Article Excerpt
DFIR Toolkit Table of contents Installation Overview of timelining tools Tools cleanhive evtx2bodyfile evtxanalyze evtxscan evtxcat evtxls es4forensics hivescan ipgrep lnk2bodyfile mactime2 mft2bodyfile ntdsextract2 pol_export procbins regdump regls regview ts2date usnjrnl_dump Overview of timelini
| property | value |
|---|---|
| tags | defensive-tradecraft, dfir, email-forensics, github-repo, offensive-tradecraft, osint, recon, tradecraft-tool |
| url | |
| original_word_count | 1262 |
Long Summary
DFIR Toolkit is a collection of command-line tools for digital forensics investigators. It includes tools for timelining (converting evtx, MFT, LNK and USN journal artefacts into bodyfile format), cleaning registry hive files, analyzing evtx files, finding time skews in evtx files, displaying events from evtx files, indexing timeline data into Elasticsearch, scanning registry hive files, a replacement for mactime, exporting Windows Registry Policy files, and dumping registry hives.
Installation is a single command: “cargo install dfir-toolkit” (it builds from source, so a Rust toolchain with cargo is required).
The first tool described is cleanhive, which merges registry transaction log files into a hive file so that the hive reflects changes that were still only in the logs. Its options are -L, --log (the transaction log files), -v, --verbose, -q, --quiet, -O, --output (the destination hive) and -h, --help.
The evtx2bodyfile tool is used to convert evtx files to bodyfile format. It has several options, such as -J, --json, -S, --strict, -v, --verbose, -q, --quiet, -h, --help, and -V, --version. An example of its usage is “evtx2bodyfile Security.evtx >Security.bodyfile”.
The evtxanalyze tool is used to analyze evtx files. It has several options, such as -v, --verbose, -q, --quiet, -h, --help, and -V, --version.
The evtxscan tool is used to find time skews in an evtx file, that is, records whose timestamps run backwards relative to record order, which points at a clock change or at tampering. It has several options, such as -S, --show-records (print the records around each skew), -N, --negative-tolerance (how many seconds a timestamp may go backwards before it is reported, so that normal clock jitter is not flagged), -h, --help, and -V, --version.
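The check evtxscan performs is easy to reproduce on parsed records. The following Python is an added example, not the toolkit's code: it walks constructed event records (EventRecordID and TimeCreated as found in evtx XML; the values are made up) in record order and reports every backward jump larger than a negative tolerance, mirroring the -N option. The tolerance matters because a one-second step backwards is ordinary clock jitter, while an hour is a clock reset worth investigating.

```python
from datetime import datetime, timedelta

# Constructed records in the order they were written to the log. Record 103 is
# one second behind 102 (jitter); record 104 is almost an hour behind 103
# (clock set back). TimeCreated uses the ISO 8601 form evtx XML carries.
SAMPLE_RECORDS = [
    {"EventRecordID": 101, "EventID": 4624, "TimeCreated": "2024-03-01T10:00:00Z"},
    {"EventRecordID": 102, "EventID": 4672, "TimeCreated": "2024-03-01T10:00:05Z"},
    {"EventRecordID": 103, "EventID": 4688, "TimeCreated": "2024-03-01T10:00:04Z"},
    {"EventRecordID": 104, "EventID": 4688, "TimeCreated": "2024-03-01T09:00:10Z"},
    {"EventRecordID": 105, "EventID": 4634, "TimeCreated": "2024-03-01T09:00:15Z"},
]


def parse_time(value):
    """Parse an ISO 8601 timestamp; a trailing 'Z' is accepted on every Python 3 version."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_time_skews(records, negative_tolerance=5):
    """Return (previous_record, record, delta_seconds) for each backward jump.

    Records are compared in EventRecordID order, because that is the order the
    log was written in; a timestamp that is earlier than its predecessor by
    more than negative_tolerance seconds is a skew.
    """
    ordered = sorted(records, key=lambda r: r["EventRecordID"])
    skews = []
    for previous, current in zip(ordered, ordered[1:]):
        delta = parse_time(current["TimeCreated"]) - parse_time(previous["TimeCreated"])
        if delta < timedelta(seconds=-negative_tolerance):
            skews.append((previous, current, int(delta.total_seconds())))
    return skews


def describe_skews(records, negative_tolerance=5):
    """Human-readable report, one line per skew, as evtxscan -S would show context."""
    lines = []
    for previous, current, delta in find_time_skews(records, negative_tolerance):
        lines.append(
            f"skew of {delta}s between record {previous['EventRecordID']} "
            f"({previous['TimeCreated']}) and record {current['EventRecordID']} "
            f"({current['TimeCreated']})"
        )
    return lines


if __name__ == "__main__":
    for line in describe_skews(SAMPLE_RECORDS):
        print(line)
```

With the default tolerance only the jump between records 103 and 104 is reported; lowering the tolerance to zero also surfaces the one-second step, which is noise on most systems.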
The evtxcat tool is used to display one or more events from an evtx file. It has several options, such as --min, --max, -i, --id, -T, --display-table, -F, --format, -h, --help, and -V, --version.
The evtxls tool is used to list one or more events from an evtx file. It has several options, such as -d, --delimiter, -i, --include, -x, --exclude, -c, --colors, -f, --from, -t, --to, -s, --summary, -a, --all, -h, --help, and -V, --version.
The es4forensics tool loads timeline data into an Elasticsearch index.
The mactime2 tool is a replacement for mactime: it reads a bodyfile and produces a sorted timeline, so the bodyfiles written by evtx2bodyfile, mft2bodyfile, lnk2bodyfile and the other converters can be merged into one timeline.
The pol_export tool exports Windows Registry Policy files (Registry.pol).
The regdump tool dumps the contents of a registry hive file.
Short Summary
📓 dfir-dd/dfir-toolkit
🔗 source link: https://github.com/dfir-dd/dfir-toolkit
🔗 summarized content: https://hut.threathunterz.com/battlefield-intel/tradecraft-tools/dfir-dd-dfirtoolkit
#DFIRToolkit #DigitalForensics #Investigations #Tools #Installation