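def main():
    """Print the XML of every reconstructed EVTX record held in the project state.

    The project JSON path comes from the shared argparse setup
    (do_common_argparse_config).  Each reconstructed record's ``xml`` field is
    written to stdout, one after another; when the state holds no
    reconstructed records a single ``#`` comment line is printed instead.
    """
    args = do_common_argparse_config("Show reconstructed EVTX records.")
    with State(args.project_json) as state:
        # Query the state once; the original fetched the same list twice.
        records = state.get_reconstructed_records()
        if not records:
            print("# No reconstructed records found.")
        for event in records:
            # NOTE(review): this XML was rebuilt from carved disk data, so its
            # content is attacker-controllable and is emitted verbatim (no
            # escaping).  Treat the output as untrusted when piping it into
            # other tools or viewing it on a terminal.
            print(event["xml"])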
def main():
    """Rebuild lost EVTX records from the recovered template database.

    Opens the project state and the template database named on the command
    line, runs reconstruct_lost_records over them, and prints how many
    records were reconstructed and how many could not be.
    """
    args = do_common_argparse_config("Reconstruct lost EVTX records using recovered templates.")
    with State(args.project_json) as state, TemplateDatabase(args.templates_json) as templates:
        counts = reconstruct_lost_records(state, templates, progress_class=args.progress_class)
    reconstructed, unreconstructed = counts
    print("# Reconstructed %d records." % reconstructed)
    print("# Failed to reconstruct %d records." % unreconstructed)
def main():
    """Scan the image for valid EVTX chunks and print how many were found.

    The memory-mapped image and the project state are both handed to
    find_evtx_chunks (presumably so it can record the chunk offsets in the
    state); its return value is reported as the chunk count.
    """
    args = do_common_argparse_config("Find valid EVTX chunks.")

    with State(args.project_json) as state, Mmap(args.image) as buf:
        found = find_evtx_chunks(state, buf, progress_class=args.progress_class)
    print("# Found %d valid chunks." % (found,))
def main():
    """Locate valid EVTX chunks in the image named on the command line.

    Runs find_evtx_chunks over the mapped image with the open project state
    and reports the number it returns.
    """
    args = do_common_argparse_config("Find valid EVTX chunks.")

    with State(args.project_json) as state:
        with Mmap(args.image) as buf:
            chunk_count = find_evtx_chunks(state, buf,
                                           progress_class=args.progress_class)
    summary = "# Found %d valid chunks." % chunk_count
    print(summary)
def main():
    """Carve lost EVTX records out of the image and report the outcome.

    extract_lost_evtx_records is given the open project state, the mapped
    image and the progress class; it returns a pair (extracted, failures)
    which is printed as two ``#`` summary lines.
    """
    args = do_common_argparse_config("Extract lost EVTX records")

    with State(args.project_json) as state, Mmap(args.image) as buf:
        result = extract_lost_evtx_records(state, buf, args.progress_class)

    extracted, failures = result
    print("# Extracted %d records." % extracted)
    print("# Failed to extract %d potential records." % failures)
def main():
    """Reconstruct lost EVTX records using the recovered templates.

    Opens the project state and template database, calls
    reconstruct_lost_records, and prints the reconstructed / failed counts
    it returns.
    """
    description = "Reconstruct lost EVTX records using recovered templates."
    args = do_common_argparse_config(description)
    with State(args.project_json) as state:
        with TemplateDatabase(args.templates_json) as templates:
            ok, failed = reconstruct_lost_records(
                state, templates, progress_class=args.progress_class)
    for line in ("# Reconstructed %d records." % ok,
                 "# Failed to reconstruct %d records." % failed):
        print(line)
def main():
    """Extract lost EVTX records from the image and print a summary.

    Delegates to extract_lost_evtx_records with the open state, the mapped
    image and the progress class; the returned (extracted, failures) pair
    is echoed as two comment lines.
    """
    args = do_common_argparse_config("Extract lost EVTX records")

    with State(args.project_json) as state:
        with Mmap(args.image) as buf:
            counts = extract_lost_evtx_records(state, buf, args.progress_class)

    print("# Extracted %d records." % counts[0])
    print("# Failed to extract %d potential records." % counts[1])
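def main():
    """Parse the recorded valid EVTX chunks and harvest records and templates.

    Bails out with a warning when the project state holds no valid chunk
    offsets (find_evtx_chunks has to run first).  Otherwise it opens the
    template database and the image, calls
    extract_valid_evtx_records_and_templates, and prints how many templates
    and valid records were added during this run (after minus before).
    """
    args = do_common_argparse_config("Extract valid EVTX records and templates.")

    with State(args.project_json) as state:
        if not state.get_valid_chunk_offsets():
            # Logger.warn is a deprecated alias of warning() and was removed
            # in Python 3.13; use the supported name.
            logger.warning("No valid chunk offsets recorded. Perhaps you haven't yet run find_evtx_chunks?")
            return
        with TemplateDatabase(args.templates_json) as templates:
            with Mmap(args.image) as buf:
                templates_before = templates.get_number_of_templates()
                records_before = len(state.get_valid_records())
                extract_valid_evtx_records_and_templates(state, templates, buf, progress_class=args.progress_class)
                templates_after = templates.get_number_of_templates()
                records_after = len(state.get_valid_records())
                print("# Found %d new templates." % (templates_after - templates_before))
                print("# Found %d new valid records." % (records_after - records_before))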
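def main():
    """Search the parts of the image not covered by valid chunks for EVTX records.

    Builds a list of (start, end) byte ranges: the region before each valid
    chunk offset recorded in the state, skipping 0x10000 bytes past each
    chunk, plus a final range from the last chunk to the end of the image
    file.  Every offset yielded by find_lost_evtx_records over those ranges
    is added to the state's potential-record list, and the number of newly
    added offsets is printed.
    """
    # The code skips 0x10000 (64 KiB) bytes past each valid chunk offset,
    # i.e. the EVTX chunk size; name it instead of repeating the literal.
    chunk_size = 0x10000
    args = do_common_argparse_config("Find offsets of EVTX records.")

    with State(args.project_json) as state:
        # The gap computation below only works for ascending offsets; sort
        # defensively so an unordered state file cannot yield inverted ranges.
        chunk_offsets = sorted(state.get_valid_chunk_offsets())
        ranges = []
        range_start = 0
        for chunk_offset in chunk_offsets:
            ranges.append((range_start, chunk_offset))
            range_start = chunk_offset + chunk_size
        # NOTE(review): st_size is 0 for a raw block device, which would make
        # this tail range empty -- confirm the image is always a regular file.
        ranges.append((range_start, os.stat(args.image).st_size))  # from here to end of file

        with Mmap(args.image) as buf:
            before = len(state.get_potential_record_offsets())
            for offset in find_lost_evtx_records(buf, ranges, progress_class=args.progress_class):
                state.add_potential_record_offset(offset)
            after = len(state.get_potential_record_offsets())
            print("# Found %d potential EVTX records." % (after - before))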
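def main():
    """Extract valid EVTX records and templates from the recorded chunks.

    Requires find_evtx_chunks to have populated the state's valid chunk
    offsets; otherwise a warning is logged and nothing is done.  Opens the
    template database and the mapped image, runs
    extract_valid_evtx_records_and_templates, and prints the growth in the
    template count and the valid-record count caused by this run.
    """
    args = do_common_argparse_config(
        "Extract valid EVTX records and templates.")

    with State(args.project_json) as state:
        if not state.get_valid_chunk_offsets():
            # logger.warn is deprecated (and gone in Python 3.13); warning()
            # is the supported spelling.
            logger.warning(
                "No valid chunk offsets recorded. Perhaps you haven't yet run find_evtx_chunks?"
            )
            return
        with TemplateDatabase(args.templates_json) as templates:
            with Mmap(args.image) as buf:
                templates_before = templates.get_number_of_templates()
                records_before = len(state.get_valid_records())
                extract_valid_evtx_records_and_templates(
                    state, templates, buf, progress_class=args.progress_class)
                new_templates = templates.get_number_of_templates() - templates_before
                new_records = len(state.get_valid_records()) - records_before
                print("# Found %d new templates." % new_templates)
                print("# Found %d new valid records." % new_records)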
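def main():
    """Find offsets of lost EVTX records in the regions between valid chunks.

    For each valid chunk offset recorded in the state a (start, end) range is
    produced covering the bytes from the previous chunk's end (offset plus
    0x10000) up to this chunk; a last range runs to the end of the image
    file.  find_lost_evtx_records scans those ranges and every offset it
    yields is stored as a potential record; the count of new offsets is
    printed.
    """
    args = do_common_argparse_config("Find offsets of EVTX records.")

    # 0x10000 is the amount skipped past each valid chunk offset (the EVTX
    # chunk size, judging by the skip); named so it is not repeated blindly.
    chunk_size = 0x10000

    with State(args.project_json) as state:
        # Offsets must be ascending for the ranges to be well-formed; an
        # unsorted state file would otherwise produce ranges with end < start.
        ranges = []
        prev_end = 0
        for chunk_offset in sorted(state.get_valid_chunk_offsets()):
            ranges.append((prev_end, chunk_offset))
            prev_end = chunk_offset + chunk_size
        # NOTE(review): os.stat().st_size is 0 for block devices, so the tail
        # range would be empty for a raw device -- confirm only regular files
        # are passed as the image.
        image_size = os.stat(args.image).st_size
        ranges.append((prev_end, image_size))  # from here to end of file

        with Mmap(args.image) as buf:
            before = len(state.get_potential_record_offsets())
            found = find_lost_evtx_records(
                buf, ranges, progress_class=args.progress_class)
            for offset in found:
                state.add_potential_record_offset(offset)
            after = len(state.get_potential_record_offsets())
            print("# Found %d potential EVTX records." % (after - before))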