DFIR Surface Syntax
The natural way to write a DFIR program is using the Surface Syntax documented here.
It is a chained Iterator-style syntax of operators built into DFIR that should be sufficient
for most uses. If you want lower-level access you can work with the Core API
documented in the Architecture section.
In this chapter we go over the syntax piece by piece: how to embed surface syntax in Rust and how to specify flows, which consist of data sources flowing through operators.
As a teaser, here is a Rust/DFIR "HELLO WORLD" program:
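use dfir_rs::dfir_syntax;

fn main() {
    // Build the flow with the surface-syntax macro.
    let mut df = dfir_syntax! {
        // A data source flowing through two chained operators.
        source_iter(["Hello", "World"])
            -> map(|s| s.to_uppercase())
            -> for_each(|s| println!("{}", s));
    };
    // Run the flow until no more work is immediately available.
    df.run_available();
}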