
ds4n6_lib Documentation (v0.5)

CHRYSALIS Cheat Sheet

SUPPORTED TOOLS

Tools Supported: autoruns, kape, kansa, plaso, mactime, macrobber, volatility
Advanced Artifact Support (HAM): svclist, pslist, flist, amcache, evtx, winreg, fstl

CORE FUNCTIONS

Function | Usage | Type | Description
whatis() | whatis(obj) | CLI | Identifies the forensic data type of an object (a DataFrame, "df", or a DataFrame Collection, "dfs")
xread() | xread(options) | GUI | Reads tool output data (e.g. plaso output) and stores it in a df/dfs
xmenu() | xmenu(obj) | GUI | Selects a DataFrame from a dfs, or a column from a df, displays the selected data and allows manual (Excel-like) analysis on it
xanalysis() | xanalysis(obj, options) | GUI | Displays a menu with the advanced analysis functions available for the given data type (i.e. forensic artifact)
xdisplay() | xdisplay() | GUI | Selects the display settings for the DataFrames that will be shown (max. rows, max. columns, etc.)
simple() | df.simple(options) | CLI | Simplifies forensic output (df) by showing only the columns most relevant for analysis
xgrep() | xgrep(obj, options) | CLI | UNIX-like grep for the DataFrame world: searches for a regular expression in a df column or in the full df
plaso_get_evtxdfs() | plaso_get_evtxdfs(obj, options) | CLI | Creates a dictionary of event DataFrames from evtx files, using the Plaso DataFrame dictionary and the hostname
evtid_dfs_build() | evtid_dfs_build(obj) | CLI | Creates a dictionary of event IDs from a Security/System events DataFrame, which helps to identify events by individual event ID

You can find examples of how to use these functions here.

KNOWLEDGE

Category | Variable | Type | Alias | Description | Examples
evtx | windows_builtin_accounts_regex | str | wbar | Regex matching built-in Windows accounts (SYSTEM, LOCAL SERVICE, NETWORK SERVICE, ...) | -
evtx | evtid_desc | dict (2 levels) | - | Dictionary of event ID descriptions for the different evtx logs | evtid_desc['Security.evtx'], evtid_desc['Security.evtx'][4624]