8000 GitHub - dfir-dd/dfir-toolkit: CLI tools for forensic investigation of Windows artifacts
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

dfir-dd/dfir-toolkit

BranchesTags

Folders and files

< 8000 td class="react-directory-row-name-cell-large-screen" colSpan="1">
derive-crates/dfirtk-sessionevent-derive
NameName
Last commit message
Last commit date

Latest commit

 

History

320 Commits
.github/workflows
.github/workflows
 
 
common-crates/dfirtk-eventdata
common-crates/dfirtk-eventdata
 
 
derive-crates/dfirtk-sessionevent-derive
 
 
doc
doc
 
 
scripts
scripts
 
 
src
src
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

DFIR Toolkit

Crates.io Crates.io (latest) GitHub Workflow Status (with event) Codecov

Table of contents

Overview of timelining tools

Installation

sudo apt install libscca-dev libssl-dev
cargo install dfir-toolkit

To generate autocompletion scripts for your shell, invoke the tool with the --autocomplete option, e.g.

mactime2 --autocomplete bash | sudo tee /etc/bash_completion.d/mactime2

would install a autocompletion script in /etc/bash_completion.d/mactime2.

Usage

Configuring the global timestamp format

Per default, the DFIR toolkit uses an RFC3339-compliant data format. If you want to, you can change the data format being used by setting the DFIR_DATE environment variable. Let's look at an example:

$ mac2time2 -b tests/data/mactime2/sample.bodyfile -d | head
1970-01-01T00:00:00+00:00,0,macb,V/V---------,0,0,62447617,"/$OrphanFiles"
2022-04-18T10:28:59+00:00,4096,m...,d/drwxr-xr-x,0,0,42729473,"/proc"
2022-04-18T10:28:59+00:00,4096,m...,d/drwxr-xr-x,0,0,36306945,"/sys"
2022-04-21T00:57:50+00:00,7,m...,l/lrwxrwxrwx,0,0,12,"/bin -> usr/bin"
2022-04-21T00:57:50+00:00,7,m...,l/lrwxrwxrwx,0,0,13,"/lib -> usr/lib"
2022-04-21T00:57:50+00:00,9,m...,l/lrwxrwxrwx,0,0,14,"/lib32 -> usr/lib32"
2022-04-21T00:57:50+00:00,9,m...,l/lrwxrwxrwx,0,0,15,"/lib64 -> usr/lib64"
2022-04-21T00:57:50+00:00,10,m...,l/lrwxrwxrwx,0,0,16,"/libx32 -> usr/libx32"
2022-04-21T00:57:50+00:00,8,m...,l/lrwxrwxrwx,0,0,17,"/sbin -> usr/sbin"
2022-04-21T00:57:51+00:00,4096,m...,d/drwxr-xr-x,0,0,38010881,"/srv"
$ DFIR_DATE="%F %T (%Z)" mac2time2 -b tests/data/mactime2/sample.bodyfile -d | head
1970-01-01 00:00:00 (UTC),0,macb,V/V---------,0,0,62447617,"/$OrphanFiles"
2022-04-18 10:28:59 (UTC),4096,m...,d/drwxr-xr-x,0,0,42729473,"/proc"
2022-04-18 10:28:59 (UTC),4096,m...,d/drwxr-xr-x,0,0,36306945,"/sys"
2022-04-21 00:57:50 (UTC),7,m...,l/lrwxrwxrwx,0,0,12,"/bin -> usr/bin"
2022-04-21 00:57:50 (UTC),7,m...,l/lrwxrwxrwx,0,0,13,"/lib -> usr/lib"
2022-04-21 00:57:50 (UTC),9,m...,l/lrwxrwxrwx,0,0,14,"/lib32 -> usr/lib32"
2022-04-21 00:57:50 (UTC),9,m...,l/lrwxrwxrwx,0,0,15,"/lib64 -> usr/lib64"
2022-04-21 00:57:50 (UTC),10,m...,l/lrwxrwxrwx,0,0,16,"/libx32 -> usr/libx32"
2022-04-21 00:57:50 (UTC),8,m...,l/lrwxrwxrwx,0,0,17,"/sbin -> usr/sbin"
2022-04-21 00:57:51 (UTC),4096,m...,d/drwxr-xr-x,0,0,38010881,"/srv"

The value of DFIR_DATE can be any format string which can also be used in DateTime::strftime (https://docs.rs/chrono/latest/chrono/format/strftime/index.html)

About

CLI tools for forensic investigation of Windows artifacts

github.com/dfir-dd/dfir-toolkit

Topics

rust cli forensics dfir rust-lang digital-forensics forensic-analysis digital-forensics-incident-response forensics-tools

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

337 stars

Watchers

4 watching

Forks

28 forks
Report repository

Releases 22

v0.11.2 Latest
Aug 1, 2024
+ 21 releases

Packages

No packages published

Contributors 8

Languages
0