FilesExpand file tree

 python3-evtx

/

extract_record.py

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

executable file

·

45 lines (34 loc) · 1.42 KB

 python3-evtx

/

extract_record.py

Top

File metadata and controls

• Code
• Blame

executable file

·

45 lines (34 loc) · 1.42 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

#!/usr/bin/env python3

"""

This file is part of python-evtx.

Copyright 2012, 2013

Willi Ballenthin <william.ballenthin@mandiant.com>

while at Mandiant <http://www.mandiant.com>

Licensed under the Apache License, Version 2.0 (the "License");

you may not use this file except in compliance with the License.

You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software

distributed under the License is distributed on an "AS IS" BASIS,

WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

See the License for the specific language governing permissions and

limitations under the License.

"""

import sys

from Evtx.Evtx import Evtx

def main():

import argparse

parser = argparse.ArgumentParser(

description="Write the raw data for a EVTX record to STDOUT")

parser.add_argument("evtx", type=str,

help="Path to the Windows EVTX file")

parser.add_argument("record", type=int,

help="The record number of the record to extract")

args = parser.parse_args()

with Evtx(args.evtx) as evtx:

record = evtx.get_record(args.record)

if record is None:

raise RuntimeError("Cannot find the record specified.")

sys.stdout.write(record.data())

if __name__ == "__main__":

main()