Forensic Artifacts Collecting Toolkit

A basic shell pipeline for extracting forensic artifacts from disk images. Relevant artifacts are processed and emitted in ECS (Elastic Common Schema) JSON format for ingestion with Logstash.

# fmount image.dd | ffind | flog -D logstash

Tools

fmount

Mount disk images for read-only processing.

# fmount [-ruszqhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-B KEY] [-D DIR] IMAGE

Available options:

  • -D Mount point
  • -B BitLocker key
  • -H Hash algorithm
  • -V Verify hash sum
  • -r BitLocker recovery key IDs
  • -u Unmount image
  • -s System partition only
  • -z Unzip image
  • -q Quiet mode
  • -h Show usage
  • -v Show version
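The check behind -H and -V deserves a closer look: an image should never be mounted, even read-only, until its hash matches the one recorded at acquisition, and the hash should be taken again after unmounting to prove nothing touched it. The following is an added example, not fmount's own code, showing that verify-then-mount step in POSIX sh with coreutils. The function names, the option set and the mount_image_ro wrapper are assumptions for this example; CRC32 is left out because POSIX cksum does not produce the zlib-style CRC-32 most tools report.

```shell
#!/bin/sh
# Added example, not code from fact/fmount: verify an image's checksum before
# (and after) a read-only loop mount, mirroring fmount's -H ALGO -V SUM check.
# Assumptions: POSIX sh with coreutils md5sum/sha1sum/sha256sum; mount is only
# attempted by mount_image_ro and needs root.

set -u

# hash_file ALGO FILE -> lowercase hex digest on stdout; 2 for unknown ALGO
hash_file() {
    algo=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$algo" in
        md5)    sum=$(md5sum "$2") ;;
        sha1)   sum=$(sha1sum "$2") ;;
        sha256) sum=$(sha256sum "$2") ;;
        *)      printf 'unsupported hash algorithm: %s\n' "$1" >&2; return 2 ;;
    esac || return 1
    printf '%s\n' "${sum%% *}"      # strip "  filename" from coreutils output
}

# verify_image_hash IMAGE ALGO SUM -> 0 on match, 1 on mismatch, 2 on bad ALGO
verify_image_hash() {
    actual=$(hash_file "$2" "$1") || return $?
    expected=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    if [ "$actual" = "$expected" ]; then
        printf 'OK %s %s\n' "$2" "$actual"
        return 0
    fi
    printf 'MISMATCH %s: expected %s, got %s\n' "$1" "$expected" "$actual" >&2
    return 1
}

# ro_mount_opts [OFFSET] -> mount options for evidence: never write, never run
# anything from the image, ignore device nodes and setuid bits it may contain.
# OFFSET is the partition start in bytes (start sector * sector size, as shown
# by fdisk -l IMAGE) when mounting one partition out of a whole-disk image.
ro_mount_opts() {
    opts=ro,loop,noexec,nosuid,nodev
    if [ $# -ge 1 ] && [ -n "$1" ]; then
        opts="$opts,offset=$1"
    fi
    printf '%s\n' "$opts"
}

# mount_image_ro IMAGE DIR ALGO SUM [OFFSET]: refuse to mount unless the image
# matches the expected sum, then mount it read-only (root required).
# Usage after sourcing this file:
#   mount_image_ro image.dd /mnt/evidence SHA256 <sum from acquisition> 1048576
mount_image_ro() {
    verify_image_hash "$1" "$3" "$4" || return $?
    mkdir -p "$2" || return 1
    mount -o "$(ro_mount_opts "${5:-}")" "$1" "$2"
}
```

Two caveats worth keeping in mind with any ro mount: an ext4 filesystem with a dirty journal is still replayed on a read-only mount unless noload is added, and the only proof that the evidence was not altered during processing is a second hash after unmounting that matches the first.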

Supported image types on Linux systems:

Required system commands:

ffind

Find forensic artifacts in mount points or on the live system.

$ ffind [-rcsuqhv] [-H CRC32|MD5|SHA1|SHA256] [-C CSV] [-Z ZIP] [MOUNT ...]

Available options:

  • -H Hash algorithm
  • -C CSV listing name
  • -Z Zip archive name
  • -r Relative paths
  • -c Volume shadow copy
  • -s System artifacts only
  • -u User artifacts only
  • -q Quiet mode
  • -h Show usage
  • -v Show version

Supported artifacts for Windows 7+ systems:

flog

Log forensic artifacts as JSON in ECS format.

$ flog [-pqhv] [-D DIRECTORY] [FILE ...]

Available options:

  • -D Log directory
  • -p Pretty JSON
  • -q Quiet mode
  • -h Show usage
  • -v Show version
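To make the ffind-to-flog half of the pipeline concrete, here is an added example (not ffind's or flog's own code) that checks a mount point for a few well-known Windows artifacts and writes one ECS JSON document per file, newline-delimited, which is the shape a Logstash json codec ingests. The artifact list, the function names and the ecs.version value are illustrative assumptions, not the project's lists; ECS field names (@timestamp, ecs.version, event.kind, event.category, file.path, file.name, file.hash.sha256, host.name) are the standard ones.

```shell
#!/bin/sh
# Added example, not code from fact/ffind/flog: check a mounted image for a few
# well-known Windows artifacts and emit one ECS (Elastic Common Schema) JSON
# document per file, newline-delimited.
# Assumptions: POSIX sh with coreutils; the artifact list below and the
# ecs.version value are illustrative choices, not the project's own.

set -u

# Paths relative to the mount point (constructed sample, not ffind's list).
ARTIFACTS='Windows/System32/config/SYSTEM
Windows/System32/config/SOFTWARE
Windows/System32/config/SAM
$MFT
Users/*/NTUSER.DAT'

# find_artifacts MOUNT -> absolute paths of the listed artifacts that exist
find_artifacts() {
    root=${1%/}
    printf '%s\n' "$ARTIFACTS" | while IFS= read -r rel; do
        for candidate in "$root"/$rel; do       # unquoted: expands Users/* glob
            if [ -f "$candidate" ]; then
                printf '%s\n' "$candidate"
            fi
        done
    done
    return 0
}

# json_escape STRING -> backslashes and double quotes escaped for a JSON string
# (file names from NTFS can contain both; control characters are not handled)
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# ecs_file_event MOUNT PATH SHA256 HOST TIMESTAMP -> one ECS JSON line.
# file.path is reported relative to the image root so it reads like a path on
# the evidence system rather than on the analysis box.
ecs_file_event() {
    root=${1%/}
    rel=${2#"$root"/}
    name=${2##*/}
    printf '{"@timestamp":"%s","ecs":{"version":"8.11.0"},"event":{"kind":"event","category":["file"],"type":["info"]},"file":{"path":"/%s","name":"%s","hash":{"sha256":"%s"}},"host":{"name":"%s"}}\n' \
        "$5" "$(json_escape "$rel")" "$(json_escape "$name")" "$3" "$(json_escape "$4")"
}

# log_mount MOUNT HOST -> NDJSON for every artifact found under MOUNT
# Usage after sourcing this file:  log_mount /mnt/evidence WS01 > ws01.ndjson
log_mount() {
    find_artifacts "$1" | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        ecs_file_event "$1" "$f" "$sum" "$2" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    done
}
```

Hashing each artifact at collection time is what lets the record in Logstash be tied back to the file on the verified image later; the escaping step matters because a single unescaped quote in a file name produces a document Logstash's json codec rejects for the whole line.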

Required system commands:

Run make tools to install Eric Zimmerman's Tools, which flog requires.

Supported artifacts for Windows 7+ systems:

License

Released under the MIT License.