Merge pull request #82 from ajread4/add_json

Willi Ballenthin · web-flow · commit fc8ed9bf16bc · 2022-12-21T16:38:52.000+01:00
Add JSON dump functionality
diff --git a/README.md b/README.md
@@ -29,7 +29,7 @@ python-evtx operates on event log files from Windows operating systems newer tha
 
 Examples
 --------
-Provided with the parsing module `Evtx` are three scripts that mimic the tools distributed with Parse-Evtx.  `evtx_info.py` prints metadata about the event log and verifies the checksums of each chunk.  `evtx_templates.py` builds and prints the templates used throughout the event log.  Finally, `evtx_dump.py` parses the event log and transforms the binary XML into a human readable ASCII XML format.
+Provided with the parsing module `Evtx` are four scripts that mimic the tools distributed with Parse-Evtx.  `evtx_info.py` prints metadata about the event log and verifies the checksums of each chunk.  `evtx_templates.py` builds and prints the templates used throughout the event log. `evtx_dump.py` parses the event log and transforms the binary XML into a human readable ASCII XML format. Finally, `evtx_dump_json.py` parses event logs, similar to `evtx_dump.py` and transforms the binary XML into JSON with the added capability to output the JSON array to a file. 
 
 Note the length of the `evtx_dump.py` script: its only 20 lines.  Now, review the contents and notice the complete implementation of the logic:
 
diff --git a/scripts/evtx_dump.py b/scripts/evtx_dump.py
@@ -20,7 +20,6 @@
 import Evtx.Evtx as evtx
 import Evtx.Views as e_views
 
-
 def main():
     import argparse
 
diff --git a/scripts/evtx_dump_json.py b/scripts/evtx_dump_json.py
@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+#   This file is part of python-evtx.
+#   Written by AJ Read (ajread4) with help/inspiration from the evtx_dump.py file written by Willi Ballenthin.
+#
+#   Purpose: User can dump evtx data into JSON format to either the command line or a JSON file in new line delimited format/JSON array.
+#   Details: The JSON object is created with only the EventRecordID from the System section of the evtx XML and all of the information within the EventData section.
+
+import Evtx.Evtx as evtx
+import Evtx.Views as e_views
+
+# Added packages
+import os
+import xmltodict
+import json
+
+
+def main():
+    import argparse
+    parser = argparse.ArgumentParser(
+        description="Dump a binary EVTX file into XML.")
+    parser.add_argument("evtx", type=str,action='store',
+                        help="Path to the Windows EVTX event log file")
+    parser.add_argument("-o","--output",type=str, action='store',
+                        help="Path of output JSON file")
+    args = parser.parse_args()
+
+    with evtx.Evtx(args.evtx) as log:
+
+        # Instantiate the final json object
+        final_json=[]
+
+        # Loop through each record in the evtx log
+        for record in log.records():
+
+            # Convert the record to a dictionary for ease of parsing
+            data_dict=xmltodict.parse(record.xml())
+
+            # Loop through each key,value pair of the System section of the evtx logs and extract the EventRecordID
+            for event_system_key, event_system_value in data_dict['Event']['System'].items():
+                if (event_system_key=="EventRecordID"):
+                    json_subline={}
+                    firstline={event_system_key:event_system_value}
+
+                    # Add information to the JSON object for this specific log
+                    json_subline.update(firstline) #add the event ID to JSON subline
+
+            # Loop through each key, value pair of the EventData section of the evtx logs
+            for event_data_key, event_data_value in data_dict['Event']['EventData'].items():
+                for values in event_data_value:
+
+                    # Loop through each subvalue within the EvenData section to extract necessary information
+                    for event_data_subkey,event_data_subvalue in values.items():
+                        if event_data_subkey=="@Name":
+                            data_name=event_data_subvalue
+                        else:
+                            data_value=event_data_subvalue
+
+                            # Add information to the JSON object for this specific log
+                            json_subline.update({data_name: data_value})
+
+            # Print the JSON object for the specific log if not requested to output to file
+            if not args.output:
+                print(json_subline)
+
+            # Add specific log JSON object to the final JSON object
+            if not final_json:
+                final_json=[json_subline]
+            else:
+                final_json.append(json_subline)
+
+        # If output is desired
+        if (args.output):
+
+            # Output the JSON data
+            if (os.path.splitext(args.output)[1] == ".json"):
+                json_file=args.output
+            else:
+                json_file=args.output +".json"
+
+            # Write to JSON file
+            with open(json_file,"w") as outfile:
+                json.dump(final_json,outfile)
+
+if __name__ == "__main__":
+    main()
diff --git a/setup.py b/setup.py
@@ -24,6 +24,7 @@
         install_requires=[
             'six',
             'hexdump==3.3',
+            'xmltodict==0.13.0', #added deps for evtx_dump_json.py script
                
             # pin deps for python 2, see #67
             'more_itertools==5.0.0',
@@ -40,6 +41,7 @@
             ]
         },
         scripts=['scripts/evtx_dump.py',
+                 'scripts/evtx_dump_json.py'
                  'scripts/evtx_dump_chunk_slack.py',
                  'scripts/evtx_eid_record_numbers.py',
                  'scripts/evtx_extract_record.py',
