292 lines
11 KiB
HTML
292 lines
11 KiB
HTML
|
||
|
||
<!DOCTYPE html>
|
||
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
|
||
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
|
||
<head>
|
||
<meta charset="utf-8">
|
||
|
||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||
|
||
<title>Section 3 - Windows Event Log Parsing — Python Forensics Handbook 20191126 documentation</title>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="_static/js/modernizr.min.js"></script>
|
||
|
||
|
||
<script type="text/javascript" id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
|
||
<script type="text/javascript" src="_static/jquery.js"></script>
|
||
<script type="text/javascript" src="_static/underscore.js"></script>
|
||
<script type="text/javascript" src="_static/doctools.js"></script>
|
||
<script type="text/javascript" src="_static/language_data.js"></script>
|
||
|
||
<script type="text/javascript" src="_static/js/theme.js"></script>
|
||
|
||
|
||
|
||
|
||
<link rel="stylesheet" href="_static/css/theme.css" type="text/css" />
|
||
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
|
||
<link rel="index" title="Index" href="genindex.html" />
|
||
<link rel="search" title="Search" href="search.html" />
|
||
<link rel="prev" title="Section 2 - Registry Parsing" href="section2.html" />
|
||
|
||
<!-- Global site tag (gtag.js) - Google Analytics -->
|
||
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-17386833-12"></script>
|
||
<script>
|
||
window.dataLayer = window.dataLayer || [];
|
||
function gtag(){dataLayer.push(arguments);}
|
||
gtag('js', new Date());
|
||
|
||
gtag('config', 'UA-17386833-12');
|
||
</script>
|
||
|
||
</head>
|
||
|
||
<body class="wy-body-for-nav">
|
||
|
||
|
||
<div class="wy-grid-for-nav">
|
||
|
||
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
|
||
<div class="wy-side-scroll">
|
||
<div class="wy-side-nav-search" >
|
||
|
||
|
||
|
||
<a href="index.html" class="icon icon-home"> Python Forensics Handbook
|
||
|
||
|
||
|
||
</a>
|
||
|
||
|
||
|
||
|
||
<div class="version">
|
||
20191126
|
||
</div>
|
||
|
||
|
||
|
||
|
||
<div role="search">
|
||
<form id="rtd-search-form" class="wy-form" action="search.html" method="get">
|
||
<input type="text" name="q" placeholder="Search docs" />
|
||
<input type="hidden" name="check_keywords" value="yes" />
|
||
<input type="hidden" name="area" value="default" />
|
||
</form>
|
||
</div>
|
||
|
||
|
||
</div>
|
||
|
||
<div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<p class="caption"><span class="caption-text">Table of Contents:</span></p>
|
||
<ul class="current">
|
||
<li class="toctree-l1"><a class="reference internal" href="section1.html">Section 1 - Essential Scripts</a></li>
|
||
<li class="toctree-l1"><a class="reference internal" href="section2.html">Section 2 - Registry Parsing</a></li>
|
||
<li class="toctree-l1 current"><a class="current reference internal" href="#">Section 3 - Windows Event Log Parsing</a><ul>
|
||
<li class="toctree-l2"><a class="reference internal" href="#module-sections.section_03.open_evtx">Section 3.1 - Opening an Event Log</a><ul>
|
||
<li class="toctree-l3"><a class="reference internal" href="#open-windows-event-logs-evtx">Open Windows Event Logs (EVTX)</a></li>
|
||
<li class="toctree-l3"><a class="reference internal" href="#docstring-references">Docstring References</a></li>
|
||
</ul>
|
||
</li>
|
||
<li class="toctree-l2"><a class="reference internal" href="#indices-and-tables">Indices and tables</a></li>
|
||
</ul>
|
||
</li>
|
||
</ul>
|
||
|
||
|
||
|
||
</div>
|
||
</div>
|
||
</nav>
|
||
|
||
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
|
||
|
||
|
||
<nav class="wy-nav-top" aria-label="top navigation">
|
||
|
||
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
|
||
<a href="index.html">Python Forensics Handbook</a>
|
||
|
||
</nav>
|
||
|
||
|
||
<div class="wy-nav-content">
|
||
|
||
<div class="rst-content">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<div role="navigation" aria-label="breadcrumbs navigation">
|
||
|
||
<ul class="wy-breadcrumbs">
|
||
|
||
<li><a href="index.html">Docs</a> »</li>
|
||
|
||
<li>Section 3 - Windows Event Log Parsing</li>
|
||
|
||
|
||
<li class="wy-breadcrumbs-aside">
|
||
|
||
|
||
<a href="_sources/section3.rst.txt" rel="nofollow"> View page source</a>
|
||
|
||
|
||
</li>
|
||
|
||
</ul>
|
||
|
||
|
||
<hr/>
|
||
</div>
|
||
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
|
||
<div itemprop="articleBody">
|
||
|
||
<div class="section" id="section-3-windows-event-log-parsing">
|
||
<h1>Section 3 - Windows Event Log Parsing<a class="headerlink" href="#section-3-windows-event-log-parsing" title="Permalink to this headline">¶</a></h1>
|
||
<div class="toctree-wrapper compound">
|
||
</div>
|
||
<div class="section" id="module-sections.section_03.open_evtx">
|
||
<span id="section-3-1-opening-an-event-log"></span><h2>Section 3.1 - Opening an Event Log<a class="headerlink" href="#module-sections.section_03.open_evtx" title="Permalink to this headline">¶</a></h2>
|
||
<p>Example for opening EVTX files.</p>
|
||
<p>Demonstrates how to open an EVTX file and get basic details about the event log.
|
||
This section makes use of python-evtx, a python library for reading event log
|
||
files. To install, run <code class="docutils literal notranslate"><span class="pre">pip</span> <span class="pre">install</span> <span class="pre">python-evtx</span></code>.</p>
|
||
<p>Other libraries for parsing these event logs exist and we welcome others to
|
||
add snippets that showcase how to make use of them in reading EVTX files.</p>
|
||
<p>Example Usage:</p>
|
||
<blockquote>
|
||
<div><p><code class="docutils literal notranslate"><span class="pre">$</span> <span class="pre">python</span> <span class="pre">open_evtx.py</span> <span class="pre">System.evtx</span></code></p>
|
||
</div></blockquote>
|
||
<p>References:</p>
|
||
<ul class="simple">
|
||
<li><p><a class="reference external" href="https://github.com/williballenthin/python-evtx">https://github.com/williballenthin/python-evtx</a></p></li>
|
||
</ul>
|
||
<div class="section" id="open-windows-event-logs-evtx">
|
||
<h3>Open Windows Event Logs (EVTX)<a class="headerlink" href="#open-windows-event-logs-evtx" title="Permalink to this headline">¶</a></h3>
|
||
<p>This function shows an example of opening an EVTX file and parsing out several
|
||
common parameters about the file.</p>
|
||
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="k">def</span> <span class="nf">open_evtx</span><span class="p">(</span><span class="n">input_file</span><span class="p">):</span>
|
||
<span class="sd">"""Opens a Windows Event Log and displays common log parameters.</span>
|
||
|
||
<span class="sd"> Arguments:</span>
|
||
<span class="sd"> input_file (str): Path to evtx file to open</span>
|
||
<span class="sd"> """</span>
|
||
|
||
<span class="k">with</span> <span class="n">evtx</span><span class="o">.</span><span class="n">Evtx</span><span class="p">(</span><span class="n">input_file</span><span class="p">)</span> <span class="k">as</span> <span class="n">open_log</span><span class="p">:</span>
|
||
<span class="n">header</span> <span class="o">=</span> <span class="n">open_log</span><span class="o">.</span><span class="n">get_file_header</span><span class="p">()</span>
|
||
<span class="n">properties</span> <span class="o">=</span> <span class="n">OrderedDict</span><span class="p">([</span>
|
||
<span class="p">(</span><span class="s1">'major_version'</span><span class="p">,</span> <span class="s1">'File version (major)'</span><span class="p">),</span>
|
||
<span class="p">(</span><span class="s1">'minor_version'</span><span class="p">,</span> <span class="s1">'File version (minor)'</span><span class="p">),</span>
|
||
<span class="p">(</span><span class="s1">'is_dirty'</span><span class="p">,</span> <span class="s1">'File is ditry'</span><span class="p">),</span>
|
||
<span class="p">(</span><span class="s1">'is_full'</span><span class="p">,</span> <span class="s1">'File is full'</span><span class="p">),</span>
|
||
<span class="p">(</span><span class="s1">'next_record_number'</span><span class="p">,</span> <span class="s1">'Next record number'</span><span class="p">)</span>
|
||
<span class="p">])</span>
|
||
|
||
<span class="k">for</span> <span class="n">key</span><span class="p">,</span> <span class="n">value</span> <span class="ow">in</span> <span class="n">properties</span><span class="o">.</span><span class="n">items</span><span class="p">():</span>
|
||
<span class="nb">print</span><span class="p">(</span><span class="n">f</span><span class="s2">"</span><span class="si">{value}</span><span class="s2">: {getattr(header, key)()}"</span><span class="p">)</span>
|
||
</pre></div>
|
||
</div>
|
||
</div>
|
||
<div class="section" id="docstring-references">
|
||
<h3>Docstring References<a class="headerlink" href="#docstring-references" title="Permalink to this headline">¶</a></h3>
|
||
<dl class="function">
|
||
<dt id="sections.section_03.open_evtx.open_evtx">
|
||
<code class="descname">open_evtx</code><span class="sig-paren">(</span><em>input_file</em><span class="sig-paren">)</span><a class="headerlink" href="#sections.section_03.open_evtx.open_evtx" title="Permalink to this definition">¶</a></dt>
|
||
<dd><p>Opens a Windows Event Log and displays common log parameters.</p>
|
||
<dl class="field-list simple">
|
||
<dt class="field-odd">Parameters</dt>
|
||
<dd class="field-odd"><p><strong>input_file</strong> (<em>str</em>) – Path to evtx file to open</p>
|
||
</dd>
|
||
</dl>
|
||
</dd></dl>
|
||
|
||
</div>
|
||
</div>
|
||
<div class="section" id="indices-and-tables">
|
||
<h2>Indices and tables<a class="headerlink" href="#indices-and-tables" title="Permalink to this headline">¶</a></h2>
|
||
<ul class="simple">
|
||
<li><p><a class="reference internal" href="genindex.html"><span class="std std-ref">Index</span></a></p></li>
|
||
<li><p><a class="reference internal" href="py-modindex.html"><span class="std std-ref">Module Index</span></a></p></li>
|
||
<li><p><a class="reference internal" href="search.html"><span class="std std-ref">Search Page</span></a></p></li>
|
||
</ul>
|
||
</div>
|
||
</div>
|
||
|
||
|
||
</div>
|
||
|
||
</div>
|
||
<footer>
|
||
|
||
<div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
|
||
|
||
|
||
<a href="section2.html" class="btn btn-neutral float-left" title="Section 2 - Registry Parsing" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left"></span> Previous</a>
|
||
|
||
</div>
|
||
|
||
|
||
<hr/>
|
||
|
||
<div role="contentinfo">
|
||
<p>
|
||
© Copyright 2019, Chapin Bryce
|
||
|
||
</p>
|
||
</div>
|
||
Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/rtfd/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
|
||
|
||
</footer>
|
||
|
||
</div>
|
||
</div>
|
||
|
||
</section>
|
||
|
||
</div>
|
||
|
||
|
||
|
||
<script type="text/javascript">
|
||
jQuery(function () {
|
||
SphinxRtdTheme.Navigation.enable(true);
|
||
});
|
||
</script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
</body>
|
||
</html> |