Skip to content

Latest commit

 

History

History
122 lines (107 loc) · 7.41 KB

README.rst

File metadata and controls

122 lines (107 loc) · 7.41 KB
> dfxlibs -h
  usage: dfxlibs [-h] [-m META_FOLDER] [-s SCAN_DIR] [--meta_create] [-i IMAGE [IMAGE ...]]
                 [--bde_recovery BDE_RECOVERY] [--part PART] [-pevtx] [-pf] [-pvss]
                 [--hash HASH [HASH ...]] [--filetypes] [-ppf] [-preg] [-plnk] [-pusn] [-cevtx] [-cpf]
                 [-clnk] [-cusn] [--analyze_start ANALYZE_START] [--analyze_end ANALYZE_END] [-aar]
                 [-ardp] [-asi] [-aut] [-aui] [-sfn SCAN_FILENAME] [-sft SCAN_FILETYPE]
                 [-shl SCAN_HASHLIST] [-e EXTRACT [EXTRACT ...]] [-lp]

  dfxlibs: A python digital forensics toolkit (version 0.1.0)

  optional arguments:
    -h, --help            show this help message and exit

  General Arguments:
    These parameters are used in all categories.

    -m META_FOLDER, --meta_folder META_FOLDER
                          folder to store and load meta information for one image
    -s SCAN_DIR, --scan_dir SCAN_DIR
                          folder to scan for meta folders. Used for scan options
    --meta_create         create meta information folder if not exists
    -i IMAGE [IMAGE ...], --image IMAGE [IMAGE ...]
                          forensic image file. This parameter is stored in the meta information folder,
                          so it is only needed for the first call on an image. If this parameter is
                          given on proceeding calls, it will overwrite the parameter in the meta
                          information folder (so be careful to not mix up different images in one meta
                          information folder).
    --bde_recovery BDE_RECOVERY
                          Bitlocker recovery key for bitlocker encrypted volumes
    --part PART           Specify partition for actions like --prepare_files. It must be named as given
                          in the --list_partitions output. Without --part all partitions in an image
                          will be included.

  Preparation:
    These arguments prepare the data from the image for further analysis

    -pevtx, --prepare_evtx
                          read all windows evtx logs in a given Image and stores them in a sqlite
                          database in the meta_folder. You can specify a partition with --part.
    -pf, --prepare_files  Scan files and directories of all partitions. You can specify a partition with
                          --part. The file entries will be stored in the meta_folder in a sqlite
                          database
    -pvss, --prepare_vss  Scan for files and directories in volume shadow copies of all partitions. You
                          can specify a partition with --part. The file entries will be stored in the
                          meta_folder in a sqlite database
    --hash HASH [HASH ...]
                          Hash all files <256 MiB of all partitions. You can specify a partition with
                          --part. Possible algorithms are md5, sha1, sha256 and tlsh. A minimum filesize
                          of 50 bytes is required for tlsh. The result is stored in the file database.
    --filetypes           turn on signature based detection of filetypes of all files in all partitions.
                          The result is stored in the file database. You can specify a partition with
                          --part.
    -ppf, --prepare_prefetch
                          reading prefetch files and stores the entries in a sqlite database in the
                          meta_folder. You can specify a partition with --part.
    -preg, --prepare_reg  read the windows registry and stores them in a sqlite database in the
                          meta_folder. You can specify a partition with --part.
    -plnk, --prepare_lnk  reading lnk files and stores the entries in a sqlite database in the
                          meta_folder. You can specify a partition with --part.
    -pusn, --prepare_usn  reading ntfs usn journals and stores the entries in a sqlite database in the
                          meta_folder. You can specify a partition with --part.

  Carving:
    These arguments are for different carving options.

    -cevtx, --carve_evtx  carve for windows evtx entries and stores them in the same database as for the
                          --prepare_evtx argument
    -cpf, --carve_prefetch
                          carve for prefetch files and stores them in the same database as for the
                          --prepare_prefetch argument
    -clnk, --carve_lnk    carve for lnk files and stores them in the same database as for the
                          --prepare_lnk argument
    -cusn, --carve_usn    carve for ntfs usn journal entries and stores them in the same database as for
                          the --prepare_usn argument

  Analyze:
    These arguments are for in-depth analysis of the image.

    --analyze_start ANALYZE_START
                          Specify a start date in format YYYY-MM-DD for event based analysis (e.g.
                          logins). Only events after or equal the given date are analyzed.
    --analyze_end ANALYZE_END
                          Specify a end date in format YYYY-MM-DD for event based analysis (e.g.
                          logins). Only events before or equal the given date are analyzed.
    -aar, --analyze_autoruns
                          list different autorun jobs
    -ardp, --analyze_rdp_sessions
                          list rdp sessions from system logs
    -asi, --analyze_sys_infos
                          list multiple system information
    -aut, --analyze_uptimes
                          list timeranges, when the system was up and running. Up and running is defined
                          by at least one eventlog entry within 60 minutes
    -aui, --analyze_user_infos
                          list multiple user information

  Scan:
    These arguments are for scanning multiple images for search parameters.

    -sfn SCAN_FILENAME, --scan_filename SCAN_FILENAME
                          scan for matches for given filename. "%" (any sequence of zero or more
                          characters) and "_" (single character) can be used as wildcards
    -sft SCAN_FILETYPE, --scan_filetype SCAN_FILETYPE
                          scan for matches for given filetype
    -shl SCAN_HASHLIST, --scan_hashlist SCAN_HASHLIST
                          scan for matches from given hashlist file (one hash per line)

  Special actions:
    These parameters contains short and simple actions.

    -e EXTRACT [EXTRACT ...], --extract EXTRACT [EXTRACT ...]
                          Extracts files from the image and stores them to the meta_folder. You have to
                          give the full path and filename (with leading slash - even slashes instead of
                          backslashes for windows images) or a meta address. As default source
                          "filesystem" for regular files in the image will be used. You can give another
                          file-source (e.g. "vss#0" for shadow copy store 0) by just adding it in front
                          of your path and separate it with a colon (e.g. "vss#0:/path/testfile.txt" for
                          /path/testfile.txt from vss#0). You can give multiple files at once
    -lp, --list_partitions
                          print partition list