Matthew Seyer forensicmatt
forensicmatt
/ install-l2tbinaries-win64.py
Created
April 8, 2020 02:51
Install all the win64 executables in the l2tbinaries github folder
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import requests | |
| import tempfile | |
| import subprocess | |
| import json | |
| def main(): | |
| win64_request = requests.get("https://api.github.com/repos/log2timeline/l2tbinaries/contents/win64") | |
| contents = json.loads(win64_request.text) |
forensicmatt
/ uninstall-all-python-things.ps1
Created
April 8, 2020 01:19
Uninstall ALL Python Things
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Get-WmiObject -Query "SELECT * FROM Win32_Product WHERE Name LIKE '%Python%'" | ForEach-Object { $_.Uninstall() } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Parse $O File | |
| # Copyright Matthew Seyer 2018 | |
| # Apache License Version 2 | |
| # | |
| # decode_objfile.py FILE [OUTPUT_TEMPLATE] | |
| # | |
| # Examples: | |
| # Output JSON lines: | |
| # python .\decode_objfile.py '$O' | |
| # |
forensicmatt
/ filetime_parsing.py
Created
October 3, 2018 06:04
Parse Windows FileTime with nanoseond resolution.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import struct | |
| import datetime | |
| import binascii | |
| FILETIME = b"\x19\x81\xE5\xB2\x1F\xDB\xD3\x01" | |
| class FileTime(datetime.datetime): | |
| """datetime.datetime object is immutable, so we will create a class to inherit | |
| datetime.datetime so we can set a custom nanosecond. |