Crate forensicnomicon

forensicnomicon — the comprehensive DFIR artifact catalog.

See also: Architecture & knowledge schema | Search widget | Source on GitHub

6,548 forensic artifacts, each enriched beyond just a path. Other registries tell you where an artifact lives. forensicnomicon tells you what it means, how to decode it, how reliable it is as evidence, when to acquire it, what else to collect alongside it, and which detection rules apply — all compiled into your binary at zero runtime cost.

415 entries are fully curated with evidence strength, volatility, and caveats. The remaining 6,133 are generated from seven authoritative corpora — KAPE targets (2,422), ForensicArtifacts YAML (2,545), EVTX/ETW channels (995), Velociraptor (122), RECmd batch files (44), browser paths (37), NirSoft (22) — and carry location, OS scope, decoder, and source citation.

Zero dependencies. Everything in const/static memory.

§Quick start

use forensicnomicon::catalog::{CATALOG, TriagePriority};
use forensicnomicon::evidence::evidence_for;
use forensicnomicon::volatility::acquisition_order;

fn main() {
    // Acquisition order for live response (RFC 3227 — most volatile first)
    let order = acquisition_order();

    // What to triage first: keep only descriptors flagged Critical
    let critical: Vec<_> = CATALOG.for_triage()
        .into_iter()
        .filter(|d| d.triage_priority == TriagePriority::Critical)
        .collect();

    // How reliable is this artifact as evidence?
    let e = evidence_for("userassist_exe").unwrap();
    // e.strength → EvidenceStrength::Strong
    // e.caveats  → &["Key can be cleared; absence does not prove non-execution"]

    let _ = (order, critical, e);
}

§Module map

§Artifact catalog

  • catalog / artifact — 6,548-entry descriptor registry with decode, ATT&CK mapping, triage priority, parsing profiles, and carving signatures. Start with catalog::CATALOG.

§Enrichments — investigation

§Enrichments — detection

  • mitre — MITRE ATT&CK integration: shared mitre::AttackTechnique type + YARA rule name prefix lookup
  • attack_flow — campaign graph layer: 5 pre-built adversary scenarios with artifact evidence mapping
  • sigma — Sigma rule references per artifact; sigma::sigma_refs_for
  • chainsaw — Chainsaw / Hayabusa hunt rule references
  • navigator — ATT&CK Navigator JSON layer generator
  • yara — YARA rule skeleton generator
  • stix — STIX 2.1 observable mappings and indicator patterns

§Enrichments — collection toolchain

§Static indicator tables

These modules export only &'static slices and boolean lookups — safe in no_std environments:

  • ports — suspicious TCP/UDP ports (is_suspicious_port)
  • lolbins — Windows LOLBAS + Linux GTFOBins
  • persistence — run keys, cron, LaunchAgents, IFEO, AppInit
  • processes — masquerade targets and offensive process names
  • services — known-good Windows service-baseline catalogs: standalone OwnProcess service exes (is_known_service_binary) and svchost-hosted ServiceDlls (is_known_service_dll) for service-masquerade leads (T1543.003)
  • drivers — LOLDrivers BYOVD denylist (is_known_vulnerable_driver): known-vulnerable/malicious driver .sys basenames — the inverse of the service allowlists, presence is the lead (T1543.003 / T1068)
  • commands — log-wipe commands, rootkit names
  • paths — suspicious staging and hijack paths
  • antiforensics — anti-forensic tool indicators
  • encryption — encryption tool paths
  • remote_access — LOLRMM / RMM tool indicators
  • third_party — PuTTY, WinSCP, cloud sync, browser registry artifacts
  • pca — Windows 11 Program Compatibility Assistant artifacts
  • peripheral — external-device bus taxonomy (DMA / mass-storage class, MITRE)
  • shlink — Shell Link (.LNK) [MS-SHLLINK] format constants
  • jumplist — Jump List (*.automaticDestinations-ms / *.customDestinations-ms) DestList / CustomDestinations offset tables + AppID map
  • shellbags — BagMRU PIDL / shell-item class-type knowledge
  • shell_history — bash/zsh/fish/PSReadLine format facts + tampering indicators
  • references — queryable source map per module
  • no_std_compat — documents and validates the no_std-safe API surface

§Extension

§Parsing stack

Raw bytes → ContainerSignature → ContainerProfile → ArtifactDescriptor
         → ArtifactParsingProfile → RecordSignature → Decoder → ArtifactRecord

All layers queryable via CATALOG:

use forensicnomicon::catalog::CATALOG;

fn main() {
    // Container-level profile for a registry hive (signature, layout)
    let cp = CATALOG.container_profile("windows_registry_hive");
    // Artifact-level parsing profile for a single descriptor
    let pp = CATALOG.parsing_profile("userassist_exe");

    let _ = (cp, pp);
}

§Scope boundary

This crate is a forensic catalog first, not a full DFIR parsing engine. Compact stable transforms such as UserAssist ROT13 or FILETIME normalization belong here. Large evolving formats such as full hibernation, WMI repository, or BITS database parsers should stay in separate companion crates.

§Re-exports

pub use lolbins::lolbas_entry;
pub use lolbins::lolbas_names;
pub use lolbins::LolbasEntry;
pub use lolbins::UC_ARCHIVE;
pub use lolbins::UC_BYPASS;
pub use lolbins::UC_CREDENTIALS;
pub use lolbins::UC_DECODE;
pub use lolbins::UC_DEFENSE_EVASION;
pub use lolbins::UC_DOWNLOAD;
pub use lolbins::UC_EXECUTE;
pub use lolbins::UC_NETWORK;
pub use lolbins::UC_PERSIST;
pub use lolbins::UC_PROXY;
pub use lolbins::UC_RECON;
pub use lolbins::UC_UPLOAD;

§Modules

abusable_sites
Cloud services, CDNs, and online platforms systematically abused by attackers for phishing, C2, payload delivery, and data exfiltration.
aff4
AFF4 (Advanced Forensic Format 4) container constants.
antiforensics
antiforensics_aware
Anti-forensics awareness layer.
apm
Apple Partition Map (APM) partition-type strings.
appcompatcache
AppCompatCache (ShimCache) on-disk format constants, by Windows build.
artifact
Forensic artifact catalog — assembled dataset + global CATALOG.
attack_events
Native event-signature → MITRE ATT&CK technique knowledge.
attack_flow
MITRE ATT&CK Flow — campaign graph layer.
boot_signatures
MBR boot-code (bootloader) fingerprints.
bootkit
Boot-sector / MBR malware plaintext markers.
cadet
CADET — Categories of Activity in Digital Evidence Taxonomy.
catalog
Forensic artifact catalog — assembled dataset + global CATALOG.
chainsaw
Chainsaw / Hayabusa EVTX detection rule mapping.
commands
decmpfs
HFS+/APFS transparent-compression (decmpfs) on-disk format constants.
dependencies
Artifact dependency graph.
dmg
Apple DMG / UDIF disk-image format constants and offset layouts.
dpapi
DPAPI (Data Protection API) blob format knowledge — algorithm IDs, the provider GUID, Chrome cookie prefixes, and the hash/cipher parameter tables.
drivers
Known-vulnerable / known-malicious driver denylist (Bring Your Own Vulnerable Driver — BYOVD) sourced from the LOLDrivers project.
encryption
eventids
Event ID enrichment module.
evidence
Evidence strength helpers over the assembled global catalog.
evtx
EVTX binary format constants and offset layouts.
ewf
Expert Witness Format (EWF / E01 / Ex01 / L01) constants.
filesystems
Filesystem superblock / boot-sector magic signatures.
forensicartifacts
ForensicArtifacts.com YAML interop.
gpt
GUID Partition Table (GPT) partition-type GUIDs.
handbook
forensicnomicon
heuristics
Forensic heuristics — detection thresholds and pure predicates.
history
[H] State-History layer — zero-dep KNOWLEDGE-tier types and traits.
journald
Systemd journal binary format constants.
jumplist
Windows Jump List format constants — *.automaticDestinations-ms (DestList) and *.customDestinations-ms, plus the per-application AppID.
lolbins
Living Off the Land Binaries and Scripts (LOLBAS) + Living Off Foreign Land (LOFL) across Windows, Linux, and macOS — all six upstream datasets in a single module.
mitre
MITRE ATT&CK integration.
navigator
ATT&CK Navigator layer generator.
no_std_compat
Validation tests for no_std-compatible APIs.
ntfs
NTFS on-disk structure knowledge: signatures, attribute type codes, well-known MFT record numbers, record-header field offsets, flags, and $FILE_NAME namespaces.
obf
Runtime deobfuscation for AV-triggerable signature literals.
olecf
OLE Compound File Binary ([MS-CFB]) format constants and offset layouts.
partition_schemes
Disk partitioning-scheme detection from on-disk magic numbers.
partition_types
MBR partition type codes (the 1-byte type field in an MBR partition entry).
paths
pca
Program Compatibility Assistant (PCA) forensic artifact support.
peripheral
Peripheral (external-device) connection forensic knowledge.
persistence
playbooks
Investigation playbook engine.
plugin
Decoder plugin architecture.
ports
processes
qcow2
QEMU QCOW2 disk-image format constants and offset layouts.
references
Authoritative reference catalog for each public module.
remote_access
report
Normalized cross-scheme forensic report vocabulary — the superset model.
rootkit
Userland LD_PRELOAD rootkit forensic indicators.
services
Known-good Windows service-binary catalog — the baseline a System32 service-masquerade detector subtracts legitimate binaries against.
shell_history
Shell command-history format facts and history-tampering indicators.
shellbags
ShellBags — BagMRU PIDL / shell-item (ITEMIDLIST) forensic knowledge.
shlink
Shell Link (.LNK) binary file format constants — [MS-SHLLINK].
sigma
Sigma rule cross-references for catalog artifacts.
sqlite
SQLite and WAL binary format constants.
srum
SRUM (System Resource Usage Monitor) extension table GUIDs and metadata.
stix
STIX 2.1 observable mapping.
temporal
third_party
threat_intel
timelining
Super-timeline construction methodology.
toolchain
KAPE / Velociraptor / toolchain mapping.
version_history
OS version artifact change tracking.
vhd
Legacy Microsoft VHD (Virtual PC / Hyper-V Gen-1) format constants.
vhdx
Microsoft VHDX disk-image format constants and offset layouts.
vmdk
VMware VMDK disk-image format constants and offset layouts.
volatility
Artifact volatility helpers over the assembled global catalog.
yara
YARA rule template generator.