LfLe Logo

LfLe

0
Free
Visit Website

Recover event log entries from an image by heuristically looking for record structures. Dependencies: argparse (http://pypi.python.org/pypi/argparse available via easy_install/pip). Usage: Use this tool to extract event log messages from an image file by looking for things that appear to be records. Then, feed the resulting file into an event log viewer, such as Event Log Explorer (http://www.eventlogxp.com/, use 'direct' mode when opening). Sample Output: evt/LfLe - [master●] » python lfle.py '/media/truecrypt2/VM/Windows XP Professional - Service Pack 3 - TEMPLATE/Windows XP Professional - Service Pack 3-cl1.vmdk' recovered.evt 100% complete% done. Wrote 5413 records. Skipped 48 records with length greater than 0x10000. Skipped 12.

FEATURES

ALTERNATIVES

A binary analysis platform for analyzing binary programs

Python script to parse macOS MRU plist files into human-friendly format

Rekall is a discontinued project that aimed to improve memory analysis methodology but faced challenges due to the nature of in-memory structure and increasing security measures.

Review of various MFT parsers used in digital forensics for analyzing NTFS file systems.

Tool for live forensics acquisition on Windows systems, collecting artefacts for early compromise detection.

Forensic imaging program with full hash authentication and various acquisition options.

Magnet ACQUIRE offers robust data extraction capabilities for digital forensics investigations, supporting a wide range of devices.

A library to access and read QEMU Copy-On-Write (QCOW) image file formats with support for zlib compression and AES-CBC encryption.