version 0.13.0

cuhsat · May 28, 2024 · f1ee634 · f1ee634
1 parent ebc723a
commit f1ee634
Show file tree

Hide file tree

Showing 41 changed files with 1,017 additions and 140 deletions.
diff --git a/.gitignore b/.gitignore
@@ -23,6 +23,6 @@ go.work
 # Fact files
 bin/
 *.dd
+*.evtx
 *.zip
-!internal/testdata/windows.zip
-!internal/testdata/windows.dd.zip
+!internal/testdata/windows*.zip
diff --git a/Makefile b/Makefile
@@ -1,6 +1,9 @@
 .PHONY: all clean
 
-all: build
+all: build tools
+
+tools:
+	"$(CURDIR)/scripts/eztools.sh"
 
 build:
 	"$(CURDIR)/scripts/gobuild.sh"

diff --git a/README.md b/README.md
@@ -2,13 +2,15 @@
 Forensic Artifacts Collecting Toolkit.
 
 ```sh
-$ fmount -T dd image.dd | ffind -H sha256 -Z artifacts.zip
+# fmount image.dd | ffind | flog
 ```
 
 ## Tools
 - [fmount](docs/fmount.md)
 - [fmount.dd](docs/fmount.dd.md)
 - [ffind](docs/ffind.md)
+- [flog](docs/flog.md)
+- [flog.evt](docs/flog.evt.md)
 
 ## License
 Released under the [MIT License](LICENSE).
diff --git a/cmd/ffind/main.go b/cmd/ffind/main.go
@@ -1,17 +1,17 @@
-// Find forensic artifacts in a mount point or on the live system.
+// Find forensic artifacts in mount points or on the live system.
 //
 // Usage:
 //
-//	ffind [-rsuqhv] [-H CRC32|MD5|SHA1|SHA256] [-Z ARCHIVE] [-F FILE] [MOUNT ...]
+//	ffind [-rsuqhv] [-H CRC32|MD5|SHA1|SHA256] [-Z ARCHIVE] [-L FILE] [MOUNT ...]
 //
 // The flags are:
 //
 //	 -H algorithm
 //	 	The hash algorithm to use.
 //	 -Z archive
 //		The artifacts archive name.
-//	 -F file
-//		The filename to write also.
+//	 -L file
+//		The artifacts listing name.
 //	 -r
 //		Output relative paths.
 //	 -s
@@ -37,19 +37,16 @@ import (
 	"fmt"
 	"io"
 	"os"
-	"strings"
 
+	"github.com/cuhsat/fact/internal/fact"
 	"github.com/cuhsat/fact/internal/sys"
 	"github.com/cuhsat/fact/pkg/ffind"
 )
 
-// Changed by ldflags
-var Version string = "dev"
-
 func main() {
 	H := flag.String("H", "", "Hash algorithm")
 	Z := flag.String("Z", "", "Archive name")
-	F := flag.String("F", "", "File to write")
+	L := flag.String("L", "", "Listing name")
 	r := flag.Bool("r", false, "Relative paths")
 	s := flag.Bool("s", false, "System artifacts only")
 	u := flag.Bool("u", false, "User artifacts only")
@@ -63,15 +60,15 @@ func main() {
 	mnt := sys.Args()
 
 	if *h {
-		sys.Usage("ffind [-rsuqhv] [-H CRC32|MD5|SHA1|SHA256] [-Z ARCHIVE] [-F FILE] [MOUNT ...]")
+		sys.Usage("ffind [-rsuqhv] [-H CRC32|MD5|SHA1|SHA256] [-Z ARCHIVE] [-L FILE] [MOUNT ...]")
 	}
 
 	if *v {
-		sys.Print("ffind", Version)
+		sys.Print("ffind", fact.Version)
 	}
 
-	if *q && len(*F)+len(*Z) == 0 {
-		sys.Fatal("archive or file required")
+	if *q && len(*Z)+len(*L) == 0 {
+		sys.Fatal("archive or listing required")
 	}
 
 	if *r && len(mnt) > 1 {
@@ -80,25 +77,7 @@ func main() {
 	}
 
 	for _, p := range mnt {
-		files := ffind.Find(p, *Z, *H, *r, *s, *u)
-
-		if len(*F) > 0 {
-			f, err := os.OpenFile(*F, os.O_WRONLY|os.O_CREATE, 0666)
-
-			if err != nil {
-				sys.Error(err)
-			}
-
-			b := []byte(strings.Join(files, "\n"))
-
-			if _, err = f.Write(b); err != nil {
-				sys.Error(err)
-			}
-
-			if err = f.Close(); err != nil {
-				sys.Error(err)
-			}
-		}
+		files := ffind.Find(p, *Z, *L, *H, *r, *s, *u)
 
 		if !*q {
 			for _, f := range files {

diff --git a/cmd/flog.evt/main.go b/cmd/flog.evt/main.go
@@ -0,0 +1,63 @@
+// Log Windows event logs information in ECS schema.
+//
+// Usage:
+//
+//	flog [-hv] [-D DIRECTORY] [FILE ...]
+//
+// The flags are:
+//
+//	 -D directory
+//	    The log directory.
+//	 -h
+//		Show usage.
+//	 -v
+//		Show version.
+//
+// The arguments are:
+//
+//	 file
+//		The event log file(s) to process.
+//		Defaults to STDIN if not given.
+package main
+
+import (
+	"flag"
+	"io"
+
+	"github.com/cuhsat/fact/internal/fact"
+	"github.com/cuhsat/fact/internal/sys"
+	"github.com/cuhsat/fact/pkg/flog"
+	"github.com/cuhsat/fact/pkg/flog/evt"
+	"golang.org/x/sync/errgroup"
+)
+
+func main() {
+	D := flag.String("D", "", "Log directory")
+	h := flag.Bool("h", false, "Show usage")
+	v := flag.Bool("v", false, "Show version")
+
+	flag.CommandLine.SetOutput(io.Discard)
+	flag.Parse()
+
+	files := flog.StripHash(sys.Args())
+
+	if *v {
+		sys.Print("flog", fact.Version)
+	}
+
+	if *h || len(files) == 0 {
+		sys.Usage("flog [-hv] [-D DIRECTORY] [FILE ...]")
+	}
+
+	g := new(errgroup.Group)
+
+	for _, f := range files {
+		g.Go(func() error {
+			return evt.Log(f, *D)
+		})
+	}
+
+	if err := g.Wait(); err != nil {
+		sys.Fatal(err)
+	}
+}
diff --git a/cmd/flog/main.go b/cmd/flog/main.go
@@ -0,0 +1,66 @@
+// Log forensic artifacts information in ECS schema.
+//
+// Usage:
+//
+//	flog [-hv] [-D DIRECTORY] [FILE ...]
+//
+// The flags are:
+//
+//	 -D directory
+//	    The log directory.
+//	 -h
+//		Show usage.
+//	 -v
+//		Show version.
+//
+// The arguments are:
+//
+//	 file
+//		The artifact file(s) to process.
+//		Defaults to STDIN if not given.
+package main
+
+import (
+	"flag"
+	"io"
+
+	"github.com/cuhsat/fact/internal/fact"
+	"github.com/cuhsat/fact/internal/sys"
+	"github.com/cuhsat/fact/pkg/flog"
+	"golang.org/x/sync/errgroup"
+)
+
+func main() {
+	D := flag.String("D", "", "Log directory")
+	h := flag.Bool("h", false, "Show usage")
+	v := flag.Bool("v", false, "Show version")
+
+	flag.CommandLine.SetOutput(io.Discard)
+	flag.Parse()
+
+	files := flog.StripHash(sys.Args())
+
+	if *v {
+		sys.Print("flog", fact.Version)
+	}
+
+	if *h || len(files) == 0 {
+		sys.Usage("flog [-hv] [-D DIRECTORY] [FILE ...]")
+	}
+
+	args := make([]string, 0)
+
+	if len(*D) > 0 {
+		args = append(args, "-D", *D)
+	}
+
+	g := new(errgroup.Group)
+
+	g.Go(func() error {
+		return flog.Evt(files, args)
+	})
+
+	if err := g.Wait(); err != nil {
+		sys.Fatal(err)
+	}
+}
diff --git a/cmd/fmount/main.go b/cmd/fmount/main.go
@@ -35,14 +35,12 @@ import (
 	"flag"
 	"io"
 
+	"github.com/cuhsat/fact/internal/fact"
 	"github.com/cuhsat/fact/internal/sys"
 	"github.com/cuhsat/fact/pkg/fmount"
 	"github.com/cuhsat/fact/pkg/fmount/dd"
 )
 
-// Changed by ldflags
-var Version string = "dev"
-
 func main() {
 	D := flag.String("D", "", "Mount point")
 	T := flag.String("T", "", "Image type")
@@ -60,7 +58,7 @@ func main() {
 	img := sys.Arg()
 
 	if *v {
-		sys.Print("fmount", Version)
+		sys.Print("fmount", fact.Version)
 	}
 
 	if *h || len(img) == 0 {

diff --git a/docs/ffind.md b/docs/ffind.md
@@ -1,15 +1,15 @@
 # ffind
-Find forensic artifacts in a mount point or on the live system.
+Find forensic artifacts in mount points or on the live system.
 
 ```sh
-$ ffind [-rsuqhv] [-H CRC32|MD5|SHA1|SHA256] [-Z ARCHIVE] [-F FILE] [MOUNT ...]
+$ ffind [-rsuqhv] [-H CRC32|MD5|SHA1|SHA256] [-Z ARCHIVE] [-L FILE] [MOUNT ...]
 ```
 
 Available options:
 
 - `-H` Hash algorithm
 - `-Z` Archive name
-- `-F` File to write
+- `-L` Listing name
 - `-r` Relative paths
 - `-s` System artifacts only
 - `-u` User artifacts only

diff --git a/docs/flog.evt.md b/docs/flog.evt.md
@@ -0,0 +1,21 @@
+# flog.evt
+Log Windows event log artifacts in [ECS](https://www.elastic.co/guide/en/ecs/current/index.html) schema.
+
+```sh
+$ flog.evt [-hv] [-D DIRECTORY] [FILE ...]
+```
+
+Available options:
+
+- `-D` Log directory
+- `-h` Show usage
+- `-v` Show version
+
+Required system commands:
+
+- [dotnet](https://dotnet.microsoft.com/en-us/download/dotnet/6.0)
+
+> Run `scripts/eztools.sh` to install [Eric Zimmerman's Tools](https://ericzimmerman.github.io/#!index.md).
+
+---
+Part of the [Forensic Artifacts Collecting Toolkit](../README.md).
diff --git a/docs/flog.md b/docs/flog.md
@@ -0,0 +1,19 @@
+# flog
+Log forensics artifacts in [ECS](https://www.elastic.co/guide/en/ecs/current/index.html) schema.
+
+```sh
+$ flog [-hv] [-D DIRECTORY] [FILE ...]
+```
+
+Available options:
+
+- `-D` Log directory
+- `-h` Show usage
+- `-v` Show version
+
+Supported artifacts for Windows 7+ systems:
+
+- [System Event Logs](flog.evt.md)
+
+---
+Part of the [Forensic Artifacts Collecting Toolkit](../README.md).
diff --git a/docs/fmount.dd.md b/docs/fmount.dd.md
@@ -2,7 +2,7 @@
 Mount forensic raw or dd disk images for read-only processing.
 
 ```sh
-$ fmount.dd [-fsuzhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-D DIRECTORY] IMAGE
+# fmount.dd [-fsuzhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-D DIRECTORY] IMAGE
 ```
 
 Available options:

diff --git a/docs/fmount.md b/docs/fmount.md
@@ -2,7 +2,7 @@
 Mount forensic disk images for read-only processing.
 
 ```sh
-$ fmount [-suzhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-T RAW|DD] [-D DIRECTORY] IMAGE
+# fmount [-suzhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-T RAW|DD] [-D DIRECTORY] IMAGE
 ```
 
 Available options:

diff --git a/go.mod b/go.mod
@@ -1,3 +1,7 @@
 module github.com/cuhsat/fact
 
 go 1.22
+
+require (
+	golang.org/x/sync v0.7.0 // indirect
+)
diff --git a/go.sum b/go.sum
@@ -0,0 +1,2 @@
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
diff --git a/internal/fact/3rd.go b/internal/fact/3rd.go
@@ -0,0 +1,22 @@
+// FACT 3rd party functions.
+package fact
+
+import (
+	"os"
+	"path/filepath"
+)
+
+func EzTools(asm string) (p string, err error) {
+	env := os.ExpandEnv("$EZTOOLS")
+
+	if len(env) > 0 {
+		p = filepath.Join(env, asm)
+		return
+	}
+
+	wd, err := os.Getwd()
+
+	p = filepath.Join(wd, asm)
+
+	return
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
		golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=