{"id":20266347,"url":"https://github.com/dfir-dd/dfir-toolkit","last_synced_at":"2025-04-04T16:17:12.870Z","repository":{"id":179667218,"uuid":"663866341","full_name":"dfir-dd/dfir-toolkit","owner":"dfir-dd","description":"CLI tools for forensic investigation of Windows artifacts","archived":false,"fork":false,"pushed_at":"2024-04-12T15:52:22.000Z","size":1149,"stargazers_count":235,"open_issues_count":5,"forks_count":20,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-04-14T05:37:43.968Z","etag":null,"topics":["cli","dfir","digital-forensics","digital-forensics-incident-response","forensic-analysis","forensics","forensics-tools","rust","rust-lang"],"latest_commit_sha":null,"homepage":"https://github.com/dfir-dd/dfir-toolkit","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dfir-dd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-07-08T09:57:17.000Z","updated_at":"2024-04-15T09:00:18.947Z","dependencies_parsed_at":null,"dependency_job_id":"deae91f5-42c7-411f-945f-33a262424c8b","html_url":"https://github.com/dfir-dd/dfir-toolkit","commit_stats":null,"previous_names":["janstarke/dfir-toolset","dfir-dd/dfir-toolkit","janstarke/dfir-toolkit"],"tags_count":17,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfir-dd%2Fdfir-toolkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfir-dd%2Fdfir-toolkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfir-dd%2Fdfir-toolkit/releases","manifests_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfir-dd%2Fdfir-toolkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dfir-dd","download_url":"https://codeload.github.com/dfir-dd/dfir-toolkit/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247208190,"owners_count":20901570,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","dfir","digital-forensics","digital-forensics-incident-response","forensic-analysis","forensics","forensics-tools","rust","rust-lang"],"created_at":"2024-11-14T12:08:48.630Z","updated_at":"2025-04-04T16:17:12.838Z","avatar_url":"https://github.com/dfir-dd.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# DFIR Toolkit\n\n\u003cimg align=\"right\" width=\"128px\" src=\"https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/images/dfir_fox_128.png?raw=true\" /\u003e\n\n[![Crates.io](https://img.shields.io/crates/v/dfir-toolkit)](https://crates.io/crates/dfir-toolkit)\n[![Crates.io (latest)](https://img.shields.io/crates/dv/dfir-toolkit)](https://crates.io/crates/dfir-toolkit)\n![GitHub Workflow Status (with event)](https://img.shields.io/github/actions/workflow/status/dfir-dd/dfir-toolkit/cargo_test.yml)\n[![Codecov](https://img.shields.io/codecov/c/github/dfir-dd/dfir-toolkit)](https://app.codecov.io/gh/dfir-dd/dfir-toolkit)\n\n\n# Table of contents\n\n- [Installation](#installation)\n- [Overview of timelining tools](#overview-of-timelining-tools)\n- [Tools](#tools)\n  - [x] 
[`cleanhive`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/cleanhive.md)\n  - [x] [`pf2bodyfile`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/pf2bodyfile.md)\n  - [x] [`evtx2bodyfile`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtx2bodyfile.md)\n  - [x] [`evtxanalyze`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxanalyze.md)\n  - [x] [`evtxscan`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxscan.md)\n  - [x] [`evtxcat`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxcat.md)\n  - [x] [`evtxls`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxls.md)\n  - [x] [`es4forensics`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/es4forensics.md)\n  - [x] [`hivescan`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/hivescan.md)\n  - [x] [`ipgrep`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/ipgrep.md)\n  - [x] [`lnk2bodyfile`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/lnk2bodyfile.md)\n  - [x] [`mactime2`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/mactime2.md)\n  - [ ] [`mft2bodyfile`](https://github.com/janstarke/mft2bodyfile)\n  - [ ] [`ntdsextract2`](https://github.com/janstarke/ntdsextract2)\n  - [x] [`pol_export`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/pol_export.md)\n  - [ ] [`procbins`](https://github.com/janstarke/procbins)\n  - [x] [`regdump`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/regdump.md)\n  - [ ] [`regview`](https://github.com/janstarke/regview)\n  - [x] [`ts2date`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/ts2date.md)\n  - [ ] [`usnjrnl_dump`](https://github.com/janstarke/usnjrnl)\n  - [x] [`zip2bodyfile`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/zip2bodyfile.md)\n\n# Overview of timelining tools\n\n\u003cimg src=\"https://raw.githubusercontent.com/dfir-dd/dfir-toolkit/main/doc/images/tools.svg\"\u003e\n\n# Installation\n\n```bash\nsudo apt install libscca-dev libssl-dev\ncargo 
install dfir-toolkit\n```\n\nTo generate autocompletion scripts for your shell, invoke the tool with the `--autocomplete` option, e.g.\n\n```bash\nmactime2 --autocomplete bash | sudo tee /etc/bash_completion.d/mactime2\n```\n\nwould install an autocompletion script in `/etc/bash_completion.d/mactime2`.\n\n# Usage\n\n## Configuring the global timestamp format\n\nBy default, the DFIR toolkit uses an RFC3339-compliant date format. You can change the date format\nbeing used by setting the `DFIR_DATE` environment variable. Let's look at an example:\n\n```shell\n$ mactime2 -b tests/data/mactime2/sample.bodyfile -d | head\n1970-01-01T00:00:00+00:00,0,macb,V/V---------,0,0,62447617,\"/$OrphanFiles\"\n2022-04-18T10:28:59+00:00,4096,m...,d/drwxr-xr-x,0,0,42729473,\"/proc\"\n2022-04-18T10:28:59+00:00,4096,m...,d/drwxr-xr-x,0,0,36306945,\"/sys\"\n2022-04-21T00:57:50+00:00,7,m...,l/lrwxrwxrwx,0,0,12,\"/bin -\u003e usr/bin\"\n2022-04-21T00:57:50+00:00,7,m...,l/lrwxrwxrwx,0,0,13,\"/lib -\u003e usr/lib\"\n2022-04-21T00:57:50+00:00,9,m...,l/lrwxrwxrwx,0,0,14,\"/lib32 -\u003e usr/lib32\"\n2022-04-21T00:57:50+00:00,9,m...,l/lrwxrwxrwx,0,0,15,\"/lib64 -\u003e usr/lib64\"\n2022-04-21T00:57:50+00:00,10,m...,l/lrwxrwxrwx,0,0,16,\"/libx32 -\u003e usr/libx32\"\n2022-04-21T00:57:50+00:00,8,m...,l/lrwxrwxrwx,0,0,17,\"/sbin -\u003e usr/sbin\"\n2022-04-21T00:57:51+00:00,4096,m...,d/drwxr-xr-x,0,0,38010881,\"/srv\"\n```\n\n```shell\n$ DFIR_DATE=\"%F %T (%Z)\" mactime2 -b tests/data/mactime2/sample.bodyfile -d | head\n1970-01-01 00:00:00 (UTC),0,macb,V/V---------,0,0,62447617,\"/$OrphanFiles\"\n2022-04-18 10:28:59 (UTC),4096,m...,d/drwxr-xr-x,0,0,42729473,\"/proc\"\n2022-04-18 10:28:59 (UTC),4096,m...,d/drwxr-xr-x,0,0,36306945,\"/sys\"\n2022-04-21 00:57:50 (UTC),7,m...,l/lrwxrwxrwx,0,0,12,\"/bin -\u003e usr/bin\"\n2022-04-21 00:57:50 (UTC),7,m...,l/lrwxrwxrwx,0,0,13,\"/lib -\u003e usr/lib\"\n2022-04-21 00:57:50 (UTC),9,m...,l/lrwxrwxrwx,0,0,14,\"/lib32 -\u003e 
usr/lib32\"\n2022-04-21 00:57:50 (UTC),9,m...,l/lrwxrwxrwx,0,0,15,\"/lib64 -\u003e usr/lib64\"\n2022-04-21 00:57:50 (UTC),10,m...,l/lrwxrwxrwx,0,0,16,\"/libx32 -\u003e usr/libx32\"\n2022-04-21 00:57:50 (UTC),8,m...,l/lrwxrwxrwx,0,0,17,\"/sbin -\u003e usr/sbin\"\n2022-04-21 00:57:51 (UTC),4096,m...,d/drwxr-xr-x,0,0,38010881,\"/srv\"\n```\n\nThe value of `DFIR_DATE` can be any format string which can also be used in `DateTime::strftime` (\u003chttps://docs.rs/chrono/latest/chrono/format/strftime/index.html\u003e)\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdfir-dd%2Fdfir-toolkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdfir-dd%2Fdfir-toolkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdfir-dd%2Fdfir-toolkit/lists"}