CLI tools for forensic investigation of Windows artifacts
Overview of timelining tools
Install
cargo install dfir-toolkit
Tool
cleanhive
merges logfiles into a hive file
evtx2bodyfile
Usage: evtx2bodyfile [OPTIONS] [EVTX_FILES]...

Arguments:
  [EVTX_FILES]...  names of the evtx files

Options:
  -J, --json        output json for elasticsearch instead of bodyfile
  -S, --strict      fail upon read error
  -v, --verbose...  More output per occurrence
  -q, --quiet...    Less output per occurrence
  -h, --help        Print help
  -V, --version     Print version
Example

# convert to bodyfile only
evtx2bodyfile Security.evtx >Security.bodyfile
Commands:
  pstree    generate a process tree
  sessions  display sessions
  session   display one single session
  help      Print this message or the help of the given subcommand(s)

Options:
  -v, --verbose...  More output per occurrence
  -q, --quiet...    Less output per occurrence
  -h, --help        Print help
evtxscan
Finds time skews in an evtx file
Usage: evtxscan [OPTIONS] <EVTX_FILE>

Arguments:
  <EVTX_FILE>  name of the evtx file to scan

Options:
  -S, --show-records
          display also the contents of the records before and after a time skew
  -N, --negative-tolerance <NEGATIVE_TOLERANCE>
          negative tolerance limit (in seconds): time skews to the past below this limit will be ignored [default: 5]
  -h, --help
          Print help
  -V, --version
          Print version
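The skew detection evtxscan describes above, written out as an added example (not the project's own code): records are walked in storage order, every step backwards in time is compared against the negative tolerance, and small backward steps below it are ignored, while the records around a reported skew can be listed the way -S does. The EvtxRecord struct, the sample records and their timestamps are constructed for this example and are not taken from the toolkit.

```rust
/// One event record as stored in an evtx chunk (constructed, minimal subset of fields).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct EvtxRecord {
    pub record_id: u64,
    pub event_id: u16,
    pub timestamp: i64, // TimeCreated as Unix epoch seconds
}

/// A jump into the past between two consecutive records.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TimeSkew {
    pub before: EvtxRecord,
    pub after: EvtxRecord,
    pub delta_secs: i64, // after.timestamp - before.timestamp, negative for a jump into the past
}

/// Constructed sample in storage order: a 2 s wobble (normal, ignored at the default
/// tolerance of 5 s) followed by a 10058 s jump into the past that should be reported.
pub fn sample_records() -> Vec<EvtxRecord> {
    vec![
        EvtxRecord { record_id: 1, event_id: 4624, timestamp: 1_700_000_000 },
        EvtxRecord { record_id: 2, event_id: 4688, timestamp: 1_700_000_060 },
        EvtxRecord { record_id: 3, event_id: 4688, timestamp: 1_700_000_058 },
        EvtxRecord { record_id: 4, event_id: 4624, timestamp: 1_699_990_000 },
        EvtxRecord { record_id: 5, event_id: 4634, timestamp: 1_699_990_030 },
    ]
}

/// Walk the records in storage order and report every step backwards in time whose size
/// reaches `negative_tolerance` seconds; smaller backward steps are ignored (the -N option).
pub fn find_time_skews(records: &[EvtxRecord], negative_tolerance: i64) -> Vec<TimeSkew> {
    records
        .windows(2)
        .filter_map(|w| {
            let delta = w[1].timestamp - w[0].timestamp;
            if delta < 0 && -delta >= negative_tolerance {
                Some(TimeSkew { before: w[0].clone(), after: w[1].clone(), delta_secs: delta })
            } else {
                None
            }
        })
        .collect()
}

/// The `n` records up to and including the one before the skew, and the `n` records
/// starting with the one after it: the context that -S prints for a skew.
pub fn skew_context(records: &[EvtxRecord], skew: &TimeSkew, n: usize) -> Vec<EvtxRecord> {
    match records.iter().position(|r| r.record_id == skew.before.record_id) {
        Some(i) => {
            let start = (i + 1).saturating_sub(n);
            let end = (i + 1 + n).min(records.len());
            records[start..end].to_vec()
        }
        None => Vec::new(),
    }
}

fn main() {
    let records = sample_records();
    for skew in find_time_skews(&records, 5) {
        println!(
            "time skew of {} s between record {} and record {}",
            skew.delta_secs, skew.before.record_id, skew.after.record_id
        );
        for r in skew_context(&records, &skew, 2) {
            println!("  record {} event {} at {}", r.record_id, r.event_id, r.timestamp);
        }
    }
}
```

A backward jump this large between adjacent records usually means the system clock was set back, the log was tampered with, or records were merged from different sources; the tolerance keeps the usual second-scale jitter between concurrent writers out of the report.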
evtxcat
Display one or more events from an evtx file
Usage: evtxcat [OPTIONS] <EVTX_FILE>

Arguments:
  <EVTX_FILE>  Name of the evtx file to read from

Options:
      --min <MIN>        filter: minimal event record identifier
      --max <MAX>        filter: maximal event record identifier
  -i, --id <ID>          show only the one event with this record identifier
  -T, --display-table    don't display the records in a table format
  -F, --format <FORMAT>  [default: xml] [possible values: json, xml]
  -h, --help             Print help
  -V, --version          Print version
evtxls
Display one or more events from an evtx file
Usage: evtxls [OPTIONS] [EVTX_FILES]...

Arguments:
  [EVTX_FILES]...  Name of the evtx files to read from

Options:
  -d, --delimiter <DELIMITER>
          use this delimiter instead of generating fixed space columns
  -i, --include <INCLUDED_EVENT_IDS>
          List events with only the specified event ids, separated by ','
  -x, --exclude <EXCLUDED_EVENT_IDS>
          Exclude events with the specified event ids, separated by ','
  -c, --colors
          highlight interesting content using colors
  -f, --from <NOT_BEFORE>
          hide events older than the specified date (hint: use RFC 3339 syntax)
  -t, --to <NOT_AFTER>
          hide events newer than the specified date (hint: use RFC 3339 syntax)
  -r, --regex <HIGHLIGHT>
          highlight event data based on this regular expression
  -s, --sort <SORT_ORDER>
          sort order

          [default: storage]

          Possible values:
          - storage:   don't change order, output records as they are stored
          - record-id: sort by event record id
          - time:      sort by date and time
  -b, --base-fields <DISPLAY_SYSTEM_FIELDS>
          display fields common to all events. multiple values must be separated by ','

          [default: event-id event-record-id]

          Possible values:
          - event-id:            The identifier that the provider used to identify the event
          - event-record-id:     The record number assigned to the event when it was logged
          - activity-id:         A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity
          - related-activity-id: A globally unique identifier that identifies the activity to which control was transferred. The related events would then have this identifier as their ActivityID identifier
          - process-id:          The ID of the process that created the event
  -B, --hide-base-fields
          don't display any common event fields at all. This corresponds to specifying '--base-fields' without any values (which is not allowed, that's why there is this flag)
Commands:
  create-index
  import
  help          Print this message or the help of the given subcommand(s)

Options:
  -v, --verbose...           More output per occurrence
  -q, --quiet...             Less output per occurrence
      --strict               strict mode: do not only warn, but abort if an error occurs
  -I, --index <INDEX_NAME>   name of the elasticsearch index
  -H, --host <HOST>          server name or IP address of elasticsearch server [default: localhost]
  -P, --port <PORT>          API port number of elasticsearch server [default: 9200]
      --proto <PROTOCOL>     protocol to be used to connect to elasticsearch [default: https] [possible values: http, https]
  -k, --insecure             omit certificate validation
  -U, --username <USERNAME>  username for elasticsearch server [default: elastic]
  -W, --password <PASSWORD>  password for authenticating at elasticsearch
  -h, --help                 Print help
  -V, --version              Print version
hivescan
scans a registry hive file for deleted entries
Usage: hivescan [OPTIONS] <HIVE_FILE>

Arguments:
  <HIVE_FILE>  name of the file to scan

Options:
  -L, --log <LOGFILES>  transaction LOG file(s). This argument can be specified one or two times
  -v, --verbose...      More output per occurrence
  -q, --quiet...        Less output per occurrence
  -b                    output as bodyfile format
  -h, --help            Print help
  -V, --version         Print version
mactime2
Replacement for mactime
Changes to original mactime:
- no implicit conversion of timestamp to local date/time
- possibility of explicit timezone correction
- other datetime format (RFC3339) which always includes the timezone offset
- faster
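To make the mactime2 changes listed above concrete, and to show what the bodyfile produced by evtx2bodyfile or hivescan -b looks like when it is turned into a timeline, here is an added example that is not the toolkit's own code. It parses bodyfile lines in the TSK 3.x layout (MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime), expands each record into one row per distinct timestamp with the usual macb flags, sorts by time, and renders each row as RFC 3339 with an explicit offset that the caller supplies, so the epoch value is never silently converted to the host's local time. The two bodyfile lines are constructed sample data, and the date arithmetic is done by hand so the example runs without any crate.

```rust
// Constructed bodyfile input (TSK 3.x layout); timestamps are epoch seconds in UTC.
// MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
pub const SAMPLE_BODYFILE: &str = "\
0|C:/Windows/System32/config/SAM|0|r/rrwxrwxrwx|0|0|65536|1700000000|1700000000|1699999000|1690000000
0|Security.evtx: EventID 4624 Logon|0|0|0|0|0|1700003600|1700003600|1700003600|1700003600
";

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TimelineEntry {
    pub timestamp: i64, // epoch seconds, kept in UTC: no implicit local-time conversion
    pub macb: String,   // which of mtime/atime/ctime/crtime this row stands for
    pub name: String,
}

/// Parse one bodyfile line into (name, [atime, mtime, ctime, crtime]); None if malformed.
fn parse_line(line: &str) -> Option<(String, [i64; 4])> {
    let f: Vec<&str> = line.split('|').collect();
    if f.len() != 11 {
        return None;
    }
    let mut ts = [0i64; 4];
    for (slot, field) in ts.iter_mut().zip(&f[7..11]) {
        *slot = field.trim().parse().ok()?;
    }
    Some((f[1].to_string(), ts))
}

/// Expand every record into one row per distinct non-zero timestamp and sort by time.
pub fn build_timeline(bodyfile: &str) -> Vec<TimelineEntry> {
    let mut entries = Vec::new();
    for line in bodyfile.lines() {
        let (name, [atime, mtime, ctime, crtime]) = match parse_line(line) {
            Some(parsed) => parsed,
            None => continue, // skip blank or malformed lines instead of aborting
        };
        let mut stamps: Vec<i64> = [atime, mtime, ctime, crtime]
            .iter()
            .copied()
            .filter(|&t| t > 0)
            .collect();
        stamps.sort_unstable();
        stamps.dedup();
        for t in stamps {
            // m/a/c/b flag for each timestamp kind that equals this row's time, '.' otherwise
            let macb: String = [(mtime, 'm'), (atime, 'a'), (ctime, 'c'), (crtime, 'b')]
                .iter()
                .map(|&(v, ch)| if v == t { ch } else { '.' })
                .collect();
            entries.push(TimelineEntry { timestamp: t, macb, name: name.clone() });
        }
    }
    entries.sort_by(|x, y| x.timestamp.cmp(&y.timestamp).then_with(|| x.name.cmp(&y.name)));
    entries
}

/// Civil date from days since 1970-01-01 (Howard Hinnant's days-to-civil algorithm).
fn civil_from_days(days: i64) -> (i64, u32, u32) {
    let z = days + 719_468;
    let era = (if z >= 0 { z } else { z - 146_096 }) / 146_097;
    let doe = z - era * 146_097;
    let yoe = (doe - doe / 1_460 + doe / 36_524 - doe / 146_096) / 365;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153;
    let day = (doy - (153 * mp + 2) / 5 + 1) as u32;
    let month = (if mp < 10 { mp + 3 } else { mp - 9 }) as u32;
    let year = yoe + era * 400 + if month <= 2 { 1 } else { 0 };
    (year, month, day)
}

/// RFC 3339 timestamp with an explicit offset (seconds east of UTC), never the host's zone.
pub fn rfc3339(epoch: i64, offset_secs: i32) -> String {
    let local = epoch + offset_secs as i64;
    let (y, m, d) = civil_from_days(local.div_euclid(86_400));
    let secs = local.rem_euclid(86_400);
    let sign = if offset_secs < 0 { '-' } else { '+' };
    let off = offset_secs.abs();
    format!(
        "{:04}-{:02}-{:02}T{:02}:{:02}:{:02}{}{:02}:{:02}",
        y, m, d, secs / 3600, secs % 3600 / 60, secs % 60, sign, off / 3600, off % 3600 / 60
    )
}

/// Render the timeline as mactime-style lines: time, macb flags, name.
pub fn render_timeline(bodyfile: &str, offset_secs: i32) -> Vec<String> {
    build_timeline(bodyfile)
        .iter()
        .map(|e| format!("{} {} {}", rfc3339(e.timestamp, offset_secs), e.macb, e.name))
        .collect()
}

fn main() {
    // The same instants rendered for UTC and for UTC+01:00: only the printed offset changes
    for &off in &[0i32, 3600] {
        for line in render_timeline(SAMPLE_BODYFILE, off) {
            println!("{}", line);
        }
    }
}
```

Because every rendered line carries its own offset, a timeline built on an analyst's workstation in one zone reads the same on a colleague's machine in another; the offset is a deliberate argument rather than whatever the host's TZ happens to be.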
mft2bodyfile
yet to come
pol_export
Exporter for Windows Registry Policy Files
USAGE:
    pol_export <POLFILE>

ARGS:
    <POLFILE>    Name of the file to read

OPTIONS:
    -h, --help       Print help information
    -V, --version    Print version information
Options:
  -L, --log <LOGFILES>       transaction LOG file(s). This argument can be specified one or two times
  -b, --bodyfile             print as bodyfile format
  -I, --ignore-base-block    ignore the base block (e.g. if it was encrypted by some ransomware)
  -T, --hide-timestamps      hide timestamps, if output is in reg format
  -v, --verbose...           More output per occurrence
  -q, --quiet...             Less output per occurrence
  -h, --help                 Print help
  -V, --version              Print version