version v0.14.0

.github/workflows/go.yml

@@ -6,8 +6,10 @@ on:
   pull_request:
     branches: [ "main" ]
 
-jobs:
+env:
+  EZTOOLS: ./bin
 
+jobs:
   build:
     runs-on: ubuntu-latest
     steps:
@@ -18,6 +20,9 @@ jobs:
       with:
         go-version: "1.22"
 
+    - name: Tools
+      run: make tools
+
     - name: Build
       run: go build -v -race ./...
 

.gitignore

@@ -22,7 +22,11 @@ go.work
 
 # Fact files
 bin/
+
 *.dd
 *.evtx
 *.zip
-!internal/testdata/windows*.zip
+
+!cmd/*
+!pkg/*
+!internal/testdata/windows*.zip

README.md

@@ -10,7 +10,7 @@ Forensic Artifacts Collecting Toolkit.
 - [fmount.dd](docs/fmount.dd.md)
 - [ffind](docs/ffind.md)
 - [flog](docs/flog.md)
-- [flog.evt](docs/flog.evt.md)
+- [flog.evtx](docs/flog.evtx.md)
 
 ## License
 Released under the [MIT License](LICENSE).

cmd/flog.evt/main.go → cmd/flog.evtx/main.go

@@ -2,7 +2,7 @@
 //
 // Usage:
 //
-//	flog [-hv] [-D DIRECTORY] [FILE ...]
+//	flog.evtx [-hv] [-D DIRECTORY] [FILE ...]
 //
 // The flags are:
 //
@@ -27,7 +27,7 @@ import (
 	"github.com/cuhsat/fact/internal/fact"
 	"github.com/cuhsat/fact/internal/sys"
 	"github.com/cuhsat/fact/pkg/flog"
-	"github.com/cuhsat/fact/pkg/flog/evt"
+	"github.com/cuhsat/fact/pkg/flog/evtx"
 	"golang.org/x/sync/errgroup"
 )
 
@@ -42,18 +42,18 @@ func main() {
 	files := flog.StripHash(sys.Args())
 
 	if *v {
-		sys.Print("flog", fact.Version)
+		sys.Print("flog.evtx", fact.Version)
 	}
 
 	if *h || len(files) == 0 {
-		sys.Usage("flog [-hv] [-D DIRECTORY] [FILE ...]")
+		sys.Usage("flog.evtx [-hv] [-D DIRECTORY] [FILE ...]")
 	}
 
 	g := new(errgroup.Group)
 
 	for _, f := range files {
 		g.Go(func() error {
-			return evt.Log(f, *D)
+			return evtx.Log(f, *D)
 		})
 	}
 

cmd/flog/main.go

@@ -57,7 +57,7 @@ func main() {
 	g := new(errgroup.Group)
 
 	g.Go(func() error {
-		return flog.Evt(files, args)
+		return flog.Evtx(files, args)
 	})
 
 	if err := g.Wait(); err != nil {

cmd/fmount.dd/main.go

@@ -0,0 +1,119 @@
+// Mount forensic raw or dd disk images for read-only processing.
+//
+// Usage:
+//
+//	fmount.dd [-fsuzhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-D DIRECTORY] IMAGE
+//
+// The flags are:
+//
+//	 -D directory
+//		The mount point directory.
+//	 -H algorithm
+//	 	The hash algorithm to use.
+//	 -V sum
+//	 	The hash sum to verify.
+//	 -f
+//		Force type (bypass check).
+//	 -s
+//		System partition only.
+//	 -u
+//		Unmount image.
+//	 -z
+//		Unzip image.
+//	 -h
+//		Show usage.
+//	 -v
+//		Show version.
+//
+// The arguments are:
+//
+//	 image
+//		The disk images filename.
+package main
+
+import (
+	"flag"
+	"io"
+	"strings"
+
+	"github.com/cuhsat/fact/internal/fact"
+	"github.com/cuhsat/fact/internal/sys"
+	"github.com/cuhsat/fact/pkg/fmount"
+	"github.com/cuhsat/fact/pkg/fmount/dd"
+)
+
+func main() {
+	D := flag.String("D", "", "Mount point")
+	H := flag.String("H", "", "Hash algorithm")
+	V := flag.String("V", "", "Hash sum")
+	f := flag.Bool("f", false, "Force mounting")
+	s := flag.Bool("s", false, "System partition only")
+	u := flag.Bool("u", false, "Unmount image")
+	z := flag.Bool("z", false, "Unzip image")
+	h := flag.Bool("h", false, "Show usage")
+	v := flag.Bool("v", false, "Show version")
+
+	flag.CommandLine.SetOutput(io.Discard)
+	flag.Parse()
+
+	img := sys.Arg()
+
+	if *v {
+		sys.Print("fmount.dd", fact.Version)
+	}
+
+	if *h || len(img) == 0 {
+		sys.Usage("fmount.dd [-fsuzhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-D DIRECTORY] IMAGE")
+	}
+
+	if *z {
+		ex, err := fmount.Extract(img)
+
+		if err != nil {
+			sys.Fatal(err)
+		} else {
+			img = ex
+		}
+	}
+
+	if (len(*H) == 0) != (len(*V) == 0) {
+		sys.Fatal("hash algorithm and sum are required")
+	}
+
+	if len(*H) > 0 && len(*V) > 0 {
+		ok, err := fmount.Verify(img, *H, *V)
+
+		if err != nil {
+			sys.Fatal(err)
+		}
+
+		if !ok {
+			sys.Fatal("hash sum does not match")
+		}
+	}
+
+	if !*f {
+		is, err := dd.Is(img)
+
+		if err != nil {
+			sys.Fatal(err)
+		}
+
+		if !is {
+			sys.Fatal("image type not supported")
+		}
+	}
+
+	if *u {
+		dd.Unmount(img)
+		return
+	}
+
+	p, err := dd.Mount(img, *D, *s)
+
+	if err != nil {
+		sys.Fatal(err)
+	}
+
+	sys.Print(strings.Join(p, "\n"))
+}

docs/flog.evt.md → docs/flog.evtx.md

@@ -1,8 +1,8 @@
-# flog.evt
+# flog.evtx
 Log Windows event log artifacts in [ECS](https://www.elastic.co/guide/en/ecs/current/index.html) schema.
 
 ```sh
-$ flog.evt [-hv] [-D DIRECTORY] [FILE ...]
+$ flog.evtx [-hv] [-D DIRECTORY] [FILE ...]
 ```
 
 Available options:
@@ -15,7 +15,7 @@ Required system commands:
 
 - [dotnet](https://dotnet.microsoft.com/en-us/download/dotnet/6.0)
 
-> Use `scripts/eztools.sh` to install [Eric Zimmerman's Tools](https://ericzimmerman.github.io/#!index.md).
+> Use `make tools` to install [Eric Zimmerman's Tools](https://ericzimmerman.github.io/#!index.md).
 
 ---
 Part of the [Forensic Artifacts Collecting Toolkit](../README.md).

docs/flog.md

@@ -13,7 +13,7 @@ Available options:
 
 Supported artifacts for Windows 7+ systems:
 
-- [System Event Logs](flog.evt.md)
+- [System Event Logs](flog.evtx.md)
 
 ---
 Part of the [Forensic Artifacts Collecting Toolkit](../README.md).

internal/fact/fact.go

@@ -1,4 +1,4 @@
-// FACT definitions.
+// Fact definitions.
 package fact
 
 // Set at compile time

internal/fact/3rd.go → internal/fact/tools.go

@@ -1,4 +1,4 @@
-// FACT 3rd party functions.
+// Fact implementation details.
 package fact
 
 import (

internal/fact/tools_test.go

@@ -0,0 +1,36 @@
+// Fact implementation tests.
+package fact
+
+import (
+	"os"
+	"testing"
+)
+
+func TestTools(t *testing.T) {
+	cases := []struct {
+		name, tool string
+	}{
+		{
+			name: "Test for EvtxECmd",
+			tool: "EvtxECmd.dll",
+		},
+	}
+
+	for _, tt := range cases {
+		t.Run(tt.name, func(t *testing.T) {
+			p, err := EzTools(tt.tool)
+
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			if len(p) == 0 {
+				t.Fatal(tt.tool + " not found")
+			}
+
+			if _, err := os.Stat(p); os.IsNotExist(err) {
+				t.Fatal(tt.tool + " not found")
+			}
+		})
+	}
+}

internal/fact/zip/zip_test.go

@@ -12,7 +12,7 @@ import (
 
 func TestIndex(t *testing.T) {
 	t.Run("Test index", func(t *testing.T) {
-		idx, err := Index(test.Testdata("windows.zip"))
+		idx, err := Index(test.Testdata("windows", "image.zip"))
 
 		if err != nil {
 			t.Fatal(err)
@@ -28,7 +28,7 @@ func TestUnzip(t *testing.T) {
 	t.Run("Test unzip", func(t *testing.T) {
 		tmp, _ := os.MkdirTemp(os.TempDir(), "zip")
 
-		err := Unzip(test.Testdata("windows.zip"), tmp)
+		err := Unzip(test.Testdata("windows", "image.zip"), tmp)
 
 		if err != nil {
 			t.Fatal(err)

internal/test/test.go

@@ -6,12 +6,14 @@ import (
 	"runtime"
 )
 
-func Testdata(name string) string {
+func Testdata(args ...string) string {
 	_, c, _, ok := runtime.Caller(0)
 
 	if !ok {
 		return "error"
 	}
 
-	return filepath.Join(filepath.Dir(c), "..", "testdata", name)
+	p := []string{filepath.Dir(c), "..", "testdata"}
+
+	return filepath.Join(append(p, args...)...)
 }

pkg/ffind/ffind_test.go

@@ -14,7 +14,7 @@ import (
 
 var (
 	tmp, _  = os.MkdirTemp(os.TempDir(), "ffind")
-	archive = filepath.Join(tmp, "archive.zip")
+	archive = filepath.Join(tmp, "artifacts.zip")
 	sysroot = filepath.Join(tmp, "sysroot")
 )
 
@@ -24,7 +24,7 @@ func TestFind(t *testing.T) {
 	}{
 		{
 			name: "Test find for Windows",
-			file: test.Testdata("windows.zip"),
+			file: test.Testdata("windows", "image.zip"),
 		},
 	}
 
@@ -62,7 +62,7 @@ func TestFind(t *testing.T) {
 
 func BenchmarkFind(b *testing.B) {
 	b.Run("Benchmark find", func(b *testing.B) {
-		file := test.Testdata("windows.zip")
+		file := test.Testdata("windows", "image.zip")
 
 		if err := zip.Unzip(file, sysroot); err != nil {
 			b.Fatal(err)

pkg/flog/evt/evt.go → pkg/flog/evtx/evtx.go

@@ -1,5 +1,5 @@
-// Evt implementation details.
-package evt
+// Evtx implementation details.
+package evtx
 
 import (
 	"fmt"
@@ -14,7 +14,7 @@ import (
 )
 
 const (
-	Evt = "evtx"
+	Evtx = "evtx"
 )
 
 func Log(src string, dir string) (err error) {

pkg/flog/evtx/evtx_test.go

@@ -0,0 +1,2 @@
+// Evtx implementation tests.
+package evtx