
Crate forensicnomicon


forensicnomicon — the comprehensive DFIR artifact catalog.

See also: Architecture & knowledge schema | Search widget | Source on GitHub

6,548 forensic artifacts, each enriched beyond just a path. Other registries tell you where an artifact lives. forensicnomicon tells you what it means, how to decode it, how reliable it is as evidence, when to acquire it, what else to collect alongside it, and which detection rules apply — all compiled into your binary at zero runtime cost.

415 entries are fully curated with evidence strength, volatility, and caveats. The remaining 6,133 are generated from seven authoritative corpora — KAPE targets (2,422), ForensicArtifacts YAML (2,545), EVTX/ETW channels (995), Velociraptor (122), RECmd batch files (44), browser paths (37), NirSoft (22) — and carry location, OS scope, decoder, and source citation.

Zero dependencies. Everything in const/static memory.

§Quick start

use forensicnomicon::catalog::{CATALOG, TriagePriority};
use forensicnomicon::evidence::evidence_for;
use forensicnomicon::volatility::acquisition_order;

fn main() {
    // Acquisition order for live response (RFC 3227 — most volatile first)
    let order = acquisition_order();

    // What to triage first: only the descriptors flagged Critical
    let critical: Vec<_> = CATALOG.for_triage()
        .into_iter()
        .filter(|d| d.triage_priority == TriagePriority::Critical)
        .collect();

    // How reliable is this artifact as evidence?
    let e = evidence_for("userassist_exe").unwrap();
    // e.strength → EvidenceStrength::Strong
    // e.caveats  → &["Key can be cleared; absence does not prove non-execution"]

    println!("{} acquisition steps, {} critical artifacts", order.len(), critical.len());
}

§Module map

§Artifact catalog

  • catalog / artifact — 6,548-entry descriptor registry with decode, ATT&CK mapping, triage priority, parsing profiles, and carving signatures. Start with catalog::CATALOG.

§Enrichments — investigation

§Enrichments — detection

  • mitre — MITRE ATT&CK integration: shared mitre::AttackTechnique type + YARA rule name prefix lookup
  • attack_flow — campaign graph layer: 5 pre-built adversary scenarios with artifact evidence mapping
  • sigma — Sigma rule references per artifact; sigma::sigma_refs_for
  • chainsaw — Chainsaw / Hayabusa hunt rule references
  • navigator — ATT&CK Navigator JSON layer generator
  • yara — YARA rule skeleton generator
  • stix — STIX 2.1 observable mappings and indicator patterns

§Enrichments — collection toolchain

§Static indicator tables

These modules export only &'static slices and boolean lookups — safe in no_std environments:

  • ports — suspicious TCP/UDP ports (is_suspicious_port)
  • lolbins — Windows LOLBAS + Linux GTFOBins
  • persistence — run keys, cron, LaunchAgents, IFEO, AppInit
  • processes — masquerade targets and offensive process names
  • commands — log-wipe commands, rootkit names
  • paths — suspicious staging and hijack paths
  • antiforensics — anti-forensic tool indicators
  • encryption — encryption tool paths
  • remote_access — LOLRMM / RMM tool indicators
  • third_party — PuTTY, WinSCP, cloud sync, browser registry artifacts
  • pca — Windows 11 Program Compatibility Assistant artifacts
  • references — queryable source map per module
  • no_std_compat — documents and validates the no_std-safe API surface

§Extension

§Parsing stack

Raw bytes → ContainerSignature → ContainerProfile → ArtifactDescriptor
         → ArtifactParsingProfile → RecordSignature → Decoder → ArtifactRecord

All layers queryable via CATALOG:

use forensicnomicon::catalog::CATALOG;
let cp = CATALOG.container_profile("windows_registry_hive");
let pp = CATALOG.parsing_profile("userassist_exe");

§Scope boundary

This crate is a forensic catalog first, not a full DFIR parsing engine. Compact stable transforms such as UserAssist ROT13 or FILETIME normalization belong here. Large evolving formats such as full hibernation, WMI repository, or BITS database parsers should stay in separate companion crates.
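The two transforms named above are small enough to show in full. The following is an added, stand-alone example (not the forensicnomicon crate's own code): it undoes the ROT13 obfuscation of a UserAssist value name, converts a Windows FILETIME to Unix time, and decodes the commonly documented 72-byte Windows 7+ UserAssist value layout (run count at offset 4, focus count at 8, focus time at 12, last-run FILETIME at 60). Function names, the struct, and the sample value bytes are constructed for the example.

```rust
use std::convert::TryInto;

/// Reverse the ROT13 obfuscation applied to UserAssist value names.
/// Only ASCII letters rotate; digits, braces and path separators pass through.
pub fn userassist_rot13(name: &str) -> String {
    name.chars()
        .map(|c| match c {
            'a'..='m' | 'A'..='M' => ((c as u8) + 13) as char,
            'n'..='z' | 'N'..='Z' => ((c as u8) - 13) as char,
            _ => c,
        })
        .collect()
}

/// Seconds between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch).
const EPOCH_DIFF_SECS: i64 = 11_644_473_600;

/// Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to
/// (Unix seconds, remaining nanoseconds). A zero FILETIME means "never set";
/// returning None keeps it from appearing as a 1601 event on a timeline.
pub fn filetime_to_unix(ft: u64) -> Option<(i64, u32)> {
    if ft == 0 {
        return None;
    }
    let secs = (ft / 10_000_000) as i64 - EPOCH_DIFF_SECS;
    let nanos = ((ft % 10_000_000) * 100) as u32;
    Some((secs, nanos))
}

/// Read a little-endian FILETIME from raw registry value data at `offset`.
pub fn filetime_at(data: &[u8], offset: usize) -> Option<u64> {
    let bytes: [u8; 8] = data.get(offset..offset + 8)?.try_into().ok()?;
    Some(u64::from_le_bytes(bytes))
}

/// Decoded UserAssist entry (constructed struct for this example).
#[derive(Debug, PartialEq)]
pub struct UserAssistEntry {
    pub program: String,
    pub run_count: u32,
    pub focus_count: u32,
    pub focus_time_ms: u32,
    pub last_run_unix: Option<(i64, u32)>,
}

/// Decode one UserAssist value (Windows 7+ layout, 72 bytes).
/// Returns None when the data is too short to hold that layout.
pub fn decode_userassist(value_name: &str, data: &[u8]) -> Option<UserAssistEntry> {
    if data.len() < 72 {
        return None;
    }
    let u32_at = |o: usize| u32::from_le_bytes(data[o..o + 4].try_into().unwrap());
    Some(UserAssistEntry {
        program: userassist_rot13(value_name),
        run_count: u32_at(4),
        focus_count: u32_at(8),
        focus_time_ms: u32_at(12),
        last_run_unix: filetime_to_unix(filetime_at(data, 60)?),
    })
}

/// Constructed sample value data: 7 runs, 3 focus events, 45 s of focus,
/// last run at 2020-01-01T00:00:00.0000005Z (FILETIME 132223104000000005).
pub fn sample_value() -> Vec<u8> {
    let mut v = vec![0u8; 72];
    v[4..8].copy_from_slice(&7u32.to_le_bytes());
    v[8..12].copy_from_slice(&3u32.to_le_bytes());
    v[12..16].copy_from_slice(&45_000u32.to_le_bytes());
    v[60..68].copy_from_slice(&132_223_104_000_000_005u64.to_le_bytes());
    v
}

fn main() {
    // Constructed value name: the System32 known-folder GUID plus "cmd.exe", ROT13-encoded.
    let name = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr";
    let entry = decode_userassist(name, &sample_value()).expect("72-byte value");
    println!("{:?}", entry);
}
```

The zero-FILETIME check matters in practice: UserAssist values written without a recorded last-run time would otherwise decode to 1601-01-01 and sort to the very start of a super-timeline.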

§Re-exports

pub use catalog as artifact;
pub use lolbins::lolbas_entry;
pub use lolbins::lolbas_names;
pub use lolbins::LolbasEntry;
pub use lolbins::UC_ARCHIVE;
pub use lolbins::UC_BYPASS;
pub use lolbins::UC_CREDENTIALS;
pub use lolbins::UC_DECODE;
pub use lolbins::UC_DEFENSE_EVASION;
pub use lolbins::UC_DOWNLOAD;
pub use lolbins::UC_EXECUTE;
pub use lolbins::UC_NETWORK;
pub use lolbins::UC_PERSIST;
pub use lolbins::UC_PROXY;
pub use lolbins::UC_RECON;
pub use lolbins::UC_UPLOAD;

§Modules

  • abusable_sites — Cloud services, CDNs, and online platforms systematically abused by attackers for phishing, C2, payload delivery, and data exfiltration.
  • aff4 — AFF4 (Advanced Forensic Format 4) container constants.
  • antiforensics
  • antiforensics_aware — Anti-forensics awareness layer.
  • apm — Apple Partition Map (APM) partition-type strings.
  • attack_flow — MITRE ATT&CK Flow — campaign graph layer.
  • boot_signatures — MBR boot-code (bootloader) fingerprints.
  • bootkit — Boot-sector / MBR malware plaintext markers.
  • catalog — Universal forensic artifact catalog.
  • chainsaw — Chainsaw / Hayabusa EVTX detection rule mapping.
  • commands
  • dependencies — Artifact dependency graph.
  • dmg — Apple DMG / UDIF disk-image format constants and offset layouts.
  • encryption
  • eventids — Event ID enrichment module.
  • evidence — Evidence strength / confidence model for forensic artifacts.
  • evtx — EVTX binary format constants and offset layouts.
  • ewf — Expert Witness Format (EWF / E01 / Ex01 / L01) constants.
  • filesystems — Filesystem superblock / boot-sector magic signatures.
  • forensicartifacts — ForensicArtifacts.com YAML interop.
  • gpt — GUID Partition Table (GPT) partition-type GUIDs.
  • handbook — DFIR Handbook.
  • heuristics — Forensic heuristics — detection thresholds and pure predicates.
  • journald — Systemd journal binary format constants.
  • lolbins — Living Off the Land Binaries and Scripts (LOLBAS) + Living Off Foreign Land (LOFL) across Windows, Linux, and macOS — all six upstream datasets in a single module.
  • mitre — MITRE ATT&CK integration.
  • navigator — ATT&CK Navigator layer generator.
  • no_std_compat — Validation tests for no_std-compatible APIs.
  • ntfs — NTFS on-disk structure knowledge: signatures, attribute type codes, well-known MFT record numbers, record-header field offsets, flags, and $FILE_NAME namespaces.
  • partition_schemes — Disk partitioning-scheme detection from on-disk magic numbers.
  • partition_types — MBR partition type codes (the 1-byte type field in an MBR partition entry).
  • paths
  • pca — Program Compatibility Assistant (PCA) forensic artifact support.
  • persistence
  • playbooks — Investigation playbook engine.
  • plugin — Decoder plugin architecture.
  • ports
  • processes
  • qcow2 — QEMU QCOW2 disk-image format constants and offset layouts.
  • references — Authoritative reference catalog for each public module.
  • remote_access
  • report — Normalized cross-scheme forensic report vocabulary — the superset model.
  • rootkit — Userland LD_PRELOAD rootkit forensic indicators.
  • sigma — Sigma rule cross-references for catalog artifacts.
  • sqlite — SQLite and WAL binary format constants.
  • srum — SRUM (System Resource Usage Monitor) extension table GUIDs and metadata.
  • stix — STIX 2.1 observable mapping.
  • temporal
  • third_party
  • threat_intel
  • timelining — Super-timeline construction methodology.
  • toolchain — KAPE / Velociraptor / toolchain mapping.
  • version_history — OS version artifact change tracking.
  • vhd — Legacy Microsoft VHD (Virtual PC / Hyper-V Gen-1) format constants.
  • vhdx — Microsoft VHDX disk-image format constants and offset layouts.
  • vmdk — VMware VMDK disk-image format constants and offset layouts.
  • volatility — Artifact volatility model — RFC 3227 Order of Volatility encoded as data.
  • yara — YARA rule template generator.