def main():
    """Print the XML of every reconstructed EVTX record in the project.

    Reads the project state file named on the command line and writes each
    reconstructed record's ``xml`` field to stdout, or a single ``#`` marker
    line when there are none.  The XML was carved from a disk image, so it
    is untrusted content echoed verbatim -- nothing here sanitizes it.
    """
    args = do_common_argparse_config("Show reconstructed EVTX records.")
    with State(args.project_json) as state:
        records = state.get_reconstructed_records()
        if not records:
            print("# No reconstructed records found.")
        for record in records:
            print(record["xml"])
def main():
    """Rebuild lost EVTX records from the recovered template database.

    Opens the project state and the template database named on the command
    line, hands both to ``reconstruct_lost_records`` and reports how many
    records were reconstructed and how many could not be.
    """
    description = "Reconstruct lost EVTX records using recovered templates."
    args = do_common_argparse_config(description)
    with State(args.project_json) as state, \
            TemplateDatabase(args.templates_json) as templates:
        rebuilt, failed = reconstruct_lost_records(
            state, templates, progress_class=args.progress_class)
        # Report inside the context so the summary precedes any save on exit.
        print("# Reconstructed %d records." % rebuilt)
        print("# Failed to reconstruct %d records." % failed)
def main():
    """Scan a disk image for valid EVTX chunks and record them in the project.

    ``find_evtx_chunks`` does the actual scanning against a memory-mapped
    view of the image; this wrapper only wires up the command-line
    arguments and prints the number of chunks it found.
    """
    args = do_common_argparse_config("Find valid EVTX chunks.")
    with State(args.project_json) as state, Mmap(args.image) as buf:
        found = find_evtx_chunks(
            state, buf, progress_class=args.progress_class)
        print("# Found %d valid chunks." % found)
def main():
    """Locate valid EVTX chunks in an image and store their offsets.

    Thin CLI wrapper: parses the common arguments, maps the image into
    memory, delegates to ``find_evtx_chunks`` and prints the chunk count.
    """
    args = do_common_argparse_config("Find valid EVTX chunks.")
    with State(args.project_json) as state:
        with Mmap(args.image) as buf:
            chunk_count = find_evtx_chunks(
                state, buf, progress_class=args.progress_class)
            print("# Found %d valid chunks." % chunk_count)
def main():
    """Extract the lost EVTX records whose offsets were previously carved.

    Maps the image into memory, runs ``extract_lost_evtx_records`` against
    the project state and prints how many records were extracted and how
    many candidate offsets could not be parsed.
    """
    args = do_common_argparse_config("Extract lost EVTX records")
    with State(args.project_json) as state, Mmap(args.image) as buf:
        extracted, failed = extract_lost_evtx_records(
            state, buf, args.progress_class)
        print("# Extracted %d records." % extracted)
        print("# Failed to extract %d potential records." % failed)
def main():
    """Reconstruct lost EVTX records using the recovered template database.

    Both the project state and the template database are opened as context
    managers so they are flushed/closed on exit; the summary counts are
    printed while they are still open.
    """
    args = do_common_argparse_config(
        "Reconstruct lost EVTX records using recovered templates.")
    with State(args.project_json) as state:
        with TemplateDatabase(args.templates_json) as templates:
            counts = reconstruct_lost_records(
                state, templates, progress_class=args.progress_class)
            rebuilt, failed = counts
            print("# Reconstructed %d records." % rebuilt)
            print("# Failed to reconstruct %d records." % failed)
def main():
    """Parse previously carved record offsets into lost EVTX records.

    CLI wrapper around ``extract_lost_evtx_records``; reports the number
    of records successfully extracted and the number of candidates that
    failed to parse.
    """
    args = do_common_argparse_config("Extract lost EVTX records")
    with State(args.project_json) as state:
        with Mmap(args.image) as buf:
            result = extract_lost_evtx_records(state, buf, args.progress_class)
            ok, failed = result
            print("# Extracted %d records." % ok)
            print("# Failed to extract %d potential records." % failed)
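def main():
    """Extract valid EVTX records and their templates from known-good chunks.

    Requires ``find_evtx_chunks`` to have run first: with no recorded chunk
    offsets there is nothing to parse, so the tool warns and exits without
    touching the template database.  On success it prints how many templates
    and valid records were newly added to the database and project state.
    """
    args = do_common_argparse_config(
        "Extract valid EVTX records and templates.")
    with State(args.project_json) as state:
        if not state.get_valid_chunk_offsets():
            # Logger.warn is a deprecated alias of warning() (it raises a
            # DeprecationWarning and is removed in Python 3.13).
            logger.warning(
                "No valid chunk offsets recorded. Perhaps you haven't yet run find_evtx_chunks?")
            return
        with TemplateDatabase(args.templates_json) as templates, \
                Mmap(args.image) as buf:
            templates_before = templates.get_number_of_templates()
            records_before = len(state.get_valid_records())
            extract_valid_evtx_records_and_templates(
                state, templates, buf, progress_class=args.progress_class)
            new_templates = (
                templates.get_number_of_templates() - templates_before)
            new_records = len(state.get_valid_records()) - records_before
            print("# Found %d new templates." % new_templates)
            print("# Found %d new valid records." % new_records)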
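def main():
    """Find offsets of candidate EVTX records lying outside valid chunks.

    Builds the list of byte ranges of the image that are *not* covered by an
    already-identified valid chunk (each chunk is assumed to occupy 0x10000
    bytes, the EVTX chunk size), carves those gaps with
    ``find_lost_evtx_records`` and records every hit as a potential record
    offset in the project state.  Prints the number of new offsets found.
    """
    args = do_common_argparse_config("Find offsets of EVTX records.")
    with State(args.project_json) as state:
        # The gap computation below only works when chunk offsets are visited
        # in ascending order with no repeats; an unsorted or duplicated list
        # would yield inverted (start > end) ranges.  The state API is not
        # shown to guarantee either, so normalise here.
        chunk_offsets = sorted(set(state.get_valid_chunk_offsets()))
        ranges = []
        range_start = 0
        for chunk_offset in chunk_offsets:
            ranges.append((range_start, chunk_offset))
            range_start = chunk_offset + 0x10000
        # Final gap: from the end of the last chunk to the end of the image.
        ranges.append((range_start, os.stat(args.image).st_size))
        with Mmap(args.image) as buf:
            before = len(state.get_potential_record_offsets())
            for offset in find_lost_evtx_records(
                    buf, ranges, progress_class=args.progress_class):
                state.add_potential_record_offset(offset)
            after = len(state.get_potential_record_offsets())
            print("# Found %d potential EVTX records." % (after - before))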
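def main():
    """Extract valid EVTX records and templates from the recorded chunks.

    Bails out with a warning if ``find_evtx_chunks`` has not yet populated
    the project's valid chunk offsets.  Otherwise opens the template
    database and the image, runs the extractor and reports the number of
    templates and valid records gained by this run.
    """
    args = do_common_argparse_config(
        "Extract valid EVTX records and templates.")
    with State(args.project_json) as state:
        if len(state.get_valid_chunk_offsets()) == 0:
            # Use warning(): Logger.warn is a deprecated alias that emits a
            # DeprecationWarning and no longer exists in Python 3.13+.
            logger.warning(
                "No valid chunk offsets recorded. Perhaps you haven't yet run find_evtx_chunks?"
            )
            return
        with TemplateDatabase(args.templates_json) as templates:
            with Mmap(args.image) as buf:
                num_templates_before = templates.get_number_of_templates()
                num_valid_records_before = len(state.get_valid_records())
                extract_valid_evtx_records_and_templates(
                    state, templates, buf, progress_class=args.progress_class)
                num_templates_after = templates.get_number_of_templates()
                num_valid_records_after = len(state.get_valid_records())
                print("# Found %d new templates." %
                      (num_templates_after - num_templates_before))
                print("# Found %d new valid records." %
                      (num_valid_records_after - num_valid_records_before))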
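def main():
    """Carve the image for EVTX record offsets outside the valid chunks.

    The search ranges are the gaps between known-valid chunks (each taken
    to span 0x10000 bytes) plus the tail from the last chunk to end of file.
    Every offset reported by ``find_lost_evtx_records`` is added to the
    project state; the count of newly recorded offsets is printed.
    """
    args = do_common_argparse_config("Find offsets of EVTX records.")
    with State(args.project_json) as state:
        # Gap construction assumes strictly ascending, unique chunk offsets;
        # nothing visible guarantees the state returns them that way, and an
        # out-of-order or repeated offset would produce an inverted range.
        ranges = []
        range_start = 0
        for chunk_offset in sorted(set(state.get_valid_chunk_offsets())):
            ranges.append((range_start, chunk_offset))
            range_start = chunk_offset + 0x10000
        ranges.append(
            (range_start, os.stat(args.image).st_size))  # from here to end of file
        with Mmap(args.image) as buf:
            num_potential_records_before = len(
                state.get_potential_record_offsets())
            for offset in find_lost_evtx_records(
                    buf, ranges, progress_class=args.progress_class):
                state.add_potential_record_offset(offset)
            num_potential_records_after = len(
                state.get_potential_record_offsets())
            print("# Found %d potential EVTX records." %
                  (num_potential_records_after - num_potential_records_before))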