dfir-dd/dfir-toolkit
3
0
Fork 0
Code Issues 1 Pull requests Activity
CLI tools for forensic investigation of Windows artifacts https://github.com/dfir-dd/dfir-toolkit
327 commits 4 branches 22 tags 3 MiB
  • Rust 97.3%
  • Shell 2.7%
Find a file
Jan Starke 1270e3ada8
 regdump: show values in flow-record output
2025-09-29 16:26:11 +02:00
.github/workflows use extended timestamps 2024-03-06 10:48:32 +01:00
common-crates/dfirtk-eventdata fix merge conflict 2024-07-15 13:45:16 +02:00
derive-crates/dfirtk-sessionevent-derive Update Cargo.toml 2024-05-31 15:47:40 +02:00
doc use new fox image 2024-07-30 15:20:51 +02:00
scripts merge develop and update dependencies 2024-06-10 14:31:33 +02:00
src regdump: show values in flow-record output 2025-09-29 16:26:11 +02:00
tests merge from develop 2024-06-10 17:26:43 +02:00
.gitignore hide some more folders from git 2024-04-17 15:36:35 +02:00
Cargo.lock regdump: show values in flow-record output 2025-09-29 16:26:11 +02:00
Cargo.toml regdump: show values in flow-record output 2025-09-29 16:26:11 +02:00
LICENSE Initial commit 2023-07-08 11:57:18 +02:00
README.md Fix missing dependancy in installation instruction 2024-09-24 10:22:09 +02:00

README.md

DFIR Toolkit

Crates.io Crates.io (latest) GitHub Workflow Status (with event) Codecov

Table of contents

Overview of timelining tools

Installation

sudo apt install libscca-dev libssl-dev
cargo install dfir-toolkit

To generate autocompletion scripts for your shell, invoke the tool with the --autocomplete option, e.g.

mactime2 --autocomplete bash | sudo tee /etc/bash_completion.d/mactime2

would install a autocompletion script in /etc/bash_completion.d/mactime2.

Usage

Configuring the global timestamp format

Per default, the DFIR toolkit uses an RFC3339-compliant data format. If you want to, you can change the data format being used by setting the DFIR_DATE environment variable. Let's look at an example:

$ mac2time2 -b tests/data/mactime2/sample.bodyfile -d | head
1970-01-01T00:00:00+00:00,0,macb,V/V---------,0,0,62447617,"/$OrphanFiles"
2022-04-18T10:28:59+00:00,4096,m...,d/drwxr-xr-x,0,0,42729473,"/proc"
2022-04-18T10:28:59+00:00,4096,m...,d/drwxr-xr-x,0,0,36306945,"/sys"
2022-04-21T00:57:50+00:00,7,m...,l/lrwxrwxrwx,0,0,12,"/bin -> usr/bin"
2022-04-21T00:57:50+00:00,7,m...,l/lrwxrwxrwx,0,0,13,"/lib -> usr/lib"
2022-04-21T00:57:50+00:00,9,m...,l/lrwxrwxrwx,0,0,14,"/lib32 -> usr/lib32"
2022-04-21T00:57:50+00:00,9,m...,l/lrwxrwxrwx,0,0,15,"/lib64 -> usr/lib64"
2022-04-21T00:57:50+00:00,10,m...,l/lrwxrwxrwx,0,0,16,"/libx32 -> usr/libx32"
2022-04-21T00:57:50+00:00,8,m...,l/lrwxrwxrwx,0,0,17,"/sbin -> usr/sbin"
2022-04-21T00:57:51+00:00,4096,m...,d/drwxr-xr-x,0,0,38010881,"/srv"

$ DFIR_DATE="%F %T (%Z)" mac2time2 -b tests/data/mactime2/sample.bodyfile -d | head
1970-01-01 00:00:00 (UTC),0,macb,V/V---------,0,0,62447617,"/$OrphanFiles"
2022-04-18 10:28:59 (UTC),4096,m...,d/drwxr-xr-x,0,0,42729473,"/proc"
2022-04-18 10:28:59 (UTC),4096,m...,d/drwxr-xr-x,0,0,36306945,"/sys"
2022-04-21 00:57:50 (UTC),7,m...,l/lrwxrwxrwx,0,0,12,"/bin -> usr/bin"
2022-04-21 00:57:50 (UTC),7,m...,l/lrwxrwxrwx,0,0,13,"/lib -> usr/lib"
2022-04-21 00:57:50 (UTC),9,m...,l/lrwxrwxrwx,0,0,14,"/lib32 -> usr/lib32"
2022-04-21 00:57:50 (UTC),9,m...,l/lrwxrwxrwx,0,0,15,"/lib64 -> usr/lib64"
2022-04-21 00:57:50 (UTC),10,m...,l/lrwxrwxrwx,0,0,16,"/libx32 -> usr/libx32"
2022-04-21 00:57:50 (UTC),8,m...,l/lrwxrwxrwx,0,0,17,"/sbin -> usr/sbin"
2022-04-21 00:57:51 (UTC),4096,m...,d/drwxr-xr-x,0,0,38010881,"/srv"

The value of DFIR_DATE can be any format string which can also be used in DateTime::strftime (https://docs.rs/chrono/latest/chrono/format/strftime/index.html)