GoFor_Collector

package module
v0.0.0-...-2adaa43 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 8, 2019 License: MPL-2.0 Imports: 12 Imported by: 0

README

GoDoc contributions welcome

GoFor Collector

GoFor (Go Forensics) Collector is geared towards augmenting EDR toolsets. Unfortunately, not all EDR toolsets has the capability of collecting forensically relevant files from endpoints. The GoFor Collector looks to remedy that.

Usage

GoFor Collector

To collect all forensic files: gofor-collector.exe /z whatever.zip /g a

To collect just event logs: gofor-collector.exe /z whatever.zip /g e

To collect $MFT and registry hives: gofor-collector.exe /z whatever.zip /g mr

For /g concatenate the abbreviation characters together for what you want. The order doesn't matter. Valid values are a for all (defaults to this if you don't use /g), m for $MFT, r for system registries, u for user registries, e for event logs.

Currently Available Features

  • GoFor Collector: Windows command line collector that can acquire the files listed below and write them to a zip file.
    • OS Drive $MFT
    • All user NTUSER.DAT and USRCLASS.DAT
    • SYSTEM and SOFTWARE registry hives
    • All Windows event EVTX files

Future Plans

  • Add support to the GoFor collector for uploading to GCP and AWS.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type CollectorClient 

type CollectorClient struct {
	FileWriteQueue chan fileExportNameAndBytes

	VolumeHandle            VolumeHandle
	FileEqualListForFinding fileEqualListForFinding
	FileRegexListForFinding fileRegexListForFinding
	// contains filtered or unexported fields
}

func (*CollectorClient) BuildDirectoryTree 

func (client *CollectorClient) BuildDirectoryTree() (err error)

Builds a list of directories for the purpose of of mapping MFT records to their parent directories.

func (*CollectorClient) ExportToZip 

func (client *CollectorClient) ExportToZip(exportList ExportList, outFileName string)

Collects target files and writes them to a zip file.

type ExportList 

type ExportList []FileToExport

Slice of files that you want to export.

type FileToExport 

type FileToExport struct {
	FullPath string
	Type     string
}

File that you want to export.

type VolumeBootRecord 

type VolumeBootRecord struct {
	VolumeLetter           string
	BytesPerSector         int64
	SectorsPerCluster      int64
	BytesPerCluster        int64
	MftByteOffset          int64
	MftRecordSize          int64
	ClustersPerIndexRecord int64
}

func ParseVolumeBootRecord 

func ParseVolumeBootRecord(volumeBootRecordBytes []byte) (vbr VolumeBootRecord, err error)

Parses a byte slice containing an NTFS volume boot record (VBR)

type VolumeHandle 

type VolumeHandle struct {
	Handle            syscall.Handle
	VolumeLetter      string
	Vbr               VolumeBootRecord
	MappedDirectories map[uint64]string
	MftRecord0        mft.MasterFileTableRecord
}

func (*VolumeHandle) CombineDirectoryInformation 

func (volume *VolumeHandle) CombineDirectoryInformation(directoryListChannel *chan map[uint64]mft.Directory, waitForDirectoryCombination *sync.WaitGroup)

Combines a running list of directories from a channel in order to create the systems Directory trees.

func (*VolumeHandle) CreateDirectoryList 

func (volume *VolumeHandle) CreateDirectoryList(dataRunQueue *chan mft.DataRun, directoryListChannel *chan map[uint64]mft.Directory, waitGroup *sync.WaitGroup)

Creates a list of directories from an MFT read from a volume handle.

func (*VolumeHandle) ParseMFTRecord0 

func (volume *VolumeHandle) ParseMFTRecord0() (err error)

Source Files

View all Source files

Directories

Path Synopsis
cmd
gofor-collector command

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.