Is your feature request related to a problem? Please describe.
The recursive and modular nature of Strelka is great for parsing and analyzing files down to their atomic state. Sometimes during the malware analysis process, raw access to a sub-file is helpful. This could be to view the raw contents of a file to create a new Yara signature or to save a sub-file in a local malware database. Exposing the raw file contents to the client app ensures that analysts do not need to manually recreate the Strelka scanner workflow steps to gain access to the full contents of a sub-file.
Describe the solution you'd like
The Strelka backend returns a copy of the binary data for each parsed sub-file to the client. This feature can be toggled on or off in the backend configuration. The data can be compressed to reduce the size and encoded to fit in the JSON output. Adding this capability as a scanner may give the most flexibility of which files to return and whether the feature is enabled.
Describe alternatives you've considered
Besides using a scanner, there are other options that could be used:
- Expanding the protobuf to hold file data in another data structure (rather than `event`).
  - This may be good if this was a widely used feature, but does require a larger codebase change.
  - This is not as flexible as a scanner.
- Performing this task inside the backend code and placing the file data directly in `File.dictionary()`.
  - This is not as flexible as a scanner.
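A standalone sketch of the core of the proposed scanner approach, added here as an example rather than Strelka's own code or the PR mentioned in this issue: the backend side compresses and base64-encodes a sub-file into a JSON-safe fragment, and the client side reverses it and verifies the bytes against a digest. The `max_size` option, the `file_too_large` flag and the field names are assumptions.

```python
import base64
import bz2
import gzip
import hashlib
import lzma

# Supported compression schemes; "none" keeps the bytes as-is.
COMPRESSORS = {
    "none": (lambda b: b, lambda b: b),
    "gzip": (gzip.compress, gzip.decompress),
    "bz2": (bz2.compress, bz2.decompress),
    "lzma": (lzma.compress, lzma.decompress),
}


def pack_subfile(data, compression="gzip", max_size=None):
    """Build a JSON-serialisable fragment carrying the raw sub-file bytes.

    max_size is an assumed scanner option: sub-files above it get a flag and
    their digest instead of the bytes, so one large archive member cannot
    inflate the event beyond what the client can hold.
    """
    if compression not in COMPRESSORS:
        raise ValueError("unknown compression: %s" % compression)
    digest = hashlib.sha256(data).hexdigest()
    if max_size is not None and len(data) > max_size:
        return {"flags": ["file_too_large"], "size": len(data), "sha256": digest}
    compress, _ = COMPRESSORS[compression]
    blob = compress(data)
    return {
        "flags": [],
        "size": len(data),
        "sha256": digest,
        "compression": compression,
        "encoding": "base64",
        "compressed_size": len(blob),
        "data": base64.b64encode(blob).decode("ascii"),
    }


def unpack_subfile(fragment):
    """Client side: decode, decompress and verify the bytes against the digest."""
    if "data" not in fragment:
        raise ValueError("no file data in fragment, flags=%s" % fragment.get("flags"))
    _, decompress = COMPRESSORS[fragment["compression"]]
    data = decompress(base64.b64decode(fragment["data"], validate=True))
    if hashlib.sha256(data).hexdigest() != fragment["sha256"]:
        raise ValueError("sha256 mismatch: sub-file altered or corrupted in transit")
    return data
```

The digest lets the analyst confirm that the sub-file written to a local malware database is byte-for-byte what the scanner saw, independent of the compression and encoding layers.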
Additional context
I have created a new scanner as a possible solution to this request and will be creating a PR soon.