DFIR Toolkit

Overview of timelining tools

Installation

```bash
cargo install dfir-toolkit
```

Tools

cleanhive

merges logfiles into a hive file

Usage

```
Usage: cleanhive [OPTIONS] --output

Arguments:
  name of the file to dump

Options:
  -L, --log         transaction LOG file(s). This argument can be specified one or two times
  -v, --verbose...  More output per occurrence
  -q, --quiet...    Less output per occurrence
  -O, --output      name of the file to which the cleaned hive will be written
  -h, --help        Print help
  -V, --version     Print version
```

evtx2bodyfile

Usage

```
Usage: evtx2bodyfile [OPTIONS] [EVTX_FILES]...

Arguments:
  [EVTX_FILES]...  names of the evtx files

Options:
  -J, --json        output json for elasticsearch instead of bodyfile
  -S, --strict      fail upon read error
  -v, --verbose...  More output per occurrence
  -q, --quiet...    Less output per occurrence
  -h, --help        Print help
  -V, --version     Print version
```

Example

```shell
# convert to bodyfile only
evtx2bodyfile Security.evtx >Security.bodyfile

# create a complete timeline
evtx2bodyfile *.evtx | mactime2 -d -b >evtx_timeline.csv
```

evtxanalyze

Analyze evtx files

Usage

```
Usage: evtxanalyze [OPTIONS]

Commands:
  pstree    generate a process tree
  sessions  display sessions
  session   display one single session
  help      Print this message or the help of the given subcommand(s)

Options:
  -v, --verbose...  More output per occurrence
  -q, --quiet...    Less output per occurrence
  -h, --help        Print help
```

evtxscan

Finds time skews in an evtx file

Example

Usage

```
Find time skews in an evtx file

Usage: evtxscan [OPTIONS]

Arguments:
  name of the evtx file to scan

Options:
  -S, --show-records        display also the contents of the records befor and after a time skew
  -N, --negative-tolerance  negative tolerance limit (in seconds): time skews to the past below this limit will be ignored [default: 5]
  -h, --help                Print help
  -V, --version             Print version
```
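The check that evtxscan's options describe, written out as an added example (this is not evtxscan's code): records are walked in storage order and every backward jump in TimeCreated larger than the negative tolerance (default 5 seconds) is reported, with the surrounding records available in the style of `-S`. The record list is constructed.

```python
from datetime import datetime, timedelta, timezone


def _t(h, m, s):
    return datetime(2023, 11, 14, h, m, s, tzinfo=timezone.utc)


# Constructed sample: (EventRecordID, TimeCreated) in the order the records are stored.
SAMPLE_RECORDS = [
    (100, _t(22, 13, 20)),
    (101, _t(22, 13, 25)),
    (102, _t(22, 13, 22)),   # 3 s back: below the default tolerance, ignored
    (103, _t(22, 13, 30)),
    (104, _t(21, 58, 30)),   # 15 min back: a time skew worth looking at
    (105, _t(21, 58, 31)),
]


def find_time_skews(records, negative_tolerance=5):
    """Report every position where TimeCreated moves backwards by more than
    negative_tolerance seconds between consecutive records.
    Each hit is (index_of_later_record, seconds_back)."""
    limit = timedelta(seconds=negative_tolerance)
    hits = []
    for i in range(1, len(records)):
        back = records[i - 1][1] - records[i][1]
        if back > limit:
            hits.append((i, back.total_seconds()))
    return hits


def skew_report(records, negative_tolerance=5, show_records=False, context=1):
    """Format the hits as report lines; with show_records the records around
    each skew are listed as well (the idea behind evtxscan's -S)."""
    lines = []
    for i, back in find_time_skews(records, negative_tolerance):
        prev_id, prev_ts = records[i - 1]
        cur_id, cur_ts = records[i]
        lines.append(f"skew of {back:.0f}s backwards between record {prev_id} "
                     f"({prev_ts.isoformat()}) and record {cur_id} ({cur_ts.isoformat()})")
        if show_records:
            for rid, ts in records[max(0, i - 1 - context):i + 1 + context]:
                lines.append(f"    {rid}  {ts.isoformat()}")
    return lines


if __name__ == "__main__":
    print("\n".join(skew_report(SAMPLE_RECORDS, show_records=True)))
```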

evtxcat

Display one or more events from an evtx file

Example

Usage

```
Usage: evtxcat [OPTIONS]

Arguments:
  Name of the evtx file to read from

Options:
      --min            filter: minimal event record identifier
      --max            filter: maximal event record identifier
  -i, --id             show only the one event with this record identifier
  -T, --display-table  don't display the records in a table format
  -F, --format         [default: xml] [possible values: json, xml]
  -h, --help           Print help
  -V, --version        Print version
```

evtxls

Display one or more events from an evtx file

Usage

```
Usage: evtxls [OPTIONS] [EVTX_FILES]...

Arguments:
  [EVTX_FILES]...  Name of the evtx files to read from

Options:
  -d, --delimiter
          use this delimiter instead of generating fixed space columns

  -i, --include
          List events with only the specified event ids, separated by ','

  -x, --exclude
          Exclude events with the specified event ids, separated by ','

  -c, --colors
          highlight interesting content using colors

  -f, --from
          hide events older than the specified date (hint: use RFC 3339 syntax)

  -t, --to
          hide events newer than the specified date (hint: use RFC 3339 syntax)

  -r, --regex
          highlight event data based on this regular expression

  -s, --sort
          sort order

          [default: storage]

          Possible values:
          - storage:   don't change order, output records as they are stored
          - record-id: sort by event record id
          - time:      sort by date and time

  -b, --base-fields
          display fields common to all events. multiple values must be separated by ','

          [default: event-id event-record-id]

          Possible values:
          - event-id:            The identifier that the provider used to identify the event
          - event-record-id:     The record number assigned to the event when it was logged
          - activity-id:         A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity
          - related-activity-id: A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their ActivityID identifier
          - process-id:          The ID of the process that created the event

  -B, --hide-base-fields
          don't display any common event fields at all. This corresponds to specifying '--base-fields' without any values (which is not allowed, that's why there is this flag)

  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version
```

es4forensics

Usage

```
Usage: es4forensics [OPTIONS] --index --password

Commands:
  create-index
  import
  help          Print this message or the help of the given subcommand(s)

Options:
  -v, --verbose...  More output per occurrence
  -q, --quiet...    Less output per occurrence
      --strict      strict mode: do not only warn, but abort if an error occurs
  -I, --index       name of the elasticsearch index
  -H, --host        server name or IP address of elasticsearch server [default: localhost]
  -P, --port        API port number of elasticsearch server [default: 9200]
      --proto       protocol to be used to connect to elasticsearch [default: https] [possible values: http, https]
  -k, --insecure    omit certificate validation
  -U, --username    username for elasticsearch server [default: elastic]
  -W, --password    password for authenticating at elasticsearch
  -h, --help        Print help
  -V, --version     Print version
```

hivescan

scans a registry hive file for deleted entries

Usage

```
Usage: hivescan [OPTIONS]

Arguments:
  name of the file to scan

Options:
  -L, --log         transaction LOG file(s). This argument can be specified one or two times
  -v, --verbose...  More output per occurrence
  -q, --quiet...    Less output per occurrence
  -b                output as bodyfile format
  -h, --help        Print help
  -V, --version     Print version
```

mactime2

Replacement for mactime

Changes to original mactime

Usage

```
Usage: mactime2 [OPTIONS]

Options:
  -v, --verbose...     More output per occurrence
  -q, --quiet...       Less output per occurrence
  -b                   path to input file or '-' for stdin (files ending with .gz will be treated as being gzipped) [default: -]
  -f, --from-timezone  name of offset of source timezone (or 'list' to display all possible values
  -t, --to-timezone    name of offset of destination timezone (or 'list' to display all possible values
      --strict         strict mode: do not only warn, but abort if an error occurs
  -F, --format         output format, if not specified, default value is 'txt' [possible values: csv, txt, json, elastic]
  -d                   output as CSV instead of TXT. This is a conveniance option, which is identical to --format=csv and will be removed in a future release. If you specified --format and -d, the latter will be ignored
  -j                   output as JSON instead of TXT. This is a conveniance option, which is identical to --format=json and will be removed in a future release. If you specified --format and -j, the latter will be ignored
  -h, --help           Print help information
  -V, --version        Print version information
```
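What the `evtx2bodyfile ... | mactime2 -d -b` pipeline in the evtx2bodyfile example and mactime2's `--to-timezone` option do with a bodyfile, as an added Python sketch (not mactime2's code): each TSK bodyfile line is expanded into one timeline row per distinct timestamp, collapsed into an m/a/c/b Type column as mactime does, sorted, and rendered as `mactime -d` style CSV in a chosen timezone. The bodyfile lines are constructed, and a fixed UTC offset stands in for a timezone name.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample bodyfile (TSK 3.x layout, epoch seconds in UTC):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODYFILE = """\
0|C:/Windows/Temp/x.exe|1234|r/rrwxrwxrwx|0|0|4096|1700000600|1700000000|1700000000|1700000000
0|Security.evtx: EventID 4624 (constructed)|4711|0|0|0|0|1700000300|1700000300|1700000300|1700000300
"""


def expand_bodyfile(text):
    """Expand every bodyfile line into (epoch, size, MACB, mode, uid, gid, inode, name)
    tuples, one per distinct timestamp, sorted by time then name. Timestamps that
    share a value collapse into one row whose Type column marks which of m/a/c/b
    they are (e.g. 'm.cb'), as mactime does. A timestamp of 0 means 'unset'."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"expected 11 '|'-separated fields: {line!r}")
        _md5, name, inode, mode, uid, gid, size = fields[:7]
        atime, mtime, ctime, crtime = (int(x) for x in fields[7:])
        by_time = defaultdict(set)
        for flag, ts in (("m", mtime), ("a", atime), ("c", ctime), ("b", crtime)):
            if ts > 0:
                by_time[ts].add(flag)
        for ts, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            rows.append((ts, size, macb, mode, uid, gid, inode, name))
    rows.sort(key=lambda r: (r[0], r[7]))
    return rows


def to_csv(rows, to_tz=timezone.utc):
    """Render rows as mactime -d style CSV lines, converting epochs into to_tz
    (the job of mactime2's --to-timezone; a tzinfo object is used here)."""
    out = ["Date,Size,Type,Mode,UID,GID,Meta,File Name"]
    for ts, size, macb, mode, uid, gid, inode, name in rows:
        when = datetime.fromtimestamp(ts, timezone.utc).astimezone(to_tz)
        out.append(",".join([when.strftime("%Y-%m-%d %H:%M:%S %Z"),
                             size, macb, mode, uid, gid, inode, name]))
    return out


if __name__ == "__main__":
    rows = expand_bodyfile(SAMPLE_BODYFILE)
    print("\n".join(to_csv(rows, timezone(timedelta(hours=1)))))
```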

mft2bodyfile

yet to come

pol_export

Exporter for Windows Registry Policy Files

Usage

```bash
USAGE:
    pol_export

ARGS:
    Name of the file to read

OPTIONS:
    -h, --help       Print help information
    -V, --version    Print version information
```

More information

regdump

Usage

```
Usage: regdump [OPTIONS]

Arguments:
  name of the file to dump

Options:
  -L, --log                transaction LOG file(s). This argument can be specified one or two times
  -b, --bodyfile           print as bodyfile format
  -I, --ignore-base-block  ignore the base block (e.g. if it was encrypted by some ransomware)
  -T, --hide-timestamps    hide timestamps, if output is in reg format
  -v, --verbose...         More output per occurrence
  -q, --quiet...           Less output per occurrence
  -h, --help               Print help
  -V, --version            Print version
```