#forensics #cli #timestamp #digital #response #dfir #toolkit

bin+lib dfir-toolkit

CLI tools for digital forensics and incident response

26 unstable releases (10 breaking)

0.11.2 Aug 1, 2024
0.11.1 Jul 15, 2024
0.11.0 Jun 13, 2024
0.10.1 Feb 13, 2024
0.6.3 Jul 25, 2023

#233 in Parser implementations


184 downloads per month

GPL-3.0 license

2.5MB
7.5K SLoC

DFIR Toolkit


Table of contents

Overview of the timeline tools

Installation

sudo apt install libscca-dev
cargo install dfir-toolkit

To generate an autocompletion script for your shell, invoke the tool with the --autocomplete option, for example:

mactime2 --autocomplete bash | sudo tee /etc/bash_completion.d/mactime2

This installs the autocompletion script at /etc/bash_completion.d/mactime2.

Usage

Configuring the global timestamp format

By default, the DFIR toolkit uses an RFC3339-compatible date format. To change the date format in use, set the DFIR_DATE environment variable. Consider the following example:

$ mactime2 -b tests/data/mactime2/sample.bodyfile -d | head
1970-01-01T00:00:00+00:00,0,macb,V/V---------,0,0,62447617,"/$OrphanFiles"
2022-04-18T10:28:59+00:00,4096,m...,d/drwxr-xr-x,0,0,42729473,"/proc"
2022-04-18T10:28:59+00:00,4096,m...,d/drwxr-xr-x,0,0,36306945,"/sys"
2022-04-21T00:57:50+00:00,7,m...,l/lrwxrwxrwx,0,0,12,"/bin -> usr/bin"
2022-04-21T00:57:50+00:00,7,m...,l/lrwxrwxrwx,0,0,13,"/lib -> usr/lib"
2022-04-21T00:57:50+00:00,9,m...,l/lrwxrwxrwx,0,0,14,"/lib32 -> usr/lib32"
2022-04-21T00:57:50+00:00,9,m...,l/lrwxrwxrwx,0,0,15,"/lib64 -> usr/lib64"
2022-04-21T00:57:50+00:00,10,m...,l/lrwxrwxrwx,0,0,16,"/libx32 -> usr/libx32"
2022-04-21T00:57:50+00:00,8,m...,l/lrwxrwxrwx,0,0,17,"/sbin -> usr/sbin"
2022-04-21T00:57:51+00:00,4096,m...,d/drwxr-xr-x,0,0,38010881,"/srv"
$ DFIR_DATE="%F %T (%Z)" mactime2 -b tests/data/mactime2/sample.bodyfile -d | head
1970-01-01 00:00:00 (UTC),0,macb,V/V---------,0,0,62447617,"/$OrphanFiles"
2022-04-18 10:28:59 (UTC),4096,m...,d/drwxr-xr-x,0,0,42729473,"/proc"
2022-04-18 10:28:59 (UTC),4096,m...,d/drwxr-xr-x,0,0,36306945,"/sys"
2022-04-21 00:57:50 (UTC),7,m...,l/lrwxrwxrwx,0,0,12,"/bin -> usr/bin"
2022-04-21 00:57:50 (UTC),7,m...,l/lrwxrwxrwx,0,0,13,"/lib -> usr/lib"
2022-04-21 00:57:50 (UTC),9,m...,l/lrwxrwxrwx,0,0,14,"/lib32 -> usr/lib32"
2022-04-21 00:57:50 (UTC),9,m...,l/lrwxrwxrwx,0,0,15,"/lib64 -> usr/lib64"
2022-04-21 00:57:50 (UTC),10,m...,l/lrwxrwxrwx,0,0,16,"/libx32 -> usr/libx32"
2022-04-21 00:57:50 (UTC),8,m...,l/lrwxrwxrwx,0,0,17,"/sbin -> usr/sbin"
2022-04-21 00:57:51 (UTC),4096,m...,d/drwxr-xr-x,0,0,38010881,"/srv"

The value of DFIR_DATE can be any format string accepted by DateTime::strftime (https://docs.rs/chrono/latest/chrono/format/strftime/index.html).
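As an added illustration of what the listings above show, and not code from dfir-toolkit itself, the following Python script converts a TSK-style bodyfile into mactime-style rows, groups an entry's four timestamps into "macb" type flags, and renders the date column with an strftime pattern taken from DFIR_DATE (Python's strftime shares the %Y/%m/%d/%H/%M/%S/%Z directives with chrono; %F and %T depend on the platform C library). The sample bodyfile is constructed here, not taken from the project's test data.

```python
import os
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample bodyfile (TSK 3.x body format); values chosen to reproduce
# rows like the ones in the listings above, not copied from the project's test data.
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODYFILE = """\
0|/$OrphanFiles|62447617|V/V---------|0|0|0|0|0|0|0
0|/proc|42729473|d/drwxr-xr-x|0|0|4096|0|1650277739|0|0
0|/bin -> usr/bin|12|l/lrwxrwxrwx|0|0|7|1650589070|1650502670|1650502670|0
"""

RFC3339_UTC = "%Y-%m-%dT%H:%M:%S+00:00"  # the default format shown in the first listing


def format_ts(epoch: int, date_fmt: str) -> str:
    """Render a UNIX timestamp in UTC with an strftime pattern (DFIR_DATE semantics)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(date_fmt)


def bodyfile_to_mactime(body: str, date_fmt: Optional[str] = None) -> List[str]:
    """Convert bodyfile text into rows: Date,Size,Type,Mode,UID,GID,Meta,File Name."""
    if date_fmt is None:
        date_fmt = os.environ.get("DFIR_DATE", RFC3339_UTC)
    rows: List[Tuple[int, str]] = []
    for line in body.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"malformed bodyfile line: {line!r}")
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        times = {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)}
        # A zero timestamp means "unknown" and is dropped, unless all four are zero:
        # then the entry is kept at epoch 0 so it still appears in the timeline
        # (compare the /$OrphanFiles row dated 1970-01-01 in the listing above).
        if any(times.values()):
            times = {flag: ts for flag, ts in times.items() if ts}
        # Group the remaining timestamps by value; every distinct instant becomes one
        # row whose type column marks which of m/a/c/b fired at that time (e.g. "m.c.").
        by_time: Dict[int, Set[str]] = {}
        for flag, ts in times.items():
            by_time.setdefault(ts, set()).add(flag)
        for ts, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            rows.append((ts, f'{format_ts(ts, date_fmt)},{size},{macb},{mode},{uid},{gid},{inode},"{name}"'))
    # Sort on the epoch value, so the order stays chronological whatever DFIR_DATE renders.
    return [row for _, row in sorted(rows)]


if __name__ == "__main__":
    print("\n".join(bodyfile_to_mactime(SAMPLE_BODYFILE)))
```

Running it with DFIR_DATE="%Y-%m-%d %H:%M:%S (%Z)" in the environment changes only the first column, exactly as in the second listing above.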

Dependencies

~11–28MB
~499K SLoC