README
¶
GoFor Collector
GoFor (Go Forensics) Collector is geared towards augmenting EDR toolsets. Unfortunately, not all EDR toolsets has the capability of collecting forensically relevant files from endpoints. The GoFor Collector looks to remedy that.
Usage
GoFor Collector
To collect all forensic files:
gofor-collector.exe /z whatever.zip /g a
To collect just event logs:
gofor-collector.exe /z whatever.zip /g e
To collect $MFT and registry hives: gofor-collector.exe /z whatever.zip /g mr
For /g concatenate the abbreviation characters together for what you want. The order doesn't matter. Valid values are a for all (defaults to this if you don't use /g), m for $MFT, r for system registries, u for user registries, e for event logs.
Currently Available Features
- GoFor Collector: Windows command line collector that can acquire the files listed below and write them to a zip file.
- OS Drive $MFT
- All user NTUSER.DAT and USRCLASS.DAT
- SYSTEM and SOFTWARE registry hives
- All Windows event EVTX files
Future Plans
- Add support to the GoFor collector for uploading to GCP and AWS.
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CollectorClient ¶
type CollectorClient struct {
FileWriteQueue chan fileExportNameAndBytes
VolumeHandle VolumeHandle
FileEqualListForFinding fileEqualListForFinding
FileRegexListForFinding fileRegexListForFinding
// contains filtered or unexported fields
}
func (*CollectorClient) BuildDirectoryTree ¶
func (client *CollectorClient) BuildDirectoryTree() (err error)
Builds a list of directories for the purpose of of mapping MFT records to their parent directories.
func (*CollectorClient) ExportToZip ¶
func (client *CollectorClient) ExportToZip(exportList ExportList, outFileName string)
Collects target files and writes them to a zip file.
type FileToExport ¶
File that you want to export.
type VolumeBootRecord ¶
type VolumeBootRecord struct {
VolumeLetter string
BytesPerSector int64
SectorsPerCluster int64
BytesPerCluster int64
MftByteOffset int64
MftRecordSize int64
ClustersPerIndexRecord int64
}
func ParseVolumeBootRecord ¶
func ParseVolumeBootRecord(volumeBootRecordBytes []byte) (vbr VolumeBootRecord, err error)
Parses a byte slice containing an NTFS volume boot record (VBR)
type VolumeHandle ¶
type VolumeHandle struct {
Handle syscall.Handle
VolumeLetter string
Vbr VolumeBootRecord
MappedDirectories map[uint64]string
MftRecord0 mft.MasterFileTableRecord
}
func (*VolumeHandle) CombineDirectoryInformation ¶
func (volume *VolumeHandle) CombineDirectoryInformation(directoryListChannel *chan map[uint64]mft.Directory, waitForDirectoryCombination *sync.WaitGroup)
Combines a running list of directories from a channel in order to create the systems Directory trees.
func (*VolumeHandle) CreateDirectoryList ¶
func (volume *VolumeHandle) CreateDirectoryList(dataRunQueue *chan mft.DataRun, directoryListChannel *chan map[uint64]mft.Directory, waitGroup *sync.WaitGroup)
Creates a list of directories from an MFT read from a volume handle.
func (*VolumeHandle) ParseMFTRecord0 ¶
func (volume *VolumeHandle) ParseMFTRecord0() (err error)
Source Files
Directories