Note: this project is not currently maintained and has been succeeded by Hayabusa. Please check out Hayabusa for all of your Windows event analysis needs.
RustyBlue is a Rust implementation of Eric Conrad's DeepBlueCLI, a DFIR tool that detects various Windows attacks by analyzing Windows event logs. Because it is not written in PowerShell, it cannot use the PowerShell features that DeepBlueCLI relies on for remote investigations, and it has no GUI. It is, however, very lightweight and fast, so its main purposes are to analyze large event log files and to serve as a reference for writing other Windows event log analysis tools in Rust.
DeepBlueCLI: https://github.com/sans-blue-team/DeepBlueCLI
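To make the "detects attacks by analyzing event logs" idea concrete, here is an added, self-contained example of the kind of detection logic such a tool runs; it is not RustyBlue's or DeepBlueCLI's own code. It assumes a simplified event record (event ID, target user name, source IP) that a real tool would fill from parsed .evtx data, and the thresholds and the constructed sample events are illustrative, not the projects' defaults. It flags a cleared Security log (event 1102), repeated failed logons (event 4625) against one account, and failed logons from one source against many different accounts (password spraying):

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Minimal view of a Windows Security event. A real analyzer would fill
/// this from parsed .evtx records; this example constructs records inline.
#[derive(Debug, Clone)]
pub struct SecurityEvent {
    pub event_id: u32,
    pub target_user: String, // TargetUserName field of 4625/4624
    pub source_ip: String,   // IpAddress field of 4625/4624
}

#[derive(Debug, PartialEq, Eq)]
pub enum Finding {
    /// Event 1102: the Security log was cleared.
    LogCleared,
    /// Many failed logons (4625) against one account.
    BruteForce { user: String, failures: usize },
    /// Failed logons (4625) from one source against many accounts.
    PasswordSpray { source_ip: String, distinct_users: usize },
}

// Illustrative thresholds (assumed for this example, not a project default).
pub const BRUTE_FORCE_MIN_FAILURES: usize = 5;
pub const SPRAY_MIN_DISTINCT_USERS: usize = 3;

/// Run the three detections over a slice of events and return every finding.
pub fn analyze(events: &[SecurityEvent]) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut failures_per_user: BTreeMap<&str, usize> = BTreeMap::new();
    let mut users_per_source: BTreeMap<&str, BTreeSet<&str>> = BTreeMap::new();

    for ev in events {
        match ev.event_id {
            // A cleared Security log is always worth reporting.
            1102 => findings.push(Finding::LogCleared),
            // Aggregate failed logons by account and by source address.
            4625 => {
                *failures_per_user.entry(&ev.target_user).or_insert(0) += 1;
                users_per_source
                    .entry(&ev.source_ip)
                    .or_default()
                    .insert(&ev.target_user);
            }
            _ => {} // other events are ignored by these detections
        }
    }

    for (user, failures) in failures_per_user {
        if failures >= BRUTE_FORCE_MIN_FAILURES {
            findings.push(Finding::BruteForce { user: user.to_string(), failures });
        }
    }
    for (source_ip, users) in users_per_source {
        if users.len() >= SPRAY_MIN_DISTINCT_USERS {
            findings.push(Finding::PasswordSpray {
                source_ip: source_ip.to_string(),
                distinct_users: users.len(),
            });
        }
    }
    findings
}

fn ev(event_id: u32, target_user: &str, source_ip: &str) -> SecurityEvent {
    SecurityEvent { event_id, target_user: target_user.to_string(), source_ip: source_ip.to_string() }
}

/// Constructed sample log: six failures against "admin" from one host,
/// one failure each against three accounts from another host, one
/// successful logon, and a log-clear event.
pub fn sample_events() -> Vec<SecurityEvent> {
    let mut events: Vec<SecurityEvent> = (0..6).map(|_| ev(4625, "admin", "10.0.0.5")).collect();
    events.push(ev(4625, "alice", "10.0.0.9"));
    events.push(ev(4625, "bob", "10.0.0.9"));
    events.push(ev(4625, "carol", "10.0.0.9"));
    events.push(ev(4624, "alice", "10.0.0.9")); // success, not counted
    events.push(ev(1102, "-", "-"));
    events
}

fn main() {
    for finding in analyze(&sample_events()) {
        println!("{:?}", finding);
    }
}
```

The aggregation is keyed on both the account and the source address because the two attacks look different per key: a brute force is many failures for one user, while a spray keeps per-user failures low (often below lockout thresholds) and only stands out when grouped by source.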
Analyze one event log file:
-f or --filepath=<FilePath>
Analyze event log files in a directory:
-d or --dirpath=<DirectoryPath>
Print credits:
-c or --credits
rusty_blue.exe --filepath=C:\Users\user\Downloads\security.evtx
rusty_blue.exe --dirpath=C:\WindowsEventLogs
You can compile the cloned source code with the following command:
cargo build --release
You can download the compiled binaries for Windows, Linux and MacOS here: https://github.com/Yamato-Security/RustyBlue/releases/


