Merge pull request #12 from dfir-dd/feature/lnk2bodyfile

Feature/lnk2bodyfile
dfir-dd · Nov 3, 2023 · 03e3ae2 · 03e3ae2
2 parents 4947424 + 5871a1b
commit 03e3ae2
Show file tree

Hide file tree

Showing 41 changed files with 1,095 additions and 115 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "dfir-toolkit"
-version = "0.8.2"
+version = "0.9.0"
 edition = "2021"
 authors = ["Jan Starke <jan.starke@posteo.de>", "Deborah Mahn <deborah.mahn@dfir-dd.de>"]
 description = "CLI tools for digital forensics and incident response"
@@ -72,9 +72,14 @@ name = "ts2date"
 path = "src/bin/ts2date/main.rs"
 required-features = ["ts2date"]
 
+[[bin]]
+name = "lnk2bodyfile"
+path = "src/bin/lnk2bodyfile/main.rs"
+required-features = ["lnk2bodyfile"]
+
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [features]
-default = ["pol_export", "mactime2", "evtxtools", "regdump", "hivescan", "cleanhive", "ipgrep", "ts2date"]
+default = ["pol_export", "mactime2", "evtxtools", "regdump", "hivescan", "cleanhive", "ipgrep", "ts2date", "lnk2bodyfile"]
 mactime2 = ["gzip", "elastic", "chrono-tz", "thiserror", "bitflags", "encoding_rs_io"]
 gzip = ["flate2"]
 elastic = ["elasticsearch", "tokio", "futures", "serde_json", "sha2", "base64", "num-traits", "num-derive", "strum", "strum_macros", "tokio-async-drop"]
@@ -87,6 +92,7 @@ evtxanalyze = ["evtx", "dfirtk-sessionevent-derive", "dfirtk-eventdata"]
 evtx2bodyfile = ["evtx", "getset", "ouroboros", "indicatif"]
 ipgrep = []
 ts2date = ["regex"]
+lnk2bodyfile = ["lnk"]
 
 regdump = ["nt_hive2"]
 hivescan = ["nt_hive2"]
@@ -156,6 +162,9 @@ strum_macros = {version="0", optional=true}
 # nt-hive2
 nt_hive2 = {version="4.0.1", optional=true}
 
+# lnk2bodyfile
+lnk = {version="0.5.1", optional=true}
+
 [dev-dependencies]
 
 # mactime2

diff --git a/README.md b/README.md
@@ -23,7 +23,7 @@
   - [x] [`es4forensics`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/es4forensics.md)
   - [x] [`hivescan`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/hivescan.md)
   - [x] [`ipgrep`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/ipgrep.md)
-  - [ ] [`lnk2bodyfile`](https://github.com/janstarke/lnk2bodyfile)
+  - [x] [`lnk2bodyfile`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/lnk2bodyfile.md)
   - [x] [`mactime2`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/mactime2.md)
   - [ ] [`mft2bodyfile`](https://github.com/janstarke/mft2bodyfile)
   - [ ] [`ntdsextract2`](https://github.com/janstarke/ntdsextract2)

diff --git a/doc/cleanhive.md b/doc/cleanhive.md
@@ -27,6 +27,42 @@ merges logfiles into a hive file
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `cleanhive`
+
+This document contains the help content for the `cleanhive` command-line program.
+
+**Command Overview:**
+
+* [`cleanhive`↴](#cleanhive)
+
+## `cleanhive`
+
+merges logfiles into a hive file
+
+**Usage:** `cleanhive [OPTIONS] <HIVE_FILE>`
+
+###### **Arguments:**
+
+* `<HIVE_FILE>` — name of the file to dump
+
+###### **Options:**
+
+* `-L`, `--log <LOGFILES>` — transaction LOG file(s). This argument can be specified one or two times
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+* `-O`, `--output <DST_HIVE>` — name of the file to which the cleaned hive will be written
+
+  Default value: `-`
+
+
+
 <hr/>
 
 <small><i>

diff --git a/doc/es4forensics.md b/doc/es4forensics.md
@@ -53,6 +53,86 @@ This crates provides structs and functions to insert timeline data into an elast
 
 
 
+## `es4forensics import`
+
+**Usage:** `es4forensics import [OPTIONS] [INPUT_FILE]`
+
+###### **Arguments:**
+
+* `<INPUT_FILE>` — path to input file or '-' for stdin (files ending with .gz will be treated as being gzipped)
+
+  Default value: `-`
+
+###### **Options:**
+
+* `--bulk-size <BULK_SIZE>` — number of timeline entries to combine in one bulk operation
+
+  Default value: `1000`
+
+
+
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `es4forensics`
+
+This document contains the help content for the `es4forensics` command-line program.
+
+**Command Overview:**
+
+* [`es4forensics`↴](#es4forensics)
+* [`es4forensics create-index`↴](#es4forensics-create-index)
+* [`es4forensics import`↴](#es4forensics-import)
+
+## `es4forensics`
+
+This crates provides structs and functions to insert timeline data into an elasticsearch index
+
+**Usage:** `es4forensics [OPTIONS] --index <INDEX_NAME> --password <PASSWORD> <COMMAND>`
+
+###### **Subcommands:**
+
+* `create-index` — 
+* `import` — 
+
+###### **Options:**
+
+* `--strict` — strict mode: do not only warn, but abort if an error occurs
+* `-I`, `--index <INDEX_NAME>` — name of the elasticsearch index
+* `-H`, `--host <HOST>` — server name or IP address of elasticsearch server
+
+  Default value: `localhost`
+* `-P`, `--port <PORT>` — API port number of elasticsearch server
+
+  Default value: `9200`
+* `--proto <PROTOCOL>` — protocol to be used to connect to elasticsearch
+
+  Default value: `https`
+
+  Possible values: `http`, `https`
+
+* `-k`, `--insecure` — omit certificate validation
+
+  Default value: `false`
+* `-U`, `--username <USERNAME>` — username for elasticsearch server
+
+  Default value: `elastic`
+* `-W`, `--password <PASSWORD>` — password for authenticating at elasticsearch
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
+## `es4forensics create-index`
+
+**Usage:** `es4forensics create-index`
+
+
+
 ## `es4forensics import`
 
 **Usage:** `es4forensics import [OPTIONS] [INPUT_FILE]`

diff --git a/doc/evtx2bodyfile.md b/doc/evtx2bodyfile.md
@@ -30,6 +30,45 @@ creates bodyfile from Windows evtx files
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `evtx2bodyfile`
+
+This document contains the help content for the `evtx2bodyfile` command-line program.
+
+**Command Overview:**
+
+* [`evtx2bodyfile`↴](#evtx2bodyfile)
+
+## `evtx2bodyfile`
+
+creates bodyfile from Windows evtx files
+
+**Usage:** `evtx2bodyfile [OPTIONS] [EVTX_FILES]...`
+
+###### **Arguments:**
+
+* `<EVTX_FILES>` — names of the evtx files
+
+###### **Options:**
+
+* `-F`, `--format <FORMAT>` — select output format
+
+  Default value: `bodyfile`
+
+  Possible values: `json`, `bodyfile`
+
+* `-S`, `--strict` — fail upon read error
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>