Experimental attempt at getting organized ...
Cheat sheet that covers tools, common commands, and other information for analyzing malicious documents, such as Word, OneNote and PDF:
When used from the command line, the xmllint tool doesn't accept namespaces in XPath expressions. This makes it difficult to process XML documents like the one below (file demo.xml):
<?xml version="1.0" standalone="yes"?>
<svrl:schematron-output xmlns:svrl="http://purl.oclc.org/dsdl/svrl" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:schold="http://www.ascc.net/xml/schematron" xmlns:sch="http://www.ascc.net/xml/schematron" xmlns:iso="http://purl.oclc.org
#! /usr/bin/env python | |
import os | |
import sys | |
import shutil | |
import sysconfig | |
import winreg | |
from win32com.client import Dispatch | |
def get_reg(name,path): | |
# Read variable from Windows Registry |
#! /usr/bin/env python | |
import time | |
import threading | |
import logging | |
# Import the Tk widgets under their Python 3 module names first and fall back
# to the Python 2 module names when those imports are unavailable.
try: | |
import tkinter as tk # Python 3.x | |
import tkinter.scrolledtext as ScrolledText | |
except ImportError: | |
import Tkinter as tk # Python 2.x | |
import ScrolledText |
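#!/bin/bash
# Convert an existing JPEG 2000 (JP2) image to TIFF with Kakadu's kdu_expand.
#
# Location of Kakadu binaries
kduPath=/Applications/kakadu
# Add Kakadu path to LD_LIBRARY_PATH. The ${VAR:+...} form emits the ":"
# separator only when LD_LIBRARY_PATH is already set; an unconditional
# "$LD_LIBRARY_PATH:$kduPath" with the variable unset yields a leading ":",
# i.e. an empty entry, which the dynamic loader treats as the current
# directory and so adds an unintended library search location.
export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$kduPath"
# Create TIFF from existing JP2. Reuse kduPath for the binary so the
# executable and the libraries it loads always come from the same install.
"$kduPath/kdu_expand" -i aware.jp2 -o aware.tif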
{ | |
"tweet" : { | |
"edit_info" : { | |
"initial" : { | |
"editTweetIds" : [ | |
"1588159317974319106" | |
], | |
"editableUntil" : "2022-11-03T13:51:02.000Z", | |
"editsRemaining" : "5", | |
"isEditEligible" : false |
<?xml version='1.0' encoding='UTF-8'?> | |
<jpylyzer xmlns="http://openpreservation.org/ns/jpylyzer/v2/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://openpreservation.org/ns/jpylyzer/v2/ http://jpylyzer.openpreservation.org/jpylyzer-v-2-0.xsd"> | |
<toolInfo> | |
<toolName>jpylyzer</toolName> | |
<toolVersion>2.0.0</toolVersion> | |
</toolInfo> | |
<file> | |
<fileInfo> | |
<fileName>6e3Gf8Mu</fileName> | |
<filePath>/home/johan/test/6e3Gf8Mu</filePath> |
The script that was originally included here is now superseded by:
https://github.com/KBNLresearch/detectStorageMediaType
See also my blog post:
Identification of physical storage media and devices with Python and the Windows API
<?xml version="1.0" ?> | |
<isolyzer xmlns="http://kb.nl/ns/isolyzer/v1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://kb.nl/ns/isolyzer/v1/ https://raw.githubusercontent.com/KBNLresearch/isolyzer/xsd/xsd/isolyzer-v-1-0.xsd"> | |
<toolInfo> | |
<toolName>cli.py</toolName> | |
<toolVersion>1.4.0a2</toolVersion> | |
</toolInfo> | |
<image> | |
<fileInfo> | |
<fileName>iso9660.iso</fileName> | |
<filePath>/home/johan/isolyzer/testFiles/iso9660.iso</filePath> |