Forensic-rs
A Rust-based framework to build tools that analyze forensic artifacts and can be reused as libraries across multiple projects without changing anything.
Note: still in Alpha version
Community
Introduction
The idea behind the framework is to allow the reuse of forensic artifact analysis tools. For this reason, the framework allows decoupling the code of the analysis tools from the reading of the artifacts. Thus, a tool that analyzes UAL artifacts can be used regardless of whether the artifact is inside a ZIP as a result of triage or directly on the file system.
In this way, the same tools can be used if we want to make a triage processor like Plaso, a module within an EDR or even a tool with a graphical interface like Eric Zimmerman's Registry Explorer with the advantage of the reliability of the Rust code and its easy integration into Python scripts.
Supported artifacts
- Windows Registry: See RegistryReader trait.
- SQL databases: See SqlStatement trait. There is also a basic wrapper example around the sqlite crate in sql_tests.
- File Systems: With this trait we can read files and directories. It is very useful because we can stack file systems: A file inside a OleObject inside a ZIP file that is also inside a ZIP. See VirtualFileSystem and the implementation using the standard library (std::fs) in StdVirtualFS.
Registry Example
So in this framework we will have libraries that allows us to access the Windows registry. One in a live environment using the Windows API, and another one that parses a registry hive. So we will also have libraries that extracts data from the registry, theses libraries need to be decoupled from the registry access implementation.
Here is where this framework comes to help with the traits:
So now we can write our analysis library without knowing if we are accessing a live system or a hive file.
- LiveRegistry Library: implements the RegistryReader trait.
- HiveParser Library: implements the RegistryReader trait.
- ShellBags analyzer: accepts a RegistryReader as a parameter to access the registry.
And ShellBags analyzer can be used in a EDR-like agent or as a analysis tool in a forensic case.
SQL Example
Extracted from the SQL trait tests using sqlite db.
let conn = prepare_db;
let w_conn = prepare_wrapper;
let mut statement = w_conn.prepare.unwrap;
test_database_content.expect;
VFS Example
Extracted from StdVirtualFS tests using sqlite db.
const CONTENT: &'static str = "File_Content_Of_VFS";
let tmp = temp_dir;
let tmp_file = tmp.join;
let mut file = create.unwrap;
file.write_all.unwrap;
drop;
let std_vfs = new;
test_file_content;
Logs
To simplify the development of modules, plugins and libraries its availabe some macros with the same syntax as that of the log crate:
// For production use initialize_logger(logger) instead of testing_logger_dummy()
let log_receiver = testing_logger_dummy;
error!;
warn!;
info!;
debug!;
trace!;
assert_eq!;
Notifications and Alerts
To simplify the detection of anomalies when processing or analyzing artifacts, we can use the notifications. It uses a syntax similar as that of the log crate.
// For production use initialize_notifier(notifier) instead of testing_notifier_dummy()
let notification_receiver = testing_notifier_dummy;
notify_high!;
assert_eq!;
List of libraries
- frnsc-liveregistry-rs: Implements RegistryReader using the Windows API to access the registry of a live system. https://github.com/SecSamDev/frnsc-liveregistry-rs
- reg-analyzer-rs: Analyzes registry artifacts for evidences. https://github.com/SecSamDev/reg-analyzer-rs
- Hive Reader: Implements RegistryReader parsing HIVE files. https://github.com/ForensicRS/frnsc-hive