docker_hayabusa/start.sh

#!/bin/sh
# Check if folder was mounted under /data
if [ ! -d /data ]; then
    echo "[!] No Folder was mounted to /data"
    echo "[=] Make sure a folder containing the Windows Logs (evtx) is mounted. Example:"
    echo "[=]"
    echo "[>] # docker run -it --rm --network=none -v /path/to/logfiles:/data tabledevil/hayabusa"
    exit 1
fi

# Check which destination is writable /data or /output
if [ -w /output ]; then
    echo "[!] Output folder was mounted and is writable"
    echo "[>] Using /output as destination for report"
    output="/output"
elif [ -w /data ]; then
    echo "[!] Mounted folder /data can be written"
    echo "[>] Using /data as destination for report"
    output="/data"
else
    echo "[!] No writable output folder available"
    echo "[=] Make sure either the folder mounted under /data is writable ..."
    echo "[>] # docker run -it --rm -v /path/to/logfiles:/data tabledevil/hayabusa"
    echo "[=] ... or mount a writable folder to /output"
    echo "[>] # docker run -it --rm -v /path/to/logfiles:/data:ro -v /path/for/report:/output tabledevil/hayabusa"
    exit 1
fi

# Set output destination
outdir="${output}"
timestamp=$(date +%s)
output="${output}/hayabusa_${timestamp}"
echo "Output is going to: ${output}"

# Run hayabusa with the included rules
/opt/hayabusa/hayabusa csv-timeline -p timesketch-verbose -r /opt/hayabusa/rules/ -w -m low -U -H "${output}.html" -o "${output}.ts.csv" -C -d /data
/opt/hayabusa/hayabusa json-timeline -p verbose -r /opt/hayabusa/rules/ -w -L -o "${output}_takajo.jsonl" -d /data

# Check if takajo exists before running it
if [ -x /opt/hayabusa/takajo ]; then
    ( cd /opt/hayabusa && ./takajo automagic -t "${output}_takajo.jsonl" -o "${outdir}/takajo" )
else
    echo "[!] Takajo is not available on this platform."
fi