jonnybottles committed Jan 28, 2025
1 parent d396171 commit be25214
Showing 8 changed files with 237 additions and 8 deletions.
3 changes: 1 addition & 2 deletions Hawk/changelog.md
Expand Up @@ -7,7 +7,7 @@
## 2.0.1 (2021-02-07)

- Incorporated workflow and pester tests
- Readme file updated with https://cloudforensicator.com link
- Readme file updated with https://hawkforensics.io link
- Updated Azure AD SKU options that identity "Premium Licensing"
- Issue #25 - Unified Audit Log AuditData JSON parsing added to "Exchange_UAL_Audit.csv"

Expand Down Expand Up @@ -106,4 +106,3 @@
- Implemented check to verify that an Exchange operation is enabled for auditing before attempting to pull logs
- Added log pull of user Send activity to the User Investigation (Get-HawkUserMailSendActivity)
- Added log pull of user SharePoint Search activity to the User Investigation (Get-HawkUserSharePointSearchQuery)

2 changes: 1 addition & 1 deletion Hawk/functions/Tenant/Start-HawkTenantInvestigation.ps1
Expand Up @@ -87,7 +87,7 @@
Useful for understanding the investigation process or validating parameters.
.LINK
https://cloudforensicator.com
https://hawkforensics.io
.LINK
https://github.com/T0pCyber/hawk
2 changes: 1 addition & 1 deletion Hawk/functions/User/Start-HawkUserInvestigation.ps1
Expand Up @@ -88,7 +88,7 @@
Investigates all users with CustomAttribute1="C-level" for January 2024.
Runs in non-interactive mode because multiple parameters were specified.
.LINK
https://cloudforensicator.com
https://hawkforensics.io
.LINK
https://github.com/T0pCyber/hawk
2 changes: 1 addition & 1 deletion Hawk/internal/functions/Write-HawkBanner.ps1
Expand Up @@ -45,7 +45,7 @@ Function Write-HawkBanner {
========================================
Microsoft Cloud Security Analysis Tool
https://cloudforensicator.com
https://hawkforensics.io
========================================
@@ -0,0 +1,223 @@
Describe 'Test-HawkInvestigationParameter' {
BeforeAll {
# Mock Test-Path to handle both -IsValid and normal path checks
Mock Test-Path -ModuleName Hawk {
param($Path)
if ($Path -eq 'C:\ValidPath') {
return $true
}
return $false
}
}

Context 'When validating FilePath parameter' {
It 'Should fail when FilePath is missing in non-interactive mode' {
# Arrange
$startDate = Get-Date
$endDate = $startDate.AddDays(30)

# Act
$result = Test-HawkInvestigationParameter `
-StartDate $startDate `
-EndDate $endDate `
-NonInteractive

# Assert
$result.IsValid | Should -BeFalse
$result.ErrorMessages | Should -Contain 'FilePath parameter is required in non-interactive mode'
}

It 'Should fail when FilePath is invalid' {
# Arrange
$startDate = Get-Date
$endDate = $startDate.AddDays(30)
$invalidPath = "Z:\NonExistentPath\Invalid"

# Act
$result = Test-HawkInvestigationParameter `
-StartDate $startDate `
-EndDate $endDate `
-FilePath $invalidPath `
-NonInteractive

# Assert
$result.IsValid | Should -BeFalse
$result.ErrorMessages | Should -Contain "Invalid file path provided: $invalidPath"
}

It 'Should pass when all required parameters are valid in non-interactive mode' {
# Arrange
$currentDate = Get-Date
$startDate = $currentDate.AddDays(-30)
$endDate = $currentDate
$validPath = "C:\ValidPath"

# Act
$result = Test-HawkInvestigationParameter `
-StartDate $startDate `
-EndDate $endDate `
-FilePath $validPath `
-NonInteractive

# Assert
$result.IsValid | Should -BeTrue
$result.ErrorMessages | Should -BeNullOrEmpty
}
}

Context 'When validating in interactive mode' {
It 'Should pass when valid dates are provided in interactive mode' {
# Arrange
$currentDate = Get-Date
$startDate = $currentDate.AddDays(-30)
$endDate = $currentDate
$validPath = "C:\ValidPath"

# Act
$result = Test-HawkInvestigationParameter `
-StartDate $startDate `
-EndDate $endDate `
-FilePath $validPath

# Assert
$result.IsValid | Should -BeTrue
$result.ErrorMessages | Should -BeNullOrEmpty
}

It 'Should pass with DaysToLookBack in interactive mode' {
# Arrange
$validPath = "C:\ValidPath"

# Act
$result = Test-HawkInvestigationParameter `
-DaysToLookBack 30 `
-FilePath $validPath

# Assert
$result.IsValid | Should -BeTrue
$result.ErrorMessages | Should -BeNullOrEmpty
}
}

Context 'When validating date parameters' {
It 'Should fail when StartDate is after EndDate' {
# Arrange
$startDate = Get-Date
$endDate = $startDate.AddDays(-30)
$validPath = "C:\ValidPath"

# Act
$result = Test-HawkInvestigationParameter `
-StartDate $startDate `
-EndDate $endDate `
-FilePath $validPath `
-NonInteractive

# Assert
$result.IsValid | Should -BeFalse
$result.ErrorMessages | Should -Contain "StartDate must be before EndDate"
}

It 'Should fail when date range exceeds 365 days' {
# Arrange
$startDate = Get-Date
$endDate = $startDate.AddDays(366)
$validPath = "C:\ValidPath"

# Act
$result = Test-HawkInvestigationParameter `
-StartDate $startDate `
-EndDate $endDate `
-FilePath $validPath `
-NonInteractive

# Assert
$result.IsValid | Should -BeFalse
$result.ErrorMessages | Should -Contain "Date range cannot exceed 365 days"
}

It 'Should fail when EndDate is more than one day in the future' {
# Arrange
$startDate = Get-Date
$endDate = $startDate.AddDays(2)
$validPath = "C:\ValidPath"

# Act
$result = Test-HawkInvestigationParameter `
-StartDate $startDate `
-EndDate $endDate `
-FilePath $validPath `
-NonInteractive

# Assert
$result.IsValid | Should -BeFalse
$result.ErrorMessages | Should -Contain "EndDate cannot be more than one day in the future"
}

It 'Should fail when DaysToLookBack is 0' {
# Arrange
$validPath = "C:\ValidPath"

# Act
$result = Test-HawkInvestigationParameter `
-DaysToLookBack 0 `
-FilePath $validPath `
-NonInteractive

# Assert
$result.IsValid | Should -BeFalse
$result.ErrorMessages | Should -Contain "Either StartDate or DaysToLookBack must be specified in non-interactive mode"
}

It 'Should fail when DaysToLookBack is 366' {
# Arrange
$validPath = "C:\ValidPath"

# Act
$result = Test-HawkInvestigationParameter `
-DaysToLookBack 366 `
-FilePath $validPath `
-NonInteractive

# Assert
$result.IsValid | Should -BeFalse
$result.ErrorMessages | Should -Contain "DaysToLookBack must be between 1 and 365"
}
}

Context 'When validating parameter combinations' {
It 'Should pass when DaysToLookBack is used with EndDate but no StartDate' {
# Arrange
$validPath = "C:\ValidPath"
$endDate = Get-Date

# Act
$result = Test-HawkInvestigationParameter `
-DaysToLookBack 30 `
-EndDate $endDate `
-FilePath $validPath `
-NonInteractive

# Assert
$result.IsValid | Should -BeTrue
$result.ErrorMessages | Should -BeNullOrEmpty
}

It 'Should fail when DaysToLookBack is used with StartDate' {
# Arrange
$validPath = "C:\ValidPath"
$startDate = Get-Date

# Act
$result = Test-HawkInvestigationParameter `
-DaysToLookBack 30 `
-StartDate $startDate `
-FilePath $validPath `
-NonInteractive

# Assert
$result.IsValid | Should -BeFalse
$result.ErrorMessages | Should -Contain "EndDate must be specified when using StartDate in non-interactive mode"
}
}
}
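Review bot: The range test 'Should fail when date range exceeds 365 days' builds its EndDate 366 days in the future, so the same input also violates the 'EndDate cannot be more than one day in the future' rule asserted two tests later; because `Should -Contain` tolerates extra messages the case never shows that the 365-day rule fires on its own. Anchoring the range on today isolates it: `$endDate = Get-Date` and `$startDate = $endDate.AddDays(-366)`. Separately, 'Should fail when DaysToLookBack is 0' pins the message 'Either StartDate or DaysToLookBack must be specified in non-interactive mode' rather than 'DaysToLookBack must be between 1 and 365', which suggests the validator treats 0 as "not supplied"; if that is not the intended contract the test locks in the wrong behaviour, so it is worth confirming against the implementation, which is not in this commit. The Test-Path mock answers true only for 'C:\ValidPath' and false otherwise, so, assuming the validator calls Test-Path from inside the Hawk module, none of these cases touch the real file system, which deserves a sentence in the BeforeAll comment.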
File renamed without changes.
11 changes: 9 additions & 2 deletions Hawk/tests/pester.ps1
Expand Up @@ -70,16 +70,23 @@ if ($TestGeneral)

$global:__pester_data.ScriptAnalyzer | Out-Host

#region Test Commands
#region Test Commands
if ($TestFunctions)
{
Write-PSFMessage -Level Important -Message "Proceeding with individual tests"
foreach ($file in (Get-ChildItem "$PSScriptRoot\functions" -Recurse -File | Where-Object Name -like "*Tests.ps1"))
# Get both regular and internal function tests
$testFiles = @(
Get-ChildItem "$PSScriptRoot\functions" -Recurse -File | Where-Object Name -like "*Tests.ps1"
Get-ChildItem "$PSScriptRoot\internal\functions" -Recurse -File | Where-Object Name -like "*Tests.ps1"
)
foreach ($file in $testFiles)
{
if ($file.Name -notlike $Include) { continue }
if ($file.Name -like $Exclude) { continue }

Write-PSFMessage -Level Significant -Message " Executing $($file.Name)"
# Changed to match the format of general tests output
Write-PSFMessage -Level Significant -Message " Executing <c='em'>$($file.Name)</c>"
$config.TestResult.OutputPath = Join-Path "$PSScriptRoot\..\..\TestResults" "TEST-$($file.BaseName).xml"
$config.Run.Path = $file.FullName
$config.Run.PassThru = $true
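Review bot: The new side ends up with two consecutive `#region Test Commands` lines (given the 9-addition / 2-deletion count, the context line and the added line directly below it both land in the result) with no second `#endregion`, so one of them looks like a paste artifact and should be dropped. The `$testFiles` array also calls `Get-ChildItem "$PSScriptRoot\internal\functions"` unconditionally, and when that directory is missing the call raises a non-terminating error on every run; guarding it keeps the runner quiet, e.g. `Get-ChildItem "$PSScriptRoot\internal\functions" -Recurse -File -ErrorAction SilentlyContinue | Where-Object Name -like "*Tests.ps1"`. The enclosing `if ($TestFunctions)` block ends outside the hunk.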
2 changes: 1 addition & 1 deletion README.md
@@ -1,6 +1,6 @@
# Hawk Documentation and "How to" videos

https://cloudforensicator.com/
https://hawkforensics.io/

# Hawk + Github

