Skip to content

Rename root#436

Open
halpomeranz wants to merge 71 commits into
tclahr:mainfrom
halpomeranz:rename-root
Open

Rename root#436
halpomeranz wants to merge 71 commits into
tclahr:mainfrom
halpomeranz:rename-root

Conversation

@halpomeranz
Copy link
Copy Markdown
Contributor

@halpomeranz halpomeranz commented Feb 13, 2026

Renaming "[root]" to "collected_files" makes things easier in the uac code and also for analysts using the collected files.

I'm not wedded to "collected_files" if you want to change the name to something else. There are only a very few spots in the uac script needed to make the change.

This is apropos of Issue #435

ekt0-syn and others added 30 commits August 21, 2025 15:28
@ekt0-syn
Update ss.yaml to show bpf filters
bb3c355 
Detect running processes that inserted BPF filters in the Linux server
@ekt0-syn
Removed unnecessary newline
11102ce
@william-billaud
Update spotlight.yaml
0af8287 
Fix typo
@tclahr
refactor: development version
394565a
@tclahr
Merge branch 'develop' into patch-1
cf0aa84
@tclahr
Merge pull request tclahr#399 from william-billaud/patch-1
71f5462 
Fix yaml typo in spotlight.yaml
@tclahr
Merge branch 'develop' into patch-1
cc66067
@tclahr
refactor: update changelog
3f033a2
@tclahr
Merge pull request tclahr#398 from ekt0-syn/patch-1
785a6d5 
Update ss.yaml to show bpf filters
@tclahr
fix: azure storage sas url
7147dc9 
Add output and log filenames to the Azure Storage SAS URL.

Fixes tclahr#389
@tclahr
refactor: remove --azure-storage-sas-url-log-file option
76c8e40 
The output and log file names are now automatically appended to the URL provided in `--azure-storage-sas-url` ([tclahr#389](tclahr#389)). Consequently, the `--azure-storage-sas-url-log-file` option is no longer needed and has been removed.
@tclahr
feat: simplify payload default and URL placeholders in transfer scripts
c896b44
@tclahr
fix: update statx binaries
79e0c3e
@tclahr
Merge pull request tclahr#403 from tclahr/update_statx
2119563 
fix: update statx binaries
@tclahr
feat: add statf tool for FreeBSD based systems
db61978
@tclahr
Merge pull request tclahr#404 from tclahr/add_statf_tool
c805cf2 
feat: add statf tool for FreeBSD based systems
@tclahr
Merge branch 'develop' into fix_azure_sas_storage_url
0b75c55
@tclahr
Merge pull request tclahr#405 from tclahr/fix_azure_sas_storage_url
fd0efa1 
Fix azure sas storage url
@tclahr
fix: parse special permissions in statx binary
c3f97cb
@tclahr
Merge pull request tclahr#406 from tclahr/update_statx
6a0610f 
fix: parse special permissions in statx binary
@mnrkbys
artif: add binfmt_misc artifact
e073f5f
@tclahr
feat: add new github actions
64fa525 
Add an action to close stale pull requests older than 180 days.
@tclahr
Merge branch 'develop' into binfmt_misc
e7f8fc7
@tclahr
add changelog
f8e7ea3
@tclahr
Merge pull request tclahr#409 from mnrkbys/binfmt_misc
ccde018 
artif: add binfmt_misc artifact
@tclahr
refactor: fix typo
caf2c86
@tclahr
fix: bug preventing artifact collection mountpoint
2c8b071 
Resolved a bug that prevented proper artifact collection when the mountpoint of a mounted disk image included spaces or special characters.
@tclahr
fix: correct mount point path handling
2f9cfe6
@tclahr
Merge pull request tclahr#410 from tclahr/fix_mount_point_with_spaces
7b4f05d 
Fix mount point with spaces
@tclahr
artif: update artifact
9994c66
tclahr and others added 26 commits January 17, 2026 10:46
@tclahr
Merge branch 'develop' into find-with-command
055467d
@tclahr
update _find_based_collector call
394411c 
Add one more parameter as command was added to _find_based_collector function.
@tclahr
Merge pull request tclahr#422 from halpomeranz/find-with-command
a8eb432 
feat: find collectors may include a command to use with xargs
@tclahr
Merge branch 'develop' into add_artifacts
ed1a62d
@tclahr
Merge pull request tclahr#428 from tclahr/add_artifacts
1b63c59 
Add artifacts
@tclahr
Merge branch 'develop' into new-persistence-artifacts
522aa60
@tclahr
update CHANGELOG.md
315f03a
@tclahr
Merge pull request tclahr#426 from halpomeranz/new-persistence-artifacts
a13afbc 
artif: add additional possible persistence locations
@tclahr
Merge branch 'develop' into collect-boot-files
fe293dc
@tclahr
move vmlinu* collection to avml.yaml
ea92027
@tclahr
update CHANGELOG.md
86cdbc3
@tclahr
Merge branch 'develop' into new-ssh-artifacts
4c2b169
@tclahr
move to a different artifact directory
8c4f3c0 
Move artifact to a different artifact directory.
Add changelog.
Collect the SSH private key path only, and not the full key content.
@tclahr
fix artifact path
4015966
@tclahr
artif: update avml memory size limit
e67d6a8 
Add System.map* to avml.yaml.
@tclahr
Merge pull request tclahr#425 from halpomeranz/collect-boot-files
8c3e24f 
artif: collect /boot
@tclahr
artif: collect public key instead
f05172b
@tclahr
Merge branch 'develop' into new-ssh-artifacts
c2466de
@tclahr
store output into separate directories by user
135f3d1
@tclahr
change path to avoid searching across the entire fs
3d8603a
@tclahr
Merge branch 'develop' into systemd-journal
40617f8
@tclahr
Merge pull request tclahr#423 from halpomeranz/systemd-journal
8bf92de 
fix: look for systemd journal only in /var/log
@tclahr
Merge branch 'develop' into new-ssh-artifacts
c692a48
@tclahr
Merge pull request tclahr#424 from halpomeranz/new-ssh-artifacts
fc3b373 
artif: collect SSH public keys, test secret keys for null passphrases
@tclahr
update foreach to return file name only
6055e8a
@halpomeranz
feat: rename "[root]" to "collected_files"
beb73e4 
Not only is the new name more descriptive, it's a lot less hassle in
both the "uac" code and also for later analysis.

Signed-off-by: Hal Pomeranz <hrpomeranz@gmail.com>
@halpomeranz
Copy link
Copy Markdown
Contributor Author

halpomeranz commented Feb 13, 2026

Unit tests will need to be updated to account for the new directory name

@tclahr
Copy link
Copy Markdown
Owner

tclahr commented Feb 18, 2026

I decided to use [root] with [] as a referente to FTK which also uses [root] to map root file systems.

The issue here is that some tools such as Cyber Triage, dissect... they might be using [root] as a reference to find and parse files.
If we decide to rename [root], I would say it should be done in a major release (v4).
I would use files as the new name as it matches with what we have inside artifacts directory.

@william-billaud
Copy link
Copy Markdown
Contributor

william-billaud commented Feb 18, 2026

Regarding the dissect plugins it would be easy to change it. Let me know if you plan it one day (or I will probably see it).

But I'm agree, the '[root]' name is now part of the UAC 'API' and is probably used in a lot of automation and changing it would be better in a major release.

@halpomeranz
Copy link
Copy Markdown
Contributor Author

halpomeranz commented Feb 23, 2026

How much more code do I have to push in order for you to call it a major release? :-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@halpomeranz @tclahr @william-billaud @ekt0-syn @mnrkbys