diff --git a/Cargo.lock b/Cargo.lock index 8ab75dd..3374b4e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -742,7 +742,7 @@ dependencies = [ "more-asserts", "nt_hive2", "num", - "num-derive 0.3.3", + "num-derive 0.4.0", "num-traits", "ouroboros", "phf", @@ -1056,11 +1056,12 @@ checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" [[package]] name = "forensic-rs" -version = "0.9.0" +version = "0.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a7c13db42df6d5d46653880721c6de181ba19528014bee43d68b3c76fc02bcf0" +checksum = "1e878efbc5ee339c257d8c18b1c8535864bcfb0ec9a4b7c0a6afd3aed718cf20" dependencies = [ "serde", + "thiserror", ] [[package]] diff --git a/Cargo.toml b/Cargo.toml index 0c459da..9047f40 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -177,7 +177,7 @@ lnk = {version="0.5.1", optional=true} libc = {version="0.2", optional=true} num = {version="0", optional=true} frnsc-prefetch = {version="0.9", optional=true} -forensic-rs = {version="0.9", optional=true} +forensic-rs = {version="0.9.1", optional=true} [dev-dependencies] diff --git a/src/bin/pf2bodyfile/main.rs b/src/bin/pf2bodyfile/main.rs index 2bc5d2b..62d6c6a 100644 --- a/src/bin/pf2bodyfile/main.rs +++ b/src/bin/pf2bodyfile/main.rs @@ -1,7 +1,6 @@ mod cli; use std::path::Path; -use anyhow::bail; use cli::Cli; use dfir_toolkit::common::bodyfile::Bodyfile3Line; use dfir_toolkit::common::FancyParser; 
@@ -17,19 +16,20 @@ fn main() -> anyhow::Result<()> { let mut fs = ChRootFileSystem::new(Path::new("."), Box::new(StdVirtualFS::new())); for input in cli.prefetch_files().iter() { - let _path = input.path().as_os_str().to_string_lossy(); + let pf_file_name = input.path().file_name().unwrap().to_string_lossy(); - let file = fs.open(input.path()).or_else(|why| bail!("{why}"))?; - let pf_file = read_prefetch_file(&pf_file_name, file).or_else(|why| bail!("{why}"))?; - let executable = &pf_file.name; - let run_count = &pf_file.run_count; + let pf_file = read_prefetch_file(&pf_file_name, fs.open(input.path())?)?; for time in pf_file.last_run_times { - let ts = winstructs::timestamp::WinTimestamp::new(&time.filetime().to_le_bytes())?; - let accessed = ts.to_datetime().into(); + let accessed = + winstructs::timestamp::WinTimestamp::new(&time.filetime().to_le_bytes())? + .to_datetime() + .into(); + let bf_line = Bodyfile3Line::new() .with_owned_name(format!( - "Prefetch: run '{executable}' (run {run_count} times, read from '{pf_file_name}')" + "Prefetch: run '{}' (run {} times, read from '{pf_file_name}')", + pf_file.name, pf_file.run_count )) .with_atime(accessed); println!("{bf_line}"); @@ -39,7 +39,8 @@ fn main() -> anyhow::Result<()> { let mf = &metric.file; let bf_line = Bodyfile3Line::new() .with_owned_name(format!( - "Prefetch: running '{executable} loads '{mf}', read from '{pf_file_name}')" + "Prefetch: running '{} possibly loaded '{mf}', read from '{pf_file_name}')", + pf_file.name )) .with_atime(accessed); println!("{bf_line}"); @@ -49,3 +50,4 @@ fn main() -> anyhow::Result<()> { } Ok(()) } +
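Review bot: The new `let pf_file = read_prefetch_file(&pf_file_name, fs.open(input.path())?)?;` line still aborts the whole run on the first unreadable or unparsable prefetch file and, unless the underlying error types embed the path themselves, the error reaching main says nothing about which of the many CLI-supplied inputs failed. Since `use anyhow::bail;` is dropped in the first hunk anyway, I would replace it with `use anyhow::Context;` and split the line into `let file = fs.open(input.path()).with_context(|| format!("cannot open '{}'", input.path().display()))?;` and `let pf_file = read_prefetch_file(&pf_file_name, file).with_context(|| format!("cannot parse prefetch file '{pf_file_name}'"))?;` — the `?` already compiling means both error types satisfy the bound `with_context` needs. The unchanged `input.path().file_name().unwrap()` directly above is worth a look in the same pass: `file_name()` returns `None` for a path such as `..`, so a user-supplied argument can panic the tool instead of producing an error. `fn main` starts before this hunk and continues after it.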
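Review bot: The rewritten name string in the second hunk, `"Prefetch: running '{} possibly loaded '{mf}', read from '{pf_file_name}')"`, leaves the quote opened before the executable name unclosed and ends with a `)` that has no opening parenthesis, both inherited from the line it replaces; the first hunk's string shows the intended shape, so I would change it to `"Prefetch: running '{}' possibly loaded '{mf}' (read from '{pf_file_name}')"`. Unbalanced quoting in the name column makes the bodyfile harder to read and to post-process reliably. Both `pf_file.name` and `mf` originate in the prefetch file being examined, i.e. in evidence rather than trusted input; I cannot see whether `Bodyfile3Line::with_owned_name` escapes `|` or newline characters, so it is worth confirming that a crafted executable or loaded-file name cannot inject extra bodyfile fields or lines into the output. The `for metric in …` loop this hunk sits in starts before the hunk.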