Releases: S-RM/wiskess_rust

2025-10-12

13 Oct 11:15

Updates in this version

The following is a list of developments since the last release; they are currently pushed to the repo:

  • Official support for processing local collections or disk images, where multiple collections or images have already been downloaded to a drive or network share. There is no new command for this: when you have already downloaded the collections/images, pass --in-link with the word "local", pass -l as the folder where the collections are stored on disk, and pass --data-source-list, -d as the list of files to process, e.g. --in-link local -l x:\ -d "Collection-DC1.zip, Collection-FTP.zip, Veeam.vmdk". You can optionally provide --out-link as "local", but you must combine that with the --update flag.
  • Timeline file for the host information file - useful when only ingesting the timeline folder files into a SIEM.
  • Timeline file for PowerShell history files, ConsoleHost_history.txt.
  • Tests to confirm that WISKESS has been set up, reporting any missing packages. Use the command setup -c to check whether the setup completed fully.
  • Removed bloat data from the message field of some timeline files, e.g. shellbags and hayabusa, and restructured others so the message field is easier to read in a CSV.
  • Fixed an issue in the network CSV in the timeline, where multiple entries were shown for the same event.
  • Fixed an issue with old-whip and the GUI when using whipped, where some collections would not be extracted completely.
  • Artefact collection from disk images on Windows is now done in parallel.

Full Changelog: v0.0.7-beta...v0.0.7

What's Changed

Full Changelog: v0.0.6...v0.0.7

2025-07-09

09 Jul 13:32
9cc0999

The main change from the pre-release version 0.0.5 is that the whipped command now has backward-compatibility support for disk images.

Additionally, this version adds the Dockerfile, which you can use to build a Docker image that runs wiskess. The Docker image is pushed to Docker Hub on each release, here:

wiskess in docker

Or just pull it with Docker:

docker pull hullgjhullgj/wiskess_rust

The change in this release is that the whipped by wiskess command no longer needs a list of the files that you would like to process. Now you have the option of specifying which file(s) you want to process, or of just providing the link to the files, e.g. an Azure Storage or AWS S3 link. I had to convert the original whipped.ps1 script to Rust to make it operable in Linux and more reliable.

An example command is:

.\wiskess_rust.exe whipped -l "X:\" --start-date 2025-01-01 --end-date 2025-07-09 --in-link "https://myaccount.blob.core.windows.net/my-blob?sv=...%3D" --out-link "https://myaccount.file.core.windows.net/my-processed-files?sv=...%3D"

The original whipped.ps1 functionality is maintained, and you can access it using the old-whip command and providing the data list.

Whipping of collections is now possible by providing only the --in-link, which is used to list the available collections or disk images. That list is then used to iteratively process all the collections in the cloud storage. You can optionally provide a list of data to process with the -d flag, which behaves the same as in the prior whipped version.

v0.0.5

27 Mar 15:42
171ad06

v0.0.5 Pre-release

The change in this release is that the whipped by wiskess command no longer needs a list of the files that you would like to process. Now you have the option of specifying which file(s) you want to process, or of just providing the link to the files, e.g. an Azure Storage or AWS S3 link. I had to convert the original whipped.ps1 script to Rust to make it operable in Linux and more reliable.

An example command is:

.\wiskess_rust.exe whipped -l "X:\" --start-date 2025-01-01 --end-date 2025-03-27 --in-link "https://myaccount.blob.core.windows.net/my-blob?sv=...%3D" --out-link "https://myaccount.file.core.windows.net/my-processed-files?sv=...%3D"

Note that this doesn't currently support disk images. Hence I have kept the original whipped.ps1 functionality, which you can access using the old-whipped command and providing the data list.

This merges the branch where the whipped.ps1 script has been ported to Rust. It has the same functionality as the original whipped.ps1 script: collections are downloaded from Azure Storage or AWS S3, pre-processed, passed to wiskess, and the results are uploaded to either Azure or AWS.

Whipping of collections is now possible by providing only the --in-link, which is used to list the available collections or disk images. That list is then used to iteratively process all the collections in the cloud storage. You can optionally provide a list of data to process, which behaves the same as in the prior whipped version.

Note: processing of disk images is still in development in this new version of whipped. Hence I have kept the old version, which you can access using the old-whipped command.

Other features include making sure wiskess is being run from an elevated terminal, adding the srum-dump template that was missing before, and updating the EZTools suite to use .NET 9.

What's Changed

Full Changelog: v0.0.4...v0.0.5

2024-07-24

24 Jul 14:54

Wiskess 0.0.4

  • GUI - a web user interface that allows you to submit either single or multiple data sources to wiskess or to whipped by wiskess
  • RegRipper - now integrated by default; data is processed using RegRipper 4.0, with results output to two folders under Registry: one for the normal results and the other for the timelined results
  • Timeline - added timeline generation for RegRipper and hindsight
  • IOCs - the summary is post-processed into a CSV for ease of use
  • Processing config - I've reduced the main config to be less time-intensive: 8 processing tools (Chainsaw EVTX, EVTX Dump, williballenthin Shellbags, KStrike, RDP Bitmap, Polars Enrich, IOCs over pagefile, Executablelist, Loki over the data source) have been moved to a new config: intense_win.yaml

Full Changelog: v0.0.3...v0.0.4

2024-05-24

24 May 15:42

Full Changelog: v0.0.2...v0.0.3

2024-05-07

07 May 14:48

Small fix for non-interactive setup on Windows. In previous releases, setup would not complete because Chocolatey did not add git to the PATH.

Full Changelog: v0.0.1...v0.0.2

First Release

30 Apr 15:59

This is the first stable alpha release of the Rust version of Wiskess. The tools used after running setup are:

ANSSI-FR: bmc_tools
Nir Soft: BrowsingHistoryView
Yamato-Security: hayabusa
obsidianforensics: hindsight
brimorlabs: KStrike
Neo23x0: loki
BurntSushi: RipGrep
keydet89: RegRipper
williballenthin: shellbags

davidpany:

  • CCM_RUA_Finder
  • PyWMIPersistenceFinder

omerbenamram:

  • evtx
  • mft

WithSecureLabs chainsaw:

  • evtx
  • Shimcache
  • SRUM (System Resource Usage Monitor)

EZTools:

  • AmcacheParser
  • AppCompatCacheParser
  • EvtxECmd
  • JLECmd
  • LECmd
  • MFTECmd
  • PECmd
  • RBCmd
  • RecentFileCacheParser
  • RECmd
  • SBECmd
  • SrumECmd
  • SumECmd

S-RM:

  • enrich
  • polars_enrich.py
  • polars_hostinfo.py
  • polars_tln.py
  • Executablelist.ps1

Whipped Tools:

  • AzCopy
  • 7zip
  • OSFMount

What's Changed

  • validation of input/output processing, better logging by @Hullgj in #1
  • Bump unsafe-libyaml from 0.2.9 to 0.2.10 by @dependabot in #2
  • Improvements for disk image collections by @Hullgj in #3
  • Bump mio from 0.8.8 to 0.8.11 by @dependabot in #4
  • fix python pack update & install eztools on net6 by @Hullgj in #5
  • rdp cache parser by @Hullgj in #6
  • upd setup in win by @Hullgj in #7

New Contributors

Full Changelog: https://github.com/S-RM/wiskess_rust/commits/20240430