python-forensics-handbook/searchindex.js

Search.setIndex({docnames:["index","section1","section2","section3","section6"],envversion:{"sphinx.domains.c":2,"sphinx.domains.changeset":1,"sphinx.domains.citation":1,"sphinx.domains.cpp":3,"sphinx.domains.index":1,"sphinx.domains.javascript":2,"sphinx.domains.math":2,"sphinx.domains.python":2,"sphinx.domains.rst":2,"sphinx.domains.std":1,sphinx:56},filenames:["index.rst","section1.rst","section2.rst","section3.rst","section6.rst"],objects:{"":{pyforhandbook:[0,0,0,"-"]},"pyforhandbook.section_01":{argparse_example:[1,0,0,"-"],csv_example:[1,0,0,"-"],logging_example:[1,0,0,"-"],open_files:[1,0,0,"-"],recursion_example:[1,0,0,"-"]},"pyforhandbook.section_01.csv_example":{write_csv_dicts:[1,1,1,""],write_csv_lists:[1,1,1,""]},"pyforhandbook.section_01.logging_example":{setup_logging:[1,1,1,""]},"pyforhandbook.section_01.open_files":{open_file:[1,1,1,""]},"pyforhandbook.section_01.recursion_example":{list_directory:[1,1,1,""]},"pyforhandbook.section_02":{yarp_base:[2,0,0,"-"],yarp_ntuser:[2,0,0,"-"]},"pyforhandbook.section_02.yarp_base":{RegistryBase:[2,2,1,""]},"pyforhandbook.section_02.yarp_base.RegistryBase":{close:[2,3,1,""]},"pyforhandbook.section_02.yarp_ntuser":{NTUSER:[2,2,1,""]},"pyforhandbook.section_02.yarp_ntuser.NTUSER":{parse_mountpoints2:[2,3,1,""],parse_office_versions:[2,3,1,""],parse_trustrecords:[2,3,1,""]},"pyforhandbook.section_03":{using_python_evtx:[3,0,0,"-"]},"pyforhandbook.section_03.using_python_evtx":{filter_events_json:[3,1,1,""],get_events:[3,1,1,""],open_evtx:[3,1,1,""]},"pyforhandbook.section_06":{opening_sqlite:[4,0,0,"-"]}},objnames:{"0":["py","module","Python module"],"1":["py","function","Python function"],"2":["py","class","Python class"],"3":["py","method","Python method"]},objtypes:{"0":"py:module","1":"py:function","2":"py:class","3":"py:method"},terms:{"10549":3,"1601":2,"2147483647":2,"4624":[0,3],"4625":3,"4672":0,"boolean":1,"byte":1,"case":2,"class":[0,2],"default":1,"function":[0,1,2,3,4],"new":[0,1],"return":[1,2,3,4],"short":0,"super":2,"true":3,"while":1,Adding:0,For:[0,1,2],IIS:0,NOT:1,SMS:0,The:1,These:2,Use:1,Uses:0,Using:[0,2],Will:2,With:2,__author__:1,__date__:1,__file__:1,__init__:2,__name__:1,_open_h:2,_recover_h:2,abil:1,about:[1,2,3],abspath:1,accept:1,access:[0,2,3],across:0,action:1,activ:0,add:[0,1,3],add_argu:1,addhandl:1,adding:1,addit:[0,1,2,4],addition:[1,2,3],adjust:1,advanc:1,after:1,all:[1,3],allow:[0,1,2],alreadi:0,also:2,analysi:3,andriod:0,ani:2,anyth:0,anywai:1,append:[2,4],appl:1,arg:1,argpars:[0,4],argument:[1,3],argumentdefaultshelpformatt:1,argumentpars:1,artifact:[0,2],asctim:1,assign:3,assist:0,associ:2,attempt:2,attrib:3,attribut:2,avail:[0,2,4],base64:3,base:[2,3],basic:3,begin:[2,3],below:1,best:1,better:0,binari:0,block:0,bom:1,bool:3,both:[1,2],build:[0,1,2],built:1,calcul:3,call:[1,3],caller:2,can:[0,1,2,3,4],cannot:1,chang:1,chapinb:0,chapter:0,check:1,child:3,chome:0,close:2,code:[0,2],collect:[1,3],column:1,com:[0,2,3],come:0,command:[0,1],common:[0,1,2,3],commonli:0,compris:1,conn:4,connect:4,consid:0,consist:1,consol:[0,1],contain:[0,1,2,3],content:[0,1],continu:[1,2],contribut:0,correct:0,could:[1,2],count:1,cover:0,creat:1,critic:1,csv:0,csv_exampl:1,csvfile:1,cur:4,current:1,currentvers:2,cursor:4,cursori:2,custom:0,dat:[0,2],data:[1,2],databas:4,dataset:1,date_v:2,datetim:2,debug:1,decod:3,def:[1,2,3,4],defin:1,demonstr:[1,2,3],descript:1,detail:[2,3],determin:1,dict:3,dictionari:3,dictwrit:1,differ:1,dir:1,directori:0,discoverlogfil:2,displai:[1,2,3],distinct:2,ditri:3,doc:[1,2,4],document:[1,2],doe:1,don:[1,2,3],drop:0,dt_date:2,dump:3,durat:3,e01:0,each:[0,1,2,3],easi:1,easili:[1,3],effect:1,effort:0,elect:2,element:[1,3],elif:1,els:3,empti:1,enabl:3,encod:0,end:1,entir:0,entri:1,enumer:[1,3],epilog:1,error:[0,1],etc:2,etre:3,even:[0,3],event_data:3,event_id:3,event_log:3,event_xml:3,eventdata:3,eventid:3,evt:3,evtx:0,exampl:[0,2,3,4],execut:4,exist:[0,3],expand:1,explor:[0,2,4],expos:[0,1,3],extend:[0,3],extract:[2,3],extrasact:1,fals:3,featur:1,feel:[0,1],feff:1,fentri:1,fetchal:4,few:2,fffe:1,field:[0,1,3],file:[0,2,3],file_encod:1,file_entri:1,file_handl:1,file_object:2,filehandl:1,filenam:1,filter:1,filter_events_json:3,filtered_login:3,find:[0,3],find_kei:2,first:1,fix:2,flexibl:[0,2],focu:1,folder:[0,1],fopen:1,form:1,format:[0,1,2,3,4],formatt:1,formatter_class:1,found:[1,2,3],free:[0,1],from:[0,1,2,3,4],full:[1,3],func:3,funcnam:1,further:[1,2,3],gener:[0,1,3],genertor:3,geoip:0,get:[2,3],get_ev:3,get_file_head:3,getattr:[2,3],getchildren:3,getlogg:1,github:[0,2,3],global:1,googl:0,hand:1,handl:[0,1,2],handler:1,has:[0,1],hash:0,have:[0,2,3],header:[1,3],help:1,here:[1,2],histori:0,history_db:4,hive_path:2,hive_typ:2,host:0,how:[1,2,3],html:[1,2,4],http:[0,1,2,3,4],hybridanalysi:0,idea:0,ident:1,identifi:[1,3],ids:3,ignor:1,impact:3,implement:0,includ:[0,1,2,3],indent:3,index:[0,1,2,3,4],individu:[1,3],info:1,inform:[1,2,3,4],input:1,input_fil:[1,3],inputdb:4,inspect:2,instal:3,instanc:1,instead:[1,2],instruct:1,integ:[2,3],integr:0,intend:0,interact:[1,3],interest:1,invent:0,investig:0,ipaddress:3,ipport:3,is_dirti:3,is_ful:3,isoformat:2,item:[1,3],iter:[0,1,2],iterate_fil:1,its:1,join:1,json:3,json_data:3,just:1,keep:1,kei:[0,1,2,3],key_path:2,knowledgec:0,known:2,last_written:2,last_written_timestamp:2,later:1,latter:1,launch:0,let:1,level:[0,1,3],levelnam:1,leverag:[2,3],libewf:0,librari:[1,2,3,4],like:3,line:[0,1],lineno:1,list:[0,3],list_directori:1,list_tabl:4,listdir:1,locat:[1,2],log1_path:2,log2_path:2,log:2,log_format:1,log_obj:2,log_path:2,logger:1,logging_exampl:1,logic:1,login:[0,3],logoff:3,look:0,low:[1,3],lxml:3,macro:2,macro_en:2,macro_enabled_v:2,magic:1,mai:1,main:0,major:3,major_vers:3,make:3,mani:1,manipul:0,manner:0,mark:[1,2],mbr:0,messag:[0,1],metadata:[2,3],method:[0,1,2,3],microsecond:2,microsoft:2,minim:0,minor:3,minor_vers:3,modifi:1,modul:[0,1,2,3,4],month:0,more:[0,1,2],most:1,mountpoints2:2,mp_data:2,msuhanov:2,multipl:1,multiprocess:0,multithread:0,must:[1,2],name:[1,2,3,4],need:[0,1,2],nest:[0,1],newli:3,newlin:1,next:3,next_record_numb:3,none:[1,2,3],now:3,nsmap:3,ntuser:[0,2],number:[1,2,3],object:[1,2,3],off:[0,1],offic:2,office_vers:2,offlin:2,onc:1,onli:[1,2,3],onlin:0,open_evtx:3,open_fil:1,open_log:3,open_sqlit:4,opening_sqlit:4,oper:3,option:1,orang:1,order:0,ordereddict:3,org:[1,2,4],other:[1,2,3],otherwis:[0,1,2,3],our:[0,1,2],out:[0,3],outfil:1,outlin:0,output:[1,3],output_fold:1,over:0,own:0,page:[0,1,2,3,4],parallel:0,paramet:[0,1,3],parent:1,pars:[0,1],parse_arg:1,parse_mountpoints2:2,parse_office_vers:2,parse_trustrecord:2,parse_xml:3,parser:1,path:[1,2,3],pathlib:1,pattern:0,per:3,perform:[0,2,3],permiss:2,permit:0,pip:3,pleas:0,point:0,portabl:[0,2],powershel:3,practic:0,prefer:[1,3],present:2,primari:2,print:[1,3,4],prior:[0,2],priv:0,process:[0,1,3],processnam:3,produc:1,project:0,properli:2,properti:3,provid:[0,1,2,3,4],pull:0,purepath:1,python:[1,2,4],pytsk:0,q12xi:2,quantiti:1,quick:[0,1],quickli:0,rare:1,raw:[0,3],raw_lin:1,read:[0,1,3],reason:1,rec:2,recognit:0,record:2,recov:[0,2],recover_auto:2,recoveri:2,recurs:[0,2],recursion_exampl:1,redirect:1,refer:[0,4],reg_fil:2,reg_path:2,regard:4,regardless:1,registry_fil:2,registrybas:2,registryh:2,registryhelp:2,releas:0,replac:2,report:0,request:0,requir:[1,3],reserv:1,resourc:3,respect:2,respons:2,result:3,retriev:2,root:1,row:1,rsplit:1,run:3,same:2,sampl:1,sample_funct:1,search:[0,1,2,3,4],secur:2,see:1,seen:4,select:4,self:2,sens:2,separ:1,session:3,set:[1,2],setformatt:1,setlevel:1,setup:1,setup_argpars:1,setup_log:1,sever:[0,3],share:1,shellcod:3,should:[1,3],show:[1,3,4],showcas:3,sig:0,signatur:1,similar:0,similarli:2,simpl:0,simplest:1,sinc:[1,2],singl:[0,1,2],snippet:[0,3],softwar:2,solid:0,some:3,sourc:1,specif:[0,1],specifi:[1,2,3],sqlite3:4,sqlite_mast:4,stai:0,statu:0,stderr:1,stderr_handl:1,stdout:1,store:[1,2],store_tru:1,str:[1,2,3],stream:1,streamhandl:1,string:[0,3],strip:1,strong:2,struct:2,structur:2,subdirectori:1,subjectdomainnam:3,subjectusernam:3,subjectusersid:3,subkei:2,submit:0,support:[1,3],sys:1,syslog:0,system:[2,3],system_tag:3,table_list:4,tailor:2,target:0,targetdomainnam:3,targetusernam:3,targetusersid:3,task:0,tech:1,test:1,test_encod:1,text:[1,3],thei:[1,2],them:[1,3],thi:[0,1,2,3,4],those:[2,3],though:[1,2,3],three:1,through:[0,1,2],time:0,timedelta:2,timestamp:2,tool:2,top:3,transact:[0,2],trust:2,trust_rec_kei:2,trust_record_path:2,trustrecord:2,tune:0,tweak:0,two:1,tx_log:2,tx_log_fil:2,tx_path:2,type:[0,2],uniform:0,uninterrupt:1,unlik:1,unpack:2,usag:[1,2,3,4],use:[0,1,3],usecas:1,used:[1,2],useful:[0,2],uses:1,using:2,using_python_evtx:3,utf:[0,1],util:1,valu:[0,1,3],vari:0,variabl:1,verbos:1,veri:[0,1,2],version:[2,3],virustot:0,wai:0,walk:1,warn:1,week:0,welcom:3,well:0,what:[1,2],wheel:0,where:3,whether:2,which:[1,3],williballenthin:3,window:[0,2],wish:[0,2],within:[1,2],without:0,word:[1,2],work:0,workstationnam:3,worri:1,wors:0,would:3,write:[0,1],write_csv_dict:1,write_csv_list:1,writehead:1,writer:1,writerow:1,written:1,yarp:2,yarp_bas:2,yarp_ntus:2,yield:[1,2,3],you:[0,1,3],your:[0,1]},titles:["The Python Forensics Handbook","Section 1 - Essential Scripts","Section 2 - Registry Parsing","Section 3 - Windows Event Log Parsing","Section 6 - Sqlite & MacOS/Mobile/Browsers"],titleterms:{The:0,Using:3,api:0,argpars:1,binari:2,browser:[0,4],call:0,configur:[1,4],creat:2,csv:1,data:[0,3],develop:0,dfir:0,dictionari:1,directori:1,docstr:[1,2,3],element:0,encod:1,essenti:[0,1],event:[0,3],evtx:3,exampl:1,file:1,filter:3,forens:0,guid:0,handbook:0,hive:[0,2],imag:0,indic:[0,1,2,3,4],iter:3,json:0,list:[1,4],log:[0,1,3],maco:[0,4],mobil:[0,4],open:[0,1,2,3,4],order:1,over:3,pars:[2,3],parser:2,proper:1,python:[0,3],read:2,record:3,recurs:1,refer:[1,2,3],registri:[0,2],script:[0,1],section:[0,1,2,3,4],specif:2,sqlite:[0,4],string:2,tabl:[0,1,2,3,4],text:0,valu:2,window:3,within:3,xml:3,yarp:0}})