python-forensics-handbook/docs/section3.html

292 lines
11 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Section 3 - Windows Event Log Parsing &mdash; Python Forensics Handbook 20191126 documentation</title>
<script type="text/javascript" src="_static/js/modernizr.min.js"></script>
<script type="text/javascript" id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/underscore.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
<script type="text/javascript" src="_static/language_data.js"></script>
<script type="text/javascript" src="_static/js/theme.js"></script>
<link rel="stylesheet" href="_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="prev" title="Section 2 - Registry Parsing" href="section2.html" />
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-17386833-12"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-17386833-12');
</script>
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="index.html" class="icon icon-home"> Python Forensics Handbook
</a>
<div class="version">
20191126
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="search.html" method="get">
<input type="text" name="q" placeholder="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div>
<div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
<p class="caption"><span class="caption-text">Table of Contents:</span></p>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="section1.html">Section 1 - Essential Scripts</a></li>
<li class="toctree-l1"><a class="reference internal" href="section2.html">Section 2 - Registry Parsing</a></li>
<li class="toctree-l1 current"><a class="current reference internal" href="#">Section 3 - Windows Event Log Parsing</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#module-sections.section_03.open_evtx">Section 3.1 - Opening an Event Log</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#open-windows-event-logs-evtx">Open Windows Event Logs (EVTX)</a></li>
<li class="toctree-l3"><a class="reference internal" href="#docstring-references">Docstring References</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#indices-and-tables">Indices and tables</a></li>
</ul>
</li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<nav class="wy-nav-top" aria-label="top navigation">
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="index.html">Python Forensics Handbook</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="breadcrumbs navigation">
<ul class="wy-breadcrumbs">
<li><a href="index.html">Docs</a> &raquo;</li>
<li>Section 3 - Windows Event Log Parsing</li>
<li class="wy-breadcrumbs-aside">
<a href="_sources/section3.rst.txt" rel="nofollow"> View page source</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<div class="section" id="section-3-windows-event-log-parsing">
<h1>Section 3 - Windows Event Log Parsing<a class="headerlink" href="#section-3-windows-event-log-parsing" title="Permalink to this headline"></a></h1>
<div class="toctree-wrapper compound">
</div>
<div class="section" id="module-sections.section_03.open_evtx">
<span id="section-3-1-opening-an-event-log"></span><h2>Section 3.1 - Opening an Event Log<a class="headerlink" href="#module-sections.section_03.open_evtx" title="Permalink to this headline"></a></h2>
<p>Example for opening EVTX files.</p>
<p>Demonstrates how to open an EVTX file and get basic details about the event log.
This section makes use of python-evtx, a python library for reading event log
files. To install, run <code class="docutils literal notranslate"><span class="pre">pip</span> <span class="pre">install</span> <span class="pre">python-evtx</span></code>.</p>
<p>Other libraries for parsing these event logs exist and we welcome others to
add snippets that showcase how to make use of them in reading EVTX files.</p>
<p>Example Usage:</p>
<blockquote>
<div><p><code class="docutils literal notranslate"><span class="pre">$</span> <span class="pre">python</span> <span class="pre">open_evtx.py</span> <span class="pre">System.evtx</span></code></p>
</div></blockquote>
<p>References:</p>
<ul class="simple">
<li><p><a class="reference external" href="https://github.com/williballenthin/python-evtx">https://github.com/williballenthin/python-evtx</a></p></li>
</ul>
<div class="section" id="open-windows-event-logs-evtx">
<h3>Open Windows Event Logs (EVTX)<a class="headerlink" href="#open-windows-event-logs-evtx" title="Permalink to this headline"></a></h3>
<p>This function shows an example of opening an EVTX file and parsing out several
common parameters about the file.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="k">def</span> <span class="nf">open_evtx</span><span class="p">(</span><span class="n">input_file</span><span class="p">):</span>
<span class="sd">&quot;&quot;&quot;Opens a Windows Event Log and displays common log parameters.</span>
<span class="sd"> Arguments:</span>
<span class="sd"> input_file (str): Path to evtx file to open</span>
<span class="sd"> &quot;&quot;&quot;</span>
<span class="k">with</span> <span class="n">evtx</span><span class="o">.</span><span class="n">Evtx</span><span class="p">(</span><span class="n">input_file</span><span class="p">)</span> <span class="k">as</span> <span class="n">open_log</span><span class="p">:</span>
<span class="n">header</span> <span class="o">=</span> <span class="n">open_log</span><span class="o">.</span><span class="n">get_file_header</span><span class="p">()</span>
<span class="n">properties</span> <span class="o">=</span> <span class="n">OrderedDict</span><span class="p">([</span>
<span class="p">(</span><span class="s1">&#39;major_version&#39;</span><span class="p">,</span> <span class="s1">&#39;File version (major)&#39;</span><span class="p">),</span>
<span class="p">(</span><span class="s1">&#39;minor_version&#39;</span><span class="p">,</span> <span class="s1">&#39;File version (minor)&#39;</span><span class="p">),</span>
<span class="p">(</span><span class="s1">&#39;is_dirty&#39;</span><span class="p">,</span> <span class="s1">&#39;File is ditry&#39;</span><span class="p">),</span>
<span class="p">(</span><span class="s1">&#39;is_full&#39;</span><span class="p">,</span> <span class="s1">&#39;File is full&#39;</span><span class="p">),</span>
<span class="p">(</span><span class="s1">&#39;next_record_number&#39;</span><span class="p">,</span> <span class="s1">&#39;Next record number&#39;</span><span class="p">)</span>
<span class="p">])</span>
<span class="k">for</span> <span class="n">key</span><span class="p">,</span> <span class="n">value</span> <span class="ow">in</span> <span class="n">properties</span><span class="o">.</span><span class="n">items</span><span class="p">():</span>
<span class="nb">print</span><span class="p">(</span><span class="n">f</span><span class="s2">&quot;</span><span class="si">{value}</span><span class="s2">: {getattr(header, key)()}&quot;</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="docstring-references">
<h3>Docstring References<a class="headerlink" href="#docstring-references" title="Permalink to this headline"></a></h3>
<dl class="function">
<dt id="sections.section_03.open_evtx.open_evtx">
<code class="descname">open_evtx</code><span class="sig-paren">(</span><em>input_file</em><span class="sig-paren">)</span><a class="headerlink" href="#sections.section_03.open_evtx.open_evtx" title="Permalink to this definition"></a></dt>
<dd><p>Opens a Windows Event Log and displays common log parameters.</p>
<dl class="field-list simple">
<dt class="field-odd">Parameters</dt>
<dd class="field-odd"><p><strong>input_file</strong> (<em>str</em>) Path to evtx file to open</p>
</dd>
</dl>
</dd></dl>
</div>
</div>
<div class="section" id="indices-and-tables">
<h2>Indices and tables<a class="headerlink" href="#indices-and-tables" title="Permalink to this headline"></a></h2>
<ul class="simple">
<li><p><a class="reference internal" href="genindex.html"><span class="std std-ref">Index</span></a></p></li>
<li><p><a class="reference internal" href="py-modindex.html"><span class="std std-ref">Module Index</span></a></p></li>
<li><p><a class="reference internal" href="search.html"><span class="std std-ref">Search Page</span></a></p></li>
</ul>
</div>
</div>
</div>
</div>
<footer>
<div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
<a href="section2.html" class="btn btn-neutral float-left" title="Section 2 - Registry Parsing" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left"></span> Previous</a>
</div>
<hr/>
<div role="contentinfo">
<p>
&copy; Copyright 2019, Chapin Bryce
</p>
</div>
Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/rtfd/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script type="text/javascript">
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>