A forensicstore is a forensic database that contains selected forensic artifacts.
The forensicstore format implements the following conventions:
- The forensicstore is a sqlite 3 database containing metadata element and
compressed raw artifacts.
- The
elements
table contains all collected registry keys and values as well as
metadata on files, paths, and processes. - The files themselves as well as any process output is saved in the
sqlar
table. - Elements are represented as json objects.
- Elements are valid STIX 2.1 Observable Objects where applicable.
- Files stored in the forensicstore are referenced by element attributes ending
in
_path
, e.g. export_path
, stdout_path
and wmi_path
. - Element attributes ending in
_time
or named atime
, ctime
or mtime
are
assumed to be dates and should be stored according RFC3339/ISO 8601. - Any element stored in the forensicstore can have an errors attribute that
contains
errors
that are related to retrival or processing of this element. - Raw artifacts are stored using the deflate compression algorithm.
- Artifacts with a compressed size larger than 1,000,000,000 Byte (1 GB) cannot
be stored.