tommy/dfdewey
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
dfdewey/docs/usage.md
Jason Solomon 927dc21800 Add note about Elasticsearch memory setting.
2020-11-23 14:21:51 +11:00

2.5 KiB
Raw Blame History

Using dfDewey

usage: dfdcli.py [-h] [--no_base64] [--no_gzip] [--no_zip] [-s SEARCH] [--search_list SEARCH_LIST] case [image]

positional arguments:
  case                  case ID
  image                 image file (default: 'all')

optional arguments:
  -h, --help            show this help message and exit
  --no_base64           don't decode base64
  --no_gzip             don't decompress gzip
  --no_zip              don't decompress zip
  -s SEARCH, --search SEARCH
                        search query
  --search_list SEARCH_LIST
                        file with search queries

Docker

If using Elasticsearch and PostgreSQL in Docker, they can be started using docker-compose from the docker folder.

docker-compose up -d

Note: Java memory for Elasticsearch is set high to improve performance when indexing large volumes of data. If running on a system with limited resources, you can change the setting in docker/docker-compose.yml.

To shut the containers down again (and purge the data), run:

docker-compose down

Running dfDewey in Docker

The docker folder also contains a Dockerfile to build dfDewey and its dependencies into a Docker image.

Build the image from the docker folder with:

docker build -t <docker_name> ./

When running dfDewey within a Docker container, we need to give the container access to the host network so it will be able to access Elasticsearch and PostgreSQL in their respective containers. We also need to map a folder in the container to allow access to the image we want to process. For example:

docker run --network=host -v ~/images/:/mnt/images <docker_name> dfdewey -h

Processing an Image

To process an image in dfDewey, you need to supply a CASE and IMAGE.

dfdcli.py testcase /path/to/image.dd

dfDewey will have bulk_extractor decode base64 data, and decompress gzip / zip data by default. These can be disabled by adding the flags --no_base64, --no_gzip, and --no_zip.

Searching

To search the index for a single image, you need to supply a CASE, IMAGE, and SEARCH.

dfdcli.py testcase /path/to/image.dd -s 'foo'

If an IMAGE is not provided, dfDewey will search all images in the given case.

dfDewey can also search for a list of terms at once. The terms can be placed in a text file one per line. In this case, only the number of results for each term is returned.

dfdcli.py testcase /path/to/image.dd --search_list search_terms.txt