valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-07 01:55:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
58be58c29d
osquery-1/specs/carves.table
seph a73ffad3bf tables: Add constraints and testing (#6105) 
Co-Authored-By: Teddy Reed <teddy@casualhacking.io>
2019-12-12 20:45:15 -05:00

18 lines
827 B
Plaintext
Raw Blame History

table_name("carves")
description("Forensic Carves.")
schema([
Column("time", BIGINT, "Time at which the carve was kicked off"),
Column("sha256", TEXT, "A SHA256 sum of the carved archive"),
Column("size", INTEGER, "Size of the carved archive"),
Column("path", TEXT, "The path of the requested carve", required=True),
Column("status", TEXT, "Status of the carve, can be STARTING, PENDING, SUCCESS, or FAILED"),
Column("carve_guid", TEXT, "Identifying value of the carve session", index=True),
Column("carve", INTEGER, "Set this value to '1' to start a file carve", additional=True)
])
attributes(user_data=True)
implementation("forensic/carves@genCarves")
examples([
"select * from carves where status like '%FAIL%'",
"select * from carves where path like '/Users/%/Downloads/%' and carve=1",
])
Reference in New Issue View Git Blame Copy Permalink