python-forensics-handbook/searchindex.js

Search.setIndex({docnames:["ch01_essentials","ch02_registry","ch03_event_logs","ch06_databases","index"],envversion:{"sphinx.domains.c":2,"sphinx.domains.changeset":1,"sphinx.domains.citation":1,"sphinx.domains.cpp":3,"sphinx.domains.index":1,"sphinx.domains.javascript":2,"sphinx.domains.math":2,"sphinx.domains.python":2,"sphinx.domains.rst":2,"sphinx.domains.std":1,sphinx:56},filenames:["ch01_essentials.rst","ch02_registry.rst","ch03_event_logs.rst","ch06_databases.rst","index.rst"],objects:{"":{pyforhandbook:[4,0,0,"-"]},"pyforhandbook.ch01_essentials":{argparse_example:[0,0,0,"-"],csv_example:[0,0,0,"-"],logging_example:[0,0,0,"-"],open_files:[0,0,0,"-"],recursion_example:[0,0,0,"-"]},"pyforhandbook.ch01_essentials.csv_example":{write_csv_dicts:[0,1,1,""],write_csv_lists:[0,1,1,""]},"pyforhandbook.ch01_essentials.logging_example":{setup_logging:[0,1,1,""]},"pyforhandbook.ch01_essentials.open_files":{open_file:[0,1,1,""]},"pyforhandbook.ch01_essentials.recursion_example":{iterate_files:[0,1,1,""],list_directory:[0,1,1,""]},"pyforhandbook.ch02_registry":{yarp_base:[1,0,0,"-"],yarp_ntuser:[1,0,0,"-"]},"pyforhandbook.ch02_registry.yarp_base":{RegistryBase:[1,2,1,""]},"pyforhandbook.ch02_registry.yarp_base.RegistryBase":{close:[1,3,1,""]},"pyforhandbook.ch02_registry.yarp_ntuser":{NTUSER:[1,2,1,""]},"pyforhandbook.ch02_registry.yarp_ntuser.NTUSER":{parse_mount_points2:[1,3,1,""],parse_office_versions:[1,3,1,""],parse_trust_records:[1,3,1,""]},"pyforhandbook.ch03_event_logs":{using_python_evtx:[2,0,0,"-"]},"pyforhandbook.ch03_event_logs.using_python_evtx":{filter_events_json:[2,1,1,""],get_events:[2,1,1,""],open_evtx:[2,1,1,""]},"pyforhandbook.ch06_databases":{opening_sqlite:[3,0,0,"-"]},"pyforhandbook.ch06_databases.opening_sqlite":{list_tables:[3,1,1,""],open_sqlite:[3,1,1,""]}},objnames:{"0":["py","module","Python module"],"1":["py","function","Python function"],"2":["py","class","Python class"],"3":["py","method","Python method"]},objtypes:{"0":"py:module","1":"py:function","2":"py:class","3":"py:method"},terms:{"10549":2,"1601":1,"2147483647":1,"4624":[2,4],"4625":2,"4672":4,"boolean":0,"byte":0,"case":[0,1],"class":[1,4],"default":0,"function":[0,1,2,3,4],"new":[0,4],"return":[0,1,2,3],"short":4,"super":1,"true":[0,2],"while":0,Adding:4,For:[0,1,4],IIS:4,NOT:0,SMS:4,The:0,These:1,Use:0,Uses:4,Using:[1,4],Will:1,With:[1,4],__author__:0,__date__:0,__file__:0,__init__:1,__name__:0,_open_h:1,_recover_h:1,abil:[0,4],about:[0,1,2],absolut:0,abspath:0,accept:0,access:[1,2,4],acquisit:4,across:4,action:0,activ:4,add:[0,2,4],add_argu:0,addhandl:0,adding:0,addit:[0,1,3,4],addition:[0,1,2],adjust:0,advanc:0,after:0,all:[0,2,3],allow:[0,1,4],along:4,alreadi:4,also:1,analysi:[2,4],android:4,ani:1,anyth:4,anywai:0,append:1,appl:0,applic:4,arg:[0,3],argpars:[3,4],argument:[0,2],argumentdefaultshelpformatt:0,argumentpars:0,artifact:[1,4],asctim:0,assign:2,assist:4,associ:1,attempt:1,attrib:2,attribut:1,avail:[1,3,4],base64:2,base:[1,2],basic:2,begin:[1,2],below:0,best:0,better:4,binari:4,block:4,bom:0,bool:2,both:[0,1],browser:4,build:[0,1,4],built:[0,4],calcul:2,call:[0,2],caller:1,can:[0,1,2,3,4],cannot:0,chapinb:4,check:0,child:2,chrome:4,close:1,code:[1,4],collect:[0,2],column:0,com:[1,2,4],come:4,command:[0,4],common:[0,1,2,4],commonli:4,compris:0,conn:3,connect:3,consid:4,consist:[0,4],consol:[0,4],contain:[0,1,2,4],content:[0,4],continu:[0,1],contribut:4,correct:4,could:[0,1],count:0,cover:4,creat:0,critic:0,csv:4,csv_exampl:0,csv_file:0,cur:3,current:0,currentvers:1,cursor:3,cursori:1,custom:4,dat:[1,4],data:[0,1],databas:3,dataset:0,date_v:1,datetim:1,debug:0,decod:2,def:[0,1,2,3],defin:0,demonstr:[0,1,2,4],descript:0,detail:[1,2],determin:0,dict:2,dict_test:0,dictionari:2,dictwrit:0,differ:0,dir:0,directori:4,dirti:2,discoverlogfil:1,displai:[0,1,2],distinct:1,ditri:2,doc:[0,1,3],document:[0,1],doe:0,don:[0,1,2],drop:4,dt_date:1,dump:2,durat:2,e01:4,each:[0,1,2,4],easi:0,easili:[0,2],effect:0,effort:4,elect:1,element:[0,2],elif:0,els:[0,2],empti:0,enabl:[0,2],encod:4,end:0,endswith:0,entir:4,entri:0,enumer:[0,2],epilog:0,error:[0,4],etc:1,etre:2,even:[2,4],event_data:2,event_id:2,event_log:2,event_xml:2,eventdata:2,eventid:2,evt:2,evtx:4,examin:4,exampl:[1,2,3,4],execut:3,exist:[2,4],expand:0,explor:[1,3,4],expos:[0,2,4],extend:[2,4],extract:[1,2,4],extrasact:0,fals:[0,2],faster:4,featur:0,feel:[0,4],feff:0,fetchal:3,few:1,fffe:0,field:[0,2,4],file:[1,2,4],file_encod:0,file_entri:0,file_handl:0,file_nam:0,file_object:1,filehandl:0,filenam:0,filter:0,filter_events_json:2,filtered_login:2,find:[0,2,4],find_kei:1,first:0,fix:1,flexibl:[1,4],focu:0,folder:[0,4],form:0,format:[1,2,3,4],formatt:0,formatter_class:0,found:[0,1,2,3,4],free:[0,4],frequent:4,from:[0,1,2,3,4],full:[0,2],func:2,funcnam:0,further:[0,1,2,4],gener:[0,2,4],genertor:2,geoip:4,get:[1,2],get_ev:2,get_file_head:2,getattr:[1,2],getchildren:2,getlogg:0,github:[1,2,4],googl:4,hand:0,handl:[0,1,4],handler:0,has:0,hash:4,have:[1,2,4],header:[0,2],help:0,here:[0,1],highlight:4,histori:4,history_db:3,hive_path:1,hive_typ:1,host:4,how:[0,1,2,4],html:[0,1,3],http:[0,1,2,3,4],hybridanalysi:4,idea:4,ident:0,identifi:[0,2],ids:2,ignor:0,impact:2,implement:4,includ:[0,1,2,4],indent:2,index:[0,1,2,3,4],individu:[0,2],info:0,inform:[0,1,2,3,4],input:0,input_db:3,input_fil:[0,2],inspect:1,instal:2,instanc:0,instead:[0,1],instruct:0,integ:[1,2],integr:4,intend:4,interact:[0,2,4],interest:0,invent:4,investig:4,ipaddress:2,ipport:2,is_dirti:2,is_ful:2,isoformat:1,item:[0,2],iter:[0,1,4],iterate_fil:0,its:[0,4],join:0,json:2,json_data:2,just:0,keep:0,kei:[0,1,2,4],key_path:1,knowledgec:4,known:1,last_written:1,last_written_timestamp:1,latter:0,launch:4,lead:4,let:0,level:[0,2],levelnam:0,leverag:[1,2],libewf:4,librari:[0,1,2,3],like:2,line:[0,4],lineno:0,list:[2,4],list_directori:0,list_of_dict:0,list_of_list:0,list_tabl:3,list_test:0,listdir:0,locat:[0,1],log1_path:1,log2_path:1,log:1,log_fil:0,log_format:0,log_obj:1,log_path:[0,1],logging_exampl:0,logging_obj:0,logic:0,login:[2,4],logoff:2,look:4,low:[0,2],lxml:2,maco:4,macro:1,macro_en:1,macro_enabled_v:1,magic:0,mai:0,main:4,major:2,major_vers:2,make:2,mani:[0,4],manipul:4,manner:4,mark:[0,1],mbr:4,media:4,messag:[0,4],metadata:[1,2],method:[0,1,2,4],microsecond:1,microsoft:1,minim:4,minor:2,minor_vers:2,mobil:4,modifi:0,modul:[0,1,2,3,4],month:4,more:[0,1,4],most:0,mount:0,mountpoints2:1,msuhanov:1,multipl:0,multiprocess:4,multithread:4,must:[0,1],name:[0,1,2,3],navig:4,need:[0,1,4],nest:[0,4],newli:2,newlin:0,next:2,next_record_numb:2,none:[0,1,2],now:2,nsmap:2,ntuser:[1,4],number:[0,1,2],number_of_py_fil:0,object:[1,2],off:[0,4],offic:1,office_vers:1,offlin:1,onc:0,onli:[0,1,2],onlin:4,open_evtx:2,open_fil:0,open_input_fil:0,open_log:2,open_sqlit:3,opening_sqlit:3,oper:[2,4],option:0,orang:0,order:4,ordereddict:2,org:[0,1,3],other:[0,1,2,4],otherwis:[0,1,2,4],our:[0,1,4],out:[2,4],outfil:0,outlin:4,output:[0,2],output_fold:0,over:[0,4],own:4,page:[0,1,2,3,4],parallel:4,paramet:[0,2,3,4],parent:0,pars:[0,4],parse_arg:0,parse_mount_points2:1,parse_office_vers:1,parse_trust_record:1,parse_xml:2,parser:0,pass:4,path:[0,1,2,3],pathlib:0,pattern:4,per:2,perform:[1,2,4],permiss:1,permit:4,pip:2,pleas:4,point:4,portabl:[1,4],powershel:2,practic:4,prefer:[0,2],present:1,preserv:4,primari:1,print:[0,2,3],prior:[1,4],process:[0,2,4],processnam:2,produc:0,project:4,properli:1,properti:2,provid:[0,1,2,3,4],pull:4,purepath:0,purpos:4,python:[0,1,3],pytsk:4,q12xi:1,quantiti:0,quick:[0,4],quickli:4,rare:0,raw:[2,4],raw_lin:0,read:[0,2,4],reason:0,rec:1,recognit:4,record:[1,4],recov:[1,4],recover_auto:1,recoveri:1,recurs:[1,4],recursion_exampl:0,redirect:0,refer:3,reg_fil:1,reg_path:1,regard:3,regardless:0,registry_fil:1,registrybas:1,registryh:1,registryhelp:1,rel:0,releas:4,replac:1,report:4,request:4,requir:[0,2],reserv:0,resourc:2,respect:1,respons:1,result:2,retriev:1,root:0,row:0,rsplit:0,run:2,same:1,sampl:0,sample_logg:0,search:[0,1,2,3,4],secur:1,see:0,seen:[3,4],select:3,self:1,sens:1,separ:0,session:2,set:[0,1],setformatt:0,setlevel:0,setup:0,setup_argpars:0,setup_log:0,sever:[2,4],share:0,shellcod:2,should:[0,2],show:[0,2,3],showcas:[2,4],signatur:[0,4],similar:4,similarli:1,simpl:4,simplest:0,simplifi:4,sinc:[0,1],singl:[0,1,4],snippet:[2,4],softwar:1,solid:4,some:2,sourc:0,specif:[0,4],specifi:[0,1,2],sqlite3:3,sqlite:4,sqlite_mast:3,stai:4,statu:4,stderr:0,stderr_handl:0,stdout:0,store:[0,1],store_tru:0,str:[0,1,2],straight:4,stream:0,streamhandl:0,string:[2,4],strip:0,strong:1,struct:1,structur:1,sub:1,subdirectori:0,subjectdomainnam:2,subjectusernam:2,subjectusersid:2,subkei:1,submit:4,support:[0,2],sys:0,syslog:4,system:[0,1,2,4],system_tag:2,tailor:1,target:4,targetdomainnam:2,targetusernam:2,targetusersid:2,task:4,tech:0,test:0,test_encod:0,text:[0,2],thei:[0,1],them:[0,2,4],thi:[0,1,2,3,4],those:[1,2],though:[0,1,2],three:0,through:[0,1,4],time:4,timedelta:1,timestamp:1,tool:[1,4],top:2,transact:[1,4],trust:1,trust_rec_kei:1,trust_record_path:1,trustrecord:1,tune:4,tweak:4,two:0,tx_log:1,tx_log_fil:1,tx_path:1,type:[1,3],uniform:4,uninterrupt:0,unlik:0,unpack:1,usag:[0,1,2,3,4],use:[0,2,4],used:[0,1],useful:[1,4],using:1,using_python_evtx:2,utf:[0,4],util:[0,4],valu:[0,2,4],vari:4,variabl:0,verbos:0,veri:[0,1,4],version:[1,2],virustot:4,wai:4,walk:0,warn:0,week:4,welcom:2,well:4,what:[0,1],wheel:4,where:2,whether:[0,1],which:[0,2],williballenthin:2,window:[1,4],wish:[1,4],within:[0,1,4],without:4,word:[0,1],work:4,workstationnam:2,worri:0,wors:4,would:2,write:[0,4],write_csv_dict:0,write_csv_list:0,writehead:0,writer:0,writerow:0,written:0,yarp:[1,4],yarp_bas:1,yarp_ntus:1,yield:[0,1,2],you:[0,2,4],your:[0,4]},titles:["Chapter 1 - Essential Scripts","Chapter 2 - Registry Parsing","Chapter 3 - Windows Event Log Parsing","Chapter 6 - Sqlite & MacOS/Mobile/Browsers","The Python Forensics Handbook"],titleterms:{The:4,Using:2,api:4,argpars:0,binari:1,browser:3,call:4,chapter:[0,1,2,3,4],configur:[0,3],creat:1,csv:0,data:[2,4],databas:4,develop:4,dfir:4,dictionari:0,directori:0,docstr:[0,1,2],element:4,encod:0,essenti:[0,4],event:[2,4],evtx:2,exampl:0,file:0,filter:2,forens:4,guid:4,handbook:4,hive:[1,4],imag:4,indic:[0,1,2,3,4],iter:2,json:4,list:[0,3],log:[0,2,4],maco:3,mobil:3,open:[0,1,2,3,4],order:0,over:2,pars:[1,2],parser:1,proper:0,python:[2,4],read:1,record:2,recurs:0,refer:[0,1,2,4],registri:[1,4],script:[0,4],section:[0,1,2,3,4],specif:1,sqlite:3,string:1,tabl:[0,1,2,3,4],text:4,valu:1,window:2,within:2,xml:2}})