rdump
rdump is used to process, filter and format target-query results. By default, target-query generates records. Records in this sense are binary representations of parsed artefacts; the default output mechanism renders each record as a single line of text. An example is given below:
<record key1="value1" key2="value2" >
With rdump you can transform the stream of records to your liking. The rdump utility allows you to:
Select certain fields from the records.
Filter certain records.
Create additional derived fields.
Limit the output.
Format the results.
Write the results through an adapter.
Hint
Don’t know yet what a record is? Read more here for a detailed explanation.
Field Selection
Imagine we’re going to extract a list of users from a forensic image using:
$ target-query host.img -f users
To select only the 'name' and 'home' fields we use the -F option:
$ target-query host.img -f users | rdump -F name,home
Using the -X option we can exclude fields:
$ target-query host.img -f users | rdump -X hostname,domain,sid
Filtering
Filtering records can be done through the -s option.
The selection must be a Python expression in which the record is represented by the symbol r; a record is kept only when the expression evaluates to a true value.
For example, to drop all records that have no domain value:
$ target-query host.img -f users | rdump -F name,home -s "r.domain is not None"
Note
You can filter on fields that are not selected.
Derivations
It is possible to create new fields derived from other fields. This is done by passing an expression to the -E option. The following example lists all DLL files from a host and adds the file name to a separate field:
$ target-query host.img -f walkfs | rdump -s "r.path.suffix=='.dll'" -F path,file,size -E "file=path.name"
<filesystem/entry path='\sysvol\Program Files\Ethereal\libgdk_pixbuf-2.0-0.dll' size=0.11 MB file='libgdk_pixbuf-2.0-0.dll'>
<filesystem/entry path='\sysvol\Program Files\Ethereal\libgmodule-2.0-0.dll' size=26.6 KB file='libgmodule-2.0-0.dll'>
<filesystem/entry path='\sysvol\Program Files\Ethereal\libgobject-2.0-0.dll' size=0.25 MB file='libgobject-2.0-0.dll'>
....and many more....
Limiting
The example above yields quite a lot of records. Limiting the number of records can be done through the --count and --skip options:
$ target-query host.img -f walkfs | rdump -s "r.path.suffix=='.dll'" -F path,file,size -E "file=path.name" --skip=1 --count=3
<filesystem/entry path='\sysvol\My Documents\COMMANDS\cygwinb19.dll' size=0.38 MB file='cygwinb19.dll'>
<filesystem/entry path='\sysvol\My Documents\ENUMERATION\NT\Cerberus\dnsscan.dll' size=40.0 KB file='dnsscan.dll'>
<filesystem/entry path='\sysvol\My Documents\ENUMERATION\NT\Cerberus\fingerscan.dll' size=40.0 KB file='fingerscan.dll'>
Formatting
A Python-style format string can be specified using the -f option of rdump (not to be confused with the -f option of target-query, which selects the function to run). The following example applies the format {file} {size} to the records:
$ target-query host.img -f walkfs | rdump -s "r.path.suffix=='.dll'" -F path,file,size -E "file=path.name" --skip=1 --count=3 -f "Filename: {file} Size: {size}"
Filename: cygwinb19.dll Size: 0.38 MB
Filename: dnsscan.dll Size: 40.0 KB
Filename: fingerscan.dll Size: 40.0 KB
Instead of having to design your own format you can also choose one of these pre-defined formats:
JSON (-j or --mode=json)
CSV (-C or --mode=csv)
Line (-L or --mode=line)
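To make the interplay of -s, -E, -F, --skip/--count and -f concrete, here is an added Python model of the rdump pipeline (example code, not flow.record's own rdump implementation). The sample records, the stage order and the plain byte-count sizes are constructed assumptions for illustration.

```python
from pathlib import PureWindowsPath
from types import SimpleNamespace

# Constructed sample records, shaped like target-query's walkfs output (path, size in bytes).
SAMPLE = [
    {"path": PureWindowsPath(r"\sysvol\Program Files\Ethereal\libgdk_pixbuf-2.0-0.dll"), "size": 115000},
    {"path": PureWindowsPath(r"\sysvol\Windows\System32\notepad.exe"), "size": 200000},
    {"path": PureWindowsPath(r"\sysvol\My Documents\COMMANDS\cygwinb19.dll"), "size": 398000},
    {"path": PureWindowsPath(r"\sysvol\My Documents\ENUMERATION\NT\Cerberus\dnsscan.dll"), "size": 40960},
    {"path": PureWindowsPath(r"\sysvol\My Documents\ENUMERATION\NT\Cerberus\fingerscan.dll"), "size": 40960},
]


def rdump(records, select=None, derive=(), fields=None, skip=0, count=None, fmt=None):
    """Model of rdump's stages (assumed order: -s, -E, --skip/--count, then -F or -f).

    select : Python expression over the record `r`, as given to -s
    derive : "name=expression" strings, as given to -E; the expression sees the
             record's fields as plain names, so "file=path.name" works
    fields : field names kept in the output, as given to -F
    fmt    : str.format template over field names, as given to rdump's -f
    """
    kept = []
    for raw in records:
        r = SimpleNamespace(**raw)
        # -s: the filter sees every field, selected or not.
        if select is not None and not eval(select, {"__builtins__": {}}, {"r": r}):
            continue
        # -E: add derived fields computed from the record's own fields.
        for expr in derive:
            name, source = expr.split("=", 1)
            setattr(r, name.strip(), eval(source, {"__builtins__": {}}, vars(r)))
        kept.append(r)
    # --skip / --count: applied after filtering, so they count matching records only.
    kept = kept[skip:]
    if count is not None:
        kept = kept[:count]
    if fmt is not None:
        # -f: render each record with a Python format string.
        return [fmt.format(**vars(r)) for r in kept]
    # -F: project each record onto the requested fields (all fields if none given).
    return [{k: v for k, v in vars(r).items() if fields is None or k in fields} for r in kept]
```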
Adapter Formatting
It is also possible to let an adapter take care of the formatting. For instance, if you wish to have your records in an archive format with a year-month-day folder structure, you can employ the -w option and choose the archive adapter: archive://outputdir. For a complete list of adapters use -a.
Note
For a complete overview of all options see here.