DFIR Surface Syntax

The natural way to write a DFIR program is using the Surface Syntax documented here. It is a chained, Iterator-style syntax of operators built into DFIR that should be sufficient for most uses. If you want lower-level access, you can work with the Core API documented in the Architecture section.

In this chapter we go over the syntax piece by piece: how to embed surface syntax in Rust and how to specify flows, which consist of data sources flowing through operators.

As a teaser, here is a Rust/DFIR "HELLO WORLD" program:

use dfir_rs::dfir_syntax;

fn main() {
    // Build the dataflow graph: a source feeding a map, feeding a sink.
    let mut df = dfir_syntax! {
        source_iter(["Hello", "World"])
            -> map(|s| s.to_uppercase())
            -> for_each(|s| println!("{}", s));
    };

    // Run the graph until no more work is available.
    df.run_available();
}