Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/Silv3rHorn/ArtifactExtractor

Extract common Windows artifacts from source images and VSCs
https://github.com/Silv3rHorn/ArtifactExtractor

dfir forensics win4n6

Last synced: 29 days ago
JSON representation

Extract common Windows artifacts from source images and VSCs

Host: GitHub
URL: https://github.com/Silv3rHorn/ArtifactExtractor
Owner: Silv3rHorn
License: apache-2.0
Created: 2017-10-22T12:59:09.000Z (about 7 years ago)
Default Branch: master
Last Pushed: 2021-05-10T14:05:56.000Z (over 3 years ago)
Last Synced: 2024-02-14T19:31:23.829Z (10 months ago)
Topics: dfir, forensics, win4n6
Language: Python
Size: 80.1 KB
Stars: 60
Watchers: 8
Forks: 15
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

ForensicsTools - ArtifactExtractor - Extract common Windows artifacts from source images and VSCs (Challenges / Acquisition)
awesome-forensics - ArtifactExtractor - Extract common Windows artifacts from source images and VSCs (Tools / Acquisition)
Awesome-Forensics - ArtifactExtractor - Extract common Windows artifacts from source images and VSCs (Tools / Acquisition)

README

        # ArtifactExtractor

![](https://img.shields.io/badge/python-2.7-blue.svg)

ArtifactExtractor is a script that extracts common Windows artifacts from source images and VSCs.

Artifacts in VSCs will be checked (via hash) if they are different from a later VSC/image copy before extraction.

## Dependencies

None if using [release executable](https://github.com/Silv3rHorn/ArtifactExtractor/releases) on Windows.

Else:

1. Install backports.lzma

    * Windows: Use latest wheel file available from [here](https://www.lfd.uci.edu/~gohlke/pythonlibs/#backports.lzma)

    * Linux: Use a package manager, e.g. `sudo apt install liblzma-dev`

2. Install libewf

    * [libewf-legacy](https://github.com/libyal/libewf-legacy) should be installed rather than [libewf (experimental)](https://github.com/libyal/libewf) - Newer experimental releases have a [file corruption issue](https://github.com/log2timeline/dfvfs/issues/230). 

    * Windows: Use the MSI installer available from [here](https://mega.nz/#!qU9yUQCa!EWpwiZvjGtUIUxldKSGdQkdvLCwJ7t3PGinymU8TfQc)

    * Linux: Use [libewf-legacy build 20140806](https://github.com/libyal/libewf-legacy/releases/tag/20140806)

3. (Windows ONLY) Install pywin32: `pip install pywin32`

4. Install remaining requirements: use [requirements.txt](requirements.txt)

    * Use pip: `pip install -r requirements.txt`

## Usage

1. Create destination directory

2. `artifact_extractor.exe   [-a ]` or `artifact_extractor.exe -h` for more options

## Credits

Joachim Metz and his libraries

John Corcoran for Unix Compatibility