A Rust-based framework to build tools that analyze forensic artifacts and can be reused as libraries across multiple projects without changing anything.
Note: still in Alpha version
The idea behind the framework is to allow the reuse of forensic artifact analysis tools. For this reason, the framework allows decoupling the code of the analysis tools from the reading of the artifacts. Thus, a tool that analyzes UAL artifacts can be used regardless of whether the artifact is inside a ZIP as a result of triage or directly on the file system.
In this way, the same tools can be used if we want to make a triage processor like Plaso, a module within an EDR or even a tool with a graphical interface like Eric Zimmerman's Registry Explorer with the advantage of the reliability of the Rust code and its easy integration into Python scripts.
So in this framework we will have libraries that allows us to access the Windows registry. One in a live environment using the Windows API, and another one that parses a registry hive. So we will also have libraries that extracts data from the registry, theses libraries need to be decoupled from the registry access implementation.
Here is where this framework comes to help with the traits:
rust
pub trait RegistryReader {
fn open_key(&mut self, hkey : RegHiveKey, key_name : &str) -> ForensicResult<RegHiveKey>;
fn read_value(&self, hkey : RegHiveKey, value_name : &str) -> ForensicResult<RegValue>;
fn enumerate_values(&self, hkey : RegHiveKey) -> ForensicResult<Vec<String>>;
fn enumerate_keys(&self, hkey : RegHiveKey) -> ForensicResult<Vec<String>>;
fn key_at(&self, hkey : RegHiveKey, pos : u32) -> ForensicResult<String>;
fn value_at(&self, hkey : RegHiveKey, pos : u32) -> ForensicResult<String>;
}
So now we can write our analysis library without knowing if we are accessing a live system or a hive file. * LiveRegistry Library: implements the RegistryReader trait. * HiveParser Library: implements the RegistryReader trait. * ShellBags analyzer: accepts a RegistryReader as a parameter to access the registry.
And ShellBags analyzer can be used in a EDR-like agent or as a analysis tool in a forensic case.
Extracted from the SQL trait tests using sqlite db. ```rust let conn = preparedb(); let wconn = preparewrapper(conn); let mut statement = wconn.prepare("SELECT name, age FROM users;").unwrap(); testdatabasecontent(statement.as_mut()).expect("Should not return error");
fn testdatabasecontent<'a>(statement : &mut dyn SqlStatement) -> ForensicResult<()> { assert!(statement.next()?); let name : String = statement.read(0)?.tryinto()?; let age : usize = statement.read(1)?.tryinto()?; asserteq!("Alice", name); asserteq!(42, age); assert!(statement.next()?); let name : String = statement.read(0)?.tryinto()?; let age : usize = statement.read(1)?.tryinto()?; asserteq!("Bob", name); asserteq!(69, age); assert!(!statement.next()?); Ok(()) } ```
Extracted from StdVirtualFS tests using sqlite db.
```rust const CONTENT: &'static str = "FileContentOfVFS"; let tmp = std::env::tempdir(); let tmpfile = tmp.join("testvfsfile.txt"); let mut file = std::fs::File::create(&tmpfile).unwrap(); file.writeall(CONTENT.asbytes()).unwrap(); drop(file);
let stdvfs = StdVirtualFS::new(); testfilecontent(&stdvfs,&tmp_file);
fn testfilecontent(stdvfs : &impl VirtualFileSystem, tmpfile : &PathBuf) { let content = stdvfs.readtostring(tmpfile).unwrap(); assert_eq!(CONTENT, content);
} ```