dfdewey/docs/usage.md

104 lines
3.2 KiB
Markdown
Raw Normal View History

2020-04-15 16:58:28 +10:00
# Using dfDewey
```shell
usage: dfdewey [-h] [-c CONFIG] [--no_base64] [--no_gzip] [--no_zip] [--reparse] [--reindex] [--delete] [--highlight] [-s SEARCH] [--search_list SEARCH_LIST] case [image]
positional arguments:
case case ID
image image file (default: 'all')
2020-04-15 16:58:28 +10:00
optional arguments:
-h, --help show this help message and exit
2021-09-03 13:14:24 +10:00
-c CONFIG, --config CONFIG
datastore config file
2020-04-15 16:58:28 +10:00
--no_base64 don't decode base64
--no_gzip don't decompress gzip
--no_zip don't decompress zip
--reparse reparse filesystem (will delete existing filesystem mapping)
2021-04-01 16:57:16 +11:00
--reindex recreate index (will delete existing index)
--delete delete image (filesystem mapping and index)
2021-08-18 09:48:41 +10:00
--highlight highlight search term in results
2020-04-15 16:58:28 +10:00
-s SEARCH, --search SEARCH
search query
--search_list SEARCH_LIST
file with search queries
```
2020-06-24 11:06:09 +10:00
## Docker
If using OpenSearch and PostgreSQL in Docker, they can be started using
2020-06-24 11:06:09 +10:00
[docker-compose](https://docs.docker.com/compose/install/) from the `docker`
folder.
```shell
docker-compose up -d
```
Note: Java memory for OpenSearch is set high to improve performance when
indexing large volumes of data. If running on a system with limited resources,
you can change the setting in `docker/docker-compose.yml`.
2020-06-24 11:06:09 +10:00
To shut the containers down again (and purge the data), run:
```shell
docker-compose down
```
### Running dfDewey in Docker
The `docker` folder also contains a `Dockerfile` to build dfDewey and its
dependencies into a Docker image.
2021-09-08 14:35:57 +10:00
To build the image (must be run from the root of the repo):
2020-06-24 11:06:09 +10:00
```shell
2021-09-08 14:35:57 +10:00
docker build -t <docker_name> -f ./docker/Dockerfile .
2020-06-24 11:06:09 +10:00
```
When running dfDewey within a Docker container, we need to give the container
access to the host network so it will be able to access OpenSearch and
2020-06-24 11:06:09 +10:00
PostgreSQL in their respective containers. We also need to map a folder in the
container to allow access to the image we want to process. For example:
```shell
docker run --network=host -v ~/images/:/mnt/images <docker_name> dfdewey -h
```
2020-04-15 16:58:28 +10:00
## Processing an Image
To process an image in dfDewey, you need to supply a `CASE` and `IMAGE`.
```shell
2021-09-08 14:35:57 +10:00
dfdewey testcase /path/to/image.dd
2020-04-15 16:58:28 +10:00
```
dfDewey will have bulk_extractor decode base64 data, and decompress gzip / zip
data by default. These can be disabled by adding the flags `--no_base64`,
`--no_gzip`, and `--no_zip`.
If an image has already been processed, you can opt to reparse and reindex the
image (this will first delete the existing data) by adding the flags
`--reparse` and `--reindex`.
You can also delete the data for a given image from the datastores by adding
the `--delete` flag.
2020-04-15 16:58:28 +10:00
## Searching
To search the index for a single image, you need to supply a `CASE`, `IMAGE`,
and `SEARCH`.
```shell
2021-09-08 14:35:57 +10:00
dfdewey testcase /path/to/image.dd -s 'foo'
2020-04-15 16:58:28 +10:00
```
If an `IMAGE` is not provided, dfDewey will search all images in the given case.
dfDewey can also search for a list of terms at once. The terms can be placed in
a text file one per line. In this case, only the number of results for each term
is returned.
```shell
2021-09-08 14:35:57 +10:00
dfdewey testcase /path/to/image.dd --search_list search_terms.txt
2020-04-15 16:58:28 +10:00
```