Merge pull request #4 from dfir-dd/feature/ts2date

Feature/ts2date

Cargo.toml

@@ -67,9 +67,14 @@ name = "ipgrep"
 path = "src/bin/ipgrep/main.rs"
 required-features = ["ipgrep"]
 
+[[bin]]
+name = "ts2date"
+path = "src/bin/ts2date/main.rs"
+required-features = ["ts2date"]
+
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [features]
-default = ["pol_export", "mactime2", "evtxtools", "regdump", "hivescan", "cleanhive", "ipgrep"]
+default = ["pol_export", "mactime2", "evtxtools", "regdump", "hivescan", "cleanhive", "ipgrep", "ts2date"]
 mactime2 = ["gzip", "elastic", "chrono-tz", "thiserror", "bitflags", "encoding_rs_io"]
 gzip = ["flate2"]
 elastic = ["elasticsearch", "tokio", "futures", "serde_json", "sha2", "base64", "num-traits", "num-derive", "strum", "strum_macros", "tokio-async-drop"]
@@ -81,6 +86,7 @@ evtxls = ["evtx", "colored", "lazy-regex", "regex", "sigpipe", "dfirtk-eventdata
 evtxanalyze = ["evtx", "dfirtk-sessionevent-derive", "dfirtk-eventdata"]
 evtx2bodyfile = ["evtx", "getset", "ouroboros", "indicatif"]
 ipgrep = []
+ts2date = ["regex"]
 
 regdump = ["nt_hive2"]
 hivescan = ["nt_hive2"]
@@ -98,6 +104,7 @@ log = {version = "0.4", features = [ "release_max_level_info" ]}
 serde = { version = "1.0", features = ["derive"] }
 simplelog = "0.12"
 winstructs = "0.3.0"
+regex = {version = "1", optional=true}
 
 clap-markdown = "0.1.3"
 clap_complete = "4"
@@ -119,7 +126,6 @@ evtx={version="0.8", optional=true}
 colored_json = {version="3", optional=true}
 term-table = {version = "1.3", optional=true}
 termsize = {version = "0.1", optional=true}
-regex = {version = "1", optional=true}
 colored = {version = "2", optional=true}
 lazy-regex = {version = "3.0.0", optional=true}
 sigpipe = {version = "0", optional=true}

README.md

@@ -24,7 +24,7 @@
   - [x] [`regdump`](#regdump)
   - [ ] [`regls`](https://github.com/janstarke/regls)
   - [ ] [`regview`](https://github.com/janstarke/regview)
-  - [ ] [`ts2date`](https://github.com/janstarke/ts2date)
+  - [x] [`ts2date`](#ts2date)
   - [ ] [`usnjrnl_dump`](https://github.com/janstarke/usnjrnl)
 
 # Overview of timelining tools
@@ -94,7 +94,7 @@ This document contains the help content for the `es4forensics` command-line prog
 
 ## `es4forensics`
 
-CLI tools for digital forensics and incident response
+This crates provides structs and functions to insert timeline data into an elasticsearch index
 
 **Usage:** `es4forensics [OPTIONS] --index <INDEX_NAME> --password <PASSWORD> <COMMAND>`
 
@@ -172,7 +172,7 @@ This document contains the help content for the `evtx2bodyfile` command-line pro
 
 ## `evtx2bodyfile`
 
-CLI tools for digital forensics and incident response
+Parses a lot of evtx files and prints a bodyfile
 
 **Usage:** `evtx2bodyfile [OPTIONS] [EVTX_FILES]...`
 
@@ -209,7 +209,7 @@ This document contains the help content for the `evtxanalyze` command-line progr
 
 ## `evtxanalyze`
 
-CLI tools for digital forensics and incident response
+crate provide functions to analyze evtx files
 
 **Usage:** `evtxanalyze [OPTIONS] <COMMAND>`
 
@@ -294,7 +294,7 @@ This document contains the help content for the `evtxcat` command-line program.
 
 ## `evtxcat`
 
-CLI tools for digital forensics and incident response
+Display one or more events from an evtx file
 
 **Usage:** `evtxcat [OPTIONS] <EVTX_FILE>`
 
@@ -336,7 +336,7 @@ This document contains the help content for the `evtxls` command-line program.
 
 ## `evtxls`
 
-CLI tools for digital forensics and incident response
+Display one or more events from an evtx file
 
 **Usage:** `evtxls [OPTIONS] [EVTX_FILES]...`
 
@@ -406,7 +406,7 @@ This document contains the help content for the `evtxscan` command-line program.
 
 ## `evtxscan`
 
-CLI tools for digital forensics and incident response
+Find time skews in an evtx file
 
 **Usage:** `evtxscan [OPTIONS] <EVTX_FILE>`
 
@@ -476,7 +476,7 @@ This document contains the help content for the `ipgrep` command-line program.
 
 ## `ipgrep`
 
-CLI tools for digital forensics and incident response
+search for IP addresses in text files
 
 **Usage:** `ipgrep [OPTIONS] [FILE]...`
 
@@ -518,7 +518,7 @@ This document contains the help content for the `mactime2` command-line program.
 
 ## `mactime2`
 
-CLI tools for digital forensics and incident response
+replacement for `mactime`
 
 **Usage:** `mactime2 [OPTIONS]`
 
@@ -562,7 +562,7 @@ This document contains the help content for the `pol_export` command-line progra
 
 ## `pol_export`
 
-CLI tools for digital forensics and incident response
+Exporter for Windows Registry Policy Files
 
 **Usage:** `pol_export [OPTIONS] <POLFILE>`
 
@@ -594,7 +594,7 @@ This document contains the help content for the `regdump` command-line program.
 
 ## `regdump`
 
-CLI tools for digital forensics and incident response
+parses registry hive files and prints a bodyfile
 
 **Usage:** `regdump [OPTIONS] <HIVE_FILE>`
 
@@ -613,6 +613,43 @@ CLI tools for digital forensics and incident response
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `ts2date`
+
+This document contains the help content for the `ts2date` command-line program.
+
+**Command Overview:**
+
+* [`ts2date`↴](#ts2date)
+
+## `ts2date`
+
+replaces UNIX timestamps in a stream by a formatted date
+
+**Usage:** `ts2date [OPTIONS] [INPUT_FILE] [OUTPUT_FILE]`
+
+###### **Arguments:**
+
+* `<INPUT_FILE>` — name of the file to read (default from stdin)
+
+  Default value: `-`
+* `<OUTPUT_FILE>` — name of the file to write (default to stdout)
+
+  Default value: `-`
+
+###### **Options:**
+
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>

scripts/update-md.sh

@@ -29,7 +29,7 @@ cat >README.md <<'EOF'
   - [x] [`regdump`](#regdump)
   - [ ] [`regls`](https://github.com/janstarke/regls)
   - [ ] [`regview`](https://github.com/janstarke/regview)
-  - [ ] [`ts2date`](https://github.com/janstarke/ts2date)
+  - [x] [`ts2date`](#ts2date)
   - [ ] [`usnjrnl_dump`](https://github.com/janstarke/usnjrnl)
 
 # Overview of timelining tools

src/apps/mactime2/cli.rs

@@ -3,18 +3,19 @@ use clio::Input;
 use log::LevelFilter;
 use chrono_tz::Tz;
 
-use crate::common::HasVerboseFlag;
+use crate::common::{HasVerboseFlag,TzArgument};
 
-use super::{OutputFormat, TzArgument};
+use super::OutputFormat;
 
 #[cfg(feature = "gzip")]
 const BODYFILE_HELP: &str =
     "path to input file or '-' for stdin (files ending with .gz will be treated as being gzipped)";
 #[cfg(not(feature = "gzip"))]
 const BODYFILE_HELP: &str = "path to input file or '-' for stdin";
 
+/// replacement for `mactime`
 #[derive(Parser)]
-#[clap(name="mactime2", author, version, about, long_about = None)]
+#[clap(name="mactime2", author, version, long_about = None)]
 
 pub struct Cli {
     #[clap(short('b'), value_parser, value_hint=ValueHint::FilePath, default_value="-", help=BODYFILE_HELP, display_order(100))]

src/apps/mactime2/mod.rs

@@ -5,8 +5,6 @@ pub mod error;
 pub mod filter;
 mod output;
 mod cli;
-mod tzargument;
 
 pub use application::*;
 pub use cli::*;
-pub (crate) use tzargument::*;

src/bin/es4forensics/cli.rs

@@ -26,8 +26,9 @@ pub(crate) enum Action {
     },
 }
 
+/// This crates provides structs and functions to insert timeline data into an elasticsearch index.
 #[derive(Parser)]
-#[clap(name=env!("CARGO_BIN_NAME"), author, version, about, long_about = None)]
+#[clap(name=env!("CARGO_BIN_NAME"), author, version, long_about = None)]
 pub struct Cli {
     #[command(subcommand)]
     pub(crate) action: Action,

src/bin/evtx2bodyfile/cli.rs

@@ -5,8 +5,9 @@ use dfir_toolkit::common::HasVerboseFlag;
 use getset::Getters;
 use log::LevelFilter;
 
+/// creates bodyfile from Windows evtx files
 #[derive(Parser, Clone, Getters)]
-#[clap(name=env!("CARGO_BIN_NAME"), author, version, about, long_about = None)]
+#[clap(name=env!("CARGO_BIN_NAME"), author, version, long_about = None)]
 #[getset(get = "pub (crate)")]
 pub(crate) struct Cli {
     /// names of the evtx files

src/bin/evtxanalyze/cli.rs

@@ -57,8 +57,9 @@ pub enum Command {
     },
 }
 
+/// crate provide functions to analyze evtx files
 #[derive(Parser)]
-#[clap(name=env!("CARGO_BIN_NAME"), author, version, about, long_about = None)]
+#[clap(name=env!("CARGO_BIN_NAME"), author, version, long_about = None)]
 pub(crate) struct Cli {
     #[command(subcommand)]
     pub(crate) command: Command,

src/bin/evtxcat/cli.rs

@@ -6,7 +6,7 @@ use crate::output_format::OutputFormat;
 
 /// Display one or more events from an evtx file
 #[derive(Parser)]
-#[clap(name=env!("CARGO_BIN_NAME"),author,version,about)]
+#[clap(name=env!("CARGO_BIN_NAME"), author, version)]
 pub (crate) struct Cli {
     /// Name of the evtx file to read from
     pub (crate) evtx_file: String,

src/bin/evtxls/cli.rs

@@ -20,7 +20,7 @@ pub(crate) enum SortOrder {
 
 /// Display one or more events from an evtx file
 #[derive(Parser)]
-#[clap(name=env!("CARGO_BIN_NAME"), author,version,about,long_about=None)]
+#[clap(name=env!("CARGO_BIN_NAME"), author, version,long_about=None)]
 pub(crate) struct Cli {
     /// Name of the evtx files to read from
     pub(crate) evtx_files: Vec<String>,

src/bin/evtxscan/cli.rs

@@ -5,7 +5,7 @@ use log::LevelFilter;
 
 /// Find time skews in an evtx file
 #[derive(Parser)]
-#[clap(name=env!("CARGO_BIN_NAME"), author, version, about)]
+#[clap(name=env!("CARGO_BIN_NAME"), author, version)]
 pub (crate) struct Cli {
     /// name of the evtx file to scan
     pub (crate) evtx_file: String,

src/bin/ipgrep/cli.rs

@@ -6,8 +6,9 @@ use log::LevelFilter;
 
 use crate::{ip_filter::IpFilter, format_ipv4};
 
+/// search for IP addresses in text files
 #[derive(Parser)]
-#[clap(name=env!("CARGO_BIN_NAME"), author,version,about,long_about=None)]
+#[clap(name=env!("CARGO_BIN_NAME"), author, version,long_about=None)]
 pub(crate) struct Cli {
     pub(crate) file: Vec<PathBuf>,