feat: dump the raw content of ESE databases and analyse SRUM databases

.gitignore

@@ -10,4 +10,4 @@ target
 # Profiling
 flamegraph.svg
 perf.data
-perf.data.old
+perf.data.old

Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "chainsaw"
 version = "2.7.3"
-repository = "https://github.com/countercept/chainsaw"
+repository = "https://github.com/WithSecureLabs/chainsaw"
 description = "Rapidly Search and Hunt Through Windows Forensic Artefacts"
 authors = ["James Dorgan <james@dorgan.io>","Alex Kornitzer <alex.kornitzer@withsecure.com>"]
 readme = "README.md"
@@ -20,8 +20,10 @@ chrono-tz = { version = "0.8", features = ["serde"] }
 clap = { version = "4.0", features = ["derive"] }
 crossterm = "0.27"
 evtx = "0.8"
+hex = "0.4.3"
 indicatif = "0.17"
 lazy_static = "1.4.0"
+libesedb = "0.2.4"
 mft = "0.6"
 notatin = "1.0"
 once_cell = "1.0"

src/analyse/mod.rs

@@ -1 +1,2 @@
 pub mod shimcache;
+pub mod srum;

src/analyse/shimcache.rs

@@ -4,7 +4,7 @@ use chrono::{DateTime, Utc};
 use regex::Regex;
 
 use crate::file::hve::{
-    amcache::{AmcacheArtifact, FileEntry, ProgramEntry},
+    amcache::{AmcacheArtefact, FileEntry, ProgramEntry},
     shimcache::{EntryType, ShimcacheEntry},
     Parser as HveParser,
 };
@@ -47,12 +47,12 @@ impl TimelineEntity {
     }
 }
 
-pub struct ShimcacheAnalyzer {
+pub struct ShimcacheAnalyser {
     amcache_path: Option<PathBuf>,
     shimcache_path: PathBuf,
 }
 
-impl ShimcacheAnalyzer {
+impl ShimcacheAnalyser {
     pub fn new(shimcache_path: PathBuf, amcache_path: Option<PathBuf>) -> Self {
         Self {
             amcache_path,
@@ -83,7 +83,7 @@ impl ShimcacheAnalyzer {
         );
 
         // Load amcache
-        let amcache: Option<AmcacheArtifact> = if let Some(amcache_path) = &self.amcache_path {
+        let amcache: Option<AmcacheArtefact> = if let Some(amcache_path) = &self.amcache_path {
             let mut amcache_parser = HveParser::load(amcache_path)?;
             cs_eprintln!(
                 "[+] Amcache hive file loaded from {:?}",