The Windows.KapeFiles.Targets artifact collects files into a Zip file. Zip files can not generally preserve timestamps since they only have a single timestamp concept. Velociraptor will only record the modified time in the zip file header itself but all the times are present in the metadata file:
“Windows.KapeFiles.Targets/All File Metadata.json”
Sometimes, users wish to extract the contents of a collection to a directory, and run an external tool over the data. Some such external tools assume the file timestamps (e.g. prefetch files) are meaningful. In this case we need to preserve the timestamps.
You can use this artifact to extract the content of a collection while preserving the timestamps. The artifact will read the metadata file, unpack the contents of the container and set the timestamps on the resulting file.
NOTE: Windows allows 3 timestamps to be set (MAC time except for Btime), while Linux only allows 2 timestamps (Modified and Accessed).
velociraptor-v0.6.7-linux-amd64 artifacts collect Windows.KapeFiles.Extract --args ContainerPath=Collection-DESKTOP-2OR51GL-2021-07-16_06_56_50_-0700_PDT.zip --args OutputDirectory=/tmp/MyOutput/
name: Windows.KapeFiles.Extract
description: |
The Windows.KapeFiles.Targets artifact collects files into a Zip
file. Zip files can not generally preserve timestamps since they
only have a single timestamp concept. Velociraptor will only record
the modified time in the zip file header itself but all the times
are present in the metadata file:
"Windows.KapeFiles.Targets/All File Metadata.json"
Sometimes, users wish to extract the contents of a collection to a
directory, and run an external tool over the data. Some such
external tools assume the file timestamps (e.g. prefetch files) are
meaningful. In this case we need to preserve the timestamps.
You can use this artifact to extract the content of a collection
while preserving the timestamps. The artifact will read the metadata
file, unpack the contents of the container and set the timestamps on
the resulting file.
NOTE: Windows allows 3 timestamps to be set (MAC time except for
Btime), while Linux only allows 2 timestamps (Modified and
Accessed).
## Example - command line invocation
```
velociraptor-v0.6.7-linux-amd64 artifacts collect Windows.KapeFiles.Extract --args ContainerPath=Collection-DESKTOP-2OR51GL-2021-07-16_06_56_50_-0700_PDT.zip --args OutputDirectory=/tmp/MyOutput/
```
type: SERVER
parameters:
- name: OutputDirectory
description: Directory to write on (must be set).
- name: ContainerPath
description: Path to container (zip file) to unpack.
sources:
- query: |
LET MetadataFile = ("results", "Windows.KapeFiles.Targets/All File Metadata.json")
LET UploadsFile = "uploads.json"
// Path to the root of the container
LET RootPathSpec = pathspec(DelegateAccessor="auto",
path_type="zip",
DelegatePath=ContainerPath)
// The pathspec for where to store the file
LET OutputPathSpec = pathspec()
// Memoize the metadata stored in the container file so we can
// quickly extract the file times.
LET AllFileMetadata <= memoize(
key="SourceFile",
query={
SELECT *
FROM parse_jsonl(accessor="collector",
filename=RootPathSpec + MetadataFile)
})
LET ALLUploads = SELECT *, RootPathSpec + _Components AS FileUpload,
OutputPathSpec + _Components[2:] AS Dest,
get(item=AllFileMetadata,
field=vfs_path) AS Metadata
FROM parse_jsonl(accessor="collector",
filename=RootPathSpec + UploadsFile)
WHERE Type != "idx"
SELECT *, upload_directory(
accessor="collector",
output=OutputDirectory,
mtime=Metadata.Modified,
atime=Metadata.LastAccessed,
ctime=Metadata.Created,
name=Dest,
file=RootPathSpec + _Components) AS UploadedFile
FROM ALLUploads