forensics

package
v0.0.0-...-33f6857 Latest
Published: Dec 14, 2025 License: MIT Imports: 5 Imported by: 0

Documentation

Index

Constants

const (
	HasLinkTargetIDList = 1 << 0
	HasLinkInfo         = 1 << 1
	HasName             = 1 << 2
	HasRelativePath     = 1 << 3
	HasWorkingDir       = 1 << 4
	HasArguments        = 1 << 5
	HasIconLocation     = 1 << 6
	IsUnicode           = 1 << 7
)

Variables

This section is empty.

Functions

func CalculateEntropy

func CalculateEntropy(data []byte) float64

CalculateEntropy computes the Shannon entropy of data, in bits per byte.
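A working implementation of what CalculateEntropy computes, added here as an example rather than taken from the package, with a triage helper around it. The 7.2 bits/byte threshold and the 256-byte minimum in LooksPackedOrEncrypted are this example's assumptions, not values from the package.

```go
package main

import (
	"fmt"
	"math"
)

// CalculateEntropy returns the Shannon entropy of data in bits per byte:
// 0.0 for a constant buffer, 8.0 when all 256 byte values are equally
// frequent. Added example, not the package's own implementation.
func CalculateEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	entropy := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		entropy -= p * math.Log2(p)
	}
	return entropy
}

// LooksPackedOrEncrypted applies the triage rule of thumb: native code and
// text sit well below 7 bits/byte, compressed or encrypted payloads approach
// 8. The 7.2 threshold and 256-byte minimum are assumptions for this example.
func LooksPackedOrEncrypted(data []byte) bool {
	return len(data) >= 256 && CalculateEntropy(data) > 7.2
}

func main() {
	uniform := make([]byte, 256)
	for i := range uniform {
		uniform[i] = byte(i)
	}
	samples := []struct {
		name string
		data []byte
	}{
		{"constant", []byte("AAAAAAAAAAAAAAAA")},
		{"ascii text", []byte("the quick brown fox jumps over the lazy dog")},
		{"all byte values", uniform},
	}
	for _, s := range samples {
		fmt.Printf("%-16s %.3f bits/byte  packed/encrypted: %v\n",
			s.name, CalculateEntropy(s.data), LooksPackedOrEncrypted(s.data))
	}
}
```

Entropy is a triage signal, not a verdict: a section of a .lnk or .pf file that scores near 8 is compressed, encrypted or random, and it still takes the format parser to say which.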

Types

type LnkInfo

type LnkInfo struct {
	HeaderTimes  [3]time.Time // Creation, Access, Write
	TargetPath   string
	RelativePath string
	WorkDir      string
	IconLocation string
}

LnkInfo holds the key forensic fields of an LNK (shell link) file.

func ParseLnk

func ParseLnk(path string) (*LnkInfo, error)

ParseLnk parses a .lnk file.
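The HeaderTimes in LnkInfo come from the fixed 76-byte ShellLinkHeader that opens every .lnk file, and the constants listed above are the bits of its LinkFlags word. The following is an added example, not the package's code, that parses just that header from a constructed byte slice: it checks HeaderSize and LinkCLSID before trusting any field, decodes the three FILETIMEs (a zero FILETIME means "not set" per MS-SHLLINK), and names the set flags. The helper names, the sample flag set and the sample timestamps are this example's own.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// LinkFlags bits of the ShellLinkHeader (MS-SHLLINK 2.1.1); same values as
// the package's exported constants, with their names listed in bit order.
var linkFlagNames = []string{"HasLinkTargetIDList", "HasLinkInfo", "HasName",
	"HasRelativePath", "HasWorkingDir", "HasArguments", "HasIconLocation", "IsUnicode"}

const (
	HasLinkTargetIDList = 1 << 0
	HasLinkInfo         = 1 << 1
	HasName             = 1 << 2
	HasRelativePath     = 1 << 3
	HasWorkingDir       = 1 << 4
	HasArguments        = 1 << 5
	HasIconLocation     = 1 << 6
	IsUnicode           = 1 << 7

	headerSize         = 0x4C               // fixed ShellLinkHeader size
	filetimeEpochDelta = 116444736000000000 // 100 ns ticks from 1601-01-01 to 1970-01-01
)

// LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk byte order.
var shellLinkCLSID = []byte{0x01, 0x14, 0x02, 0, 0, 0, 0, 0, 0xC0, 0, 0, 0, 0, 0, 0, 0x46}

// ShellLinkHeader keeps the header fields that matter for triage. The three
// FILETIMEs describe the link target as seen on the machine that created the
// shortcut, not the .lnk file's own file system timestamps.
type ShellLinkHeader struct {
	LinkFlags    uint32
	CreationTime time.Time
	AccessTime   time.Time
	WriteTime    time.Time
	ShowCommand  uint32 // 1 SW_SHOWNORMAL, 3 SW_SHOWMAXIMIZED, 7 SW_SHOWMINNOACTIVE
}

// FiletimeToTime converts a FILETIME to UTC; zero means "not set" in MS-SHLLINK.
func FiletimeToTime(ft uint64) time.Time {
	if ft == 0 {
		return time.Time{}
	}
	ticks := int64(ft) - filetimeEpochDelta
	return time.Unix(ticks/10_000_000, (ticks%10_000_000)*100).UTC()
}

func timeToFiletime(t time.Time) uint64 { return uint64(t.UnixNano()/100 + filetimeEpochDelta) }

// ParseShellLinkHeader validates HeaderSize and LinkCLSID before trusting any
// field. StringData (relative path, working dir, arguments) follows the header
// and is not parsed here.
func ParseShellLinkHeader(b []byte) (*ShellLinkHeader, error) {
	if len(b) < headerSize {
		return nil, fmt.Errorf("lnk: need %d header bytes, have %d", headerSize, len(b))
	}
	le := binary.LittleEndian
	if le.Uint32(b[0:]) != headerSize {
		return nil, errors.New("lnk: HeaderSize is not 0x4C")
	}
	if !bytes.Equal(b[4:20], shellLinkCLSID) {
		return nil, errors.New("lnk: LinkCLSID mismatch, not a shell link")
	}
	return &ShellLinkHeader{
		LinkFlags:    le.Uint32(b[0x14:]),
		CreationTime: FiletimeToTime(le.Uint64(b[0x1C:])),
		AccessTime:   FiletimeToTime(le.Uint64(b[0x24:])),
		WriteTime:    FiletimeToTime(le.Uint64(b[0x2C:])),
		ShowCommand:  le.Uint32(b[0x3C:]),
	}, nil
}

// FlagNames lists the set LinkFlags bits in bit order.
func (h *ShellLinkHeader) FlagNames() []string {
	var names []string
	for i, name := range linkFlagNames {
		if h.LinkFlags&(1<<uint(i)) != 0 {
			names = append(names, name)
		}
	}
	return names
}

// sampleHeader is a constructed header (not from a real file) with the flag
// set a command-line-carrying lure typically has: no IDList, but arguments, a
// working directory and a custom icon, and a minimized window.
func sampleHeader() []byte {
	le := binary.LittleEndian
	b := make([]byte, headerSize)
	le.PutUint32(b[0:], headerSize)
	copy(b[4:20], shellLinkCLSID)
	le.PutUint32(b[0x14:], HasLinkInfo|HasRelativePath|HasWorkingDir|HasArguments|HasIconLocation|IsUnicode)
	created := time.Date(2024, 3, 1, 12, 0, 0, 0, time.UTC)
	le.PutUint64(b[0x1C:], timeToFiletime(created))
	le.PutUint64(b[0x24:], timeToFiletime(created.Add(90*time.Second)))
	// WriteTime at 0x2C stays zero: "not set"
	le.PutUint32(b[0x3C:], 7) // SW_SHOWMINNOACTIVE
	return b
}
```

Two header fields carry weight in phishing triage. HasArguments set on a shortcut whose target is an interpreter (cmd.exe, powershell.exe, mshta.exe) means the StringData block holds a command line worth extracting. The three FILETIMEs are the link target's timestamps on the machine that built the shortcut, so they date the attacker's environment, not the victim's download; a ShowCommand of 7 (SW_SHOWMINNOACTIVE) keeps that window out of sight.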

type PrefetchInfo

type PrefetchInfo struct {
	ExecutableName string
	RunCount       uint32
	LastRunTimes   []time.Time
	FilesLoaded    []string // files loaded by the executable (its dependencies)
	Hash           uint32
}

PrefetchInfo holds the information parsed from a Prefetch file.

func ParsePrefetch

func ParsePrefetch(path string) (*PrefetchInfo, error)

ParsePrefetch is a stub for non-Windows systems
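The reason a portable Prefetch parser ends up as a stub is mostly decompression: from Windows 10 on, .pf files are stored LZXPRESS Huffman compressed behind a 4-byte "MAM\x04" signature, and the decompressor Windows tooling relies on is ntdll's RtlDecompressBufferEx. The example below is added here and is not the package's ParsePrefetch. It reads the fixed 84-byte header of an uncompressed file (offsets as documented by libscca: version at 0, "SCCA" at 4, file size at 0x0C, UTF-16 executable name at 0x10, hash at 0x4C) and refuses compressed input with an explicit error. The CMD.EXE sample and its hash value are constructed for the example, not computed from a real path.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"unicode/utf16"
)

// Fixed header shared by every Prefetch version (libscca layout):
// 0x00 version, 0x04 "SCCA", 0x0C file size, 0x10 executable name
// (60 bytes UTF-16LE, NUL padded), 0x4C prefetch hash.
const prefetchHeaderSize = 0x54

// Windows 10 and later store .pf files LZXPRESS-Huffman compressed behind
// this signature, followed by the uint32 decompressed size.
var mamSignature = []byte("MAM\x04")

type PrefetchHeader struct {
	Version        uint32 // 17 XP/2003, 23 Vista/7, 26 Win8.x, 30 Win10 (later Win11 builds: 31)
	FileSize       uint32 // size of the decompressed file as recorded in the header
	ExecutableName string
	Hash           uint32 // the hash that appears in the NAME-HASH.pf file name
}

// ParsePrefetchHeader reads the fixed header of an uncompressed .pf file and
// rejects MAM-compressed input: that is the case a portable parser must hand
// off to an LZXPRESS Huffman decoder before anything else can be read.
func ParsePrefetchHeader(b []byte) (*PrefetchHeader, error) {
	if bytes.HasPrefix(b, mamSignature) {
		size := uint32(0)
		if len(b) >= 8 {
			size = binary.LittleEndian.Uint32(b[4:8])
		}
		return nil, fmt.Errorf("prefetch: MAM-compressed input (%d bytes decompressed); decompress with LZXPRESS Huffman first", size)
	}
	if len(b) < prefetchHeaderSize {
		return nil, fmt.Errorf("prefetch: need %d header bytes, have %d", prefetchHeaderSize, len(b))
	}
	if string(b[4:8]) != "SCCA" {
		return nil, errors.New("prefetch: SCCA signature missing")
	}
	le := binary.LittleEndian
	// Executable name: UTF-16LE, terminated by the first NUL code unit.
	var u []uint16
	for i := 0x10; i+1 < 0x4C; i += 2 {
		c := le.Uint16(b[i:])
		if c == 0 {
			break
		}
		u = append(u, c)
	}
	return &PrefetchHeader{
		Version:        le.Uint32(b[0:]),
		FileSize:       le.Uint32(b[0x0C:]),
		ExecutableName: string(utf16.Decode(u)),
		Hash:           le.Uint32(b[0x4C:]),
	}, nil
}

// ExpectedFileName is the NAME-HASH.pf name Windows itself would use; a
// mismatch with the on-disk name points at a renamed or planted file.
func (h *PrefetchHeader) ExpectedFileName() string {
	return fmt.Sprintf("%s-%08X.pf", h.ExecutableName, h.Hash)
}

// samplePrefetch builds a constructed, uncompressed version-30 header for
// CMD.EXE; the hash value is illustrative, not computed from a real path.
func samplePrefetch() []byte {
	b := make([]byte, prefetchHeaderSize)
	le := binary.LittleEndian
	le.PutUint32(b[0:], 30)
	copy(b[4:8], "SCCA")
	le.PutUint32(b[0x0C:], prefetchHeaderSize)
	for i, c := range utf16.Encode([]rune("CMD.EXE")) {
		le.PutUint16(b[0x10+2*i:], c)
	}
	le.PutUint32(b[0x4C:], 0x4A81B364)
	return b
}

func main() {
	h, err := ParsePrefetchHeader(samplePrefetch())
	if err != nil {
		panic(err)
	}
	fmt.Printf("version %d, expected file name %s\n", h.Version, h.ExpectedFileName())
	_, err = ParsePrefetchHeader([]byte("MAM\x04\x00\x00\x01\x00"))
	fmt.Println(err)
}
```

The run count and last-run FILETIMEs that PrefetchInfo exposes live in the version-specific file information block that starts at 0x54, and their offsets differ between versions 17, 23, 26 and 30, so they are deliberately not decoded here. Check the executable name and hash from the header against the file name on disk before trusting a .pf file an analyst did not collect themselves.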

type ShimCacheEntry

type ShimCacheEntry struct {
	Path           string
	LastModified   time.Time
	IsExecuted     bool // ShimCache proves only that the file was present; Windows 10 "10ts" entries carry no execution flag, so this is a heuristic, not proof of execution
	InsertPosition int
}

ShimCacheEntry represents one record in the ShimCache.

func ParseShimCache

func ParseShimCache(data []byte) ([]ShimCacheEntry, error)

ParseShimCache parses raw AppCompatCache binary data. It supports the Windows 10 format (entries carrying the "10ts" signature).
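ParseShimCache's input is the raw AppCompatCache value from the SYSTEM hive (ControlSet00N\Control\Session Manager\AppCompatCache). The example below is added here and is not the package's implementation. It walks the Windows 10 layout: a header whose first uint32 is its own size (0x30, or 0x34 from the 1703 release on), followed by entries of "10ts", 4 unknown bytes, uint32 entry size, uint16 path size, UTF-16LE path, FILETIME last modified, uint32 data size and data, in most-recently-inserted-first order. The three sample entries are constructed; the paths and timestamps are not from a real system.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"time"
	"unicode/utf16"
)

// ShimCacheEntry mirrors the package's type minus IsExecuted: the Windows 10
// entry carries nothing to populate it from.
type ShimCacheEntry struct {
	Path           string
	LastModified   time.Time // the file's last-modified time as recorded when cached
	InsertPosition int       // 0 is the most recently inserted entry
}

const (
	shimSignature      = "10ts"
	filetimeEpochDelta = 116444736000000000 // 100 ns ticks from 1601-01-01 to 1970-01-01
)

func filetimeToTime(ft uint64) time.Time {
	if ft == 0 {
		return time.Time{}
	}
	ticks := int64(ft) - filetimeEpochDelta
	return time.Unix(ticks/10_000_000, (ticks%10_000_000)*100).UTC()
}

func timeToFiletime(t time.Time) uint64 { return uint64(t.UnixNano()/100 + filetimeEpochDelta) }

// ParseShimCache10 walks a Windows 10 AppCompatCache value. Every length is
// bounds-checked against the buffer so a truncated or tampered export fails
// with the entries parsed so far rather than a panic.
func ParseShimCache10(data []byte) ([]ShimCacheEntry, error) {
	if len(data) < 4 {
		return nil, errors.New("shimcache: value too short")
	}
	le := binary.LittleEndian
	headerSize := int(le.Uint32(data[0:]))
	if headerSize != 0x30 && headerSize != 0x34 {
		return nil, fmt.Errorf("shimcache: header size 0x%X is not a Windows 10 layout", headerSize)
	}
	var entries []ShimCacheEntry
	for off := headerSize; off+12 <= len(data); {
		if string(data[off:off+4]) != shimSignature {
			break // zero padding after the last entry, or an unknown format
		}
		size := int(le.Uint32(data[off+8:]))
		body := data[off+12:]
		if size < 2 || size > len(body) {
			return entries, fmt.Errorf("shimcache: entry %d truncated", len(entries))
		}
		body = body[:size]
		pathLen := int(le.Uint16(body[0:]))
		if 2+pathLen+8+4 > size {
			return entries, fmt.Errorf("shimcache: entry %d path overruns entry", len(entries))
		}
		u := make([]uint16, pathLen/2)
		for i := range u {
			u[i] = le.Uint16(body[2+2*i:])
		}
		entries = append(entries, ShimCacheEntry{
			Path:           string(utf16.Decode(u)),
			LastModified:   filetimeToTime(le.Uint64(body[2+pathLen:])),
			InsertPosition: len(entries),
		})
		off += 12 + size
	}
	return entries, nil
}

// buildEntry encodes one 10ts entry; used only to construct sample data.
func buildEntry(path string, modified time.Time) []byte {
	le := binary.LittleEndian
	u := utf16.Encode([]rune(path))
	body := make([]byte, 2+2*len(u)+8+4) // path size, path, FILETIME, data size (0: no data)
	le.PutUint16(body[0:], uint16(2*len(u)))
	for i, c := range u {
		le.PutUint16(body[2+2*i:], c)
	}
	le.PutUint64(body[2+2*len(u):], timeToFiletime(modified))
	hdr := make([]byte, 12)
	copy(hdr, shimSignature)
	le.PutUint32(hdr[8:], uint32(len(body)))
	return append(hdr, body...)
}

// sampleShimCache is a constructed Windows 10 value: 0x30-byte header, three
// entries, most recently inserted first. Not data from a real system.
func sampleShimCache() []byte {
	data := make([]byte, 0x30)
	binary.LittleEndian.PutUint32(data[0:], 0x30)
	old := time.Date(2023, 11, 7, 8, 15, 0, 0, time.UTC)
	data = append(data, buildEntry(`C:\Users\Public\update.exe`, time.Date(2024, 3, 1, 12, 0, 0, 0, time.UTC))...)
	data = append(data, buildEntry(`C:\Windows\System32\cmd.exe`, old)...)
	data = append(data, buildEntry(`SYSVOL\Windows\System32\regsvr32.exe`, old)...)
	return data
}
```

Two caveats apply when reading the result. The Windows 10 entry has no execution flag, so an IsExecuted field cannot be filled from this data; what you get is the path, the file's last-modified time at the moment it was cached, and the insertion order, which is the evidentiary value (a user-writable path near position 0 next to a recent modification time is the pattern to chase). And the in-memory cache is flushed to the hive at shutdown, so a value exported from a running system lags what the kernel currently holds.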
