Improve artifact definition specification

[joachimmetz]

Done

• Change request: Changes to the format and clean up. #11
  • Rename collectors to sources
  • Split Registry key and value types
  • add file and path separator
• update documentation: Updated documentation. #36

To do

• add tags/labels e.g. for persistence method
  • this is not going to be very useful as filter method since there are many persistence methods
  • Labels will be removed in Change legacy definitions to use alias #465
  • separate "trait" definitions might be more useful, especially if they can be pro-grammatically validated
• Make path relative to the file system root (absolute?)
• Change provides so that it has clear type indicators like sources
• Define a way to specify data streams
• have artifact names contain type information e.g "files" in "browser history files"
  • add source type to artifact name e.g. instead of ChromeHistory use ChromeHistoryFiles
• define environment variables (path expanders)

Based on #12 there is a need to specify:

• NTFS ADS names
• HFS resource fork
• extended attribute names

[joachimmetz]

Not overload FILE but create FILE_DATA_STREAM source type, e.g.

FILE_DATA_STREAM:
paths:
{path:, stream_name:}

Describe the globbing and * handling and literal *
define what the format supports in terms of globs

[joachimmetz]

Think about adding metadata:

_format_version: 20150618
_definition_type: artifact