use 0.9.1 from forensic-rs

dfir-dd · Feb 9, 2024 · 0ec0a9d · 0ec0a9d
1 parent 73edd29
commit 0ec0a9d
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 14 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -177,7 +177,7 @@ lnk = {version="0.5.1", optional=true}
 libc = {version="0.2", optional=true}
 num = {version="0", optional=true}
 frnsc-prefetch = {version="0.9", optional=true}
-forensic-rs = {version="0.9", optional=true}
+forensic-rs = {version="0.9.1", optional=true}
 
 [dev-dependencies]
 

diff --git a/src/bin/pf2bodyfile/main.rs b/src/bin/pf2bodyfile/main.rs
@@ -1,7 +1,6 @@
 mod cli;
 use std::path::Path;
 
-use anyhow::bail;
 use cli::Cli;
 use dfir_toolkit::common::bodyfile::Bodyfile3Line;
 use dfir_toolkit::common::FancyParser;
@@ -17,19 +16,20 @@ fn main() -> anyhow::Result<()> {
     let mut fs = ChRootFileSystem::new(Path::new("."), Box::new(StdVirtualFS::new()));
 
     for input in cli.prefetch_files().iter() {
-        let _path = input.path().as_os_str().to_string_lossy();
+
         let pf_file_name = input.path().file_name().unwrap().to_string_lossy();
-        let file = fs.open(input.path()).or_else(|why| bail!("{why}"))?;
-        let pf_file = read_prefetch_file(&pf_file_name, file).or_else(|why| bail!("{why}"))?;
-        let executable = &pf_file.name;
-        let run_count = &pf_file.run_count;
+        let pf_file = read_prefetch_file(&pf_file_name, fs.open(input.path())?)?;
 
         for time in pf_file.last_run_times {
-            let ts = winstructs::timestamp::WinTimestamp::new(&time.filetime().to_le_bytes())?;
-            let accessed = ts.to_datetime().into();
+            let accessed =
+                winstructs::timestamp::WinTimestamp::new(&time.filetime().to_le_bytes())?
+                    .to_datetime()
+                    .into();
+
             let bf_line = Bodyfile3Line::new()
                 .with_owned_name(format!(
-                    "Prefetch: run '{executable}' (run {run_count} times, read from '{pf_file_name}')"
+                    "Prefetch: run '{}' (run {} times, read from '{pf_file_name}')",
+                    pf_file.name, pf_file.run_count
                 ))
                 .with_atime(accessed);
             println!("{bf_line}");
@@ -39,7 +39,8 @@ fn main() -> anyhow::Result<()> {
                     let mf = &metric.file;
                     let bf_line = Bodyfile3Line::new()
                         .with_owned_name(format!(
-                            "Prefetch: running '{executable} loads '{mf}', read from '{pf_file_name}')"
+                            "Prefetch: running '{} possibly loaded '{mf}', read from '{pf_file_name}')",
+                            pf_file.name
                         ))
                         .with_atime(accessed);
                     println!("{bf_line}");
@@ -49,3 +50,4 @@ fn main() -> anyhow::Result<()> {
     }
     Ok(())
 }
+