Thinking about some of the live_response artifacts that could also be useful offline

[clausing]

There are quite a number of the live_response artifacts that would be really useful against mounted images in an offline mode (the next logical step after my offline_ir_triage profile pull request, thanx for incorporating that). For example, the setuid, setgid, immutable, hidden_files, and hidden_directories artifacts would all be very useful to me to with mounted images to get a quick first look before doing a deeper dive. My question is, should I modify the live_response versions to add the "%mount_point%" to the paths or create new artifacts or a new category to move the (modified) ones that would be useful in both places? I'm happy to modify the ones that are useful to me, but I figured I'd look for guidance before I make a pull request.

[tclahr]

Hi,
The best would be changing the existing artifact to add %mount_point%.
You are welcome to create a PR for review.
Thanks!

[clausing]

Hmm... It turns out that you must already be doing some sort of chroot or similar because some of the ones I wanted actually already work without any modification. In that case, I think I'll just just make some changes to my offline_ir_triage profile instead. Look for a pull request soon and thanx for all the work you put into this, I love the tool and it has saved my butt more times than I can count in the last couple of years.

[tclahr]

Correct. The file, hash, find, and stat collectors automatically prepend the mount point to the path property. You only need to use %mount_point% in the command collector (if required).