
A library for fast import of Windows Prefetch into Elasticsearch.

Project description

prefetch2es


Fast import of Windows Prefetch(.pf) into Elasticsearch.

prefetch2es uses the C library libscca to parse the Prefetch format.

Usage

When using from the commandline interface:

$ prefetch2es /path/to/your/file.pf

When using from the python-script:

from prefetch2es.prefetch2es import prefetch2es

if __name__ == '__main__':
    filepath = '/path/to/your/file.pf'
    prefetch2es(filepath)

Arguments

prefetch2es supports importing from multiple files.

$ prefetch2es file1.pf file2.pf file3.pf

It is also possible to import recursively from a directory.

$ tree .
pffiles/
  ├── file1.pf
  ├── file2.pf
  ├── file3.pf
  └── subdirectory/
    ├── file4.pf
    └── subsubdirectory/
      ├── file5.pf
      └── file6.pf

$ prefetch2es /pffiles/ # The Path is recursively expanded to file1~6.pf.

Options

--host:
    ElasticSearch host address
    (default: localhost)

--port:
    ElasticSearch port number
    (default: 9200)

--index:
    Index name
    (default: prefetch2es)

--scheme:
    Scheme to use (http or https)
    (default: http)

--pipeline:
    Elasticsearch Ingest Pipeline to use
    (default: )

--login:
    The login to use if Elastic Security is enabled
    (default: )

--pwd:
    The password linked to the login provided
    (default: )

Examples

When using from the commandline interface:

$ prefetch2es /path/to/your/file.pf --host=localhost --port=9200 --index=foobar

When using from the python-script:

if __name__ == '__main__':
    # host must be a string; the original snippet passed a bare name
    prefetch2es('/path/to/your/file.pf', host='localhost', port=9200, index='foobar')

With the Amazon Elasticsearch Service (ES):

$ prefetch2es /path/to/your/file.pf --host=example.us-east-1.es.amazonaws.com --port=443 --scheme=https --index=foobar

With credentials for Elastic Security:

$ prefetch2es /path/to/your/file.pf --host=localhost --port=9200 --index=foobar --login=elastic --pwd=******

Note: The current version does not verify the server's TLS certificate when --scheme=https is used, so the connection is not protected against a man-in-the-middle; keep this in mind when sending credentials or artefacts to a remote cluster.

Supported Prefetch versions

  • Windows XP
  • Windows 2003
  • Windows Vista (SP0)
  • Windows 7 (SP0)
  • Windows 8.1
  • Windows 10 1809
  • Windows 10 1903

For more information, please visit libscca.

Appendix

prefetch2json

Extra feature. 🍣 🍣 🍣

Convert from Windows Prefetch to json file.

$ prefetch2json /path/to/your/file.pf /path/to/output/target.json

Convert from Windows Prefetch to Python dict object.

from prefetch2es import prefetch2json

if __name__ == '__main__':
  filepath = '/path/to/your/file.pf'
  result: dict = prefetch2json(filepath)

Output Format Example

Using the sample prefetch file of EricZimmerman/Prefetch as an example.

{
  "name": "CALC.EXE",
  "filenames": [
    "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
    ...
  ],
  "exec_count": 2,
  "last_exec_time": 130974496211967500,
  "format_version": 23,
  "prefetch_hash": 2013131135,
  "metrics": [
    {
      "filename": "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
      "file_reference": 281474976736310
    },
    ...
  ],
  "volumes": [
    {
      "path": "\\DEVICE\\HARDDISKVOLUME2",
      "creation_time": 130974525181093750,
      "serial_number": 2281737263
    }
  ]
}
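As an added example (not part of prefetch2es or its README), the following Python post-processes a record in the output format above before it is indexed or reviewed: it converts the Windows FILETIME integers (last_exec_time, creation_time) to ISO 8601 timestamps, splits each NTFS file_reference into its MFT entry and sequence number, and derives the .pf filename Windows would have written from name and prefetch_hash, so a reviewer can flag a Prefetch file whose on-disk name does not match its contents. The record is constructed from the CALC.EXE values shown above; the enrich() function and the field names it adds are assumptions of this example, not fields prefetch2es emits.

```python
"""Post-process a prefetch2json-style record for analyst review.

Added example, not part of prefetch2es. It assumes only the output format
shown on the page: FILETIME integers, NTFS file references and the prefetch
hash as a plain integer.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, trimmed from the CALC.EXE record shown above.
SAMPLE = {
    "name": "CALC.EXE",
    "filenames": ["\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTDLL.DLL"],
    "exec_count": 2,
    "last_exec_time": 130974496211967500,
    "format_version": 23,
    "prefetch_hash": 2013131135,
    "metrics": [
        {"filename": "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
         "file_reference": 281474976736310},
    ],
    "volumes": [
        {"path": "\\DEVICE\\HARDDISKVOLUME2",
         "creation_time": 130974525181093750,
         "serial_number": 2281737263},
    ],
}

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to a timezone-aware UTC datetime."""
    if ft < 0:
        raise ValueError("FILETIME must be non-negative")
    # Integer division to microseconds keeps the arithmetic exact.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def split_file_reference(ref: int) -> tuple:
    """Split an NTFS file reference into (MFT entry number, sequence number).

    The low 48 bits are the MFT entry, the high 16 bits the sequence number
    that is bumped each time the entry is reused.
    """
    return ref & ((1 << 48) - 1), ref >> 48


def expected_pf_name(name: str, prefetch_hash: int) -> str:
    """Filename Windows gives the prefetch file: <NAME>-<HASH as 8 hex digits>.pf."""
    return f"{name}-{prefetch_hash:08X}.pf"


def enrich(record: dict) -> dict:
    """Return a copy of the record with decoded, analyst-friendly fields added."""
    out = dict(record)
    out["last_exec_time_iso"] = filetime_to_datetime(record["last_exec_time"]).isoformat()
    out["expected_pf_name"] = expected_pf_name(record["name"], record["prefetch_hash"])
    out["metrics"] = []
    for m in record["metrics"]:
        entry, seq = split_file_reference(m["file_reference"])
        out["metrics"].append({**m, "mft_entry": entry, "mft_sequence": seq})
    out["volumes"] = [
        {**v,
         "creation_time_iso": filetime_to_datetime(v["creation_time"]).isoformat(),
         "serial_number_hex": f"{v['serial_number']:08X}"}
        for v in record["volumes"]
    ]
    return out


if __name__ == "__main__":
    print(json.dumps(enrich(SAMPLE), indent=2))
```

The derived expected_pf_name for the sample is CALC.EXE-77FDF17F.pf; comparing it with the name of the file actually passed to prefetch2es is a cheap integrity check, since the hash is computed by Windows from the executable's path and a renamed or relocated Prefetch file will not match.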

Installation

via PyPI

$ pip install prefetch2es

via DockerHub

$ docker pull sumeshi/prefetch2es:latest

Run with Docker

https://hub.docker.com/r/sumeshi/prefetch2es

prefetch2es

# "host.docker.internal" is only available in mac and windows environments.
# For linux, use the --add-host option.
$ docker run -t --rm -v $(pwd):/app sumeshi/prefetch2es:latest prefetch2es SAMPLE.pf --host=host.docker.internal

prefetch2json

$ docker run -t --rm -v $(pwd):/app sumeshi/prefetch2es:latest prefetch2json SAMPLE.pf out.json

Do not use the "latest" image if at all possible.
The "latest" image is not a released version, but is built from the contents of the master branch.

Contributing

CONTRIBUTING

The source code for prefetch2es is hosted on GitHub, and you may download, fork, and review it from this repository (https://github.com/sumeshi/prefetch2es). Please report issues and feature requests. :sushi: :sushi: :sushi:

License

prefetch2es is released under the MIT License.

Powered by libscca.

Download files

Source Distribution

prefetch2es-2.1.0.tar.gz (6.6 kB)

Built Distribution

prefetch2es-2.1.0-py3-none-any.whl (6.3 kB)

File details

Details for the file prefetch2es-2.1.0.tar.gz.

File metadata

  • Download URL: prefetch2es-2.1.0.tar.gz
  • Upload date:
  • Size: 6.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.0.5 CPython/3.7.0 Darwin/19.6.0

File hashes

Hashes for prefetch2es-2.1.0.tar.gz

  • SHA256: c7a73345b8c028aa44bb3dbb0a846e063c43c192ecbe57646fa9e518fafb50df
  • MD5: 8fecf30221e084d3e36ad53994a989cf
  • BLAKE2b-256: baa9b60a1fe75a7716259c44d6aa04e1f5229f24b4d77cb67a8ca67de60fba31

File details

Details for the file prefetch2es-2.1.0-py3-none-any.whl.

File metadata

  • Download URL: prefetch2es-2.1.0-py3-none-any.whl
  • Upload date:
  • Size: 6.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.0.5 CPython/3.7.0 Darwin/19.6.0

File hashes

Hashes for prefetch2es-2.1.0-py3-none-any.whl

  • SHA256: 1ed3d4e2867d837fed2278d7031cde44d8ed5541716778a8eaaf392b9322ddb1
  • MD5: 5b0b6413f1302d7038b11a8023906ebb
  • BLAKE2b-256: ea4b4e317394d5674a08509c877d6f5c2ec5305ad3bef0be5f7f3a6ee7fd72e7
