File: evtx_record_template.py

package info (click to toggle)
python-evtx 0.6.1-1%2Bdeb10u1
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 4,768 kB
  • sloc: python: 3,082; makefile: 6
file content (25 lines) | stat: -rwxr-xr-x 629 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
 
#!/usr/bin/env python


import Evtx.Evtx as evtx
import Evtx.Views as e_views


def main():
    import argparse

    parser = argparse.ArgumentParser(
        description="Print the structure of an EVTX record's template.")
    parser.add_argument("evtx", type=str,
                        help="Path to the Windows EVTX file")
    parser.add_argument("record", type=int,
                        help="Record number")
    args = parser.parse_args()

    with evtx.Evtx(args.evtx) as log:
        r = log.get_record(args.record)
        print(e_views.evtx_template_readable_view(r.root()))


if __name__ == "__main__":
    main()