dfir-dd / dfir-toolkit Goto Github PK

CLI tools for forensic investigation of Windows artifacts

Home Page: https://github.com/dfir-dd/dfir-toolkit

License: GNU General Public License v3.0

Rust 97.51% Shell 2.49%

cli dfir digital-forensics digital-forensics-incident-response forensic-analysis forensics forensics-tools rust rust-lang

dfir-toolkit's Introduction

dfir-toolkit's People

Contributors

Stargazers

Watchers

dfir-toolkit's Issues

Regdump | Creation of timeline fails, when the given transaction log is empty

I get the following error message, when I try to create a timeline from the registry with regdump and specify a transaction log, that is empty.

$ regdump -L ntuser.dat.LOG1 -L ntuser.dat.LOG2 -b NTUSER.DAT > ntuser.body

Error: AssertFail at 0x0: "! log_entries.is_empty()"

It would be cool when the program continues to process the contents despite an empty transaction log and outputs a small warning that the transaction log is empty.

pf2bodyfile | Creation time is not available

I do get the following error message when running pf2bodyfile:
Error: IO operations error: creation time is not available for the filesystem

My setup:

kali linux
I have connected an external drive with NTFS filesystem.
An E01 image is stored on the external drive
I have mounted the E01 image, the mountpath is also on the external drive

Usage of pure rust SCCA library

I have developed a pure rust prefetch parser, it is still in development and is designed to work with the Forensic-RS framework, but it can work in this project so as not to use bindings to C code.

https://crates.io/crates/frnsc-prefetch

It does not use the Windows-exclusive RtlDecompressBuffer function that other implementations use, which allows it to be used on any platform compatible with the standard Rust library.
It also gives you accurate traces and metrics, such as which blocks were loaded into runtime memory, as a resource, or fetched from disk without going through the prefetch.

The logs generated during processing can be accessed through Rust code by initializing the logger. They are not sent directly to stdout or stderr. logger

You can also check for anomalies detected during processing through the notification system and create hooks when certain anomalies occur. notifications

ipgrep: `Error: attempted to set a logger after the logging system was already initialized`

timestamp conversion fail after switching to new API

test output::csv_output::tests::test_correct_ts_random_tz ... FAILED
test output::txt_output::tests::test_correct_ts_random_tz ... FAILED
test output::csv_output::tests::test_correct_ts_UTC ... FAILED
test output::txt_output::tests::test_correct_ts_UTC ... FAILED

failures:

---- output::csv_output::tests::test_correct_ts_random_tz stdout ----
thread 'output::csv_output::tests::test_correct_ts_random_tz' panicked at src/bin/mactime2/output/csv_output.rs:99:13:
assertion `left == right` failed: Timestamp 2037489506 converted to '2024-05-16T03:45:46-04:00' and back to 1715831146 (offset was -14400s)
  left: 2037489506
 right: 1715831146
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

---- output::txt_output::tests::test_correct_ts_random_tz stdout ----
thread 'output::txt_output::tests::test_correct_ts_random_tz' panicked at src/bin/mactime2/output/txt_output.rs:118:13:
assertion `left == right` failed: Timestamp 1352388422 converted to '2024-05-16T03:45:46-04:00' and back to 1715831146 (offset was -14400s)
  left: 1352388422
 right: 1715831146

---- output::csv_output::tests::test_correct_ts_UTC stdout ----
thread 'output::csv_output::tests::test_correct_ts_UTC' panicked at src/bin/mactime2/output/csv_output.rs:67:13:
assertion `left == right` failed: Timestamp 3898258695 converted to '2024-05-16T07:45:46+00:00' and back to 1715845546
  left: 3898258695
 right: 1715845546

---- output::txt_output::tests::test_correct_ts_UTC stdout ----
thread 'output::txt_output::tests::test_correct_ts_UTC' panicked at src/bin/mactime2/output/txt_output.rs:83:13:
assertion `left == right` failed: Timestamp 630314567 converted to '2024-05-16T07:45:46+00:00' and back to 1715845546
  left: 630314567
 right: 1715845546


failures:
    output::csv_output::tests::test_correct_ts_UTC
    output::csv_output::tests::test_correct_ts_random_tz
    output::txt_output::tests::test_correct_ts_UTC
    output::txt_output::tests::test_correct_ts_random_tz

test result: FAILED. 0 passed; 4 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.00s

error: test failed, to rerun pass `--bin mactime2`

autocompletion doesn't autocomplete filenames

Removing duplicate 'format_date' function

The function format_date was copied from 'src/bin/mactime2/application.rs' to 'src/common/forensics_timestamp.rs', so the function could be removed from Mactime2Application.
Additionally, the calls of the function, for e.g. in 'src/bin/mactime2/output/csv_output.rs' (impl Mactime2Writer for CsvOutput) and in 'src/bin/mactime2/output/txt_output.rs' (impl Mactime2Writer for TxtOutput), have to be adjusted.

Bug in lnk2bodyfile

forensics

mactime2 writes invalid CSV in some cases

Example:

2022-11-16T08:26:43+00:00,0,m...,,0,0,0,"{"activity_id":null,"channel_name":"Microsoft-Windows-WER-PayloadHealth/Operational","computer":"WIN-J56D9ENVG6H","custom_data":{"EventData":{"#attributes":{"Name":"WER_PAYLOAD_HEALTH_FAIL"},"BytesUploaded":0,"HttpExchangeResult":2147954402,"PayloadSize":4569,"Protocol":"Watson","RequestStatusCode":0,"ServerName":"umwatson.events.data.microsoft.com","Stage":"s1event","TransportHr":2147954402,"UploadDuration":21094}},"event_id":2,"event_record_id":1,"level":4,"provider_name":"Microsoft-Windows-WER-PayloadHealth","timestamp":"2022-11-16T08:26:43.409044Z"}"

Fix code scanning alert - lint clippy::incorrect_partial_ord_impl_on_ord_type has been renamed to clippy::non_canonical_par...

Tracking issue for:

https://github.com/dfir-dd/dfir-toolkit/security/code-scanning/28

invalid contact data

mactime2 does not work correctly with the time zone specification

mactime2 with timezone specification (no matter if source (-f) or destination (-t)) does not seem to work properly.

For example, the command mactime2 -b <bodyfile> -d -t UTC also just lists the possible timezone values instead of processing the data. The output is equal to listing of timezone values with e.g. mactime2 -t list

I guess there is an issue inside https://github.com/dfir-dd/dfir-toolkit/blob/master/src/bin/mactime2/main.rs in

if matches!(cli.src_zone(), Some(_list)) {
        display_zones(); return Ok(());
    }
    if matches!(cli.dst_zone(), Some(_list)) {
        display_zones(); return Ok(());
    }

hivescan SYSTEM
[00:00:12] ██████████████████████████████████████░░  22745024/23834624 (95%) scanning cells                              
thread 'main' panicked at /home/user/.cargo/registry/src/index.crates.io-6f17d22bba15001f/nt_hive2-4.0.2/src/cell_iterator.rs:152:101:
called `Result::unwrap()` on an `Err` value: Custom { kind: UnexpectedEof, error: "cannot seek beyond end of file" }
stack backtrace:
   0: rust_begin_unwind
             at /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/panicking.rs:645:5
   1: core::panicking::panic_fmt
             at /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/core/src/panicking.rs:72:14
   2: core::result::unwrap_failed
             at /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/core/src/result.rs:1653:5
   3: <nt_hive2::cell_iterator::CellIterator<B,C> as core::iter::traits::iterator::Iterator>::next
   4: hivescan::regtreebuilder::RegTreeBuilder::from_hive
   5: hivescan::hivescanapplication::HiveScanApplication::run
   6: hivescan::main

Compile Error

error: multiple release_max_level_* features set
   --> /home/user/.cargo/registry/src/index.crates.io-6f17d22bba15001f/log-0.4.22/src/lib.rs:382:1
    |
382 | compile_error!("multiple release_max_level_* features set");
    | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

   Compiling parking_lot_core v0.9.10
   Compiling time-core v0.1.2
   Compiling futures-core v0.3.30
   Compiling vcpkg v0.2.15
   Compiling rayon-core v1.12.1
   Compiling bytes v1.6.0
error: could not compile `log` (lib) due to 1 previous error
warning: build failed, waiting for other jobs to finish...
error: failed to compile `dfir-toolkit v0.11.0`, intermediate artifacts can be found at `/tmp/cargo-install35TIvg`.
To reuse those artifacts with a future compilation, set the environment variable `CARGO_TARGET_DIR` to that path.

Markdown Help generation with clap fails

          Markdown Help generation with clap fails

Originally posted by @Explie in #45 (review)

dfir-dd / dfir-toolkit Goto Github PK

dfir-toolkit's Introduction

DFIR Toolkit

Table of contents

Overview of timelining tools

Installation

Usage

Configuring the global timestamp format

dfir-toolkit's People

Contributors

Stargazers

Watchers

Forkers

dfir-toolkit's Issues

Recommend Projects

Recommend Topics

Recommend Org