I do get the following error message when running pf2bodyfile:
Error: IO operations error: creation time is not available for the filesystem

My setup:

• kali linux
• I have connected an external drive with NTFS filesystem.
• An E01 image is stored on the external drive
• I have mounted the E01 image, the mountpath is also on the external drive

The function format_date was copied from 'src/bin/mactime2/application.rs' to 'src/common/forensics_timestamp.rs', so the function could be removed from Mactime2Application.
Additionally, the calls of the function, for e.g. in 'src/bin/mactime2/output/csv_output.rs' (impl Mactime2Writer for CsvOutput) and in 'src/bin/mactime2/output/txt_output.rs' (impl Mactime2Writer for TxtOutput), have to be adjusted.

I have developed a pure rust prefetch parser, it is still in development and is designed to work with the Forensic-RS framework, but it can work in this project so as not to use bindings to C code.

https://crates.io/crates/frnsc-prefetch

It does not use the Windows-exclusive RtlDecompressBuffer function that other implementations use, which allows it to be used on any platform compatible with the standard Rust library.
It also gives you accurate traces and metrics, such as which blocks were loaded into runtime memory, as a resource, or fetched from disk without going through the prefetch.

The logs generated during processing can be accessed through Rust code by initializing the logger. They are not sent directly to stdout or stderr. logger

You can also check for anomalies detected during processing through the notification system and create hooks when certain anomalies occur. notifications

Tracking issue for:

• https://github.com/dfir-dd/dfir-toolkit/security/code-scanning/28

mactime2 with timezone specification (no matter if source (-f) or destination (-t)) does not seem to work properly.

For example, the command mactime2 -b <bodyfile> -d -t UTC also just lists the possible timezone values instead of processing the data. The output is equal to listing of timezone values with e.g. mactime2 -t list

I guess there is an issue inside https://github.com/dfir-dd/dfir-toolkit/blob/master/src/bin/mactime2/main.rs in

if matches!(cli.src_zone(), Some(_list)) {
        display_zones(); return Ok(());
    }
    if matches!(cli.dst_zone(), Some(_list)) {
        display_zones(); return Ok(());
    }

I get the following error message, when I try to create a timeline from the registry with regdump and specify a transaction log, that is empty.

$ regdump -L ntuser.dat.LOG1 -L ntuser.dat.LOG2 -b NTUSER.DAT > ntuser.body

Error: AssertFail at 0x0: "! log_entries.is_empty()"

It would be cool when the program continues to process the contents despite an empty transaction log and outputs a small warning that the transaction log is empty.

Stack Trace for the 'UnexpectedEof' error

hivescan SYSTEM
[00:00:12] ██████████████████████████████████████░░  22745024/23834624 (95%) scanning cells                              
thread 'main' panicked at /home/user/.cargo/registry/src/index.crates.io-6f17d22bba15001f/nt_hive2-4.0.2/src/cell_iterator.rs:152:101:
called `Result::unwrap()` on an `Err` value: Custom { kind: UnexpectedEof, error: "cannot seek beyond end of file" }
stack backtrace:
   0: rust_begin_unwind
             at /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/std/src/panicking.rs:645:5
   1: core::panicking::panic_fmt
             at /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/core/src/panicking.rs:72:14
   2: core::result::unwrap_failed
             at /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112/library/core/src/result.rs:1653:5
   3: <nt_hive2::cell_iterator::CellIterator<B,C> as core::iter::traits::iterator::Iterator>::next
   4: hivescan::regtreebuilder::RegTreeBuilder::from_hive
   5: hivescan::hivescanapplication::HiveScanApplication::run
   6: hivescan::main