forked from DFIR-ORC/dfir-orc.github.io
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Configuring Tool Output — DFIR ORC documentation</title>
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="_static/solar.css" type="text/css" />
<link rel="stylesheet" type="text/css" href="_static/css/custom.css" />
<script id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
<script src="_static/jquery.js"></script>
<script src="_static/underscore.js"></script>
<script src="_static/doctools.js"></script>
<script src="_static/language_data.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="FatInfo" href="FatInfo.html" />
<link rel="prev" title="Configuring Process Priority" href="configuring_process.html" /><link href='http://fonts.googleapis.com/css?family=Source+Code+Pro|Open+Sans:300italic,400italic,700italic,400,300,700' rel='stylesheet' type='text/css'>
<link href="_static/solarized-dark.css" rel="stylesheet">
</head><body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" >
<a href="FatInfo.html" title="FatInfo"
accesskey="N">next</a>
<li class="right" >
<a href="configuring_process.html" title="Configuring Process Priority"
accesskey="P">previous</a>
|</li>
<li class="nav-item nav-item-0"><a href="index.html">DFIR ORC documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="embedded_tool_suite.html" >Embedded Tool Suite</a> »</li>
<li class="nav-item nav-item-2"><a href="info_tools.html" accesskey="U">Common Options & Properties</a> »</li>
</ul>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<p class="logo"><a href="index.html">
<img class="logo" src="_static/logo.jpg" alt="Logo"/>
</a></p>
<h3><a href="index.html">Table of Contents</a></h3>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="index.html">Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="tuto.html">Tutorial</a></li>
<li class="toctree-l1"><a class="reference internal" href="platforms.html">Requirements</a></li>
<li class="toctree-l1"><a class="reference internal" href="intro_to_data_collection.html">Design and Architecture</a></li>
<li class="toctree-l1"><a class="reference internal" href="configuration.html">Configuration</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="embedded_tool_suite.html">Embedded Tool Suite</a><ul class="current">
<li class="toctree-l2 current"><a class="reference internal" href="info_tools.html">Common Options & Properties</a></li>
<li class="toctree-l2"><a class="reference internal" href="FatInfo.html">FatInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="FastFind.html">FastFind</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetThis.html">GetThis</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetSamples.html">GetSamples</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetSectors.html">GetSectors</a></li>
<li class="toctree-l2"><a class="reference internal" href="NTFSInfo.html">NTFSInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="NTFSUtil.html">NTFSUtil</a></li>
<li class="toctree-l2"><a class="reference internal" href="ObjInfo.html">ObjInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="RegInfo.html">RegInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="USNInfo.html">USNInfo</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="licenses.html">Licenses</a></li>
</ul>
<div id="searchbox" style="display: none" role="search">
<h3 id="searchlabel">Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="search.html" method="get">
<input type="text" name="q" aria-labelledby="searchlabel" />
<input type="submit" value="Go" />
</form>
</div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="configuring-tool-output">
<h1>Configuring Tool Output<a class="headerlink" href="#configuring-tool-output" title="Permalink to this headline">¶</a></h1>
<p>DFIR ORC tools configure their output in a unified way.
The syntax is simple and straightforward:</p>
<ul>
<li><p>Command line argument:</p>
<blockquote>
<div><div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>/out=<span class="p">&lt;</span>MyOutput<span class="p">&gt;</span>
</pre></div>
</div>
</div></blockquote>
</li>
<li><p>XML configuration file:</p>
<blockquote>
<div><div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;output&gt;</span>MyOutput<span class="nt">&lt;/output&gt;</span>
</pre></div>
</div>
</div></blockquote>
</li>
</ul>
<p>where <code class="docutils literal notranslate"><span class="pre">&lt;MyOutput&gt;</span></code> can be a file (usually CSV), a directory or an archive.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The name of the <code class="docutils literal notranslate"><span class="pre">/out</span></code> option varies in some tools, typically those with more than one output such as NTFSInfo (see <code class="docutils literal notranslate"><span class="pre">MyTool.exe -h</span></code> for details).</p>
</div>
<div class="section" id="file-output">
<h2>File Output<a class="headerlink" href="#file-output" title="Permalink to this headline">¶</a></h2>
<p>The simplest form of output:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>MyTool.exe /out=c:\temp\foo.csv
</pre></div>
</div>
<p>In this example, if <code class="docutils literal notranslate"><span class="pre">C:\temp</span></code> directory doesn’t exist, it is created. If the directory already exists, it must be writable. If the output file already exists, it is overwritten.</p>
<p>The CSV file is flushed to disk only every 1048576 bytes (1 MB) and at the end of the tool's execution.
As a result, tool progress cannot be followed with utilities such as <code class="docutils literal notranslate"><span class="pre">tail -f</span></code>.</p>
<p>The following tools do not support this output:</p>
<ul class="simple">
<li><p><a class="reference internal" href="GetSectors.html"><span class="doc">GetSectors</span></a>,</p></li>
<li><p><a class="reference internal" href="GetThis.html"><span class="doc">GetThis</span></a>,</p></li>
<li><p><a class="reference internal" href="GetSamples.html"><span class="doc">GetSamples</span></a>,</p></li>
<li><p><a class="reference internal" href="NTFSUtil.html"><span class="doc">NTFSUtil</span></a>,</p></li>
<li><p><a class="reference internal" href="RegInfo.html"><span class="doc">RegInfo</span></a>.</p></li>
</ul>
</div>
<div class="section" id="directory-output">
<h2>Directory Output<a class="headerlink" href="#directory-output" title="Permalink to this headline">¶</a></h2>
<p>Directory output takes the form:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>MyTool.exe /out=c:\temp\test
</pre></div>
</div>
<p>In this example, if <code class="docutils literal notranslate"><span class="pre">C:\temp\test</span></code> directory doesn’t exist, it is created. If a parent directory doesn’t exist, it is also created. Already existing directories must be writable.</p>
<p>The following tools do not support this output:</p>
<ul class="simple">
<li><p><a class="reference internal" href="FastFind.html"><span class="doc">FastFind</span></a>,</p></li>
<li><p><a class="reference internal" href="NTFSUtil.html"><span class="doc">NTFSUtil</span></a>.</p></li>
</ul>
</div>
<div class="section" id="archive-output">
<h2>Archive Output<a class="headerlink" href="#archive-output" title="Permalink to this headline">¶</a></h2>
<p>The simplest form of output for an archive is:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>MyTool.exe /out=c:\temp\foo.zip
</pre></div>
</div>
<p>In this example, if <code class="docutils literal notranslate"><span class="pre">C:\temp</span></code> directory doesn’t exist, it is created. If the directory already exists, it must be writable. If the output archive already exists, it is overwritten.</p>
<p>The archive format is selected from the extension of the output name:</p>
<ul class="simple">
<li><p>foo.zip selects the zip format.</p></li>
<li><p>foo.7z selects the LZMA/7zip format (www.7zip.org).</p></li>
<li><p>foo.cab selects the MSCF Microsoft cabinet format.</p></li>
</ul>
<p>The following tools do not follow this output syntax:</p>
<ul class="simple">
<li><p><a class="reference internal" href="FastFind.html"><span class="doc">FastFind</span></a>,</p></li>
<li><p><a class="reference internal" href="NTFSUtil.html"><span class="doc">NTFSUtil</span></a>,</p></li>
<li><p><a class="reference internal" href="RegInfo.html"><span class="doc">RegInfo</span></a>.</p></li>
</ul>
<div class="section" id="compression-only-for-zip-and-7z-format">
<h3>Compression (only for zip and 7z Format)<a class="headerlink" href="#compression-only-for-zip-and-7z-format" title="Permalink to this headline">¶</a></h3>
<p>The level of compression in the archive can be specified using either an XML configuration file (with a <code class="docutils literal notranslate"><span class="pre">compression</span></code> attribute) or a command-line option (with the <code class="docutils literal notranslate"><span class="pre">/compression</span></code> option).
Supported values are:</p>
<ul class="simple">
<li><p>None</p></li>
<li><p>Fastest</p></li>
<li><p>Fast</p></li>
<li><p>Normal</p></li>
<li><p>Maximum</p></li>
<li><p>Ultra</p></li>
</ul>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;output</span> <span class="na">compression=</span><span class="s">"fast"</span><span class="nt">&gt;</span>MyOutput.7z<span class="nt">&lt;/output&gt;</span>
</pre></div>
</div>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>MyTool.exe /out=c:\temp\foo.zip /compression=Normal
</pre></div>
</div>
</div>
<div class="section" id="password-only-for-zip-and-7z-format">
<span id="cfg-tool-output-pwd"></span><h3>Password (only for zip and 7z Format)<a class="headerlink" href="#password-only-for-zip-and-7z-format" title="Permalink to this headline">¶</a></h3>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>The only tools supporting this option are GetThis and GetSamples.</p>
</div>
<p>The output archive can be password protected by providing either the <code class="docutils literal notranslate"><span class="pre">/password</span></code> option or a <code class="docutils literal notranslate"><span class="pre">password</span></code> attribute for the <code class="docutils literal notranslate"><span class="pre">output</span></code> element in an XML configuration file.</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;output</span> <span class="na">password=</span><span class="s">"avproof"</span><span class="nt">&gt;</span>MyOutput.7z<span class="nt">&lt;/output&gt;</span>
</pre></div>
</div>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>MyTool.exe /out=MyOutput.7z /password=<span class="s2">"avproof"</span>
</pre></div>
</div>
<p>This password is not a security feature; its purpose is to keep anti-virus software from quarantining or deleting the archive when malicious samples are collected.
To encrypt archives, use the corresponding feature in <a class="reference internal" href="wolf_config.html#wolf-config-recipient-element"><span class="std std-ref">wolf_config</span></a>.</p>
</div>
</div>
<div class="section" id="file-character-encoding">
<h2>File Character Encoding<a class="headerlink" href="#file-character-encoding" title="Permalink to this headline">¶</a></h2>
<p>To reduce output file size and ease analysis on Linux systems (where UTF-16 files are often handled poorly), the default encoding for CSV output is UTF-8.
The command-line options <code class="docutils literal notranslate"><span class="pre">/utf8</span></code> and <code class="docutils literal notranslate"><span class="pre">/utf16</span></code> explicitly select the encoding of the output.</p>
<p>The <code class="docutils literal notranslate"><span class="pre">output</span></code> element of an XML configuration file can also carry an optional <code class="docutils literal notranslate"><span class="pre">encoding</span></code> attribute:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;output</span> <span class="na">encoding=</span><span class="s">"utf16"</span><span class="nt">&gt;</span>c:\temp<span class="nt">&lt;/output&gt;</span>
</pre></div>
</div>
<p>Or</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;output</span> <span class="na">encoding=</span><span class="s">"utf8"</span><span class="nt">&gt;</span>c:\temp\test.csv<span class="nt">&lt;/output&gt;</span>
</pre></div>
</div>
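<p>The following is an added example (not DFIR ORC code) that checks an <code class="docutils literal notranslate"><span class="pre">&lt;output&gt;</span></code> element against the rules stated above for archive format, compression, password and encoding, and renders the equivalent command line. It assumes that attribute values are matched case-insensitively; <code class="docutils literal notranslate"><span class="pre">archive_format</span></code>, <code class="docutils literal notranslate"><span class="pre">check_output</span></code> and <code class="docutils literal notranslate"><span class="pre">to_command_line</span></code> are illustrative names.</p>

```python
# Added example (not DFIR ORC code): validate an <output> element against this page's rules.
import os
import xml.etree.ElementTree as ET

ARCHIVE_EXT = {".zip": "zip", ".7z": "7z", ".cab": "cab"}
COMPRESSION = {"none", "fastest", "fast", "normal", "maximum", "ultra"}
ENCODINGS = {"utf8", "utf16"}
PASSWORD_TOOLS = {"GetThis", "GetSamples"}  # the only tools accepting /password

def archive_format(target):
    # Format selected by the extension ('zip', '7z', 'cab'); None for a file or directory.
    # Windows separators are normalised so the extension comes from the last path component.
    return ARCHIVE_EXT.get(os.path.splitext(target.replace("\\", "/"))[1].lower())

def check_output(xml_text, tool):
    """Return the list of rule violations for one <output> element used by `tool`."""
    elem = ET.fromstring(xml_text)
    target = (elem.text or "").strip()
    if not target:
        return ["empty output target"]
    problems = []
    zip_or_7z = archive_format(target) in ("zip", "7z")
    comp = elem.get("compression")  # assumption: values compared case-insensitively
    if comp is not None and not zip_or_7z:
        problems.append("compression only applies to zip and 7z archives")
    elif comp is not None and comp.lower() not in COMPRESSION:
        problems.append(f"unknown compression level {comp!r}")
    if elem.get("password") is not None:
        if not zip_or_7z:
            problems.append("password only applies to zip and 7z archives")
        if tool not in PASSWORD_TOOLS:
            problems.append(f"{tool} does not support a password")
    enc = elem.get("encoding")
    if enc is not None and enc.lower() not in ENCODINGS:
        problems.append(f"unknown encoding {enc!r} (use utf8 or utf16)")
    return problems

def to_command_line(xml_text, tool):
    """Render the command-line equivalent of the same <output> element."""
    elem = ET.fromstring(xml_text)
    args = [f"{tool}.exe", f"/out={(elem.text or '').strip()}"]
    if elem.get("compression"):
        args.append(f"/compression={elem.get('compression')}")
    if elem.get("password"):
        args.append(f'/password="{elem.get("password")}"')
    if elem.get("encoding"):
        args.append(f"/{elem.get('encoding').lower()}")
    return " ".join(args)
```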
</div>
</div>
<div class="clearer"></div>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<script type="text/javascript">
$(document).ready(function() {
$(".toggle > *").hide();
$(".toggle .header").show();
$(".toggle .header").click(function() {
$(this).parent().children().not(".header").toggle(400);
$(this).parent().children(".header").toggleClass("open");
})
});
</script>
</body>
</html>