y0ug/evtx_dump.py

## evtx_dump.py
import mmap
import contextlib

import argparse

from Evtx.Evtx import FileHeader
from Evtx.Views import evtx_file_xml_view


def main():
    parser = argparse.ArgumentParser(
        description="Dump a binary EVTX file into XML.")
    parser.add_argument("evtx", type=str,
                        help="Path to the Windows EVTX event log file")
    args = parser.parse_args()

    with open(args.evtx, 'r') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0,
                                          access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            print "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>"
            print "<Events>"
            for xml, record in evtx_file_xml_view(fh):
                print xml
            print "</Events>"

if __name__ == "__main__":
    main()
	import mmap
	import contextlib

	import argparse

	from Evtx.Evtx import FileHeader
	from Evtx.Views import evtx_file_xml_view


	def main():
	parser = argparse.ArgumentParser(
	description="Dump a binary EVTX file into XML.")
	parser.add_argument("evtx", type=str,
	help="Path to the Windows EVTX event log file")
	args = parser.parse_args()

	with open(args.evtx, 'r') as f:
	with contextlib.closing(mmap.mmap(f.fileno(), 0,
	access=mmap.ACCESS_READ)) as buf:
	fh = FileHeader(buf, 0x0)
	print "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>"
	print "<Events>"
	for xml, record in evtx_file_xml_view(fh):
	print xml
	print "</Events>"

	if __name__ == "__main__":
	main()