<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Configuring Console Output, Logging — DFIR ORC documentation</title>
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="_static/solar.css" type="text/css" />
<link rel="stylesheet" type="text/css" href="_static/css/custom.css" />
<script id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
<script src="_static/jquery.js"></script>
<script src="_static/underscore.js"></script>
<script src="_static/doctools.js"></script>
<script src="_static/language_data.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="Configuring Process Priority" href="configuring_process.html" />
<link rel="prev" title="Configuring Attributes of ntfs_find and ntfs_exclude Elements" href="configuring_ntfs_opt.html" /><link href='http://fonts.googleapis.com/css?family=Source+Code+Pro|Open+Sans:300italic,400italic,700italic,400,300,700' rel='stylesheet' type='text/css'>
<link href="_static/solarized-dark.css" rel="stylesheet">
</head><body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" >
<a href="configuring_process.html" title="Configuring Process Priority"
accesskey="N">next</a>
<li class="right" >
<a href="configuring_ntfs_opt.html" title="Configuring Attributes of ntfs_find and ntfs_exclude Elements"
accesskey="P">previous</a>
|</li>
<li class="nav-item nav-item-0"><a href="index.html">DFIR ORC documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="embedded_tool_suite.html" >Embedded Tool Suite</a> »</li>
<li class="nav-item nav-item-2"><a href="info_tools.html" accesskey="U">Common Options & Properties</a> »</li>
</ul>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<p class="logo"><a href="index.html">
<img class="logo" src="_static/logo.jpg" alt="Logo"/>
</a></p>
<h3><a href="index.html">Table of Contents</a></h3>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="index.html">Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="tuto.html">Tutorial</a></li>
<li class="toctree-l1"><a class="reference internal" href="platforms.html">Requirements</a></li>
<li class="toctree-l1"><a class="reference internal" href="intro_to_data_collection.html">Design and Architecture</a></li>
<li class="toctree-l1"><a class="reference internal" href="configuration.html">Configuration</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="embedded_tool_suite.html">Embedded Tool Suite</a><ul class="current">
<li class="toctree-l2 current"><a class="reference internal" href="info_tools.html">Common Options & Properties</a></li>
<li class="toctree-l2"><a class="reference internal" href="FatInfo.html">FatInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="FastFind.html">FastFind</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetThis.html">GetThis</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetSamples.html">GetSamples</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetSectors.html">GetSectors</a></li>
<li class="toctree-l2"><a class="reference internal" href="NTFSInfo.html">NTFSInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="NTFSUtil.html">NTFSUtil</a></li>
<li class="toctree-l2"><a class="reference internal" href="ObjInfo.html">ObjInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="RegInfo.html">RegInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="USNInfo.html">USNInfo</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="licenses.html">Licenses</a></li>
</ul>
<div id="searchbox" style="display: none" role="search">
<h3 id="searchlabel">Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="search.html" method="get">
<input type="text" name="q" aria-labelledby="searchlabel" />
<input type="submit" value="Go" />
</form>
</div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="configuring-console-output-logging">
<h1>Configuring Console Output, Logging<a class="headerlink" href="#configuring-console-output-logging" title="Permalink to this headline">¶</a></h1>
<p>By default, a tool's console output is sent to the default output console (CONOUT$).
It can be configured to log to a file, to emit verbose logs, and/or to print information to an attached debugger console.</p>
<div class="section" id="usage">
<h2>Usage<a class="headerlink" href="#usage" title="Permalink to this headline">¶</a></h2>
<p>In the XML configuration file, the console output is configured within the <code class="docutils literal notranslate"><span class="pre">logging</span></code> element.</p>
<div class="section" id="file-attribute-logfile-file-option">
<h3><code class="docutils literal notranslate"><span class="pre">file</span></code> Attribute, <code class="docutils literal notranslate"><span class="pre">/logfile=<File></span></code> Option<a class="headerlink" href="#file-attribute-logfile-file-option" title="Permalink to this headline">¶</a></h3>
<p>Logs to a file. The log file is created if it does not exist, or truncated if it does.
The containing folder must exist and be writeable; otherwise no logging is performed.</p>
<p>Unlike console output, the log is only written to the file every 1048576 bytes (or 1MB) and at the end of the tool's execution.
This implies that tool progress cannot be followed from the log file with “tail -f”-style tools.</p>
<blockquote>
<div><div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><logging</span> <span class="na">file=</span><span class="s">"c:\Temp\dfir-orc.log"</span><span class="nt">/></span>
</pre></div>
</div>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">logfile</span><span class="o">=</span><span class="n">c</span><span class="p">:</span>\<span class="n">Temp</span>\<span class="n">dfir</span><span class="o">-</span><span class="n">orc</span><span class="o">.</span><span class="n">log</span>
</pre></div>
</div>
</div></blockquote>
</div>
<div class="section" id="noconsole-attribute-noconsole-option">
<h3><code class="docutils literal notranslate"><span class="pre">noconsole</span></code> Attribute, <code class="docutils literal notranslate"><span class="pre">/noconsole</span></code> Option<a class="headerlink" href="#noconsole-attribute-noconsole-option" title="Permalink to this headline">¶</a></h3>
<p>This option disables console output.</p>
<blockquote>
<div><div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><logging</span> <span class="na">noconsole=</span><span class="s">""</span><span class="nt">/></span>
</pre></div>
</div>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">noconsole</span>
</pre></div>
</div>
</div></blockquote>
</div>
<div class="section" id="verbose-attribute-verbose-option">
<h3><code class="docutils literal notranslate"><span class="pre">verbose</span></code> Attribute, <code class="docutils literal notranslate"><span class="pre">/verbose</span></code> Option<a class="headerlink" href="#verbose-attribute-verbose-option" title="Permalink to this headline">¶</a></h3>
<p>Enables verbose output.</p>
<blockquote>
<div><div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><logging</span> <span class="na">verbose=</span><span class="s">""</span><span class="nt">/></span>
</pre></div>
</div>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">verbose</span>
</pre></div>
</div>
</div></blockquote>
</div>
<div class="section" id="debug-attribute-debug-option">
<h3><code class="docutils literal notranslate"><span class="pre">debug</span></code> Attribute, <code class="docutils literal notranslate"><span class="pre">/debug</span></code> Option<a class="headerlink" href="#debug-attribute-debug-option" title="Permalink to this headline">¶</a></h3>
<p>Enables debug logging. Debug mode also adds debug-related traces, such as the source file name and line number where the output is logged.</p>
<blockquote>
<div><div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><logging</span> <span class="na">debug=</span><span class="s">""</span><span class="nt">/></span>
</pre></div>
</div>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">debug</span>
</pre></div>
</div>
</div></blockquote>
<p>Example of debug logging:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>[NTFSInfo_Output.cpp:86] Orc.Exe Version 10.0
[NTFSInfo_Output.cpp:87] Start time: 10/08/2019 12:47:50.159 (UTC)
[NTFSInfo_Output.cpp:89] Walker used : MFT
[NTFSInfo_Output.cpp:90] Output file : NTFSInfo.csv
[NTFSInfo_Output.cpp:94]
</pre></div>
</div>
</div>
</div>
<div class="section" id="typical-usage-example">
<h2>Typical Usage Example<a class="headerlink" href="#typical-usage-example" title="Permalink to this headline">¶</a></h2>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>.\DFIR-Orc.exe NTFSInfo /noconsole /debug /logfile=c:\temp\ntfsinfo.log
</pre></div>
</div>
<p>This example outputs nothing to the console (quiet mode), logs information directly to an attached debugger, and creates “c:\temp\ntfsinfo.log” containing the console output.</p>
<p>The equivalent XML syntax is:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><logging</span> <span class="na">file=</span><span class="s">"c:\temp\ntfsinfo.log"</span> <span class="na">noconsole=</span><span class="s">""</span> <span class="na">debug=</span><span class="s">""</span> <span class="nt">/></span>
</pre></div>
</div>
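<p>The following Python script is an added example, not part of the DFIR ORC project or its documentation. It reads a <code class="docutils literal notranslate"><span class="pre">logging</span></code> element such as the one above, translates its attributes into the equivalent command-line options documented on this page, checks the precondition the <code class="docutils literal notranslate"><span class="pre">file</span></code> section states (the containing folder must exist and be writeable, or no logging happens at all), and parses the <code class="docutils literal notranslate"><span class="pre">[source.cpp:line]</span></code> prefix that debug mode adds to each trace line. The sample XML and sample trace line are taken from this page; the function names and the folder check are this example's own assumptions about how one would validate a configuration before deployment.</p>

```python
import ntpath
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <logging> element from the typical usage example above.
SAMPLE_XML = '<logging file="c:\\temp\\ntfsinfo.log" noconsole="" debug="" />'

# Boolean attributes documented on this page; each maps to the /<name> option.
FLAG_ATTRIBUTES = ("noconsole", "verbose", "debug")

# Debug-mode trace lines look like "[NTFSInfo_Output.cpp:86] Orc.Exe Version 10.0".
DEBUG_LINE = re.compile(r"^\[(?P<source>[^:\]]+):(?P<line>\d+)\]\s?(?P<message>.*)$")


def logging_to_options(xml_text):
    """Return the command-line options equivalent to a <logging> element (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    if root.tag != "logging":
        raise ValueError(f"expected <logging>, got <{root.tag}>")
    options = []
    for name, value in root.attrib.items():
        if name == "file":
            options.append(f"/logfile={value}")
        elif name in FLAG_ATTRIBUTES:
            options.append(f"/{name}")
        else:
            # Anything else is not documented on this page; surface it rather than drop it.
            raise ValueError(f"unknown logging attribute: {name}")
    return options


def check_log_destination(log_path):
    """List problems that would make the tool silently skip file logging.

    The page states the containing folder must already exist and be writeable.
    ntpath is used so Windows-style paths are split correctly on any host.
    """
    problems = []
    folder = ntpath.dirname(log_path) or "."
    if not os.path.isdir(folder):
        problems.append(f"log folder does not exist: {folder}")
    elif not os.access(folder, os.W_OK):
        problems.append(f"log folder is not writeable: {folder}")
    return problems


def parse_debug_line(line):
    """Split a debug-mode trace into source file, line number and message; None if not a trace."""
    match = DEBUG_LINE.match(line)
    if not match:
        return None
    return {
        "source": match.group("source"),
        "line": int(match.group("line")),
        "message": match.group("message"),
    }


if __name__ == "__main__":
    options = logging_to_options(SAMPLE_XML)
    print("equivalent command line:", ".\\DFIR-Orc.exe NTFSInfo " + " ".join(options))
    for option in options:
        if option.startswith("/logfile="):
            for problem in check_log_destination(option[len("/logfile="):]):
                print("warning:", problem)
    print(parse_debug_line("[NTFSInfo_Output.cpp:86] Orc.Exe Version 10.0"))
```

<p>Running the check before shipping a configuration catches the silent-failure case the page describes: a log folder that does not exist on the target produces no log file and no error, so the folder check is worth running on the collection host rather than only on the analyst's workstation.</p>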
</div>
</div>
<div class="clearer"></div>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" >
<a href="configuring_process.html" title="Configuring Process Priority"
>next</a>
<li class="right" >
<a href="configuring_ntfs_opt.html" title="Configuring Attributes of ntfs_find and ntfs_exclude Elements"
>previous</a>
|</li>
<li class="nav-item nav-item-0"><a href="index.html">DFIR ORC documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="embedded_tool_suite.html" >Embedded Tool Suite</a> »</li>
<li class="nav-item nav-item-2"><a href="info_tools.html" >Common Options & Properties</a> »</li>
</ul>
</div>
<script type="text/javascript">
$(document).ready(function() {
$(".toggle > *").hide();
$(".toggle .header").show();
$(".toggle .header").click(function() {
$(this).parent().children().not(".header").toggle(400);
$(this).parent().children(".header").toggleClass("open");
})
});
</script>
</body>
</html>