Merge pull request #24 from dfir-dd/23-usage-of-pure-rust-scca-library
23 usage of pure rust scca library
Showing
18 changed files
with
125 additions
and
624 deletions.
@@ -1,6 +1,6 @@ | ||
[package] | ||
name = "dfir-toolkit" | ||
version = "0.10.0" | ||
version = "0.10.1" | ||
edition = "2021" | ||
authors = ["Jan Starke <[email protected]>", "Deborah Mahn <[email protected]>"] | ||
description = "CLI tools for digital forensics and incident response" | ||
|
@@ -99,7 +99,7 @@ evtx2bodyfile = ["evtx", "getset", "ouroboros", "indicatif"] | |
ipgrep = [] | ||
ts2date = ["regex"] | ||
lnk2bodyfile = ["lnk"] | ||
pf2bodyfile = ["num", "libc"] | ||
pf2bodyfile = ["num", "libc", "frnsc-prefetch", "forensic-rs"] | ||
|
||
regdump = ["nt_hive2"] | ||
hivescan = ["nt_hive2"] | ||
|
@@ -176,6 +176,8 @@ lnk = {version="0.5.1", optional=true} | |
# pf2bodyfile | ||
libc = {version="0.2", optional=true} | ||
num = {version="0", optional=true} | ||
frnsc-prefetch = {version="0.9", optional=true} | ||
forensic-rs = {version="0.9.1", optional=true} | ||
|
||
[dev-dependencies] | ||
|
||
|
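Review bot: The two new crates added at `frnsc-prefetch = {version="0.9", optional=true}` and `forensic-rs = {version="0.9.1", optional=true}` are caret requirements, so any later 0.9.x release is pulled in by a `cargo update`; because these crates now parse evidence files of unknown provenance on behalf of `pf2bodyfile`, the accompanying `Cargo.lock` (not shown on this page) deserves a look and the crate set should be gated with `cargo audit` or `cargo deny` before 0.10.1 ships. The `pf2bodyfile` feature line still enables `num` and `libc`, which the rewritten `pf2bodyfile` binary in this commit no longer appears to use (their consumer was presumably the `scca` module that this commit deletes); if nothing else references them, `pf2bodyfile = ["frnsc-prefetch", "forensic-rs"]` trims build dependencies and binary surface. I cannot see from this page whether other files still depend on those two crates, so confirm with `cargo build --features pf2bodyfile` after removing them.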
@@ -1,38 +1,93 @@ | ||
mod cli; | ||
|
||
use cli::Cli; | ||
use dfir_toolkit::common::bodyfile::Bodyfile3Line; | ||
use dfir_toolkit::common::FancyParser; | ||
use dfir_toolkit::scca::File; | ||
use forensic_rs::prelude::*; | ||
use frnsc_prefetch::prelude::*; | ||
use log::{error, warn}; | ||
use std::path::Path; | ||
|
||
fn main() -> anyhow::Result<()> { | ||
let cli = Cli::parse_cli(); | ||
|
||
if cli.prefetch_files().iter().any(|f| !f.can_seek()) { | ||
anyhow::bail!( | ||
"{} cannot read from a stream; you must specify a file", | ||
env!("CARGO_BIN_NAME") | ||
); | ||
if cli.prefetch_files().iter().any(|f| !f.path().exists()) { | ||
anyhow::bail!("some files you specified do not exist"); | ||
} | ||
|
||
if cli.prefetch_files().iter().any(|f| ! f.path().is_file()) { | ||
anyhow::bail!( | ||
"{} you must specify a file", | ||
env!("CARGO_BIN_NAME") | ||
); | ||
if cli.prefetch_files().iter().any(|f| !f.path().is_file()) { | ||
anyhow::bail!("some paths you specified are no files"); | ||
} | ||
|
||
let vfs = Box::new(StdVirtualFS::new()); | ||
|
||
for input in cli.prefetch_files().iter() { | ||
let path = input.path().as_os_str().to_string_lossy(); | ||
let pf_file = input.path().file_name().unwrap().to_string_lossy(); | ||
let file = File::open(&path)?; | ||
let executable = file.utf8_executable_filename()?; | ||
let run_count = file.run_count()?; | ||
for time in file.last_run_times()? { | ||
match input.parent() { | ||
Some(parent) => { | ||
let mut fs = ChRootFileSystem::new(parent, vfs.clone()); | ||
if let Some(pf_os_filename) = input.path().file_name() { | ||
if let Some(pf_filename) = pf_os_filename.to_str() { | ||
let pf_file = read_prefetch_file( | ||
pf_filename, | ||
fs.open(Path::new(&pf_filename.to_string()))?, | ||
)?; | ||
|
||
pf_file.display_prefetch_file(pf_filename, *cli.include_metrics())?; | ||
} else { | ||
error!("invalid Unicode characters in filename: '{pf_os_filename:?}'") | ||
} | ||
} else { | ||
warn!("unable to handle directories; you must specify concrete file names"); | ||
} | ||
} | ||
None => { | ||
error!("specified path has no parent: {input}") | ||
} | ||
} | ||
} | ||
Ok(()) | ||
} | ||
|
||
trait DisplayPrefetchFile { | ||
fn display_prefetch_file( | ||
&self, | ||
pf_file_name: &str, | ||
include_metrics: bool, | ||
) -> anyhow::Result<()>; | ||
} | ||
|
||
impl DisplayPrefetchFile for PrefetchFile { | ||
fn display_prefetch_file( | ||
&self, | ||
pf_file_name: &str, | ||
include_metrics: bool, | ||
) -> anyhow::Result<()> { | ||
for time in &self.last_run_times { | ||
let accessed = | ||
winstructs::timestamp::WinTimestamp::new(&time.filetime().to_le_bytes())? | ||
.to_datetime() | ||
.into(); | ||
|
||
let bf_line = Bodyfile3Line::new() | ||
.with_owned_name(format!("Prefetch: '{executable}' (run {run_count} times, read from '{pf_file}')")) | ||
.with_atime(time.into()); | ||
.with_owned_name(format!( | ||
"Prefetch: run '{}' (run {} times, read from '{pf_file_name}')", | ||
self.name, self.run_count | ||
)) | ||
.with_atime(accessed); | ||
println!("{bf_line}"); | ||
|
||
if include_metrics { | ||
for metric in &self.metrics { | ||
let mf = &metric.file; | ||
let bf_line = Bodyfile3Line::new() | ||
.with_owned_name(format!( | ||
"Prefetch: running '{} possibly loaded '{mf}', read from '{pf_file_name}')", | ||
self.name | ||
)) | ||
.with_atime(accessed); | ||
println!("{bf_line}"); | ||
} | ||
} | ||
} | ||
Ok(()) | ||
} | ||
Ok(()) | ||
} | ||
} |
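Review bot: A single unreadable or malformed prefetch file aborts the whole run, because the `?` after `fs.open(...)` and after `read_prefetch_file(...)` in the `let pf_file = …` statement of the per-input loop in `main` propagates out of the loop, so every input listed after the bad one is never processed; a triage tool fed evidence of unknown quality should log the failing path and move on (optionally exiting non-zero at the end), as sketched below. The two `anyhow::bail!` guards above the loop have a similar reporting gap, since `"some files you specified do not exist"` does not name the offending path, so a `find(|f| !f.path().exists())` that bails with that path would help. The metrics line in `display_prefetch_file` carries an unbalanced quote and a stray parenthesis in its format string: `"Prefetch: running '{} possibly loaded '{mf}', read from '{pf_file_name}')"` should read `"Prefetch: running '{}' possibly loaded '{mf}' (read from '{pf_file_name}')"`. Note also that `self.name` and `metric.file` are strings taken straight from the evidence file; unless `Bodyfile3Line` escapes `|` and newlines (not visible here), a crafted name could corrupt the emitted bodyfile line.

```rust
// … unchanged: parent / file_name / to_str checks …
let handle = match fs.open(Path::new(pf_filename)) {
    Ok(h) => h,
    Err(e) => {
        error!("cannot open '{pf_filename}': {e}");
        continue;
    }
};
let pf_file = match read_prefetch_file(pf_filename, handle) {
    Ok(pf) => pf,
    Err(e) => {
        error!("cannot parse '{pf_filename}': {e}");
        continue;
    }
};
if let Err(e) = pf_file.display_prefetch_file(pf_filename, *cli.include_metrics()) {
    error!("cannot display '{pf_filename}': {e}");
}
```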
@@ -1,7 +1,6 @@ | ||
pub mod registry; | ||
pub mod common; | ||
pub mod evtx; | ||
pub mod scca; | ||
|
||
#[cfg(feature="elastic")] | ||
pub mod es4forensics; |