cleanhive](#cleanhive)evtx2bodyfile](#evtx2bodyfile)evtxanalyze](#evtxanalyze)evtxscan](#evtxscan)evtxcat](#evtxcat)evtxls](#evtxls)es4forensics](#es4forensics)hivescan](#hivescan)ipgrep](#ipgrep)lnk2bodyfile](https://github.com/janstarke/lnk2bodyfile)mactime2](#mactime2)mft2bodyfile](https://github.com/janstarke/mft2bodyfile)ntdsextract2](https://github.com/janstarke/ntdsextract2)pol_export](#pol_export)procbins](https://github.com/janstarke/procbins)regdump](#regdump)regls](https://github.com/janstarke/regls)regview](https://github.com/janstarke/regview)ts2date](https://github.com/janstarke/ts2date)usnjrnl_dump](https://github.com/janstarke/usnjrnl)
bash
cargo install dfir-toolkit
cleanhiveThis document contains the help content for the cleanhive command-line program.
Command Overview:
cleanhivemerges logfiles into a hive file
Usage: cleanhive [OPTIONS] --output <DST_HIVE> <HIVE_FILE>
<HIVE_FILE> — name of the file to dump-L, --log <LOGFILES> — transaction LOG file(s). This argument can be specified one or two times-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence-O, --output <DST_HIVE> — name of the file to which the cleaned hive will be written--markdown-help — print help in markdown format
This document was generated automatically by
clap-markdown.
dfir-toolkitThis document contains the help content for the dfir-toolkit command-line program.
Command Overview:
dfir-toolkitCLI tools for digital forensics and incident response
Usage: dfir-toolkit [OPTIONS] --index <INDEX_NAME> --password <PASSWORD> <COMMAND>
create-index — import — --strict — strict mode: do not only warn, but abort if an error occurs-I, --index <INDEX_NAME> — name of the elasticsearch index-H, --host <HOST> — server name or IP address of elasticsearch server
Default value: localhost
-P, --port <PORT> — API port number of elasticsearch server
Default value: 9200
--proto <PROTOCOL> — protocol to be used to connect to elasticsearch
Default value: https
Possible values: http, https
-k, --insecure — omit certificate validation
Default value: false
-U, --username <USERNAME> — username for elasticsearch server
Default value: elastic
-W, --password <PASSWORD> — password for authenticating at elasticsearch-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence--markdown-help — print help in markdown formatdfir-toolkit create-indexUsage: dfir-toolkit create-index
dfir-toolkit importUsage: dfir-toolkit import [OPTIONS] [INPUT_FILE]
<INPUT_FILE> — path to input file or '-' for stdin (files ending with .gz will be treated as being gzipped)
Default value: -
--bulk-size <BULK_SIZE> — number of timeline entries to combine in one bulk operation
Default value: 1000
This document was generated automatically by
clap-markdown.
dfir-toolkitThis document contains the help content for the dfir-toolkit command-line program.
Command Overview:
dfir-toolkitCLI tools for digital forensics and incident response
Usage: dfir-toolkit [OPTIONS] [EVTX_FILES]...
<EVTX_FILES> — names of the evtx files-J, --json — output json for elasticsearch instead of bodyfile-S, --strict — fail upon read error-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence--markdown-help — print help in markdown format
This document was generated automatically by
clap-markdown.
dfir-toolkitThis document contains the help content for the dfir-toolkit command-line program.
Command Overview:
dfir-toolkitUsage: dfir-toolkit [OPTIONS] <COMMAND>
pstree — generate a process treesessions — display sessionssession — display one single session-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence--markdown-help — print help in markdown formatdfir-toolkit pstreegenerate a process tree
Usage: dfir-toolkit pstree [OPTIONS] <EVTX_FILE>
<EVTX_FILE> — Name of the evtx file to parse-U, --username <USERNAME> — display only processes of this user (case insensitive regex search)-F, --format <FORMAT> — output format
Default value: csv
Possible values: json, markdown, csv, latex, dot
dfir-toolkit sessionsdisplay sessions
Usage: dfir-toolkit sessions [OPTIONS] <EVTX_FILES_DIR>
<EVTX_FILES_DIR> — Names of the evtx files to parse--include-anonymous — include anonymous sessionsdfir-toolkit sessiondisplay one single session
Usage: dfir-toolkit session <EVTX_FILES_DIR> <SESSION_ID>
<EVTX_FILES_DIR> — Names of the evtx files to parse<SESSION_ID> — Session ID
This document was generated automatically by
clap-markdown.
evtxcatThis document contains the help content for the evtxcat command-line program.
Command Overview:
evtxcatDisplay one or more events from an evtx file
Usage: evtxcat [OPTIONS] <EVTX_FILE>
<EVTX_FILE> — Name of the evtx file to read from--min <MIN> — filter: minimal event record identifier--max <MAX> — filter: maximal event record identifier-i, --id <ID> — show only the one event with this record identifier-T, --display-table — don't display the records in a table format-F, --format <FORMAT>
Default value: xml
Possible values: json, xml
--markdown-help — print help in markdown format
This document was generated automatically by
clap-markdown.
dfir-toolkitThis document contains the help content for the dfir-toolkit command-line program.
Command Overview:
dfir-toolkitCLI tools for digital forensics and incident response
Usage: dfir-toolkit [OPTIONS] [EVTX_FILES]...
<EVTX_FILES> — Name of the evtx files to read from-d, --delimiter <DELIMITER> — use this delimiter instead of generating fixed space columns-i, --include <INCLUDED_EVENT_IDS> — List events with only the specified event ids, separated by ','-x, --exclude <EXCLUDED_EVENT_IDS> — Exclude events with the specified event ids, separated by ','-c, --colors — highlight interesting content using colors-f, --from <NOT_BEFORE> — hide events older than the specified date (hint: use RFC 3339 syntax)-t, --to <NOT_AFTER> — hide events newer than the specified date (hint: use RFC 3339 syntax)-r, --regex <HIGHLIGHT> — highlight event data based on this regular expression-s, --sort <SORT_ORDER> — sort order
Default value: storage
Possible values:
storage:
don't change order, output records as they are storedrecord-id:
sort by event record idtime:
sort by date and time-b, --base-fields <DISPLAY_SYSTEM_FIELDS> — display fields common to all events. multiple values must be separated by ','
Default values: event-id, event-record-id
Possible values:
event-id:
The identifier that the provider used to identify the eventevent-record-id:
The record number assigned to the event when it was loggedactivity-id:
A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activityrelated-activity-id:
A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their ActivityID identifierprocess-id:
The ID of the process that created the event-B, --hide-base-fields — don't display any common event fields at all. This corresponds to specifying '--base-fields' without any values (which is not allowed, that's why there is this flag)
Default value: false
--markdown-help — print help in markdown format
This document was generated automatically by
clap-markdown.
evtxscanThis document contains the help content for the evtxscan command-line program.
Command Overview:
evtxscanFind time skews in an evtx file
Usage: evtxscan [OPTIONS] <EVTX_FILE>
<EVTX_FILE> — name of the evtx file to scan-S, --show-records — display also the contents of the records befor and after a time skew-N, --negative-tolerance <NEGATIVE_TOLERANCE> — negative tolerance limit (in seconds): time skews to the past below this limit will be ignored
Default value: 5
--markdown-help — print help in markdown format
This document was generated automatically by
clap-markdown.
dfir-toolkitThis document contains the help content for the dfir-toolkit command-line program.
Command Overview:
dfir-toolkitscans a registry hive file for deleted entries
Usage: dfir-toolkit [OPTIONS] <HIVE_FILE>
<HIVE_FILE> — name of the file to scan-L, --log <LOGFILES> — transaction LOG file(s). This argument can be specified one or two times-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence-b — output as bodyfile format--markdown-help — print help in markdown format
This document was generated automatically by
clap-markdown.
dfir-toolkitThis document contains the help content for the dfir-toolkit command-line program.
Command Overview:
dfir-toolkitCLI tools for digital forensics and incident response
Usage: dfir-toolkit [OPTIONS] [FILE]...
<FILE>-i, --include <INCLUDE> — display only lines who match ALL of the specified criteria. Values are delimited with comma
Possible values: ipv4, ipv6, public, private, loopback
-x, --exclude <EXCLUDE> — hide lines who match ANY of the specified criteria. Values are delimited with comma
Possible values: ipv4, ipv6, public, private, loopback
-I, --ignore-ips <IGNORE_IPS> — ignore any of the specified IP addresses. Values are delimited with comma
-c, --colors — highlight interesting content using colors-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence--markdown-help — print help in markdown format
This document was generated automatically by
clap-markdown.
dfir-toolkitThis document contains the help content for the dfir-toolkit command-line program.
Command Overview:
dfir-toolkitCLI tools for digital forensics and incident response
Usage: dfir-toolkit [OPTIONS]
-b <INPUT_FILE> — path to input file or '-' for stdin (files ending with .gz will be treated as being gzipped)
Default value: -
-F, --format <OUTPUT_FORMAT> — output format, if not specified, default value is 'txt'
Possible values: csv, txt, json, elastic
-d — output as CSV instead of TXT. This is a conveniance option, which is identical to --format=csv and will be removed in a future release. If you specified --format and -d, the latter will be ignored
-j — output as JSON instead of TXT. This is a conveniance option, which is identical to --format=json and will be removed in a future release. If you specified --format and -j, the latter will be ignored-f, --from-timezone <SRC_ZONE> — name of offset of source timezone (or 'list' to display all possible values-t, --to-timezone <DST_ZONE> — name of offset of destination timezone (or 'list' to display all possible values--strict — strict mode: do not only warn, but abort if an error occurs-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence--markdown-help — print help in markdown format
This document was generated automatically by
clap-markdown.
dfir-toolkitThis document contains the help content for the dfir-toolkit command-line program.
Command Overview:
dfir-toolkitCLI tools for digital forensics and incident response
Usage: dfir-toolkit [OPTIONS] <POLFILE>
<POLFILE> — Name of the file to read-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence--markdown-help — print help in markdown format
This document was generated automatically by
clap-markdown.
regdumpThis document contains the help content for the regdump command-line program.
Command Overview:
regdumpCLI tools for digital forensics and incident response
Usage: regdump [OPTIONS] <HIVE_FILE>
<HIVE_FILE> — name of the file to dump-L, --log <LOGFILES> — transaction LOG file(s). This argument can be specified one or two times-b, --bodyfile — print as bodyfile format-I, --ignore-base-block — ignore the base block (e.g. if it was encrypted by some ransomware)-T, --hide-timestamps — hide timestamps, if output is in reg format-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence--markdown-help — print help in markdown format
This document was generated automatically by
clap-markdown.