| Capability | Supported |
|---|---|
| Tools Supported | autoruns, kape, kansa, plaso, mactime, macrobber, volatility |
| Advanced Artifact Support (HAM) | svclist, pslist, flist, amcache, evtx, winreg, fstl |
The main purpose of the project is to make your job as easy as possible, by providing functions that do the hard work for you.
| Function | Usage | Interface | Description |
|---|---|---|---|
| whatis() | whatis(obj) | CLI | Identifies the forensic data type of an object (a DataFrame, df, or a DataFrame collection, dfs) |
| xread() | xread(options) | GUI | Reads tool output (e.g. plaso output) and stores it in a df/dfs |
| xmenu() | xmenu(obj) | GUI | Selects a DataFrame from a dfs, or a column from a df, displays the selection and allows manual (Excel-like) analysis of it |
| xanalysis() | xanalysis(obj, options) | GUI | Displays a menu of the advanced analysis functions available for the given data type (i.e. forensic artifact) |
| xdisplay() | xdisplay() | GUI | Selects the display settings (max. rows, max. columns, etc.) for the DataFrames that will be shown |
| simple() | df.simple(options) | CLI | Simplifies forensic output (df) by showing only the columns most relevant to analysis |
| xgrep() | xgrep(obj, options) | CLI | UNIX-like grep for the DataFrame world: searches a DataFrame column, or the whole DataFrame, for a regular expression |
| plaso_get_evtxdfs() | plaso_get_evtxdfs(obj, options) | CLI | Builds a dictionary of event DataFrames from evtx files, given a Plaso DataFrame dictionary and a hostname |
| evtid_dfs_build() | evtid_dfs_build(obj) | CLI | Builds a dictionary of DataFrames keyed by event ID from a Security/System events DataFrame, so that events can be examined per event ID |
There are other functions available in ds4n6_lib, but we have selected the most user-friendly ones as the “Core” set, which gives you access to most of the framework's functionality with minimum effort. In the future we will publish more low-level details for users who need more flexibility to create scripts, analysis pipelines, etc.
You can find examples of how to use those functions here.
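To make concrete what the xgrep() and evtid_dfs_build() entries above do, here is an added example written directly in pandas. It is not ds4n6_lib's own code: the helper names df_grep and evtid_dfs, their signatures and the EVENTS sample (a constructed, Security-log-like DataFrame, not real log data) are assumptions for illustration only, and the library's real functions may take different arguments.

```python
"""Added example (not ds4n6_lib code): a DataFrame "grep" and a per-event-ID
dictionary built with plain pandas, mirroring what xgrep() and
evtid_dfs_build() are described as doing."""
import re

import pandas as pd

# Constructed sample data: five Windows Security-log-like events on two hosts.
# Column names follow the usual evtx field names but the rows are made up.
EVENTS = pd.DataFrame(
    {
        "Timestamp": pd.to_datetime(
            [
                "2021-03-01 08:00:01",
                "2021-03-01 08:00:05",
                "2021-03-01 08:01:10",
                "2021-03-01 08:02:00",
                "2021-03-01 08:02:30",
            ]
        ),
        "EventID": [4624, 4624, 4672, 4688, 4688],
        "Computer": ["WS01", "WS01", "WS01", "WS01", "DC01"],
        "SubjectUserName": ["alice", "svc_backup", "svc_backup", "alice", "bob"],
        "Message": [
            "An account was successfully logged on. Logon Type: 2",
            "An account was successfully logged on. Logon Type: 3",
            "Special privileges assigned to new logon.",
            r"A new process has been created. New Process Name: C:\Windows\System32\cmd.exe",
            r"A new process has been created. New Process Name: C:\Windows\Temp\update.exe",
        ],
    }
)


def df_grep(df, pattern, column=None, ignore_case=True):
    """UNIX-grep-like filter over a DataFrame (hypothetical helper).

    Keeps the rows where the regular expression `pattern` matches `column`;
    when `column` is None the whole row is searched, with every cell cast
    to str so timestamps and numeric IDs are searchable too.
    """
    regex = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    if column is not None:
        mask = df[column].astype(str).str.contains(regex, na=False)
    else:
        # One boolean column per original column, then OR across each row.
        mask = (
            df.astype(str)
            .apply(lambda col: col.str.contains(regex, na=False))
            .any(axis=1)
        )
    return df[mask]


def evtid_dfs(df, id_column="EventID"):
    """Split an events DataFrame into a dict keyed by event ID (hypothetical
    helper): each value is the sub-DataFrame holding only that event ID,
    so an analyst can jump straight to, e.g., all 4688 process creations."""
    return {
        int(evtid): subset.reset_index(drop=True)
        for evtid, subset in df.groupby(id_column)
    }


if __name__ == "__main__":
    by_id = evtid_dfs(EVENTS)
    print("event IDs present:", sorted(by_id))
    print(by_id[4688][["Timestamp", "Computer", "Message"]])
    # Column-scoped grep: process creations out of a Temp directory.
    print(df_grep(EVENTS, r"\\Temp\\", column="Message"))
    # Whole-frame grep: anything involving a service account.
    print(df_grep(EVENTS, "svc_"))
```

Searching the whole frame rather than one column is the slower path (every cell is stringified), so on large Plaso outputs scope the search to a column whenever you know which field the indicator lives in.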
As a summary, in this release we have focused on the following aspects:
You can find more technical information about the library here.