version 0.8.1

.github/workflows/go.yml

@@ -0,0 +1,25 @@
+name: Go
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: "1.22"
+
+    - name: Build
+      run: go build -v -race ./...
+
+    - name: Test
+      run: go test -v -race ./...

.gitignore

@@ -0,0 +1,27 @@
+# If you prefer the allow list template instead of the deny list, see community template:
+# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
+#
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/
+
+# Go workspace file
+go.work
+
+# Fact files
+bin/
+*.dd
+*.zip
+!internal/testdata/*

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Christian Uhsat
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,9 @@
+.PHONY: all clean
+
+all: build
+
+build:
+	"$(CURDIR)/scripts/gobuild.sh"
+
+clean:
+	"$(CURDIR)/scripts/goclean.sh"

README.md

@@ -0,0 +1,14 @@
+# FACT
+Forensic Artifacts Collecting Toolkit.
+
+```sh
+$ fmount -T dd image.dd | ffind -H sha256 -Z artifacts.zip
+```
+
+## Tools
+- [fmount](docs/fmount.md)
+- [fmount.dd](docs/fmount.dd.md)
+- [ffind](docs/ffind.md)
+
+## License
+Released under the [MIT License](LICENSE).

cmd/ffind/main.go

@@ -0,0 +1,90 @@
+// Find forensic artifacts in a mount point or on the live system.
+//
+// Usage:
+//
+//	ffind [-rsuqhv] [-H CRC32|MD5|SHA1|SHA256|SHA512] [-Z ARCHIVE] [-F FILE] [SYSROOT]
+//
+// The flags are:
+//
+//	 -H algorithm
+//	 	The hash algorithm to use.
+//	 -Z archive
+//		The artifacts archive name.
+//	 -F file
+//		The filename to write also.
+//	 -r
+//		Output relative paths.
+//	 -s
+//		System artifacts only.
+//	 -u
+//		User artifacts only.
+//	 -q
+//		Quiet mode.
+//	 -h
+//		Show usage.
+//	 -v
+//		Show version.
+//
+// The arguments are:
+//
+//	 sysroot
+//		The systems root path or image mount point.
+//		Defaults to STDIN, then %SYSTEMDRIVE% if not given.
+package main
+
+import (
+	"flag"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"github.com/cuhsat/fact/internal/sys"
+	"github.com/cuhsat/fact/pkg/ffind"
+)
+
+// Changed by ldflags
+var Version string = "dev"
+
+func main() {
+	H := flag.String("H", "", "Hash algorithm")
+	Z := flag.String("Z", "", "Archive name")
+	F := flag.String("F", "", "File to write")
+	r := flag.Bool("r", false, "Relative paths")
+	s := flag.Bool("s", false, "System artifacts only")
+	u := flag.Bool("u", false, "User artifacts only")
+	q := flag.Bool("q", false, "Quiet mode")
+	h := flag.Bool("h", false, "Show usage")
+	v := flag.Bool("v", false, "Show version")
+
+	flag.CommandLine.SetOutput(io.Discard)
+	flag.Parse()
+
+	if *h {
+		sys.Usage("ffind [-rsuqhv] [-H CRC32|MD5|SHA1|SHA256|SHA512] [-Z ARCHIVE] [-F FILE] [SYSROOT]")
+	}
+
+	if *v {
+		sys.Print("ffind", Version)
+	}
+
+	if *q && len(*Z) == 0 {
+		sys.Fatal("archive name required")
+	}
+
+	files := ffind.Find(sys.Input(), *Z, *H, *r, *s, *u)
+
+	if len(*F) > 0 {
+		b := []byte(strings.Join(files, "\n"))
+
+		if err := os.WriteFile(*F, b, 0666); err != nil {
+			sys.Error(err)
+		}
+	}
+
+	if !*q {
+		for _, f := range files {
+			fmt.Fprintln(os.Stdout, f)
+		}
+	}
+}

cmd/fmount/main.go

@@ -0,0 +1,96 @@
+// Mount forensic disk images for read-only processing.
+//
+// Usage:
+//
+//	fmount [-suzhv] [-T RAW|DD] [-D DIRECTORY] IMAGE
+//
+// The flags are:
+//
+//	 -D directory
+//		The mount point directory.
+//	 -T type
+//	    The disk image type.
+//	 -s
+//		System partition only.
+//	 -u
+//		Unmount image.
+//	 -z
+//		Unzip image.
+//	 -h
+//		Show usage.
+//	 -v
+//		Show version.
+//
+// The arguments are:
+//
+//	 image
+//		The disk images filename.
+package main
+
+import (
+	"flag"
+	"io"
+
+	"github.com/cuhsat/fact/internal/sys"
+	"github.com/cuhsat/fact/pkg/fmount"
+	"github.com/cuhsat/fact/pkg/fmount/dd"
+)
+
+// Changed by ldflags
+var Version string = "dev"
+
+func main() {
+	D := flag.String("D", "", "Mount point")
+	T := flag.String("T", "", "Image type")
+	s := flag.Bool("s", false, "System partition only")
+	u := flag.Bool("u", false, "Unmount image")
+	z := flag.Bool("z", false, "Unzip image")
+	h := flag.Bool("h", false, "Show usage")
+	v := flag.Bool("v", false, "Show version")
+
+	flag.CommandLine.SetOutput(io.Discard)
+	flag.Parse()
+
+	img := sys.Input()
+
+	if *v {
+		sys.Print("fmount", Version)
+	}
+
+	if *h || len(img) == 0 {
+		sys.Usage("fmount [-suzhv] [-T RAW|DD] [-D DIRECTORY] IMAGE")
+	}
+
+	it, err := fmount.DetectType(img, *T)
+
+	if err != nil {
+		sys.Fatal(err)
+	}
+
+	args := make([]string, 0)
+
+	if len(*D) > 0 {
+		args = append(args, "-D", *D)
+	}
+
+	if *s {
+		args = append(args, "-s")
+	}
+
+	if *u {
+		args = append(args, "-u")
+	}
+
+	if *z {
+		args = append(args, "-z")
+	}
+
+	args = append(args, img)
+
+	switch it {
+	case dd.RAW, dd.DD:
+		fmount.Forward("fmount.dd", args...)
+	default:
+		sys.Fatal("image type not supported:", it)
+	}
+}

docs/ffind.md

@@ -0,0 +1,31 @@
+# ffind
+Find forensic artifacts in a mount point or on the live system.
+
+```sh
+$ ffind [-rsuqhv] [-H CRC32|MD5|SHA1|SHA256|SHA512] [-Z ARCHIVE] [-F FILE] [SYSROOT]
+```
+
+Available options:
+
+- `-H` Hash algorithm
+- `-Z` Archive name
+- `-F` File to write
+- `-r` Relative paths
+- `-s` System artifacts only
+- `-u` User artifacts only
+- `-q` Quiet mode
+- `-h` Show usage
+- `-v` Show version
+
+Supported artifacts for Windows 7+ systems:
+
+- [System Registry Hives](https://forensics.wiki/windows_registry/)
+- [System Prefetch Files](https://forensics.wiki/prefetch/)
+- [System Event Logs](https://forensics.wiki/windows_event_log_%28evt%29/)
+- [System AmCache](https://forensics.wiki/amcache/)
+- [User Registry Hives](https://forensics.wiki/windows_registry/)
+- [User Jump Lists](https://forensics.wiki/jump_lists/)
+- [User Browser Histories](https://forensics.wiki/google_chrome/)
+
+---
+Part of the [Forensic Artifacts Collecting Toolkit](../README.md).

docs/fmount.dd.md

@@ -0,0 +1,26 @@
+# fmount.dd
+Mount forensic raw or dd disk images for read-only processing.
+
+```sh
+$ fmount.dd [-fsuzhv] [-D DIRECTORY] IMAGE
+```
+
+Available options:
+
+- `-D` Mount point
+- `-f` Force type
+- `-s` System partition only
+- `-u` Unmount image
+- `-z` Unzip image
+- `-h` Show usage
+- `-v` Show version
+
+Required system commands:
+
+- [losetup](https://man7.org/linux/man-pages/man8/losetup.8.html)
+- [lsblk](https://man7.org/linux/man-pages/man8/lsblk.8.html)
+- [mount](https://man7.org/linux/man-pages/man8/mount.8.html)
+- [umount](https://man7.org/linux/man-pages/man8/umount.8.html)
+
+---
+Part of the [Forensic Artifacts Collecting Toolkit](../README.md).

docs/fmount.md

@@ -0,0 +1,23 @@
+# fmount
+Mount forensic disk images for read-only processing.
+
+```sh
+$ fmount [-suzhv] [-T RAW|DD] [-D DIRECTORY] IMAGE
+```
+
+Available options:
+
+- `-D` Mount point
+- `-T` Image type
+- `-s` System partition only
+- `-u` Unmount image
+- `-z` Unzip image
+- `-h` Show usage
+- `-v` Show version
+
+Supported disk formats:
+
+- [DD (Raw)](https://forensics.wiki/raw_image_format/)
+
+---
+Part of the [Forensic Artifacts Collecting Toolkit](../README.md).

go.mod

@@ -0,0 +1,3 @@
+module github.com/cuhsat/fact
+
+go 1.22