DFIR Toolkit

Installation

bash cargo install dfir-toolkit

Tools

evtx2bodyfile

to be come

mactime2

to be come

mft2bodyfile

to be come

pol_export

Exporter for Windows Registry Policy Files

Usage

```bash USAGE: pol_export

ARGS: Name of the file to read

OPTIONS: -h, --help Print help information -V, --version Print version information ```

More information

• https://docs.microsoft.com/en-us/previous-versions/windows/desktop/policy/registry-policy-file-format