Repository record for https://github.com/patatetom/4and6 (owner: patatetom; default branch: main; language: Python; license: gpl-3.0; topics: bash, dfir, forensics, pipe, python, scripts, sqlite3, tips; created 2021-12-16, last pushed 2021-12-17). The README.md follows.

# 4and6

_small pieces of code dedicated to the digital investigation of Windows mainly from Linux_


## TIME

> times are usually stored in UTC format.

- from UTC to local time (the time zone in which the following commands are executed) :

```console
$ # get local time zone
$ timedatectl -p Timezone show
Timezone=Europe/Paris

$ # Paris is UTC+1 in December (CET)
$ date -d 2021-12-14T08:39:00.408109200Z
Tue Dec 14 09:39:00 CET 2021

$ # Z and UTC are equivalent
$ date -d "2021-12-14 08:39:00 UTC"
Tue Dec 14 09:39:00 CET 2021

$ # the input must be in a date format that date(1) recognises
$ date -d "Tue Dec 14 08:39:00 UTC"
Tue Dec 14 09:39:00 CET 2021

$ # the output format can be specified
$ date -d "2021-12-14 08:39 UTC" +'%Y%m%d%H%M%S'
20211214093900
```

- from UTC to a specified time zone :

```console
$ # find/show time zones
$ timedatectl list-timezones | grep -i asia/r
Asia/Rangoon
Asia/Riyadh

$ TZ="Asia/Riyadh" date -d ' Tue Dec 14 08:39:00 UTC'
Tue Dec 14 11:39:00 +03 2021
```


## EVTX

- used tools :
  - `evtxexport` and `evtxinfo` from https://github.com/libyal/libevtx

- scripts :
  - `evtx.toxml`

```console
$ # export in xml format
$ evtx.toxml /mnt/Windows/System32/winevt/Logs/System.evtx 2> /tmp/evtx.toxml.log
<Events File="/mnt/Windows/System32/winevt/Logs/System.evtx">
<Event>
  <System>
…
  </System>
  <EventData>
…
  </EventData>
</Event>
…
</Events>
```

  - `evtx.totsv`

> `evtx.totsv` is based on the `evtx.toxml` export

```console
$ # export in tsv format
$ evtx.toxml /mnt/Windows/System32/winevt/Logs/Application.evtx 2> /tmp/evtx.toxml.log | evtx.totsv
/mnt/Windows/System32/winevt/Logs/Application.evtx	Microsoft-Windows-User Profiles Service	1531	2021-10-27T10:59:43.418663000Z	1	{…
…

$ # tsv lends itself easily to grep et cetera
$ evtx.toxml /mnt/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-PnP%4Configuration.evtx 2> /tmp/evtx.toxml.log | evtx.totsv |
> cut -f 4,6 | grep 'VID_....&PID_...' | sort -r
2021-12-14T08:39:00.408109200Z	{'DeviceInstanceId': 'USBSTOR\\Disk&…
2021-12-14T08:39:00.404377100Z	{'DeviceInstanceId': 'USB\\VID_…
2021-12-14T08:39:00.393581500Z	{'DeviceInstanceId': 'USB\\VID_…
…

$ # tsv can also be easily integrated into a sqlite database
$ sqlite3 /tmp/events.db 'CREATE TABLE IF NOT EXISTS "events" (file TEXT, provider TEXT, eventid INT, date TEXT, recordid INT, data TEXT);'
$ sqlite3 -cmd '.mode tabs' /tmp/events.db '.import /dev/stdin events' < <(
  for evtx in /mnt/Windows/System32/winevt/Logs/*.evtx
  do
    evtx.toxml "${evtx}" | evtx.totsv
  done 2> /tmp/evtx.toxml.log
)
$ sqlite3 /tmp/events.db 'SELECT … FROM events WHERE … ORDER BY date DESC;'
```

- other tools to look at :
  - `evtx_dump` at https://github.com/omerbenamram/evtx
  - the python `python-evtx` module at https://github.com/williballenthin/python-evtx

> in the same way as for `evtxexport`, the `evtx_dump` output can be formatted with `sed '/^Record/d;/^<?xml/d;s/ xmlns="[^"]*"//g'` (drops the `Record` header lines and the XML prolog, and strips the `xmlns` attribute)

## REG


## USB