ScanPgp¶
Collects metadata from PGP files.
Source code in strelka/src/python/strelka/scanners/scan_pgp.py
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 | |
Features¶
The features of this scanner are detailed below. These features represent the capabilities and the type of analysis the scanner can perform. This may include support for Indicators of Compromise (IOC), the ability to emit files for further analysis, and the presence of extended documentation for complex analysis techniques.
| Feature | Support |
|---|---|
IOC Support |
|
Emit Files |
|
Extended Docs |
|
Malware Scanner |
|
Image Thumbnails |
Tastes¶
Strelka's file distribution system assigns scanners to files based on 'flavors' and 'tastes'. Flavors describe the type of file, typically determined by MIME types from libmagic, matches from YARA rules, or characteristics of parent files. Tastes are the criteria used within Strelka to determine which scanners are applied to which files, with positive and negative tastes defining files to be included or excluded respectively.
| Source Filetype | Include / Exclude |
|---|---|
application/pgp-keys |
|
pgp_file |
|
text/PGP |
Scanner Fields¶
This section provides a list of fields that are extracted from the files processed by this scanner. These fields include the data elements that the scanner extracts from each file, representing the analytical results produced by the scanner. If the test file is missing or cannot be parsed, this section will not contain any data.
| Field Name | Field Type |
|---|---|
elapsed |
str |
flags |
list |
public_key_encrypted_session_keys |
list |
public_keys |
list |
public_keys.creation_time |
str |
public_keys.fingerprint |
bytes |
public_keys.key_id |
bytes |
public_keys.key_value |
NoneType |
public_keys.pub_algorithm_type |
str |
public_keys.pubkey_version |
int |
secret_keys |
list |
secret_keys.creation_time |
str |
secret_keys.fingerprint |
bytes |
secret_keys.key_id |
bytes |
secret_keys.key_value |
NoneType |
secret_keys.pub_algorithm_type |
NoneType |
secret_keys.pubkey_version |
NoneType |
signatures |
list |
signatures.creation_time |
str |
signatures.hash_algorithm |
str |
signatures.key_id |
bytes |
signatures.length |
int |
signatures.pub_algorithm |
str |
signatures.sig_type |
str |
signatures.sig_version |
int |
total |
dict |
total.public_key_encrypted_session_keys |
int |
total.public_keys |
int |
total.secret_keys |
int |
total.signatures |
int |
total.trusts |
int |
total.user_attributes |
int |
total.user_ids |
int |
trusts |
list |
user_attributes |
list |
user_ids |
list |
user_ids.user |
str |
user_ids.user_email |
str |
user_ids.user_name |
str |
Sample Event¶
Below is a sample event generated by this scanner, demonstrating the kind of output that can be expected when it processes a file. This sample is derived from a mock scan event configured in the scanner's test file. If no test file is available, this section will not display a sample event.
test_scan_event = {
"elapsed": 0.001,
"flags": [],
"public_key_encrypted_session_keys": [],
"public_keys": [],
"secret_keys": [],
"trusts": [],
"user_attributes": [],
"user_ids": [],
"signatures": [
{
"creation_time": "2023-01-16T01:26:37",
"hash_algorithm": "SHA512",
"key_id": b"CA352AC023CAA9FF",
"length": 435,
"pub_algorithm": "RSA Encrypt or Sign",
"sig_type": "Signature of a canonical text document",
"sig_version": 4,
}