{"id":22660851,"url":"https://github.com/cuhsat/fact","last_synced_at":"2025-03-29T08:24:59.398Z","repository":{"id":240437406,"uuid":"802125932","full_name":"cuhsat/fact","owner":"cuhsat","description":"Forensic Artifacts Collecting Toolset","archived":false,"fork":false,"pushed_at":"2024-05-28T16:04:07.000Z","size":183,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-05-29T07:09:37.141Z","etag":null,"topics":["artifacts","collecting","dfir","digital-forensics","digital-forensics-incident-response","digitalforensics","forensic-artefact-search","forensic-artifact","forensic-artifacts","forensicartifacts","go","golang","incident-response","incident-response-tooling","incidentresponse","infosec","infosectools","toolkit","toolset","windows"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cuhsat.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-05-17T15:12:42.000Z","updated_at":"2024-05-31T14:01:57.895Z","dependencies_parsed_at":"2024-05-31T14:01:50.294Z","dependency_job_id":null,"html_url":"https://github.com/cuhsat/fact","commit_stats":null,"previous_names":["cuhsat/fact"],"tags_count":40,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cuhsat%2Ffact","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cuhsat%2Ffact/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cuhsat%2Ffact/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cuhsat%2Ffact/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cuhsat","download_url":"https://codeload.github.com/cuhsat/fact/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246158456,"owners_count":20732806,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["artifacts","collecting","dfir","digital-forensics","digital-forensics-incident-response","digitalforensics","forensic-artefact-search","forensic-artifact","forensic-artifacts","forensicartifacts","go","golang","incident-response","incident-response-tooling","incidentresponse","infosec","infosectools","toolkit","toolset","windows"],"created_at":"2024-12-09T11:12:35.470Z","updated_at":"2025-03-29T08:24:59.370Z","avatar_url":"https://github.com/cuhsat.png","language":"Go","readme":"# Forensic Artifacts Collecting Toolkit\n\nA basic shell pipeline for extracting forensic artifacts from disk images. Relevant artifacts will be processed and provided in [ECS](https://www.elastic.co/guide/en/ecs/current/index.html) format for ingestion with [Logstash](https://www.elastic.co/de/logstash).\n\n```sh\n# fmount image.dd | ffind | flog -D logstash\n```\n\n## Tools\n\n### fmount\nMount disk images for read-only processing.\n\n```sh\n# fmount [-ruszqhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-B KEY] [-D DIR] IMAGE\n```\n\nAvailable options:\n\n- `-D` Mount point\n- `-B` BitLocker key\n- `-H` Hash algorithm\n- `-V` Verify hash sum\n- `-r` Recovery key ids \n- `-u` Unmount image\n- `-s` System partition only\n- `-z` Unzip image\n- `-q` Quiet mode\n- `-h` Show usage\n- `-v` Show version\n\nSupported image types on Linux systems:\n\n- [vdi](https://forensics.wiki/virtual_disk_image_%28vdi%29/)\n- [vpc](https://cloud.ibm.com/docs/vpc?topic=vpc-planning-custom-images)\n- [vhdx](https://forensics.wiki/virtual_hard_disk_%28vhd%29/)\n- [vmdk](https://forensics.wiki/vmware_virtual_disk_format_%28vmdk%29/)\n- [parallels](https://github.com/libyal/libphdi/blob/main/documentation/Parallels%20Hard%20Disk%20image%20format.asciidoc)\n- [qcow2](https://forensics.wiki/qcow_image_format/)\n- [qcow](https://forensics.wiki/qcow_image_format/)\n- [raw](https://forensics.wiki/raw_image_format/)\n\nRequired system commands:\n\n- [dislocker](https://github.com/Aorimn/dislocker)\n- [qemu-nbd](https://www.qemu.org/docs/master/tools/qemu-nbd.html)\n- [lsblk](https://man7.org/linux/man-pages/man8/lsblk.8.html)\n- [mount](https://man7.org/linux/man-pages/man8/mount.8.html)\n- [umount](https://man7.org/linux/man-pages/man8/umount.8.html)\n\n### ffind\nFind forensic artifacts in mount points or on the live system.\n\n```sh\n$ ffind [-rcsuqhv] [-H CRC32|MD5|SHA1|SHA256] [-C CSV] [-Z ZIP] [MOUNT ...]\n```\n\nAvailable options:\n\n- `-H` Hash algorithm\n- `-C` CSV listing name\n- `-Z` Zip archive name\n- `-r` Relative paths\n- `-c` Volume shadow copy\n- `-s` System artifacts only\n- `-u` User artifacts only\n- `-q` Quiet mode\n- `-h` Show usage\n- `-v` Show version\n\nSupported artifacts for Windows 7+ systems:\n\n- [System Active Directory](https://forensics.wiki/active_directory/)\n- [System Registry Hives](https://forensics.wiki/windows_registry/)\n- [System Prefetch Files](https://forensics.wiki/prefetch/)\n- [System Event Logs](https://forensics.wiki/windows_event_log_%28evt%29/)\n- [System AmCache](https://forensics.wiki/amcache/)\n- [User Registry Hives](https://forensics.wiki/windows_registry/)\n- [User Jump Lists](https://forensics.wiki/jump_lists/)\n- [User Browser Histories](https://forensics.wiki/google_chrome/)\n\n### flog\nLog forensic artifacts as JSON in [ECS](https://www.elastic.co/guide/en/ecs/current/index.html) format.\n\n```sh\n$ flog [-pqhv] [-D DIRECTORY] [FILE ...]\n```\n\nAvailable options:\n\n- `-D` Log directory\n- `-p` Pretty JSON\n- `-q` Quiet mode\n- `-h` Show usage\n- `-v` Show version\n\nRequired system commands:\n\n- [dotnet](https://dotnet.microsoft.com/en-us/download/dotnet/6.0)\n\n\u003e Use `make tools` to install [Eric Zimmerman's Tools](https://ericzimmerman.github.io/#!index.md).\n\nSupported artifacts for Windows 7+ systems:\n\n- [System Event Logs](https://forensics.wiki/windows_event_log_%28evt%29/)\n- [User JumpLists](https://forensics.wiki/jump_lists/)\n- [User ShellBags](https://forensics.wiki/shell_item/)\n- [User Browser Histories](https://forensics.wiki/google_chrome/)\n\n## License\nReleased under the [MIT License](LICENSE).\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcuhsat%2Ffact","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcuhsat%2Ffact","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcuhsat%2Ffact/lists"}