===============================================================
usage.txt
===============================================================
Windows Forensic Toolchest(TM) (WFT) v3.0.08 (2014_03_16)
Copyright (C) 2003-2014 Monty McDougal. All rights reserved.
URL: http://www.foolmoon.net/security/
EMAIL: wft(at)foolmoon(dot)net
===============================================================
===============================================================
USAGE
===============================================================

usage: wft -usage

       Outputs these instructions to stdout

usage: wft -about

       Outputs information about WFT to stdout

usage: wft -license

       Outputs the WFT license to stdout

usage: wft -md5 filename

       Outputs MD5 checksum for file filename to stdout

usage: wft -sha1 filename

       Outputs SHA1 checksum for file filename to stdout

usage: wft -wfthash filename

       Outputs WFT checksum (MD5:SHA1) for file filename to stdout

usage: wft -checkcfg incfgfile [-toolpath path_to_tools]

       Checks a config file for errors in format or checksum

usage: wft -fixcfg incfgfile outcfgfile [-toolpath path_to_tools]

       Outputs a new config file with updated checksums
       Note:  Also updates v1.0 and v2.0 config files to the v3.0.08
              format (except <%drive%> macros)

usage: wft -genreport report_path [-reg regfile]

       Outputs WFT report for a previous WFT run
       Note:  The XML file wft_rpt.xml must exist in report_path

usage: wft -update

       Updates WFT and config file(s) via http

usage: wft -fetchtools [-toolpath path_to_tools]

       Downloads default WFT utilities via http/ftp

usage: wft [-browser [browser]] 
           [-case casename] 
           [-cfg cfgfile] 
           [-color] 
           [-def deffile] 
           [-drive drive_letters] 
           [-dst destination] 
           [-hash hash] 
           [-interactive] 
           [-name investigator] 
           [-nocolor] 
           [-nodefault] 
           [-nointeractive] 
           [-noprunetools] 
           [-noreport] 
           [-noslow] 
           [-nowrite] 
           [-os host_os] 
           [-prompt] 
           [-prunetools] 
           [-report] 
           [-shell cmdshell] 
           [-slow] 
           [-toolpath path_to_tools] 
           [-write] 

       Executes WFT with behavior as defined below:

       -browser [user browser]
       Causes WFT to open the output 'index.htm' in user browser
       Note:  Browser defaults to system browser if not specified
              Otherwise WFT executes [browser] with 'index.htm' argument
                i.e. '[browser] $dst$\index.htm'
              No [browser] validation is performed, so a full path
              is NOT required for execution
                i.e. argument 'netscape' would use the default path

       -case casename
       Specifies the case name to be included on the main page
       Note:  If casename has a space it will need to be in quotes for DOS
                i.e. -case "Fluffy Bunny Attacks Again"

       -color
       Causes WFT to use color in console output

       -cfg cfgfile
       Uses cfgfile to determine which tools to run by WFT
       Note:  Cfgfile defaults to '.\wft.cfg' if not specified

       -def deffile
       Uses deffile to determine interactive defaults for WFT
       Note:  Deffile defaults to '.\wft.def' if not specified

       -drive drive_letters
       Specifies the drives to be used by WFT
       Note:  Defaults to 'auto' which is all FIXED_DISKs

       -dst destination
       Defines the path that WFT reports will be written to
       Note:  Destination defaults to '.\' directory if not specified
              Destination directories will be created if they do not exist
              Destination should be a remote file system or removable disk
                i.e. '\\computer\share\directory\'
              Destination can include command-line macros
                i.e. $magic$ = expands to '$systemname$\$date$\$time$'
                     $systemname$ = SYSTEM NAME of the current computer
                     $date$ = current DATE in the format 'YYYY_MM_DD'
                     $time$ = current TIME in the format 'HH_MM_SS'

       -hash hash
       Specifies the hash to be used by WFT
       Note:  Hash defaults to 'md5' if not specified
              Supported hash values are 'md5', 'sha1', and 'none'

       -interactive
       Causes WFT to run interactively
       Note:  Any additional command-line arguments become defaults

       -name investigator
       Specifies the name of the investigator to be included in reports
       Note:  If name has a space it will need to be in quotes for DOS
                i.e. -name "Monty McDougal"

       -nocolor
       Causes WFT not to use color in console output

       -nodefault
       Causes WFT not to use the default file

       -nointeractive
       Causes WFT to not run interactively
       Note:  This overrides WFT defaults

       -noprunetools
       Causes WFT not to prune tools list to remove tools skipped based on OS
       Note:  This overrides WFT defaults

       -noreport
       Causes WFT not to create HTML (H) reports
       Note:  This overrides WFT defaults
              It also overrides the -browser option if it is also specified

       -noslow
       Causes WFT not to run slow (S) executables in cfgfile
       Note:  This overrides WFT defaults

       -nowrite
       Causes WFT not to run executables that write (W) to source machine
       Note:  This overrides WFT defaults

       -os host_os
       Specifies the OS string used by WFT for OS specific functions
       Note:  OS defaults to 'auto' for host_os auto detection
              OS 'host' will use untrusted host paths / binaries
                i.e. -toolpath for OS commands becomes 'C:\WINNT\system32\'

       -prompt
       Causes WFT to prompt about running prompt (P) executables
       Note:  Argument -prompt does not override -noslow or -nowrite options

       -prunetools
       Causes WFT to prune tools list to remove tools skipped based on OS

       -report
       Causes WFT to create HTML (H) reports

       -shell cmdshell
       Redefines shell references from '<%os%>\cmd.exe' to cmdshell
       Note:  Cmdshell defaults to 'cmd.exe' for the specified '-os'
              Cmdshell 'host' will use untrusted system shell
                i.e. 'host' becomes 'C:\WINNT\system32\cmd.exe'

       -slow
       Causes WFT to run slow (S) executables in cfgfile

       -toolpath path_to_tools
       Defines the path where WFT tools are stored
       Note:  Path_to_tools defaults to '.\' directory if not specified
              Path_to_tools can be a remote file system or removable disk
                i.e. '\\computer\share\directory\'

       -write
       Causes WFT to run executables that write (W) to source machine
===============================================================
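
Added example (not part of WFT or its documentation): an independent Python cross-check for the 'MD5:SHA1' checksum that 'wft -wfthash filename' is described as printing, useful for re-verifying a tool binary or collected file with a second implementation. The function names are hypothetical, and because this page does not show the hex case or spacing of WFT's output, the comparison is case-insensitive and ignores surrounding whitespace.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large files are never loaded whole
HEX = set("0123456789abcdef")


def wft_checksum(path):
    """Return 'MD5:SHA1' (lowercase hex, an assumption) reading the file once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return f"{md5.hexdigest()}:{sha1.hexdigest()}"


def verify(path, recorded):
    """Compare a recorded 'MD5:SHA1' string with a fresh computation.

    Returns (ok, detail) where detail is 'match', 'mismatch', 'partial'
    (exactly one of the two digests agrees) or 'malformed'.
    """
    parts = recorded.strip().lower().split(":")
    if (len(parts) != 2 or len(parts[0]) != 32 or len(parts[1]) != 40
            or not set(parts[0] + parts[1]) <= HEX):
        return False, "malformed"
    md5_now, sha1_now = wft_checksum(path).split(":")
    md5_ok, sha1_ok = parts[0] == md5_now, parts[1] == sha1_now
    if md5_ok and sha1_ok:
        return True, "match"
    # One digest agreeing while the other does not points at a damaged or
    # spliced record rather than a simple file change, so report it apart.
    return False, "partial" if md5_ok != sha1_ok else "mismatch"


def make_sample(data):
    """Write constructed sample bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sample = make_sample(b"abc")  # constructed input, not a real tool binary
    try:
        print(wft_checksum(sample))
        print(verify(sample, wft_checksum(sample).upper()))
    finally:
        os.remove(sample)
```
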
