Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/williballenthin/LfLe

Recover event log entries from an image by heurisitically looking for record structures.
https://github.com/williballenthin/LfLe

Last synced: 2 months ago
JSON representation

Recover event log entries from an image by heurisitically looking for record structures.

Host: GitHub
URL: https://github.com/williballenthin/LfLe
Owner: williballenthin
Created: 2012-09-06T20:46:20.000Z (over 12 years ago)
Default Branch: master
Last Pushed: 2015-10-09T17:31:14.000Z (over 9 years ago)
Last Synced: 2024-11-16T00:24:15.173Z (2 months ago)
Language: Python
Size: 198 KB
Stars: 27
Watchers: 10
Forks: 13
Open Issues: 1
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-anti-forensic - Lfle

README

LfLe
====

Recover event log entries from an image by heurisitically looking for record structures.

Dependencies
------------
- argparse (http://pypi.python.org/pypi/argparse available via easy_install/pip)

Usage
-----
Use this tool to extract event log messages from an image file by looking for things
that appear to be records. Then, feed the resulting file into an event log viewer,
such as Event Log Explorer (http://www.eventlogxp.com/, use "direct" mode when opening).

usage: lfle.py [-h] [-v] [-s] input_path output_path

Recover event log entries from an image by heurisitically looking for record
structures.

positional arguments:
input_path Path to a raw (dd) image file.
output_path Path to write output file that contains recovered event log
entries.

optional arguments:
-h, --help show this help message and exit
-v Print debugging messages during scanning.
-s Disable status messages (percent complete) during scanning.

Sample Output
-------------
evt/LfLe - [master●] » python lfle.py "/media/truecrypt2/VM/Windows XP Professional - Service Pack 3 - TEMPLATE/Windows XP Professional - Service Pack 3-cl1.vmdk" recovered.evt
100% complete% done
Wrote 5413 records
Skipped 48 records with length greater than 0x10000
Skipped 12 records with length less than 0x30
Skipped 14 records with invalid structure
Skipped 1 records with invalid content

Limitations
-----------
This tool supports only EVT/WinXP style event log messages. It does not support recovering
EVTX/Win7 style event log messages.