The goal of this project is to create a Python tool that can extract different types of artifacts from EWF (Expert Witness Compression Format) evidence files. This tool can be useful for forensic investigators who need to analyze digital evidence and extract relevant information from EWF files.
The tool provides various commands to extract different types of artifacts, such as automatic extraction, browser artifacts, logs artifacts, registries artifacts, and hives artifacts. The tool also supports commands to list partitions, list folders, copy files, and print files.
This tool uses a Merkle proof to validate the extracted artifacts.
The tool is implemented using Python and uses libraries such as Pyewf, Pytsk3, and PyYAML to extract and parse data from EWF files. The tool can be run from the command line by executing the main.py script with the appropriate command and options.
├── cmds/
│ ├── cmd1.py
├── config/
│ └── config1.yml
├── utils/
│ ├── util1.py
└── main.py
- cmds/: all the subcommands.
- config/: all the YAML config profiles.
- utils/: all the Python utils.
This repository includes a default YAML configuration file located at config/default.yml that can be used to customize certain aspects of the program.
The following configuration options are available:
- A binary-encoded string representing the data partition. This option is used to specify the location of the data partition.
- The path to the configuration directory. This option is used to specify the path to the system configuration directory.
- The path to the logs directory. This option is used to specify the path to the logs directory.
- The path to the Master File Table (MFT). This option is used to specify the path to the MFT.
- The path to the users directory. This option is used to specify the path to the users directory.
- A list of log files to extract. This option is used to specify which log files should be extracted.
- A list of registry files to extract. This option is used to specify which registry files should be extracted.
- A list of user hives to extract. This option is used to specify which user hives should be extracted.
- The prefix used for Microsoft Edge artifacts.
- The prefix used for Chrome artifacts.
- The prefix used for Firefox artifacts.
- A list of prefixes used for Internet Explorer artifacts.
- A list of prefixes used for Brave artifacts.
To get a local copy up and running, follow these steps.
You will need to install the latest version of Python 3.10, which can be downloaded from the official Python website or installed using your system's package manager.
- Clone the repo
  git clone https://github.com/MohammedBenhelli/EWFParser
- Install Python packages
  cd ./EWFParser
  pip install -r requirements.txt
This command extracts all available artifacts from the EWF file. It can be run using the following command:
python main.py extract --file <path-to-ewf-evidence> --dest <optional-path-to-destination> --config <optional-path-to-yaml-config>
This command extracts browser artifacts from the EWF file. It can be run using the following command:
python main.py browsers --file <path-to-ewf-evidence> --dest <optional-path-to-destination> --config <optional-path-to-yaml-config>
This command extracts log artifacts from the EWF file. It can be run using the following command:
python main.py logs --file <path-to-ewf-evidence> --dest <optional-path-to-destination> --config <optional-path-to-yaml-config>
This command extracts registry artifacts from the EWF file. It can be run using the following command:
python main.py reg --file <path-to-ewf-evidence> --dest <optional-path-to-destination> --config <optional-path-to-yaml-config>
This command extracts hive artifacts from the EWF file. It can be run using the following command:
python main.py hives --file <path-to-ewf-evidence> --dest <optional-path-to-destination> --config <optional-path-to-yaml-config>
This command computes the proof hash of an artifacts folder. It can be run using the following command:
python main.py get-proof <path-to-artifacts-folder>
This command verifies an artifacts folder against a previously computed proof hash. It can be run using the following command:
python main.py verify --directory <path-to-artifacts-folder> --proof <proof-hash>
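The get-proof and verify commands rest on a Merkle root computed over the extracted files. The following is an added example of that scheme in Python, not EWFParser's own implementation: it assumes SHA-256 leaves built from each file's relative path plus its content, leaves taken in sorted-path order, and an odd node paired with itself; the project's actual leaf and ordering rules may differ.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def leaf_hashes(directory: str) -> list[str]:
    """One leaf per regular file; sorted relative paths fix the leaf order (assumed scheme)."""
    root = Path(directory)
    leaves = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix().encode()
        # Bind the path into the leaf so a renamed or moved file changes the root.
        leaves.append(_sha256(rel + b"\0" + path.read_bytes()))
    return leaves

def merkle_root(leaves: list[str]) -> str:
    """Fold the leaf hashes pairwise up to one root; an odd node is paired with itself."""
    level = list(leaves) or [_sha256(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [_sha256((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]

def get_proof(directory: str) -> str:
    return merkle_root(leaf_hashes(directory))

def verify(directory: str, proof: str) -> bool:
    # Constant-time comparison of the hex root against the supplied proof hash.
    return hmac.compare_digest(get_proof(directory), proof)

def demo() -> tuple[bool, bool]:
    """Constructed artifacts folder: the proof verifies, then fails once a file is altered."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "SYSTEM").write_bytes(b"constructed hive bytes")
        (Path(d) / "Security.evtx").write_bytes(b"constructed log bytes")
        proof = get_proof(d)
        before = verify(d, proof)
        (Path(d) / "SYSTEM").write_bytes(b"altered hive bytes")
        return before, verify(d, proof)

if __name__ == "__main__":
    print(demo())
```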
This command lists the partitions in the EWF file. It can be run using the following command:
python main.py partition --file <path-to-ewf-evidence>
This command lists the contents of a folder in the EWF file. It can be run using the following command:
python main.py ls --file <path-to-ewf-evidence> <path-to-folder>
This command copies a file from the EWF file to a destination folder. It can be run using the following command:
python main.py cp --file <path-to-ewf-evidence> <path-to-file> <path-to-destination>
This command prints the contents of a file in the EWF file. It can be run using the following command:
python main.py cat --file <path-to-ewf-evidence> <path-to-file>
- Extracting system registries and user hives
  - Convert to JSON
- Extracting logs
  - Convert to XML
- Add subcommand
  - partition command
  - ls command
  - cp command
  - get-proof command
  - verify command
  - cat command
  - browsers command
  - logs command
  - hives command
  - reg command
- Merkle proof for file signature check
- Extracting browsers
  - Edge
  - Chrome
  - Internet Explorer
  - Firefox
  - Brave
  - Opera
  - Puffin
- Extracting MFT
  - Parsing MFT
- Refactor
  - Clean code
  - Add ruff linter
Distributed under the MIT License. See LICENSE.txt for more information.