIFilename(
 				arg.Accessor, scope, arg.Filename)
 			if err != nil {
-				scope.Log("write_csv: %s", err)
+				scope.Log("write_jsonl: %s", err)
 				return
 			}