update README.md

README.md

@@ -17,7 +17,7 @@
   - [x] [`cleanhive`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/cleanhive.md)
   - [x] [`pf2bodyfile`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/pf2bodyfile.md)
   - [x] [`evtx2bodyfile`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtx2bodyfile.md)
-  - [x] [`evtxanalyze`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/avtxanalyze.md)
+  - [x] [`evtxanalyze`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxanalyze.md)
   - [x] [`evtxscan`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxscan.md)
   - [x] [`evtxcat`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxcat.md)
   - [x] [`evtxls`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxls.md)
@@ -90,4 +90,6 @@ $ DFIR_DATE="%F %T (%Z)" mac2time2 -b tests/data/mactime2/sample.bodyfile -d | h
 2022-04-21 00:57:51 (UTC),4096,m...,d/drwxr-xr-x,0,0,38010881,"/srv"
 ```
 
-The value of `DFIR_DATE` can be any format string which can also be used in `DateTime::strftime` (<https://docs.rs/chrono/latest/chrono/format/strftime/index.html>)
+The value of `DFIR_DATE` can be any format string which can also be used in `DateTime::strftime` (<https://docs.rs/chrono/latest/chrono/format/strftime/index.html>)
+
+

doc/cleanhive.md

@@ -99,6 +99,42 @@ merges logfiles into a hive file
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `cleanhive`
+
+This document contains the help content for the `cleanhive` command-line program.
+
+**Command Overview:**
+
+* [`cleanhive`↴](#cleanhive)
+
+## `cleanhive`
+
+merges logfiles into a hive file
+
+**Usage:** `cleanhive [OPTIONS] <HIVE_FILE>`
+
+###### **Arguments:**
+
+* `<HIVE_FILE>` — name of the file to dump
+
+###### **Options:**
+
+* `-L`, `--log <LOGFILES>` — transaction LOG file(s). This argument can be specified one or two times
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+* `-O`, `--output <DST_HIVE>` — name of the file to which the cleaned hive will be written
+
+  Default value: `-`
+
+
+
 <hr/>
 
 <small><i>

doc/es4forensics.md

@@ -213,6 +213,86 @@ This crates provides structs and functions to insert timeline data into an elast
 
 
 
+## `es4forensics import`
+
+**Usage:** `es4forensics import [OPTIONS] [INPUT_FILE]`
+
+###### **Arguments:**
+
+* `<INPUT_FILE>` — path to input file or '-' for stdin (files ending with .gz will be treated as being gzipped)
+
+  Default value: `-`
+
+###### **Options:**
+
+* `--bulk-size <BULK_SIZE>` — number of timeline entries to combine in one bulk operation
+
+  Default value: `1000`
+
+
+
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `es4forensics`
+
+This document contains the help content for the `es4forensics` command-line program.
+
+**Command Overview:**
+
+* [`es4forensics`↴](#es4forensics)
+* [`es4forensics create-index`↴](#es4forensics-create-index)
+* [`es4forensics import`↴](#es4forensics-import)
+
+## `es4forensics`
+
+This crates provides structs and functions to insert timeline data into an elasticsearch index
+
+**Usage:** `es4forensics [OPTIONS] --index <INDEX_NAME> --password <PASSWORD> <COMMAND>`
+
+###### **Subcommands:**
+
+* `create-index` — 
+* `import` — 
+
+###### **Options:**
+
+* `--strict` — strict mode: do not only warn, but abort if an error occurs
+* `-I`, `--index <INDEX_NAME>` — name of the elasticsearch index
+* `-H`, `--host <HOST>` — server name or IP address of elasticsearch server
+
+  Default value: `localhost`
+* `-P`, `--port <PORT>` — API port number of elasticsearch server
+
+  Default value: `9200`
+* `--proto <PROTOCOL>` — protocol to be used to connect to elasticsearch
+
+  Default value: `https`
+
+  Possible values: `http`, `https`
+
+* `-k`, `--insecure` — omit certificate validation
+
+  Default value: `false`
+* `-U`, `--username <USERNAME>` — username for elasticsearch server
+
+  Default value: `elastic`
+* `-W`, `--password <PASSWORD>` — password for authenticating at elasticsearch
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
+## `es4forensics create-index`
+
+**Usage:** `es4forensics create-index`
+
+
+
 ## `es4forensics import`
 
 **Usage:** `es4forensics import [OPTIONS] [INPUT_FILE]`

doc/evtx2bodyfile.md

@@ -108,6 +108,45 @@ creates bodyfile from Windows evtx files
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `evtx2bodyfile`
+
+This document contains the help content for the `evtx2bodyfile` command-line program.
+
+**Command Overview:**
+
+* [`evtx2bodyfile`↴](#evtx2bodyfile)
+
+## `evtx2bodyfile`
+
+creates bodyfile from Windows evtx files
+
+**Usage:** `evtx2bodyfile [OPTIONS] [EVTX_FILES]...`
+
+###### **Arguments:**
+
+* `<EVTX_FILES>` — names of the evtx files
+
+###### **Options:**
+
+* `-F`, `--format <FORMAT>` — select output format
+
+  Default value: `bodyfile`
+
+  Possible values: `json`, `bodyfile`
+
+* `-S`, `--strict` — fail upon read error
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>

doc/evtxanalyze.md

@@ -226,6 +226,94 @@ generate a process tree
 
 
 
+## `evtxanalyze sessions`
+
+display sessions
+
+**Usage:** `evtxanalyze sessions [OPTIONS] <EVTX_FILES_DIR>`
+
+###### **Arguments:**
+
+* `<EVTX_FILES_DIR>` — Names of the evtx files to parse
+
+###### **Options:**
+
+* `--include-anonymous` — include anonymous sessions
+
+
+
+## `evtxanalyze session`
+
+display one single session
+
+**Usage:** `evtxanalyze session <EVTX_FILES_DIR> <SESSION_ID>`
+
+###### **Arguments:**
+
+* `<EVTX_FILES_DIR>` — Names of the evtx files to parse
+* `<SESSION_ID>` — Session ID
+
+
+
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `evtxanalyze`
+
+This document contains the help content for the `evtxanalyze` command-line program.
+
+**Command Overview:**
+
+* [`evtxanalyze`↴](#evtxanalyze)
+* [`evtxanalyze pstree`↴](#evtxanalyze-pstree)
+* [`evtxanalyze sessions`↴](#evtxanalyze-sessions)
+* [`evtxanalyze session`↴](#evtxanalyze-session)
+
+## `evtxanalyze`
+
+crate provide functions to analyze evtx files
+
+**Usage:** `evtxanalyze [OPTIONS] <COMMAND>`
+
+###### **Subcommands:**
+
+* `pstree` — generate a process tree
+* `sessions` — display sessions
+* `session` — display one single session
+
+###### **Options:**
+
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
+## `evtxanalyze pstree`
+
+generate a process tree
+
+**Usage:** `evtxanalyze pstree [OPTIONS] <EVTX_FILE>`
+
+###### **Arguments:**
+
+* `<EVTX_FILE>` — Name of the evtx file to parse
+
+###### **Options:**
+
+* `-U`, `--username <USERNAME>` — display only processes of this user (case insensitive regex search)
+* `-F`, `--format <FORMAT>` — output format
+
+  Default value: `csv`
+
+  Possible values: `json`, `markdown`, `csv`, `latex`, `dot`
+
+
+
+
 ## `evtxanalyze sessions`
 
 display sessions

doc/evtxcat.md

@@ -117,6 +117,48 @@ Display one or more events from an evtx file
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `evtxcat`
+
+This document contains the help content for the `evtxcat` command-line program.
+
+**Command Overview:**
+
+* [`evtxcat`↴](#evtxcat)
+
+## `evtxcat`
+
+Display one or more events from an evtx file
+
+**Usage:** `evtxcat [OPTIONS] <EVTX_FILE>`
+
+###### **Arguments:**
+
+* `<EVTX_FILE>` — Name of the evtx file to read from
+
+###### **Options:**
+
+* `--min <MIN>` — filter: minimal event record identifier
+* `--max <MAX>` — filter: maximal event record identifier
+* `-i`, `--id <ID>` — show only the one event with this record identifier
+* `-T`, `--display-table` — don't display the records in a table format
+* `-F`, `--format <FORMAT>` — output format
+
+  Default value: `xml`
+
+  Possible values: `json`, `xml`
+
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>