cleanhive](#cleanhive)evtx2bodyfile](#evtx2bodyfile)evtxanalyze](#evtxanalyze)evtxscan](#evtxscan)evtxcat](#evtxcat)evtxls](#evtxls)es4forensics](#es4forensics)hivescan](#hivescan)ipgrep](#ipgrep)lnk2bodyfile](https://github.com/janstarke/lnk2bodyfile)mactime2](#mactime2)mft2bodyfile](https://github.com/janstarke/mft2bodyfile)ntdsextract2](https://github.com/janstarke/ntdsextract2)pol_export](#pol_export)procbins](https://github.com/janstarke/procbins)regdump](#regdump)regls](https://github.com/janstarke/regls)regview](https://github.com/janstarke/regview)ts2date](https://github.com/janstarke/ts2date)usnjrnl_dump](https://github.com/janstarke/usnjrnl)
bash
cargo install dfir-toolkit
To generate autocompletion scripts for your shell, invoke the tool with the --autocomplete option, e.g.
bash
mactime2 --autocomplete bash | sudo tee /etc/bash_completion.d/mactime2
would install a autocompletion script in /etc/bash_completion.d/mactime2.
cleanhiveThis document contains the help content for the cleanhive command-line program.
Command Overview:
cleanhivemerges logfiles into a hive file
Usage: cleanhive [OPTIONS] <HIVE_FILE>
<HIVE_FILE> — name of the file to dump-L, --log <LOGFILES> — transaction LOG file(s). This argument can be specified one or two times-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence-O, --output <DST_HIVE> — name of the file to which the cleaned hive will be written
Default value: -
This document was generated automatically by
clap-markdown.
es4forensicsThis document contains the help content for the es4forensics command-line program.
Command Overview:
es4forensicsCLI tools for digital forensics and incident response
Usage: es4forensics [OPTIONS] --index <INDEX_NAME> --password <PASSWORD> <COMMAND>
create-index — import — --strict — strict mode: do not only warn, but abort if an error occurs-I, --index <INDEX_NAME> — name of the elasticsearch index-H, --host <HOST> — server name or IP address of elasticsearch server
Default value: localhost
-P, --port <PORT> — API port number of elasticsearch server
Default value: 9200
--proto <PROTOCOL> — protocol to be used to connect to elasticsearch
Default value: https
Possible values: http, https
-k, --insecure — omit certificate validation
Default value: false
-U, --username <USERNAME> — username for elasticsearch server
Default value: elastic
-W, --password <PASSWORD> — password for authenticating at elasticsearch-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrencees4forensics create-indexUsage: es4forensics create-index
es4forensics importUsage: es4forensics import [OPTIONS] [INPUT_FILE]
<INPUT_FILE> — path to input file or '-' for stdin (files ending with .gz will be treated as being gzipped)
Default value: -
--bulk-size <BULK_SIZE> — number of timeline entries to combine in one bulk operation
Default value: 1000
This document was generated automatically by
clap-markdown.
evtx2bodyfileThis document contains the help content for the evtx2bodyfile command-line program.
Command Overview:
evtx2bodyfileCLI tools for digital forensics and incident response
Usage: evtx2bodyfile [OPTIONS] [EVTX_FILES]...
<EVTX_FILES> — names of the evtx files-J, --json — output json for elasticsearch instead of bodyfile-S, --strict — fail upon read error-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence
This document was generated automatically by
clap-markdown.
evtxanalyzeThis document contains the help content for the evtxanalyze command-line program.
Command Overview:
evtxanalyzeCLI tools for digital forensics and incident response
Usage: evtxanalyze [OPTIONS] <COMMAND>
pstree — generate a process treesessions — display sessionssession — display one single session-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrenceevtxanalyze pstreegenerate a process tree
Usage: evtxanalyze pstree [OPTIONS] <EVTX_FILE>
<EVTX_FILE> — Name of the evtx file to parse-U, --username <USERNAME> — display only processes of this user (case insensitive regex search)-F, --format <FORMAT> — output format
Default value: csv
Possible values: json, markdown, csv, latex, dot
evtxanalyze sessionsdisplay sessions
Usage: evtxanalyze sessions [OPTIONS] <EVTX_FILES_DIR>
<EVTX_FILES_DIR> — Names of the evtx files to parse--include-anonymous — include anonymous sessionsevtxanalyze sessiondisplay one single session
Usage: evtxanalyze session <EVTX_FILES_DIR> <SESSION_ID>
<EVTX_FILES_DIR> — Names of the evtx files to parse<SESSION_ID> — Session ID
This document was generated automatically by
clap-markdown.
evtxcatThis document contains the help content for the evtxcat command-line program.
Command Overview:
evtxcatCLI tools for digital forensics and incident response
Usage: evtxcat [OPTIONS] <EVTX_FILE>
<EVTX_FILE> — Name of the evtx file to read from--min <MIN> — filter: minimal event record identifier--max <MAX> — filter: maximal event record identifier-i, --id <ID> — show only the one event with this record identifier-T, --display-table — don't display the records in a table format-F, --format <FORMAT> — output format
Default value: xml
Possible values: json, xml
-v, --verbose — More output per occurrence
-q, --quiet — Less output per occurrence
This document was generated automatically by
clap-markdown.
evtxlsThis document contains the help content for the evtxls command-line program.
Command Overview:
evtxlsCLI tools for digital forensics and incident response
Usage: evtxls [OPTIONS] [EVTX_FILES]...
<EVTX_FILES> — Name of the evtx files to read from-d, --delimiter <DELIMITER> — use this delimiter instead of generating fixed space columns-i, --include <INCLUDED_EVENT_IDS> — List events with only the specified event ids, separated by ','-x, --exclude <EXCLUDED_EVENT_IDS> — Exclude events with the specified event ids, separated by ','-c, --colors — highlight interesting content using colors-f, --from <NOT_BEFORE> — hide events older than the specified date (hint: use RFC 3339 syntax)-t, --to <NOT_AFTER> — hide events newer than the specified date (hint: use RFC 3339 syntax)-r, --regex <HIGHLIGHT> — highlight event data based on this regular expression-s, --sort <SORT_ORDER> — sort order
Default value: storage
Possible values:
storage:
don't change order, output records as they are storedrecord-id:
sort by event record idtime:
sort by date and time-b, --base-fields <DISPLAY_SYSTEM_FIELDS> — display fields common to all events. multiple values must be separated by ','
Default values: event-id, event-record-id
Possible values:
event-id:
The identifier that the provider used to identify the eventevent-record-id:
The record number assigned to the event when it was loggedactivity-id:
A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activityrelated-activity-id:
A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their ActivityID identifierprocess-id:
The ID of the process that created the event-B, --hide-base-fields — don't display any common event fields at all. This corresponds to specifying '--base-fields' without any values (which is not allowed, that's why there is this flag)
Default value: false
-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence
This document was generated automatically by
clap-markdown.
evtxscanThis document contains the help content for the evtxscan command-line program.
Command Overview:
evtxscanCLI tools for digital forensics and incident response
Usage: evtxscan [OPTIONS] <EVTX_FILE>
<EVTX_FILE> — name of the evtx file to scan-S, --show-records — display also the contents of the records befor and after a time skew-N, --negative-tolerance <NEGATIVE_TOLERANCE> — negative tolerance limit (in seconds): time skews to the past below this limit will be ignored
Default value: 5
-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence
This document was generated automatically by
clap-markdown.
hivescanThis document contains the help content for the hivescan command-line program.
Command Overview:
hivescanscans a registry hive file for deleted entries
Usage: hivescan [OPTIONS] <HIVE_FILE>
<HIVE_FILE> — name of the file to scan-L, --log <LOGFILES> — transaction LOG file(s). This argument can be specified one or two times-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence-b — output as bodyfile format
This document was generated automatically by
clap-markdown.
ipgrepThis document contains the help content for the ipgrep command-line program.
Command Overview:
ipgrepCLI tools for digital forensics and incident response
Usage: ipgrep [OPTIONS] [FILE]...
<FILE>-i, --include <INCLUDE> — display only lines who match ALL of the specified criteria. Values are delimited with comma
Possible values: ipv4, ipv6, public, private, loopback
-x, --exclude <EXCLUDE> — hide lines who match ANY of the specified criteria. Values are delimited with comma
Possible values: ipv4, ipv6, public, private, loopback
-I, --ignore-ips <IGNORE_IPS> — ignore any of the specified IP addresses. Values are delimited with comma
-c, --colors — highlight interesting content using colors-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence
This document was generated automatically by
clap-markdown.
mactime2This document contains the help content for the mactime2 command-line program.
Command Overview:
mactime2CLI tools for digital forensics and incident response
Usage: mactime2 [OPTIONS]
-b <INPUT_FILE> — path to input file or '-' for stdin (files ending with .gz will be treated as being gzipped)
Default value: -
-F, --format <OUTPUT_FORMAT> — output format, if not specified, default value is 'txt'
Possible values: csv, txt, json, elastic
-d — output as CSV instead of TXT. This is a conveniance option, which is identical to --format=csv and will be removed in a future release. If you specified --format and -d, the latter will be ignored
-j — output as JSON instead of TXT. This is a conveniance option, which is identical to --format=json and will be removed in a future release. If you specified --format and -j, the latter will be ignored-f, --from-timezone <SRC_ZONE> — name of offset of source timezone (or 'list' to display all possible values
Default value: UTC
-t, --to-timezone <DST_ZONE> — name of offset of destination timezone (or 'list' to display all possible values
Default value: UTC
--strict — strict mode: do not only warn, but abort if an error occurs-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence
This document was generated automatically by
clap-markdown.
pol_exportThis document contains the help content for the pol_export command-line program.
Command Overview:
pol_exportCLI tools for digital forensics and incident response
Usage: pol_export [OPTIONS] <POLFILE>
<POLFILE> — Name of the file to read-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence
This document was generated automatically by
clap-markdown.
regdumpThis document contains the help content for the regdump command-line program.
Command Overview:
regdumpCLI tools for digital forensics and incident response
Usage: regdump [OPTIONS] <HIVE_FILE>
<HIVE_FILE> — name of the file to dump-L, --log <LOGFILES> — transaction LOG file(s). This argument can be specified one or two times-b, --bodyfile — print as bodyfile format-I, --ignore-base-block — ignore the base block (e.g. if it was encrypted by some ransomware)-T, --hide-timestamps — hide timestamps, if output is in reg format-v, --verbose — More output per occurrence-q, --quiet — Less output per occurrence
This document was generated automatically by
clap-markdown.