
Feature/ts2date #4

Merged
merged 12 commits into from
Sep 25, 2023
30 changes: 6 additions & 24 deletions Cargo.lock


10 changes: 8 additions & 2 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -67,9 +67,14 @@ name = "ipgrep"
path = "src/bin/ipgrep/main.rs"
required-features = ["ipgrep"]

[[bin]]
name = "ts2date"
path = "src/bin/ts2date/main.rs"
required-features = ["ts2date"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[features]
default = ["pol_export", "mactime2", "evtxtools", "regdump", "hivescan", "cleanhive", "ipgrep"]
default = ["pol_export", "mactime2", "evtxtools", "regdump", "hivescan", "cleanhive", "ipgrep", "ts2date"]
mactime2 = ["gzip", "elastic", "chrono-tz", "thiserror", "bitflags", "encoding_rs_io"]
gzip = ["flate2"]
elastic = ["elasticsearch", "tokio", "futures", "serde_json", "sha2", "base64", "num-traits", "num-derive", "strum", "strum_macros", "tokio-async-drop"]
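Review bot: appending `ts2date` to `default` means a plain `cargo build` now compiles the new binary and pulls in its optional dependency; that matches how `ipgrep` is wired, so it is fine as long as the tool is meant to be on by default rather than opt-in. The `[[bin]]` entry follows the existing name/path/required-features pattern.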
Expand All @@ -81,6 +86,7 @@ evtxls = ["evtx", "colored", "lazy-regex", "regex", "sigpipe", "dfirtk-eventdata
evtxanalyze = ["evtx", "dfirtk-sessionevent-derive", "dfirtk-eventdata"]
evtx2bodyfile = ["evtx", "getset", "ouroboros", "indicatif"]
ipgrep = []
ts2date = ["regex"]

regdump = ["nt_hive2"]
hivescan = ["nt_hive2"]
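Review bot: `ts2date = ["regex"]` is the only dependency the feature turns on; because the binary carries `required-features = ["ts2date"]`, a crate used by `src/bin/ts2date/main.rs` but missing from this list only shows up when building with `--no-default-features --features ts2date`, so it is worth running that configuration once before merging.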
Expand All @@ -98,6 +104,7 @@ log = {version = "0.4", features = [ "release_max_level_info" ]}
serde = { version = "1.0", features = ["derive"] }
simplelog = "0.12"
winstructs = "0.3.0"
regex = {version = "1", optional=true}

clap-markdown = "0.1.3"
clap_complete = "4"
Expand All @@ -119,7 +126,6 @@ evtx={version="0.8", optional=true}
colored_json = {version="3", optional=true}
term-table = {version = "1.3", optional=true}
termsize = {version = "0.1", optional=true}
regex = {version = "1", optional=true}
colored = {version = "2", optional=true}
lazy-regex = {version = "3.0.0", optional=true}
sigpipe = {version = "0", optional=true}
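Review bot: this hunk only deletes the `regex` line that the previous hunk re-adds higher up in the same dependency table, so the net effect is a move. While the line is being touched, its spacing (`{version = "1", optional=true}`) differs from the neighbouring `serde = { version = "1.0", features = ["derive"] }`; `regex = { version = "1", optional = true }` would keep the table consistent.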
59 changes: 48 additions & 11 deletions README.md
Expand Up @@ -24,7 +24,7 @@
- [x] [`regdump`](#regdump)
- [ ] [`regls`](https://github.com/janstarke/regls)
- [ ] [`regview`](https://github.com/janstarke/regview)
- [ ] [`ts2date`](https://github.com/janstarke/ts2date)
- [x] [`ts2date`](#ts2date)
- [ ] [`usnjrnl_dump`](https://github.com/janstarke/usnjrnl)

# Overview of timelining tools
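Review bot: the checklist line is changed identically in `scripts/update-md.sh` further down, which is the right place since that script regenerates this README; just keep both in sync so the next regeneration does not revert this file.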
Expand Down Expand Up @@ -94,7 +94,7 @@ This document contains the help content for the `es4forensics` command-line prog

## `es4forensics`

CLI tools for digital forensics and incident response
This crates provides structs and functions to insert timeline data into an elasticsearch index

**Usage:** `es4forensics [OPTIONS] --index <INDEX_NAME> --password <PASSWORD> <COMMAND>`

Expand Down Expand Up @@ -172,7 +172,7 @@ This document contains the help content for the `evtx2bodyfile` command-line pro

## `evtx2bodyfile`

CLI tools for digital forensics and incident response
Parses a lot of evtx files and prints a bodyfile

**Usage:** `evtx2bodyfile [OPTIONS] [EVTX_FILES]...`

Expand Down Expand Up @@ -209,7 +209,7 @@ This document contains the help content for the `evtxanalyze` command-line progr

## `evtxanalyze`

CLI tools for digital forensics and incident response
crate provide functions to analyze evtx files

**Usage:** `evtxanalyze [OPTIONS] <COMMAND>`

Expand Down Expand Up @@ -294,7 +294,7 @@ This document contains the help content for the `evtxcat` command-line program.

## `evtxcat`

CLI tools for digital forensics and incident response
Display one or more events from an evtx file

**Usage:** `evtxcat [OPTIONS] <EVTX_FILE>`

Expand Down Expand Up @@ -336,7 +336,7 @@ This document contains the help content for the `evtxls` command-line program.

## `evtxls`

CLI tools for digital forensics and incident response
Display one or more events from an evtx file

**Usage:** `evtxls [OPTIONS] [EVTX_FILES]...`

Expand Down Expand Up @@ -406,7 +406,7 @@ This document contains the help content for the `evtxscan` command-line program.

## `evtxscan`

CLI tools for digital forensics and incident response
Find time skews in an evtx file

**Usage:** `evtxscan [OPTIONS] <EVTX_FILE>`

Expand Down Expand Up @@ -476,7 +476,7 @@ This document contains the help content for the `ipgrep` command-line program.

## `ipgrep`

CLI tools for digital forensics and incident response
search for IP addresses in text files

**Usage:** `ipgrep [OPTIONS] [FILE]...`

Expand Down Expand Up @@ -518,7 +518,7 @@ This document contains the help content for the `mactime2` command-line program.

## `mactime2`

CLI tools for digital forensics and incident response
replacement for `mactime`

**Usage:** `mactime2 [OPTIONS]`

Expand Down Expand Up @@ -562,7 +562,7 @@ This document contains the help content for the `pol_export` command-line progra

## `pol_export`

CLI tools for digital forensics and incident response
Exporter for Windows Registry Policy Files

**Usage:** `pol_export [OPTIONS] <POLFILE>`

Expand Down Expand Up @@ -594,7 +594,7 @@ This document contains the help content for the `regdump` command-line program.

## `regdump`

CLI tools for digital forensics and incident response
parses registry hive files and prints a bodyfile

**Usage:** `regdump [OPTIONS] <HIVE_FILE>`

Expand All @@ -613,6 +613,43 @@ CLI tools for digital forensics and incident response



<hr/>

<small><i>
This document was generated automatically by
<a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
</i></small>

# Command-Line Help for `ts2date`

This document contains the help content for the `ts2date` command-line program.

**Command Overview:**

* [`ts2date`↴](#ts2date)

## `ts2date`

replaces UNIX timestamps in a stream by a formatted date

**Usage:** `ts2date [OPTIONS] [INPUT_FILE] [OUTPUT_FILE]`

###### **Arguments:**

* `<INPUT_FILE>` — name of the file to read (default from stdin)

Default value: `-`
* `<OUTPUT_FILE>` — name of the file to write (default to stdout)

Default value: `-`

###### **Options:**

* `-v`, `--verbose` — More output per occurrence
* `-q`, `--quiet` — Less output per occurrence



<hr/>

<small><i>
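Review bot: the about text says timestamps are replaced "by a formatted date", but the help gives no hint which date format or timezone is used, and the only options are `--verbose`/`--quiet`. Since this PR moves `TzArgument` into `crate::common` (see the `mactime2` hunks below), wiring that argument into `ts2date` and naming the output format in the `long_about` would make the tool self-documenting; also note that with both positional arguments defaulting to `-`, `ts2date` with no arguments is a stdin-to-stdout filter, which the usage line could state.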
2 changes: 1 addition & 1 deletion scripts/update-md.sh
Expand Up @@ -29,7 +29,7 @@ cat >README.md <<'EOF'
- [x] [`regdump`](#regdump)
- [ ] [`regls`](https://github.com/janstarke/regls)
- [ ] [`regview`](https://github.com/janstarke/regview)
- [ ] [`ts2date`](https://github.com/janstarke/ts2date)
- [x] [`ts2date`](#ts2date)
- [ ] [`usnjrnl_dump`](https://github.com/janstarke/usnjrnl)

# Overview of timelining tools
7 changes: 4 additions & 3 deletions src/apps/mactime2/cli.rs
Expand Up @@ -3,18 +3,19 @@ use clio::Input;
use log::LevelFilter;
use chrono_tz::Tz;

use crate::common::HasVerboseFlag;
use crate::common::{HasVerboseFlag,TzArgument};

use super::{OutputFormat, TzArgument};
use super::OutputFormat;

#[cfg(feature = "gzip")]
const BODYFILE_HELP: &str =
"path to input file or '-' for stdin (files ending with .gz will be treated as being gzipped)";
#[cfg(not(feature = "gzip"))]
const BODYFILE_HELP: &str = "path to input file or '-' for stdin";

/// replacement for `mactime`
#[derive(Parser)]
#[clap(name="mactime2", author, version, about, long_about = None)]
#[clap(name="mactime2", author, version, long_about = None)]

pub struct Cli {
#[clap(short('b'), value_parser, value_hint=ValueHint::FilePath, default_value="-", help=BODYFILE_HELP, display_order(100))]
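Review bot: dropping `about` from `#[clap(...)]` and adding the `/// replacement for `mactime`` doc comment is the right way to let clap derive take the description from the doc comment. Two style nits: the blank line between `#[clap(...)]` and `pub struct Cli` is harmless but unusual and looks like the attribute became detached, and the new import reads `{HasVerboseFlag,TzArgument}` without a space after the comma.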
2 changes: 0 additions & 2 deletions src/apps/mactime2/mod.rs
Expand Up @@ -5,8 +5,6 @@ pub mod error;
pub mod filter;
mod output;
mod cli;
mod tzargument;

pub use application::*;
pub use cli::*;
pub (crate) use tzargument::*;
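Review bot: `mod tzargument;` and its re-export are removed here and `cli.rs` now imports `TzArgument` from `crate::common`, so the moved module must be added under `src/common` in this same PR and the old `src/apps/mactime2/tzargument.rs` deleted rather than left as an orphaned file; neither file appears in the diff shown above, so please confirm both are part of the commit set.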
3 changes: 2 additions & 1 deletion src/bin/es4forensics/cli.rs
Expand Up @@ -26,8 +26,9 @@ pub(crate) enum Action {
},
}

/// This crates provides structs and functions to insert timeline data into an elasticsearch index.
#[derive(Parser)]
#[clap(name=env!("CARGO_BIN_NAME"), author, version, about, long_about = None)]
#[clap(name=env!("CARGO_BIN_NAME"), author, version, long_about = None)]
pub struct Cli {
#[command(subcommand)]
pub(crate) action: Action,
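Review bot: the new doc comment has a grammar slip ("This crates provides"); since it now feeds the generated README, suggest `/// This crate provides structs and functions to insert timeline data into an Elasticsearch index.`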
3 changes: 2 additions & 1 deletion src/bin/evtx2bodyfile/cli.rs
Expand Up @@ -5,8 +5,9 @@ use dfir_toolkit::common::HasVerboseFlag;
use getset::Getters;
use log::LevelFilter;

/// creates bodyfile from Windows evtx files
#[derive(Parser, Clone, Getters)]
#[clap(name=env!("CARGO_BIN_NAME"), author, version, about, long_about = None)]
#[clap(name=env!("CARGO_BIN_NAME"), author, version, long_about = None)]
#[getset(get = "pub (crate)")]
pub(crate) struct Cli {
/// names of the evtx files
3 changes: 2 additions & 1 deletion src/bin/evtxanalyze/cli.rs
Expand Up @@ -57,8 +57,9 @@ pub enum Command {
},
}

/// crate provide functions to analyze evtx files
#[derive(Parser)]
#[clap(name=env!("CARGO_BIN_NAME"), author, version, about, long_about = None)]
#[clap(name=env!("CARGO_BIN_NAME"), author, version, long_about = None)]
pub(crate) struct Cli {
#[command(subcommand)]
pub(crate) command: Command,
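Review bot: "crate provide functions to analyze evtx files" describes a library crate, not the `evtxanalyze` binary whose `--help` it now becomes, and it is missing the verb agreement; something like `/// analyze evtx files` (or a line naming what the subcommands do) reads better in the generated help and README.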
2 changes: 1 addition & 1 deletion src/bin/evtxcat/cli.rs
Expand Up @@ -6,7 +6,7 @@ use crate::output_format::OutputFormat;

/// Display one or more events from an evtx file
#[derive(Parser)]
#[clap(name=env!("CARGO_BIN_NAME"),author,version,about)]
#[clap(name=env!("CARGO_BIN_NAME"), author, version)]
pub (crate) struct Cli {
/// Name of the evtx file to read from
pub (crate) evtx_file: String,
2 changes: 1 addition & 1 deletion src/bin/evtxls/cli.rs
Expand Up @@ -20,7 +20,7 @@ pub(crate) enum SortOrder {

/// Display one or more events from an evtx file
#[derive(Parser)]
#[clap(name=env!("CARGO_BIN_NAME"), author,version,about,long_about=None)]
#[clap(name=env!("CARGO_BIN_NAME"), author, version,long_about=None)]
pub(crate) struct Cli {
/// Name of the evtx files to read from
pub(crate) evtx_files: Vec<String>,
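Review bot: `evtxls` keeps the doc comment "Display one or more events from an evtx file", which is word-for-word the `evtxcat` description in the previous hunk, so the two tools become indistinguishable in the README overview. Given `evtxls` takes `evtx_files: Vec<String>` while `evtxcat` takes a single `evtx_file: String`, a description such as "list events from one or more evtx files" would separate them; the attribute spacing (`version,long_about=None`) could also match the `mactime2` hunk.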
2 changes: 1 addition & 1 deletion src/bin/evtxscan/cli.rs
Expand Up @@ -5,7 +5,7 @@ use log::LevelFilter;

/// Find time skews in an evtx file
#[derive(Parser)]
#[clap(name=env!("CARGO_BIN_NAME"), author, version, about)]
#[clap(name=env!("CARGO_BIN_NAME"), author, version)]
pub (crate) struct Cli {
/// name of the evtx file to scan
pub (crate) evtx_file: String,
3 changes: 2 additions & 1 deletion src/bin/ipgrep/cli.rs
Expand Up @@ -6,8 +6,9 @@ use log::LevelFilter;

use crate::{ip_filter::IpFilter, format_ipv4};

/// search for IP addresses in text files
#[derive(Parser)]
#[clap(name=env!("CARGO_BIN_NAME"), author,version,about,long_about=None)]
#[clap(name=env!("CARGO_BIN_NAME"), author, version,long_about=None)]
pub(crate) struct Cli {
pub(crate) file: Vec<PathBuf>,

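Review bot: the description "search for IP addresses in text files" is the only lowercase one among the new doc comments ("Display ...", "Find ...", "Parses ..."), and it is shown capitalised nowhere else, so pick one casing convention across all tools before regenerating the README; the `version,long_about=None` spacing also differs from the other hunks in this PR.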