Scalpy [bot]

Results 105 issues of Scalpy [bot]

- Library loader configuration and cache - /etc/ld.so.conf - /etc/ld.so.conf.d/\* - /etc/ld.so.cache Parse the information in `ld.so.conf` and its include directory `/etc/ld.so.conf.d/*` into records. Ideally we also want to be...

linux
epic:linux capabilities

Return all `/boot/initrd-.img` and `/boot/initramfs-.img` files as records.

good first issue
linux
epic:linux capabilities

- PAM configuration + binaries - /etc/pam.d/\* - all referred /lib/security/pam_\* modules Parse the contents of the config files in the `/etc/pam.d/` to records. As a fallback `/etc/pam.conf` config file...

linux
epic:linux capabilities

epic:improvements of containers/volumes/fses

The category system is created to serve two adjacent goals: 1. Define a “killchain” category with a number of sub-categories (defined in the questionnaire spreadsheet). 1. Have the user define...

epic:tagging for target-query plugins (discussion)

Parse entries in `/etc/mtab`. This file is edited by the `mount` and `umount` command. Entries in this file are similar to `/etc/fstab` and `/proc/mounts`.

linux
epic:linux capabilities

Parse entries in `/proc/mounts` to records. Entries in `/proc/mounts` are similar to entries in `/etc/fstab` and `/etc/mtab`.

linux
epic:linux capabilities

See: [https://wiki.osdev.org/Target_Triplet](https://wiki.osdev.org/Target_Triplet)

epic:target-* improvements

Implement the detection in a similar way as done for generic Unix. Maybe wait for Mach-O support in dissect.executable?

epic:macos capabilities

EventID=4104 Provider_Name="Microsoft-Windows-PowerShell" Windows creates event logs when PS scripts are executed. Due to the size limit of one event entry, Windows splits the content over multiple 4104 events. Scripts are now...

good first issue
epic:windows parsers