osquery-1/specs/carves.table

table_name("carves")
description("Forensic Memory Carves")
schema([
    Column("time", BIGINT, "Time at which the carve was kicked off"),
    Column("sha256", TEXT, "A SHA256 sum of the carved archive"),
    Column("size", INTEGER, "Size of the carved archive"),
    Column("path", TEXT, "The path of the requested carve"),
    Column("status", TEXT, "Status of the carve, can be STARTING, PENDING, SUCCESS, or FAILED"),
    Column("carve_guid", TEXT, "Identifying value of the carve session"),
    Column("carve", INTEGER, "Set this value to '1' to start a file carve")
])
attributes(user_data=True)
implementation("forensic/carves@genCarves")
examples([
  "select * from carves where status like '%FAIL%'",
  "select * from carves where path like '/Users/%/Downloads/% and carve=1'",
])
Adding file carving feature to osquery (#3038) 2017-04-21 02:00:26 +00:00			`table_name("carves")`
			`description("Forensic Memory Carves")`
			`schema([`
			`Column("time", BIGINT, "Time at which the carve was kicked off"),`
			`Column("sha256", TEXT, "A SHA256 sum of the carved archive"),`
			`Column("size", INTEGER, "Size of the carved archive"),`
			`Column("path", TEXT, "The path of the requested carve"),`
			`Column("status", TEXT, "Status of the carve, can be STARTING, PENDING, SUCCESS, or FAILED"),`
			`Column("carve_guid", TEXT, "Identifying value of the carve session"),`
			`Column("carve", INTEGER, "Set this value to '1' to start a file carve")`
			`])`
			`attributes(user_data=True)`
			`implementation("forensic/carves@genCarves")`
			`examples([`
			`"select * from carves where status like '%FAIL%'",`
			`"select * from carves where path like '/Users/%/Downloads/% and carve=1'",`
			`])`