
1use std::cell::RefCell;
2
3use crate::artifact::Artifact;
4
thread_local! {
    /// Analysis context of the *current thread* (host, artifact, tenant).
    ///
    /// Being thread-local, it starts as `ForensicContext::default()` on every thread and
    /// is never shared between threads: each thread has to initialise its own copy via
    /// `initialize_context` or the `set_*` helpers in this module.
    pub(crate) static FORENSIC_CONTEXT: RefCell<ForensicContext> = RefCell::default();
}
8
9
/// Describes where the evidence under analysis comes from: the machine the artifacts were
/// collected on, the artifact type being parsed and the client/tenant that owns it.
///
/// `Clone` is derived so that a copy can be taken out of the thread-local cell
/// (see `context()`) without keeping the cell borrowed.
#[derive(Default, Debug, Clone)]
pub struct ForensicContext {
    /// Name of the machine the artifacts were collected from.
    pub host: String,
    /// Artifact currently being processed.
    pub artifact: Artifact,
    /// Identifier of the client/tenant the artifacts belong to.
    pub tenant: String,
}
16
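/// Simplifies the creation of new events with the context of the analysis: the artifact
/// being processed, the name of the machine the artifacts came from and the name of the
/// client/tenant.
///
/// The context lives in a thread-local cell, so it must be initialised on every thread
/// that creates events: a thread that never called this function (or the `set_*`
/// helpers) reports the `Default` context, i.e. an empty host and tenant. Call it again,
/// or reset the fields with [`set_host`], [`set_tenant`] and [`set_artifact`], before a
/// thread moves on to evidence from a different host or tenant; otherwise the events it
/// produces keep the previous attribution.
///
/// # Panics
///
/// Panics if the thread-local context is already borrowed, i.e. when called from inside
/// a closure handed to `FORENSIC_CONTEXT.with`.
pub fn initialize_context(context: ForensicContext) {
    // `LocalKey::replace` (local_key_cell_methods) would turn this into a one-liner once
    // the crate can rely on it; until then overwrite the value through the RefCell borrow.
    // The previous context is dropped here, inside the borrow, exactly as before.
    FORENSIC_CONTEXT.with(|cell| *cell.borrow_mut() = context);
}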
27
/// Gets the context of the analysis for the current thread.
///
/// The result is a clone taken at call time: later `set_*` calls on this thread are not
/// reflected in it, and a context initialised on another thread is never visible here.
pub fn context() -> ForensicContext {
    FORENSIC_CONTEXT.with(|cell| {
        let current = cell.borrow();
        current.clone()
    })
}
32
/// Changes the type of artifact being processed by the current thread.
///
/// Only this thread's context is updated; the new value stays in effect for every event
/// created on this thread until it is changed again.
pub fn set_artifact<A : Into<Artifact>>(artifact : A) {
    let new_artifact: Artifact = artifact.into();
    FORENSIC_CONTEXT.with(|cell| {
        cell.borrow_mut().artifact = new_artifact;
    });
}
41
/// Changes the tenant ID for which artifacts are being processed by the current thread.
///
/// Only this thread's context is updated; events created on this thread carry the new
/// tenant until it is changed again, so reset it before reusing the thread for another
/// client's evidence.
pub fn set_tenant(tenant : String) {
    FORENSIC_CONTEXT.with(|cell| {
        cell.borrow_mut().tenant = tenant;
    });
}
/// Changes the name of the computer for which artifacts are being processed by the
/// current thread.
///
/// Only this thread's context is updated; events created on this thread carry the new
/// host name until it is changed again.
pub fn set_host(host : String) {
    FORENSIC_CONTEXT.with(|cell| {
        cell.borrow_mut().host = host;
    });
}
56
/// A `ForensicData` created with `Default` must pick up host, tenant and artifact from the
/// context initialised on the same thread.
#[test]
fn should_initialize_log_with_context() {
    use crate::artifact::RegistryArtifacts;
    use crate::data::ForensicData;
    use crate::dictionary::ARTIFACT_TENANT;

    initialize_context(ForensicContext {
        artifact: RegistryArtifacts::AutoRuns.into(),
        host: "Agent007".into(),
        tenant: "MI6".into(),
    });

    let log = ForensicData::default();
    assert_eq!("Agent007", log.host());

    let tenant_field = log.field(ARTIFACT_TENANT).unwrap();
    assert_eq!("MI6", TryInto::<&str>::try_into(tenant_field).unwrap());

    let expected_artifact: Artifact = RegistryArtifacts::AutoRuns.into();
    assert_eq!(expected_artifact, *log.artifact());
}
69    assert_eq!("MI6", TryInto::<&str>::try_into(log.field(crate::dictionary::ARTIFACT_TENANT).unwrap()).unwrap());
70    assert_eq!(Into::<Artifact>::into(RegistryArtifacts::AutoRuns), *log.artifact());
71}