version v0.27.0

cuhsat · Jun 12, 2024 · 81e5d94 · 81e5d94
1 parent 31e17c3
commit 81e5d94
Show file tree

Hide file tree

Showing 21 changed files with 596 additions and 298 deletions.
diff --git a/README.md b/README.md
@@ -100,14 +100,13 @@ Required system commands:
 > Use `make tools` to install [Eric Zimmerman's Tools](https://ericzimmerman.github.io/#!index.md).
 
 #### Roadmap
-- [ ] Support for [System Active Directory](https://forensics.wiki/active_directory/)
-- [ ] Support for [System Registry Hives](https://forensics.wiki/windows_registry/)
-- [ ] Support for [System Prefetch Files](https://forensics.wiki/prefetch/)
-- [x] Support for [System Event Logs](https://forensics.wiki/windows_event_log_%28evt%29/)
-- [ ] Support for [System AmCache](https://forensics.wiki/amcache/)
-- [ ] Support for [User Registry Hives](https://forensics.wiki/windows_registry/)
-- [ ] Support for [User Jump Lists](https://forensics.wiki/jump_lists/)
-- [ ] Support for [User Browser Histories](https://forensics.wiki/google_chrome/)
+- [ ] [System Active Directory](https://forensics.wiki/active_directory/)
+- [ ] [System Prefetch Files](https://forensics.wiki/prefetch/)
+- [x] [System Event Logs](https://forensics.wiki/windows_event_log_%28evt%29/)
+- [ ] [System AmCache](https://forensics.wiki/amcache/)
+- [ ] [User ShellBags](https://forensics.wiki/shell_item/)
+- [x] [User JumpLists](https://forensics.wiki/jump_lists/)
+- [ ] [User Browser Histories](https://forensics.wiki/google_chrome/)
 
 ## License
 Released under the [MIT License](LICENSE).
diff --git a/cmd/ffind/main.go b/cmd/ffind/main.go
@@ -58,7 +58,7 @@ func main() {
 	flag.CommandLine.SetOutput(io.Discard)
 	flag.Parse()
 
-	mnt := sys.Args()
+	mnts, _ := sys.Args()
 
 	if *v {
 		sys.Final("ffind", fact.Version)
@@ -80,12 +80,12 @@ func main() {
 		sys.Fatal("system or user required")
 	}
 
-	if *r && len(mnt) > 1 {
+	if *r && len(mnts) > 1 {
 		sys.Error("relative paths disabled")
 		*r = false
 	}
 
-	for _, p := range mnt {
+	for _, p := range mnts {
 		ffind.Find(p, *Z, *C, *H, *r, *c, *s, *u)
 	}
 }
diff --git a/cmd/flog/main.go b/cmd/flog/main.go
@@ -27,12 +27,10 @@ package main
 import (
 	"flag"
 	"io"
-	"path/filepath"
 
 	"github.com/cuhsat/fact/internal/fact"
 	"github.com/cuhsat/fact/internal/sys"
 	"github.com/cuhsat/fact/pkg/flog"
-	"golang.org/x/sync/errgroup"
 )
 
 func main() {
@@ -45,7 +43,9 @@ func main() {
 	flag.CommandLine.SetOutput(io.Discard)
 	flag.Parse()
 
-	files := flog.StripHash(sys.Args())
+	args, _ := sys.Args()
+
+	files := flog.StripHash(args)
 
 	if *v {
 		sys.Final("flog", fact.Version)
@@ -59,18 +59,9 @@ func main() {
 		sys.Progress = nil
 	}
 
-	g := new(errgroup.Group)
-
-	for _, f := range files {
-		if filepath.Ext(f) == flog.Evtx {
-			g.Go(func() (err error) {
-				_, err = flog.LogEvent(f, *D, *p)
-				return
-			})
-		}
-	}
+	err := flog.Log(files, *D, *p)
 
-	if err := g.Wait(); err != nil {
+	if err != nil {
 		sys.Fatal(err)
 	}
 }
diff --git a/cmd/fmount/main.go b/cmd/fmount/main.go
@@ -60,20 +60,22 @@ func main() {
 	flag.CommandLine.SetOutput(io.Discard)
 	flag.Parse()
 
-	img := sys.Arg()
+	args, xargs := sys.Args()
 
 	if *v {
 		sys.Final("fmount", fact.Version)
 	}
 
-	if *h || len(img) == 0 {
+	if *h || len(args) == 0 {
 		sys.Usage("fmount [-ruszqhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-B KEY] [-D DIR] IMAGE")
 	}
 
 	if *q {
 		sys.Progress = nil
 	}
 
+	img := args[0]
+
 	if *z {
 		ex, err := fmount.Extract(img)
 
@@ -102,12 +104,12 @@ func main() {
 
 	var err error
 
-	if *r {
-		_, err = fmount.KeyIds(img)
-	} else if *u {
+	if *u {
 		err = fmount.Unmount(img)
+	} else if *r {
+		_, err = fmount.KeyIds(img, xargs)
 	} else {
-		_, err = fmount.Mount(img, *D, *B, *s)
+		_, err = fmount.Mount(img, *D, *B, *s, xargs)
 	}
 
 	if err != nil {

diff --git a/internal/flog/evtx.go b/internal/flog/evtx.go
diff --git a/internal/flog/ez.go b/internal/flog/ez.go
@@ -0,0 +1,54 @@
+// Eric Zimmermann tools.
+package flog
+
+import (
+	"path/filepath"
+
+	"github.com/cuhsat/fact/internal/fact/ez"
+	"github.com/cuhsat/fact/internal/sys"
+)
+
+func EvtxeCmd(src, dir string) (log string, err error) {
+	cmd, err := ez.Path("EvtxECmd.dll")
+
+	if err != nil {
+		return
+	}
+
+	if len(dir) == 0 {
+		dir = filepath.Dir(src)
+	}
+
+	dst := filepath.Base(src) + ".json"
+	log = filepath.Join(dir, dst)
+
+	_, err = sys.StdCall("dotnet", cmd, "-f", src, "--fj", "--json", dir, "--jsonf", dst)
+
+	return
+}
+
+func JleCmd(src, dir string) (log string, err error) {
+	cmd, err := ez.Path("JLECmd.dll")
+
+	if err != nil {
+		return
+	}
+
+	if len(dir) == 0 {
+		dir = filepath.Dir(src)
+	}
+
+	dst := BaseFile(filepath.Base(src))
+	log = filepath.Join(dir, dst)
+
+	_, err = sys.StdCall("dotnet", cmd, "-f", src, "-q", "--csv", dir, "--csvf", dst+".csv")
+
+	switch filepath.Ext(src) {
+	case ".automaticDestinations-ms":
+		log += "_AutomaticDestinations.csv"
+	case ".customDestinations-ms":
+		log += "_CustomDestinations.csv"
+	}
+
+	return
+}
diff --git a/internal/flog/file.go b/internal/flog/file.go
@@ -3,18 +3,28 @@ package flog
 
 import (
 	"bufio"
+	"encoding/csv"
+	"encoding/json"
 	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/cuhsat/fact/internal/sys"
 )
 
-func ReadLines(name string) (lines []string, err error) {
+func BaseFile(name string) string {
+	b := filepath.Base(name)
+
+	return strings.TrimSuffix(b, filepath.Ext(b))
+}
+
+func ConsumeJson(name string) (lines []string, err error) {
 	f, err := os.Open(name)
 
 	if err != nil {
 		return
 	}
 
-	defer f.Close()
-
 	fs := bufio.NewScanner(f)
 
 	fs.Split(bufio.ScanLines)
@@ -23,5 +33,47 @@ func ReadLines(name string) (lines []string, err error) {
 		lines = append(lines, fs.Text())
 	}
 
+	f.Close()
+
+	err = os.Remove(name)
+
+	return
+}
+
+func ConsumeCsv(name string) (lines []string, err error) {
+	f, err := os.Open(name)
+
+	if err != nil {
+		return
+	}
+
+	rr, err := csv.NewReader(f).ReadAll()
+
+	if len(rr) <= 1 {
+		f.Close()
+		return
+	}
+
+	m := map[string]string{}
+
+	for _, r := range rr[1:] {
+		for i, c := range r {
+			m[rr[0][i]] = c
+		}
+
+		b, err := json.Marshal(m)
+
+		if err != nil {
+			sys.Error(err)
+			continue
+		}
+
+		lines = append(lines, string(b))
+	}
+
+	f.Close()
+
+	err = os.Remove(name)
+
 	return
 }
diff --git a/internal/flog/map.go b/internal/flog/map.go
@@ -21,25 +21,41 @@ var (
 )
 
 type Map struct {
+	c map[string]string
 	o object
 }
 
 type object any
 
 func NewMap(s string) (m *Map, err error) {
-	m = &Map{}
+	m = &Map{
+		c: make(map[string]string, 100),
+	}
 
 	b := bytes.TrimPrefix([]byte(s), bom)
 
 	return m, json.Unmarshal(b, &m.o)
 }
 
-func (m *Map) GetString(key string) (value string) {
-	return rget(m.o, strings.Split(key, KeySep))
+func (m *Map) GetString(keys ...string) (value string) {
+	for _, key := range keys {
+		if value, ok := m.c[key]; ok {
+			return value
+		}
+
+		value = rget(m.o, strings.Split(key, KeySep))
+
+		if len(value) > 0 {
+			m.c[key] = value
+			return
+		}
+	}
+
+	return
 }
 
-func (m *Map) GetInt64(key string) (value int64) {
-	value, err := strconv.ParseInt(m.GetString(key), 10, 64)
+func (m *Map) GetInt64(keys ...string) (value int64) {
+	value, err := strconv.ParseInt(m.GetString(keys...), 10, 64)
 
 	if err != nil {
 		return -1 // default
@@ -48,10 +64,10 @@ func (m *Map) GetInt64(key string) (value int64) {
 	return
 }
 
-func (m *Map) GetTime(key string) (value time.Time) {
+func (m *Map) GetTime(keys ...string) (value time.Time) {
 	const layout = "2006-01-02 15:04:05.9999999"
 
-	value, err := time.Parse(layout, m.GetString(key))
+	value, err := time.Parse(layout, m.GetString(keys...))
 
 	if err != nil {
 		return time.UnixMicro(0) // default