Merge pull request #19 from dfir-dd/feature/scca2bodyfile

Feature/scca2bodyfile

.github/workflows/cargo_publish.yml

@@ -8,6 +8,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
         - uses: actions/checkout@v2
+
+        - name: Install required libscca-dev
+          run: sudo apt install -y libscca-dev
+
         - uses: actions-rs/toolchain@v1
           with:
               toolchain: stable

.github/workflows/cargo_test.yml

@@ -8,6 +8,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+
+      - name: Install required libscca-dev
+        run: sudo apt install -y libscca-dev
+
       - uses: actions-rs/toolchain@v1
         with:
           toolchain: stable

.github/workflows/coverage.yml

@@ -8,6 +8,9 @@ jobs:
     steps:
 
       - uses: actions/checkout@v1
+
+      - name: Install required libscca-dev
+        run: sudo apt install -y libscca-dev
 
       - uses: actions-rs/toolchain@v1
         with:

.github/workflows/rust-clippy.yml

@@ -38,6 +38,9 @@ jobs:
           components: clippy
           override: true
 
+      - name: Install required libscca-dev
+        run: sudo apt install -y libscca-dev
+
       - name: Install required cargo
         run: cargo install clippy-sarif sarif-fmt
 

Cargo.toml

@@ -77,9 +77,15 @@ name = "lnk2bodyfile"
 path = "src/bin/lnk2bodyfile/main.rs"
 required-features = ["lnk2bodyfile"]
 
+
+[[bin]]
+name = "pf2bodyfile"
+path = "src/bin/pf2bodyfile/main.rs"
+required-features = ["pf2bodyfile"]
+
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [features]
-default = ["pol_export", "mactime2", "evtxtools", "regdump", "hivescan", "cleanhive", "ipgrep", "ts2date", "lnk2bodyfile"]
+default = ["pol_export", "mactime2", "evtxtools", "regdump", "hivescan", "cleanhive", "ipgrep", "ts2date", "lnk2bodyfile", "pf2bodyfile"]
 mactime2 = ["gzip", "elastic", "chrono-tz", "thiserror", "bitflags", "encoding_rs_io"]
 gzip = ["flate2"]
 elastic = ["elasticsearch", "tokio", "futures", "serde_json", "sha2", "base64", "num-traits", "num-derive", "strum", "strum_macros", "tokio-async-drop"]
@@ -93,6 +99,7 @@ evtx2bodyfile = ["evtx", "getset", "ouroboros", "indicatif"]
 ipgrep = []
 ts2date = ["regex"]
 lnk2bodyfile = ["lnk"]
+pf2bodyfile = ["num", "libc"]
 
 regdump = ["nt_hive2"]
 hivescan = ["nt_hive2"]
@@ -166,6 +173,10 @@ nt_hive2 = {version="4.0.1", optional=true}
 # lnk2bodyfile
 lnk = {version="0.5.1", optional=true}
 
+# pf2bodyfile
+libc = {version="0.2", optional=true}
+num = {version="0", optional=true}
+
 [dev-dependencies]
 
 # mactime2

README.md

@@ -15,6 +15,7 @@
 - [Overview of timelining tools](#overview-of-timelining-tools)
 - [Tools](#tools)
   - [x] [`cleanhive`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/cleanhive.md)
+  - [x] [`pf2bodyfile`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/pf2bodyfile.md)
   - [x] [`evtx2bodyfile`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtx2bodyfile.md)
   - [x] [`evtxanalyze`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxanalyze.md)
   - [x] [`evtxscan`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxscan.md)
@@ -42,6 +43,7 @@
 # Installation
 
 ```bash
+sudo apt install libscca-dev
 cargo install dfir-toolkit
 ```
 
@@ -88,4 +90,6 @@ $ DFIR_DATE="%F %T (%Z)" mac2time2 -b tests/data/mactime2/sample.bodyfile -d | h
 2022-04-21 00:57:51 (UTC),4096,m...,d/drwxr-xr-x,0,0,38010881,"/srv"
 ```
 
-The value of `DFIR_DATE` can be any format string which can also be used in `DateTime::strftime` (<https://docs.rs/chrono/latest/chrono/format/strftime/index.html>)
+The value of `DFIR_DATE` can be any format string which can also be used in `DateTime::strftime` (<https://docs.rs/chrono/latest/chrono/format/strftime/index.html>)
+
+

doc/cleanhive.md

@@ -63,6 +63,78 @@ merges logfiles into a hive file
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `cleanhive`
+
+This document contains the help content for the `cleanhive` command-line program.
+
+**Command Overview:**
+
+* [`cleanhive`↴](#cleanhive)
+
+## `cleanhive`
+
+merges logfiles into a hive file
+
+**Usage:** `cleanhive [OPTIONS] <HIVE_FILE>`
+
+###### **Arguments:**
+
+* `<HIVE_FILE>` — name of the file to dump
+
+###### **Options:**
+
+* `-L`, `--log <LOGFILES>` — transaction LOG file(s). This argument can be specified one or two times
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+* `-O`, `--output <DST_HIVE>` — name of the file to which the cleaned hive will be written
+
+  Default value: `-`
+
+
+
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `cleanhive`
+
+This document contains the help content for the `cleanhive` command-line program.
+
+**Command Overview:**
+
+* [`cleanhive`↴](#cleanhive)
+
+## `cleanhive`
+
+merges logfiles into a hive file
+
+**Usage:** `cleanhive [OPTIONS] <HIVE_FILE>`
+
+###### **Arguments:**
+
+* `<HIVE_FILE>` — name of the file to dump
+
+###### **Options:**
+
+* `-L`, `--log <LOGFILES>` — transaction LOG file(s). This argument can be specified one or two times
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+* `-O`, `--output <DST_HIVE>` — name of the file to which the cleaned hive will be written
+
+  Default value: `-`
+
+
+
 <hr/>
 
 <small><i>