EFETCH
---------
Evidence Fetcher (efetch) is a web-based file explorer, viewer, and analyzer.
Efetch supports viewing hundreds of file types including office, registry, PST,
image, and SQLite files. Efetch supports navigating RAW, E01, ZIP, GZ, TAR,
VMDK, VHD, QCOW, and BZ2 files thanks to dfVFS.
DOCKER
--------
The fastest way to get started with Efetch is using Docker. Download efetch and navigate to its directory. Then create the Docker image:
```
docker build -t efetch -f Dockerfile .
```
Then run the Docker container in a directory with your evidence:
```
docker run -p 8080:8080 -v $(pwd):$(pwd) -w $(pwd) efetch efetch --address=0.0.0.0 --defaultpath=$(pwd)
```
Finally, navigate to http://localhost:8080 in a browser.
INSTALL
---------
Efetch depends on the following packages:
* python
* plaso
* setuptools (>=28.5.0)
* pip
* libpff
* zlib
* libjpeg
* libtiff
On Ubuntu 14.04 these packages can be installed using the following bash commands:
```
sudo add-apt-repository -y ppa:gift/stable
sudo add-apt-repository -y ppa:sift/stable
sudo apt-get update
sudo apt-get install python-plaso python-dev python-setuptools unoconv libpff \
    libpff-python zlib1g-dev libjpeg-dev libtiff5-dev python-pip
sudo pip install setuptools -U
```
Once these dependencies are met, efetch can be installed using Python setuptools:
```
python setup.py install
```
USAGE
---------
After installation run the command efetch in the terminal and navigate to localhost:8080
in a browser. From the home page, either browse your local file system directly using the
browse option or enter a pathspec. Evidence can be navigated by simply clicking the file
name or icon.
The efetch command supports the following arguments:
```
usage: efetch [-h] [-d] [-v] [-a ADDRESS] [-p PORT] [-e ELASTIC] [-c CACHE]
              [-m MAXFILESIZE] [-f PLUGINSFILE]

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug           Displays debug messages
  -v, --version         Prints Efetch version
  -a ADDRESS, --address ADDRESS
                        IP address for the Efetch server
  -p PORT, --port PORT  Port for the Efetch server
  -e ELASTIC, --elastic ELASTIC
                        Elasticsearch URL, i.e. localhost:9200
  -c CACHE, --cache CACHE
                        Directory to store cached files
  -m MAXFILESIZE, --maxfilesize MAXFILESIZE
                        Max file size to cache in Megabytes, default 1GB
  -f PLUGINSFILE, --pluginsfile PLUGINSFILE
                        Path to the plugins config file
```
PLUGINS
---------
Efetch can be easily extended with simple plugins by editing the /etc/efetch_plugin.yml file.
Efetch automatically detects any changes to the plugin file. Below is an example of a ClamAV
efetch plugin:
```
clamscan:
  name: Clam Scan
  command: "clamscan '{{ file_cache_path }}'"
```
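To make the plugin format concrete, here is an added example (not efetch's own code) of a small loader for a plugin file in the shape shown above. It reads the plugin id / `name` / `command` layout, substitutes `{{ file_cache_path }}` into the command, and runs the plugin through an argv list rather than a shell, so a cached file whose name contains quotes or shell metacharacters stays a single argument. The file path `/etc/efetch_plugin.yml` and the `{{ file_cache_path }}` placeholder come from the README; the mtime-polling reload, the `strings` plugin and the function names are assumptions made for this example.

```python
"""Minimal loader for an efetch-style plugin file (added example, not
efetch's own code). Assumes a two-level mapping of plugin id -> {name,
command} and a single template variable, {{ file_cache_path }}."""
import os
import re
import shlex
import subprocess

PLACEHOLDER = re.compile(r"\{\{\s*file_cache_path\s*\}\}")

# Constructed sample in the README's format. A real deployment would read
# /etc/efetch_plugin.yml (the path named on the page) instead.
SAMPLE_PLUGIN_FILE = """\
clamscan:
  name: Clam Scan
  command: "clamscan '{{ file_cache_path }}'"
strings:
  name: Strings
  command: "strings -n 8 '{{ file_cache_path }}'"
"""


def parse_plugins(text):
    """Read the two-level key/value layout shown on the page.

    Deliberately small reader for exactly that shape (an unindented plugin id
    followed by indented name:/command: lines); it is not a YAML parser, so
    use PyYAML for anything richer.
    """
    plugins = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indented = raw[0] in " \t"
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError("expected 'key: value' but got %r" % raw)
        value = value.strip()
        # Strip one pair of matching outer quotes, as in the README sample.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if not indented:
            current = key
            plugins[current] = {}
        elif current is None:
            raise ValueError("indented line before any plugin id: %r" % raw)
        else:
            plugins[current][key] = value
    for pid, spec in plugins.items():
        if "command" not in spec:
            raise ValueError("plugin %r has no command" % pid)
    return plugins


def build_argv(command_template, file_cache_path):
    """Turn a command template into an argv list, never a shell string.

    The template is tokenised first, so the placeholder is one token even
    though the README writes it inside single quotes; the cached file's path
    is then substituted into that token. Because the result goes to
    subprocess without a shell, a file name containing quotes, semicolons
    or spaces remains a single argument.
    """
    return [PLACEHOLDER.sub(lambda _m: file_cache_path, token)
            for token in shlex.split(command_template)]


def run_plugin(plugins, plugin_id, file_cache_path, timeout=60):
    """Run one plugin against a cached file; returns (returncode, stdout)."""
    argv = build_argv(plugins[plugin_id]["command"], file_cache_path)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


class PluginFile:
    """Re-read the plugin file whenever its mtime changes. The README says
    efetch picks up edits automatically; polling mtime is this example's
    assumption about how to do that."""

    def __init__(self, path):
        self.path = path
        self._mtime = None
        self.plugins = {}

    def current(self):
        mtime = os.stat(self.path).st_mtime
        if mtime != self._mtime:
            with open(self.path) as fh:
                self.plugins = parse_plugins(fh.read())
            self._mtime = mtime
        return self.plugins


if __name__ == "__main__":
    plugins = parse_plugins(SAMPLE_PLUGIN_FILE)
    print(build_argv(plugins["clamscan"]["command"],
                     "/tmp/efetch/cache/evidence.bin"))
```

Because `build_argv` splits the template before substituting, the single quotes in the README's `clamscan '{{ file_cache_path }}'` are consumed by `shlex.split` and the path is inserted as one argv element; the same template therefore works for file names with spaces or quotes without any per-plugin escaping.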
Additionally, efetch supports more advanced python plugins. These plugins can be created using
the scripts/create_plugin.py script. For more information see
https://github.com/maurermj08/efetch/wiki/Create-Plugin.
NOTE
---------
Efetch is in Beta and really needs the community's support, so please post any bugs. As far
as this project is concerned, there is no such thing as a bad bug report.
For more information about efetch please see: https://github.com/maurermj08/efetch/wiki