Search.setIndex({docnames:["index","section1","section2","section3"],envversion:{"sphinx.domains.c":1,"sphinx.domains.changeset":1,"sphinx.domains.cpp":1,"sphinx.domains.javascript":1,"sphinx.domains.math":2,"sphinx.domains.python":1,"sphinx.domains.rst":1,"sphinx.domains.std":1,sphinx:56},filenames:["index.rst","section1.rst","section2.rst","section3.rst"],objects:{"":{sections:[0,0,0,"-"]},"sections.section_01":{argparse_example:[1,0,0,"-"],csv_example:[1,0,0,"-"],logging_example:[1,0,0,"-"],open_files:[1,0,0,"-"],recursion_example:[1,0,0,"-"]},"sections.section_01.csv_example":{write_csv_dicts:[1,1,1,""],write_csv_lists:[1,1,1,""]},"sections.section_01.logging_example":{setup_logging:[1,1,1,""]},"sections.section_01.open_files":{open_file:[1,1,1,""]},"sections.section_01.recursion_example":{list_directory:[1,1,1,""]},"sections.section_02":{yarp_base:[2,0,0,"-"],yarp_ntuser:[2,0,0,"-"]},"sections.section_02.yarp_base":{RegistryBase:[2,2,1,""]},"sections.section_02.yarp_base.RegistryBase":{close:[2,3,1,""]},"sections.section_02.yarp_ntuser":{NTUSER:[2,2,1,""]},"sections.section_02.yarp_ntuser.NTUSER":{parse_mountpoints2:[2,3,1,""],parse_office_versions:[2,3,1,""],parse_trustrecords:[2,3,1,""]},"sections.section_03":{open_evtx:[3,0,0,"-"]},"sections.section_03.open_evtx":{open_evtx:[3,1,1,""]}},objnames:{"0":["py","module","Python module"],"1":["py","function","Python function"],"2":["py","class","Python class"],"3":["py","method","Python method"]},objtypes:{"0":"py:module","1":"py:function","2":"py:class","3":"py:method"},terms:{"2fpe":[],"boolean":1,"byte":1,"case":2,"class":[0,2],"default":1,"function":[0,1,2,3],"import":[],"new":[0,1],"return":[1,2],"short":0,"super":2,"while":1,Adding:0,For:[0,1,2],IIS:0,NOT:1,SMS:0,The:1,These:2,Use:1,Uses:0,Using:[0,2],Will:2,With:2,__author__:1,__date__:1,__file__:1,__init__:2,__name__:1,_open_h:2,_recover_h:2,abil:1,about:[1,2,3],abspath:1,accept:1,access:[0,2],across:0,action:1,activ:0,add:[0,1,3],add_argu:1,addhandl:1,adding:1,addit:[0,1,2],addition:[1,2],adjust:1,advanc:1,after:1,all:1,allow:[0,1,2],alreadi:0,also:2,andriod:0,ani:2,anyth:0,anywai:1,append:2,appl:1,arg:1,argpars:0,argument:[1,3],argumentdefaultshelpformatt:1,argumentpars:1,artifact:[0,2],asctim:1,associ:2,attempt:2,attribut:2,avail:[0,2],base:2,basic:3,befor:[],begin:2,below:1,best:1,better:0,binari:0,block:0,bom:1,both:[1,2],build:[0,1,2],built:1,button:[],call:1,caller:2,can:[0,1,2],cannot:1,chang:1,chapinb:0,chapter:0,check:1,chome:0,click:[],close:2,code:[0,2],collect:1,column:1,com:[0,2,3],command:[0,1],common:[0,1,2,3],commonli:0,compris:1,concurr:[],configur:[],confirm:[],consid:0,consist:1,consol:[0,1],contain:[0,1,2],content:[0,1],continu:[1,2],contribut:0,control:[],correct:0,could:[1,2],count:1,cover:0,creat:1,critic:1,csv:0,csv_exampl:1,csvfile:1,current:1,currentvers:2,cursori:2,custom:0,dat:[0,2],data:[1,2],dataset:1,date_v:2,datetim:2,debug:1,decod:0,def:[1,2,3],defin:1,definit:[],demonstr:[1,2,3],descript:1,detail:[2,3],determin:1,dev:[],devic:[],dictionari:[],dictwrit:1,differ:1,dir:1,directori:0,discoverlogfil:2,displai:[1,2,3],distinct:2,ditri:3,doc:[1,2],docstr:[],document:[1,2],doe:1,don:[1,2],drop:0,dt_date:2,durat:0,e01:0,each:[0,1,2],easi:1,easili:1,effect:1,effort:0,elect:2,element:1,elif:1,empti:1,encod:0,end:1,endswith:[],entir:0,entri:1,enumer:1,epilog:1,error:[0,1],essenti:[],etc:2,even:0,evtx:0,exampl:[0,2,3],exist:[0,3],expand:1,explor:[0,2],expos:[0,1],extend:0,extract:2,extrasact:1,featur:1,feel:[0,1],feff:1,fentri:1,few:2,fffe:1,field:[0,1],file:[0,2,3],file_encod:1,file_entri:1,file_handl:1,file_object:2,filehandl:1,filenam:1,filter:1,find:0,find_kei:2,first:1,fix:2,flexibl:[0,2],focu:1,folder:[0,1],fopen:1,form:1,format:[0,1,2],formatt:1,formatter_class:1,found:[1,2],found_log:[],fragment:[],free:[0,1],from:[0,1,2],full:[1,3],funcnam:1,further:[1,2],futur:[],gener:[0,1],geoip:0,get:[0,2,3],get_file_head:3,getattr:[2,3],getlogg:1,github:[0,2,3],global:1,googl:0,hand:1,handl:[0,1,2],handler:1,has:[0,1],hash:0,have:[0,2],header:[1,3],help:1,here:[1,2],histori:0,hive_path:2,hive_typ:2,host:0,how:[1,2,3],html:[1,2],http:[0,1,2,3],hybridanalysi:0,ident:1,identifi:1,ignor:1,implement:0,includ:[0,1,2],index:[0,1,2,3],individu:1,info:1,inform:[0,1,2],input:1,input_fil:[1,3],inspect:2,instal:3,instanc:1,instead:[1,2],instruct:1,integ:2,integr:0,intend:0,interact:1,interest:1,invent:0,investig:0,is_dirti:3,is_ful:3,isoformat:2,item:[1,3],iter:[0,1,2],iterate_fil:1,its:1,join:1,just:1,keep:1,kei:[0,1,2,3],key_path:2,knowledgec:0,known:2,last_written:2,last_written_timestamp:2,later:1,latter:1,launch:0,len:[],let:1,level:[0,1],levelnam:1,leverag:2,libewf:0,librari:[1,2,3],line:[0,1],lineno:1,list:0,list_directori:1,listdir:1,literalinclud:[],locat:[1,2],log1_path:2,log2_path:2,log:2,log_format:1,log_obj:2,log_path:2,logger:1,logging_exampl:1,logic:1,login:0,logout:0,look:0,low:1,macro:2,macro_en:2,macro_enabled_v:2,magic:1,mai:1,main:0,major:3,major_vers:3,make:3,mani:1,manipul:0,manner:0,mark:[1,2],mbr:0,mean:[],messag:[0,1],metadata:2,method:[0,1,2],microsecond:2,microsoft:2,minim:0,minor:3,minor_vers:3,modifi:1,modul:[0,1,2,3],more:[1,2],most:1,mountpoints2:2,mp_data:2,msuhanov:2,multipl:1,multiprocess:0,multithread:0,must:[1,2],name:[1,2],need:[0,1,2],nest:[0,1],newlin:1,next:3,next_record_numb:3,none:[1,2],ntuser:[0,2],num_fil:[],num_fold:[],num_py_fil:[],number:[1,2,3],obj:[],object:[1,2],off:[0,1],offic:2,office_vers:2,offlin:2,onc:1,one:[],onli:[1,2],onlin:0,open:[],open_evtx:3,open_fil:1,open_log:3,option:1,orang:1,order:0,ordereddict:3,org:[1,2],other:[1,2,3],otherwis:[1,2],our:[0,1,2],out:[0,3],outfil:1,outlin:0,output:1,output_fold:1,over:[],own:0,page:[0,1,2,3],parallel:0,parallel_process:[],paramet:[0,1,3],parent:1,pars:[0,1],parse_arg:1,parse_mountpoints2:2,parse_office_vers:2,parse_trustrecord:2,parser:1,path:[1,2,3],pathlib:1,pattern:0,pdb:[],perform:[0,2],permiss:2,permit:0,pip:3,pleas:0,point:0,portabl:[0,2],possibl:[],powershel:0,practic:0,prefer:1,present:2,primari:2,print:[1,3],prior:[0,2],priv:0,process:[0,1],produc:1,project:0,properli:2,properti:3,provid:[0,1,2],pull:0,purepath:1,pyobject:[],python:[1,2,3],pytsk:0,q12xi:2,quantiti:1,quick:[0,1],quickli:0,rare:1,raw:0,raw_lin:1,read:[0,1,3],reason:1,reassembl:0,rec:2,recognit:0,record:[2,3],recov:[0,2],recover_auto:2,recoveri:2,recurs:[0,2],recursion_exampl:1,redirect:1,refer:0,reg_fil:2,reg_path:2,regardless:1,registry_fil:2,registry_yarp:[],registrybas:2,registryh:2,registryhelp:2,replac:2,report:0,request:0,requir:1,reserv:1,respect:2,respons:2,retriev:2,rhyme:[],right:[],root:1,root_kei:[],row:1,rsplit:1,run:3,same:2,sampl:1,sample_funct:1,script:[],search:[0,1,2,3],section_01:[],secur:2,see:1,self:2,sens:2,separ:1,session:0,set:[1,2],set_trac:[],setformatt:1,setlevel:1,setup:1,setup_argpars:1,setup_log:1,sever:[0,3],share:1,should:1,show:[1,3],showcas:3,sig:0,signatur:1,similar:0,similarli:2,simpl:0,simplest:1,sinc:[1,2],singl:[0,1,2],snippet:[0,3],softwar:2,solid:0,sourc:1,specif:[0,1],specifi:[1,2],statu:0,stderr:1,stderr_handl:1,stdout:1,store:[1,2],store_tru:1,str:[1,2,3],stream:1,streamhandl:1,string:0,strip:1,strong:2,struct:2,structur:2,subdirectori:1,subkei:2,submit:0,subpag:[],support:1,sys:1,syslog:0,system:[2,3],tailor:2,take:[],target:0,task:0,tech:1,test:1,test_encod:1,text:1,thei:[1,2],them:[1,3],thi:[0,1,2,3],those:2,though:[1,2],three:1,through:[0,1,2],time:0,timedelta:2,timestamp:2,tip:[],tool:2,transact:[0,2],trust:2,trust_rec_kei:2,trust_record_path:2,trustrecord:2,tweak:0,two:1,tx_log:2,tx_log_fil:2,tx_path:2,type:[0,2],uniform:0,uninterrupt:1,unlik:1,unpack:2,usag:[1,2,3],usb:[],use:[0,1,3],usecas:1,used:[1,2],useful:[0,2],user:0,uses:1,using:2,utf:[0,1],util:1,valu:[0,1,3],vari:0,variabl:1,verbos:1,veri:[0,1,2],version:[2,3],view:[],virustot:0,wai:0,walk:1,want:[],warn:1,welcom:3,well:0,what:[1,2],wheel:0,whether:2,which:1,williballenthin:3,window:[0,2],wish:[0,2],within:[1,2],without:0,word:[1,2],work:0,worri:1,wors:0,write:[0,1],write_csv_dict:1,write_csv_list:1,writehead:1,writer:1,writerow:1,written:1,yarp:2,yarp_bas:2,yarp_ntus:2,yield:[1,2],you:[0,1],your:[0,1]},titles:["The Python Forensics Handbook","Section 1 - Essential Scripts","Section 2 - Registry Parsing","Section 3 - Windows Event Log Parsing"],titleterms:{"function":[],The:0,api:0,argpars:1,binari:2,browser:0,call:0,configur:1,creat:2,csv:1,data:0,develop:0,dfir:0,dictionari:1,directori:1,docstr:[1,2,3],element:0,encod:1,essenti:[0,1],event:[0,3],evtx:3,exampl:1,file:1,forens:0,guid:0,handbook:0,hive:[0,2],imag:0,indic:[0,1,2,3],json:0,list:1,log:[0,1,3],maco:0,mobil:0,open:[0,1,2,3],order:1,parallel:[],pars:[2,3],parser:2,process:[],proper:1,python:0,read:2,recurs:1,refer:[1,2,3],registri:[0,2],script:[0,1],section:[0,1,2,3],specif:2,sqlite:0,string:2,tabl:[0,1,2,3],text:0,valu:2,window:3,yarp:0}})