").append( jQuery.parseHTML( responseText ) ).find( selector ) :
+
+ // Otherwise use the full result
+ responseText );
+
+ }).complete( callback && function( jqXHR, status ) {
+ self.each( callback, response || [ jqXHR.responseText, status, jqXHR ] );
+ });
+ }
+
+ return this;
+};
+
+// Attach a bunch of functions for handling common AJAX events
+jQuery.each( [ "ajaxStart", "ajaxStop", "ajaxComplete", "ajaxError", "ajaxSuccess", "ajaxSend" ], function( i, type ){
+ jQuery.fn[ type ] = function( fn ){
+ return this.on( type, fn );
+ };
+});
+
+jQuery.extend({
+
+ // Counter for holding the number of active queries
+ active: 0,
+
+ // Last-Modified header cache for next request
+ lastModified: {},
+ etag: {},
+
+ ajaxSettings: {
+ url: ajaxLocation,
+ type: "GET",
+ isLocal: rlocalProtocol.test( ajaxLocParts[ 1 ] ),
+ global: true,
+ processData: true,
+ async: true,
+ contentType: "application/x-www-form-urlencoded; charset=UTF-8",
+ /*
+ timeout: 0,
+ data: null,
+ dataType: null,
+ username: null,
+ password: null,
+ cache: null,
+ throws: false,
+ traditional: false,
+ headers: {},
+ */
+
+ accepts: {
+ "*": allTypes,
+ text: "text/plain",
+ html: "text/html",
+ xml: "application/xml, text/xml",
+ json: "application/json, text/javascript"
+ },
+
+ contents: {
+ xml: /xml/,
+ html: /html/,
+ json: /json/
+ },
+
+ responseFields: {
+ xml: "responseXML",
+ text: "responseText",
+ json: "responseJSON"
+ },
+
+ // Data converters
+ // Keys separate source (or catchall "*") and destination types with a single space
+ converters: {
+
+ // Convert anything to text
+ "* text": String,
+
+ // Text to html (true = no transformation)
+ "text html": true,
+
+ // Evaluate text as a json expression
+ "text json": jQuery.parseJSON,
+
+ // Parse text as xml
+ "text xml": jQuery.parseXML
+ },
+
+ // For options that shouldn't be deep extended:
+ // you can add your own custom options here if
+ // and when you create one that shouldn't be
+ // deep extended (see ajaxExtend)
+ flatOptions: {
+ url: true,
+ context: true
+ }
+ },
+
+ // Creates a full fledged settings object into target
+ // with both ajaxSettings and settings fields.
+ // If target is omitted, writes into ajaxSettings.
+ ajaxSetup: function( target, settings ) {
+ return settings ?
+
+ // Building a settings object
+ ajaxExtend( ajaxExtend( target, jQuery.ajaxSettings ), settings ) :
+
+ // Extending ajaxSettings
+ ajaxExtend( jQuery.ajaxSettings, target );
+ },
+
+ ajaxPrefilter: addToPrefiltersOrTransports( prefilters ),
+ ajaxTransport: addToPrefiltersOrTransports( transports ),
+
+ // Main method
+ ajax: function( url, options ) {
+
+ // If url is an object, simulate pre-1.5 signature
+ if ( typeof url === "object" ) {
+ options = url;
+ url = undefined;
+ }
+
+ // Force options to be an object
+ options = options || {};
+
+ var // Cross-domain detection vars
+ parts,
+ // Loop variable
+ i,
+ // URL without anti-cache param
+ cacheURL,
+ // Response headers as string
+ responseHeadersString,
+ // timeout handle
+ timeoutTimer,
+
+ // To know if global events are to be dispatched
+ fireGlobals,
+
+ transport,
+ // Response headers
+ responseHeaders,
+ // Create the final options object
+ s = jQuery.ajaxSetup( {}, options ),
+ // Callbacks context
+ callbackContext = s.context || s,
+ // Context for global events is callbackContext if it is a DOM node or jQuery collection
+ globalEventContext = s.context && ( callbackContext.nodeType || callbackContext.jquery ) ?
+ jQuery( callbackContext ) :
+ jQuery.event,
+ // Deferreds
+ deferred = jQuery.Deferred(),
+ completeDeferred = jQuery.Callbacks("once memory"),
+ // Status-dependent callbacks
+ statusCode = s.statusCode || {},
+ // Headers (they are sent all at once)
+ requestHeaders = {},
+ requestHeadersNames = {},
+ // The jqXHR state
+ state = 0,
+ // Default abort message
+ strAbort = "canceled",
+ // Fake xhr
+ jqXHR = {
+ readyState: 0,
+
+ // Builds headers hashtable if needed
+ getResponseHeader: function( key ) {
+ var match;
+ if ( state === 2 ) {
+ if ( !responseHeaders ) {
+ responseHeaders = {};
+ while ( (match = rheaders.exec( responseHeadersString )) ) {
+ responseHeaders[ match[1].toLowerCase() ] = match[ 2 ];
+ }
+ }
+ match = responseHeaders[ key.toLowerCase() ];
+ }
+ return match == null ? null : match;
+ },
+
+ // Raw string
+ getAllResponseHeaders: function() {
+ return state === 2 ? responseHeadersString : null;
+ },
+
+ // Caches the header
+ setRequestHeader: function( name, value ) {
+ var lname = name.toLowerCase();
+ if ( !state ) {
+ name = requestHeadersNames[ lname ] = requestHeadersNames[ lname ] || name;
+ requestHeaders[ name ] = value;
+ }
+ return this;
+ },
+
+ // Overrides response content-type header
+ overrideMimeType: function( type ) {
+ if ( !state ) {
+ s.mimeType = type;
+ }
+ return this;
+ },
+
+ // Status-dependent callbacks
+ statusCode: function( map ) {
+ var code;
+ if ( map ) {
+ if ( state < 2 ) {
+ for ( code in map ) {
+ // Lazy-add the new callback in a way that preserves old ones
+ statusCode[ code ] = [ statusCode[ code ], map[ code ] ];
+ }
+ } else {
+ // Execute the appropriate callbacks
+ jqXHR.always( map[ jqXHR.status ] );
+ }
+ }
+ return this;
+ },
+
+ // Cancel the request
+ abort: function( statusText ) {
+ var finalText = statusText || strAbort;
+ if ( transport ) {
+ transport.abort( finalText );
+ }
+ done( 0, finalText );
+ return this;
+ }
+ };
+
+ // Attach deferreds
+ deferred.promise( jqXHR ).complete = completeDeferred.add;
+ jqXHR.success = jqXHR.done;
+ jqXHR.error = jqXHR.fail;
+
+ // Remove hash character (#7531: and string promotion)
+ // Add protocol if not provided (#5866: IE7 issue with protocol-less urls)
+ // Handle falsy url in the settings object (#10093: consistency with old signature)
+ // We also use the url parameter if available
+ s.url = ( ( url || s.url || ajaxLocation ) + "" ).replace( rhash, "" ).replace( rprotocol, ajaxLocParts[ 1 ] + "//" );
+
+ // Alias method option to type as per ticket #12004
+ s.type = options.method || options.type || s.method || s.type;
+
+ // Extract dataTypes list
+ s.dataTypes = jQuery.trim( s.dataType || "*" ).toLowerCase().match( core_rnotwhite ) || [""];
+
+ // A cross-domain request is in order when we have a protocol:host:port mismatch
+ if ( s.crossDomain == null ) {
+ parts = rurl.exec( s.url.toLowerCase() );
+ s.crossDomain = !!( parts &&
+ ( parts[ 1 ] !== ajaxLocParts[ 1 ] || parts[ 2 ] !== ajaxLocParts[ 2 ] ||
+ ( parts[ 3 ] || ( parts[ 1 ] === "http:" ? "80" : "443" ) ) !==
+ ( ajaxLocParts[ 3 ] || ( ajaxLocParts[ 1 ] === "http:" ? "80" : "443" ) ) )
+ );
+ }
+
+ // Convert data if not already a string
+ if ( s.data && s.processData && typeof s.data !== "string" ) {
+ s.data = jQuery.param( s.data, s.traditional );
+ }
+
+ // Apply prefilters
+ inspectPrefiltersOrTransports( prefilters, s, options, jqXHR );
+
+ // If request was aborted inside a prefilter, stop there
+ if ( state === 2 ) {
+ return jqXHR;
+ }
+
+ // We can fire global events as of now if asked to
+ fireGlobals = s.global;
+
+ // Watch for a new set of requests
+ if ( fireGlobals && jQuery.active++ === 0 ) {
+ jQuery.event.trigger("ajaxStart");
+ }
+
+ // Uppercase the type
+ s.type = s.type.toUpperCase();
+
+ // Determine if request has content
+ s.hasContent = !rnoContent.test( s.type );
+
+ // Save the URL in case we're toying with the If-Modified-Since
+ // and/or If-None-Match header later on
+ cacheURL = s.url;
+
+ // More options handling for requests with no content
+ if ( !s.hasContent ) {
+
+ // If data is available, append data to url
+ if ( s.data ) {
+ cacheURL = ( s.url += ( ajax_rquery.test( cacheURL ) ? "&" : "?" ) + s.data );
+ // #9682: remove data so that it's not used in an eventual retry
+ delete s.data;
+ }
+
+ // Add anti-cache in url if needed
+ if ( s.cache === false ) {
+ s.url = rts.test( cacheURL ) ?
+
+ // If there is already a '_' parameter, set its value
+ cacheURL.replace( rts, "$1_=" + ajax_nonce++ ) :
+
+ // Otherwise add one to the end
+ cacheURL + ( ajax_rquery.test( cacheURL ) ? "&" : "?" ) + "_=" + ajax_nonce++;
+ }
+ }
+
+ // Set the If-Modified-Since and/or If-None-Match header, if in ifModified mode.
+ if ( s.ifModified ) {
+ if ( jQuery.lastModified[ cacheURL ] ) {
+ jqXHR.setRequestHeader( "If-Modified-Since", jQuery.lastModified[ cacheURL ] );
+ }
+ if ( jQuery.etag[ cacheURL ] ) {
+ jqXHR.setRequestHeader( "If-None-Match", jQuery.etag[ cacheURL ] );
+ }
+ }
+
+ // Set the correct header, if data is being sent
+ if ( s.data && s.hasContent && s.contentType !== false || options.contentType ) {
+ jqXHR.setRequestHeader( "Content-Type", s.contentType );
+ }
+
+ // Set the Accepts header for the server, depending on the dataType
+ jqXHR.setRequestHeader(
+ "Accept",
+ s.dataTypes[ 0 ] && s.accepts[ s.dataTypes[0] ] ?
+ s.accepts[ s.dataTypes[0] ] + ( s.dataTypes[ 0 ] !== "*" ? ", " + allTypes + "; q=0.01" : "" ) :
+ s.accepts[ "*" ]
+ );
+
+ // Check for headers option
+ for ( i in s.headers ) {
+ jqXHR.setRequestHeader( i, s.headers[ i ] );
+ }
+
+ // Allow custom headers/mimetypes and early abort
+ if ( s.beforeSend && ( s.beforeSend.call( callbackContext, jqXHR, s ) === false || state === 2 ) ) {
+ // Abort if not done already and return
+ return jqXHR.abort();
+ }
+
+ // aborting is no longer a cancellation
+ strAbort = "abort";
+
+ // Install callbacks on deferreds
+ for ( i in { success: 1, error: 1, complete: 1 } ) {
+ jqXHR[ i ]( s[ i ] );
+ }
+
+ // Get transport
+ transport = inspectPrefiltersOrTransports( transports, s, options, jqXHR );
+
+ // If no transport, we auto-abort
+ if ( !transport ) {
+ done( -1, "No Transport" );
+ } else {
+ jqXHR.readyState = 1;
+
+ // Send global event
+ if ( fireGlobals ) {
+ globalEventContext.trigger( "ajaxSend", [ jqXHR, s ] );
+ }
+ // Timeout
+ if ( s.async && s.timeout > 0 ) {
+ timeoutTimer = setTimeout(function() {
+ jqXHR.abort("timeout");
+ }, s.timeout );
+ }
+
+ try {
+ state = 1;
+ transport.send( requestHeaders, done );
+ } catch ( e ) {
+ // Propagate exception as error if not done
+ if ( state < 2 ) {
+ done( -1, e );
+ // Simply rethrow otherwise
+ } else {
+ throw e;
+ }
+ }
+ }
+
+ // Callback for when everything is done
+ function done( status, nativeStatusText, responses, headers ) {
+ var isSuccess, success, error, response, modified,
+ statusText = nativeStatusText;
+
+ // Called once
+ if ( state === 2 ) {
+ return;
+ }
+
+ // State is "done" now
+ state = 2;
+
+ // Clear timeout if it exists
+ if ( timeoutTimer ) {
+ clearTimeout( timeoutTimer );
+ }
+
+ // Dereference transport for early garbage collection
+ // (no matter how long the jqXHR object will be used)
+ transport = undefined;
+
+ // Cache response headers
+ responseHeadersString = headers || "";
+
+ // Set readyState
+ jqXHR.readyState = status > 0 ? 4 : 0;
+
+ // Determine if successful
+ isSuccess = status >= 200 && status < 300 || status === 304;
+
+ // Get response data
+ if ( responses ) {
+ response = ajaxHandleResponses( s, jqXHR, responses );
+ }
+
+ // Convert no matter what (that way responseXXX fields are always set)
+ response = ajaxConvert( s, response, jqXHR, isSuccess );
+
+ // If successful, handle type chaining
+ if ( isSuccess ) {
+
+ // Set the If-Modified-Since and/or If-None-Match header, if in ifModified mode.
+ if ( s.ifModified ) {
+ modified = jqXHR.getResponseHeader("Last-Modified");
+ if ( modified ) {
+ jQuery.lastModified[ cacheURL ] = modified;
+ }
+ modified = jqXHR.getResponseHeader("etag");
+ if ( modified ) {
+ jQuery.etag[ cacheURL ] = modified;
+ }
+ }
+
+ // if no content
+ if ( status === 204 || s.type === "HEAD" ) {
+ statusText = "nocontent";
+
+ // if not modified
+ } else if ( status === 304 ) {
+ statusText = "notmodified";
+
+ // If we have data, let's convert it
+ } else {
+ statusText = response.state;
+ success = response.data;
+ error = response.error;
+ isSuccess = !error;
+ }
+ } else {
+ // We extract error from statusText
+ // then normalize statusText and status for non-aborts
+ error = statusText;
+ if ( status || !statusText ) {
+ statusText = "error";
+ if ( status < 0 ) {
+ status = 0;
+ }
+ }
+ }
+
+ // Set data for the fake xhr object
+ jqXHR.status = status;
+ jqXHR.statusText = ( nativeStatusText || statusText ) + "";
+
+ // Success/Error
+ if ( isSuccess ) {
+ deferred.resolveWith( callbackContext, [ success, statusText, jqXHR ] );
+ } else {
+ deferred.rejectWith( callbackContext, [ jqXHR, statusText, error ] );
+ }
+
+ // Status-dependent callbacks
+ jqXHR.statusCode( statusCode );
+ statusCode = undefined;
+
+ if ( fireGlobals ) {
+ globalEventContext.trigger( isSuccess ? "ajaxSuccess" : "ajaxError",
+ [ jqXHR, s, isSuccess ? success : error ] );
+ }
+
+ // Complete
+ completeDeferred.fireWith( callbackContext, [ jqXHR, statusText ] );
+
+ if ( fireGlobals ) {
+ globalEventContext.trigger( "ajaxComplete", [ jqXHR, s ] );
+ // Handle the global AJAX counter
+ if ( !( --jQuery.active ) ) {
+ jQuery.event.trigger("ajaxStop");
+ }
+ }
+ }
+
+ return jqXHR;
+ },
+
+ getJSON: function( url, data, callback ) {
+ return jQuery.get( url, data, callback, "json" );
+ },
+
+ getScript: function( url, callback ) {
+ return jQuery.get( url, undefined, callback, "script" );
+ }
+});
+
+jQuery.each( [ "get", "post" ], function( i, method ) {
+ jQuery[ method ] = function( url, data, callback, type ) {
+ // shift arguments if data argument was omitted
+ if ( jQuery.isFunction( data ) ) {
+ type = type || callback;
+ callback = data;
+ data = undefined;
+ }
+
+ return jQuery.ajax({
+ url: url,
+ type: method,
+ dataType: type,
+ data: data,
+ success: callback
+ });
+ };
+});
+
+/* Handles responses to an ajax request:
+ * - finds the right dataType (mediates between content-type and expected dataType)
+ * - returns the corresponding response
+ */
+function ajaxHandleResponses( s, jqXHR, responses ) {
+ var firstDataType, ct, finalDataType, type,
+ contents = s.contents,
+ dataTypes = s.dataTypes;
+
+ // Remove auto dataType and get content-type in the process
+ while( dataTypes[ 0 ] === "*" ) {
+ dataTypes.shift();
+ if ( ct === undefined ) {
+ ct = s.mimeType || jqXHR.getResponseHeader("Content-Type");
+ }
+ }
+
+ // Check if we're dealing with a known content-type
+ if ( ct ) {
+ for ( type in contents ) {
+ if ( contents[ type ] && contents[ type ].test( ct ) ) {
+ dataTypes.unshift( type );
+ break;
+ }
+ }
+ }
+
+ // Check to see if we have a response for the expected dataType
+ if ( dataTypes[ 0 ] in responses ) {
+ finalDataType = dataTypes[ 0 ];
+ } else {
+ // Try convertible dataTypes
+ for ( type in responses ) {
+ if ( !dataTypes[ 0 ] || s.converters[ type + " " + dataTypes[0] ] ) {
+ finalDataType = type;
+ break;
+ }
+ if ( !firstDataType ) {
+ firstDataType = type;
+ }
+ }
+ // Or just use first one
+ finalDataType = finalDataType || firstDataType;
+ }
+
+ // If we found a dataType
+ // We add the dataType to the list if needed
+ // and return the corresponding response
+ if ( finalDataType ) {
+ if ( finalDataType !== dataTypes[ 0 ] ) {
+ dataTypes.unshift( finalDataType );
+ }
+ return responses[ finalDataType ];
+ }
+}
+
+/* Chain conversions given the request and the original response
+ * Also sets the responseXXX fields on the jqXHR instance
+ */
+function ajaxConvert( s, response, jqXHR, isSuccess ) {
+ var conv2, current, conv, tmp, prev,
+ converters = {},
+ // Work with a copy of dataTypes in case we need to modify it for conversion
+ dataTypes = s.dataTypes.slice();
+
+ // Create converters map with lowercased keys
+ if ( dataTypes[ 1 ] ) {
+ for ( conv in s.converters ) {
+ converters[ conv.toLowerCase() ] = s.converters[ conv ];
+ }
+ }
+
+ current = dataTypes.shift();
+
+ // Convert to each sequential dataType
+ while ( current ) {
+
+ if ( s.responseFields[ current ] ) {
+ jqXHR[ s.responseFields[ current ] ] = response;
+ }
+
+ // Apply the dataFilter if provided
+ if ( !prev && isSuccess && s.dataFilter ) {
+ response = s.dataFilter( response, s.dataType );
+ }
+
+ prev = current;
+ current = dataTypes.shift();
+
+ if ( current ) {
+
+ // There's only work to do if current dataType is non-auto
+ if ( current === "*" ) {
+
+ current = prev;
+
+ // Convert response if prev dataType is non-auto and differs from current
+ } else if ( prev !== "*" && prev !== current ) {
+
+ // Seek a direct converter
+ conv = converters[ prev + " " + current ] || converters[ "* " + current ];
+
+ // If none found, seek a pair
+ if ( !conv ) {
+ for ( conv2 in converters ) {
+
+ // If conv2 outputs current
+ tmp = conv2.split( " " );
+ if ( tmp[ 1 ] === current ) {
+
+ // If prev can be converted to accepted input
+ conv = converters[ prev + " " + tmp[ 0 ] ] ||
+ converters[ "* " + tmp[ 0 ] ];
+ if ( conv ) {
+ // Condense equivalence converters
+ if ( conv === true ) {
+ conv = converters[ conv2 ];
+
+ // Otherwise, insert the intermediate dataType
+ } else if ( converters[ conv2 ] !== true ) {
+ current = tmp[ 0 ];
+ dataTypes.unshift( tmp[ 1 ] );
+ }
+ break;
+ }
+ }
+ }
+ }
+
+ // Apply converter (if not an equivalence)
+ if ( conv !== true ) {
+
+ // Unless errors are allowed to bubble, catch and return them
+ if ( conv && s[ "throws" ] ) {
+ response = conv( response );
+ } else {
+ try {
+ response = conv( response );
+ } catch ( e ) {
+ return { state: "parsererror", error: conv ? e : "No conversion from " + prev + " to " + current };
+ }
+ }
+ }
+ }
+ }
+ }
+
+ return { state: "success", data: response };
+}
+// Install script dataType
+jQuery.ajaxSetup({
+ accepts: {
+ script: "text/javascript, application/javascript, application/ecmascript, application/x-ecmascript"
+ },
+ contents: {
+ script: /(?:java|ecma)script/
+ },
+ converters: {
+ "text script": function( text ) {
+ jQuery.globalEval( text );
+ return text;
+ }
+ }
+});
+
+// Handle cache's special case and global
+jQuery.ajaxPrefilter( "script", function( s ) {
+ if ( s.cache === undefined ) {
+ s.cache = false;
+ }
+ if ( s.crossDomain ) {
+ s.type = "GET";
+ s.global = false;
+ }
+});
+
+// Bind script tag hack transport
+jQuery.ajaxTransport( "script", function(s) {
+
+ // This transport only deals with cross domain requests
+ if ( s.crossDomain ) {
+
+ var script,
+ head = document.head || jQuery("head")[0] || document.documentElement;
+
+ return {
+
+ send: function( _, callback ) {
+
+ script = document.createElement("script");
+
+ script.async = true;
+
+ if ( s.scriptCharset ) {
+ script.charset = s.scriptCharset;
+ }
+
+ script.src = s.url;
+
+ // Attach handlers for all browsers
+ script.onload = script.onreadystatechange = function( _, isAbort ) {
+
+ if ( isAbort || !script.readyState || /loaded|complete/.test( script.readyState ) ) {
+
+ // Handle memory leak in IE
+ script.onload = script.onreadystatechange = null;
+
+ // Remove the script
+ if ( script.parentNode ) {
+ script.parentNode.removeChild( script );
+ }
+
+ // Dereference the script
+ script = null;
+
+ // Callback if not abort
+ if ( !isAbort ) {
+ callback( 200, "success" );
+ }
+ }
+ };
+
+ // Circumvent IE6 bugs with base elements (#2709 and #4378) by prepending
+ // Use native DOM manipulation to avoid our domManip AJAX trickery
+ head.insertBefore( script, head.firstChild );
+ },
+
+ abort: function() {
+ if ( script ) {
+ script.onload( undefined, true );
+ }
+ }
+ };
+ }
+});
+var oldCallbacks = [],
+ rjsonp = /(=)\?(?=&|$)|\?\?/;
+
+// Default jsonp settings
+jQuery.ajaxSetup({
+ jsonp: "callback",
+ jsonpCallback: function() {
+ var callback = oldCallbacks.pop() || ( jQuery.expando + "_" + ( ajax_nonce++ ) );
+ this[ callback ] = true;
+ return callback;
+ }
+});
+
+// Detect, normalize options and install callbacks for jsonp requests
+jQuery.ajaxPrefilter( "json jsonp", function( s, originalSettings, jqXHR ) {
+
+ var callbackName, overwritten, responseContainer,
+ jsonProp = s.jsonp !== false && ( rjsonp.test( s.url ) ?
+ "url" :
+ typeof s.data === "string" && !( s.contentType || "" ).indexOf("application/x-www-form-urlencoded") && rjsonp.test( s.data ) && "data"
+ );
+
+ // Handle iff the expected data type is "jsonp" or we have a parameter to set
+ if ( jsonProp || s.dataTypes[ 0 ] === "jsonp" ) {
+
+ // Get callback name, remembering preexisting value associated with it
+ callbackName = s.jsonpCallback = jQuery.isFunction( s.jsonpCallback ) ?
+ s.jsonpCallback() :
+ s.jsonpCallback;
+
+ // Insert callback into url or form data
+ if ( jsonProp ) {
+ s[ jsonProp ] = s[ jsonProp ].replace( rjsonp, "$1" + callbackName );
+ } else if ( s.jsonp !== false ) {
+ s.url += ( ajax_rquery.test( s.url ) ? "&" : "?" ) + s.jsonp + "=" + callbackName;
+ }
+
+ // Use data converter to retrieve json after script execution
+ s.converters["script json"] = function() {
+ if ( !responseContainer ) {
+ jQuery.error( callbackName + " was not called" );
+ }
+ return responseContainer[ 0 ];
+ };
+
+ // force json dataType
+ s.dataTypes[ 0 ] = "json";
+
+ // Install callback
+ overwritten = window[ callbackName ];
+ window[ callbackName ] = function() {
+ responseContainer = arguments;
+ };
+
+ // Clean-up function (fires after converters)
+ jqXHR.always(function() {
+ // Restore preexisting value
+ window[ callbackName ] = overwritten;
+
+ // Save back as free
+ if ( s[ callbackName ] ) {
+ // make sure that re-using the options doesn't screw things around
+ s.jsonpCallback = originalSettings.jsonpCallback;
+
+ // save the callback name for future use
+ oldCallbacks.push( callbackName );
+ }
+
+ // Call if it was a function and we have a response
+ if ( responseContainer && jQuery.isFunction( overwritten ) ) {
+ overwritten( responseContainer[ 0 ] );
+ }
+
+ responseContainer = overwritten = undefined;
+ });
+
+ // Delegate to script
+ return "script";
+ }
+});
+var xhrCallbacks, xhrSupported,
+ xhrId = 0,
+ // #5280: Internet Explorer will keep connections alive if we don't abort on unload
+ xhrOnUnloadAbort = window.ActiveXObject && function() {
+ // Abort all pending requests
+ var key;
+ for ( key in xhrCallbacks ) {
+ xhrCallbacks[ key ]( undefined, true );
+ }
+ };
+
+// Functions to create xhrs
+function createStandardXHR() {
+ try {
+ return new window.XMLHttpRequest();
+ } catch( e ) {}
+}
+
+function createActiveXHR() {
+ try {
+ return new window.ActiveXObject("Microsoft.XMLHTTP");
+ } catch( e ) {}
+}
+
+// Create the request object
+// (This is still attached to ajaxSettings for backward compatibility)
+jQuery.ajaxSettings.xhr = window.ActiveXObject ?
+ /* Microsoft failed to properly
+ * implement the XMLHttpRequest in IE7 (can't request local files),
+ * so we use the ActiveXObject when it is available
+ * Additionally XMLHttpRequest can be disabled in IE7/IE8 so
+ * we need a fallback.
+ */
+ function() {
+ return !this.isLocal && createStandardXHR() || createActiveXHR();
+ } :
+ // For all other browsers, use the standard XMLHttpRequest object
+ createStandardXHR;
+
+// Determine support properties
+xhrSupported = jQuery.ajaxSettings.xhr();
+jQuery.support.cors = !!xhrSupported && ( "withCredentials" in xhrSupported );
+xhrSupported = jQuery.support.ajax = !!xhrSupported;
+
+// Create transport if the browser can provide an xhr
+if ( xhrSupported ) {
+
+ jQuery.ajaxTransport(function( s ) {
+ // Cross domain only allowed if supported through XMLHttpRequest
+ if ( !s.crossDomain || jQuery.support.cors ) {
+
+ var callback;
+
+ return {
+ send: function( headers, complete ) {
+
+ // Get a new xhr
+ var handle, i,
+ xhr = s.xhr();
+
+ // Open the socket
+ // Passing null username, generates a login popup on Opera (#2865)
+ if ( s.username ) {
+ xhr.open( s.type, s.url, s.async, s.username, s.password );
+ } else {
+ xhr.open( s.type, s.url, s.async );
+ }
+
+ // Apply custom fields if provided
+ if ( s.xhrFields ) {
+ for ( i in s.xhrFields ) {
+ xhr[ i ] = s.xhrFields[ i ];
+ }
+ }
+
+ // Override mime type if needed
+ if ( s.mimeType && xhr.overrideMimeType ) {
+ xhr.overrideMimeType( s.mimeType );
+ }
+
+ // X-Requested-With header
+ // For cross-domain requests, seeing as conditions for a preflight are
+ // akin to a jigsaw puzzle, we simply never set it to be sure.
+ // (it can always be set on a per-request basis or even using ajaxSetup)
+ // For same-domain requests, won't change header if already provided.
+ if ( !s.crossDomain && !headers["X-Requested-With"] ) {
+ headers["X-Requested-With"] = "XMLHttpRequest";
+ }
+
+ // Need an extra try/catch for cross domain requests in Firefox 3
+ try {
+ for ( i in headers ) {
+ xhr.setRequestHeader( i, headers[ i ] );
+ }
+ } catch( err ) {}
+
+ // Do send the request
+ // This may raise an exception which is actually
+ // handled in jQuery.ajax (so no try/catch here)
+ xhr.send( ( s.hasContent && s.data ) || null );
+
+ // Listener
+ callback = function( _, isAbort ) {
+ var status, responseHeaders, statusText, responses;
+
+ // Firefox throws exceptions when accessing properties
+ // of an xhr when a network error occurred
+ // http://helpful.knobs-dials.com/index.php/Component_returned_failure_code:_0x80040111_(NS_ERROR_NOT_AVAILABLE)
+ try {
+
+ // Was never called and is aborted or complete
+ if ( callback && ( isAbort || xhr.readyState === 4 ) ) {
+
+ // Only called once
+ callback = undefined;
+
+ // Do not keep as active anymore
+ if ( handle ) {
+ xhr.onreadystatechange = jQuery.noop;
+ if ( xhrOnUnloadAbort ) {
+ delete xhrCallbacks[ handle ];
+ }
+ }
+
+ // If it's an abort
+ if ( isAbort ) {
+ // Abort it manually if needed
+ if ( xhr.readyState !== 4 ) {
+ xhr.abort();
+ }
+ } else {
+ responses = {};
+ status = xhr.status;
+ responseHeaders = xhr.getAllResponseHeaders();
+
+ // When requesting binary data, IE6-9 will throw an exception
+ // on any attempt to access responseText (#11426)
+ if ( typeof xhr.responseText === "string" ) {
+ responses.text = xhr.responseText;
+ }
+
+ // Firefox throws an exception when accessing
+ // statusText for faulty cross-domain requests
+ try {
+ statusText = xhr.statusText;
+ } catch( e ) {
+ // We normalize with Webkit giving an empty statusText
+ statusText = "";
+ }
+
+ // Filter status for non standard behaviors
+
+ // If the request is local and we have data: assume a success
+ // (success with no data won't get notified, that's the best we
+ // can do given current implementations)
+ if ( !status && s.isLocal && !s.crossDomain ) {
+ status = responses.text ? 200 : 404;
+ // IE - #1450: sometimes returns 1223 when it should be 204
+ } else if ( status === 1223 ) {
+ status = 204;
+ }
+ }
+ }
+ } catch( firefoxAccessException ) {
+ if ( !isAbort ) {
+ complete( -1, firefoxAccessException );
+ }
+ }
+
+ // Call complete if needed
+ if ( responses ) {
+ complete( status, statusText, responses, responseHeaders );
+ }
+ };
+
+ if ( !s.async ) {
+ // if we're in sync mode we fire the callback
+ callback();
+ } else if ( xhr.readyState === 4 ) {
+ // (IE6 & IE7) if it's in cache and has been
+ // retrieved directly we need to fire the callback
+ setTimeout( callback );
+ } else {
+ handle = ++xhrId;
+ if ( xhrOnUnloadAbort ) {
+ // Create the active xhrs callbacks list if needed
+ // and attach the unload handler
+ if ( !xhrCallbacks ) {
+ xhrCallbacks = {};
+ jQuery( window ).unload( xhrOnUnloadAbort );
+ }
+ // Add to list of active xhrs callbacks
+ xhrCallbacks[ handle ] = callback;
+ }
+ xhr.onreadystatechange = callback;
+ }
+ },
+
+ abort: function() {
+ if ( callback ) {
+ callback( undefined, true );
+ }
+ }
+ };
+ }
+ });
+}
+var fxNow, timerId,
+ rfxtypes = /^(?:toggle|show|hide)$/,
+ rfxnum = new RegExp( "^(?:([+-])=|)(" + core_pnum + ")([a-z%]*)$", "i" ),
+ rrun = /queueHooks$/,
+ animationPrefilters = [ defaultPrefilter ],
+ tweeners = {
+ "*": [function( prop, value ) {
+ var tween = this.createTween( prop, value ),
+ target = tween.cur(),
+ parts = rfxnum.exec( value ),
+ unit = parts && parts[ 3 ] || ( jQuery.cssNumber[ prop ] ? "" : "px" ),
+
+ // Starting value computation is required for potential unit mismatches
+ start = ( jQuery.cssNumber[ prop ] || unit !== "px" && +target ) &&
+ rfxnum.exec( jQuery.css( tween.elem, prop ) ),
+ scale = 1,
+ maxIterations = 20;
+
+ if ( start && start[ 3 ] !== unit ) {
+ // Trust units reported by jQuery.css
+ unit = unit || start[ 3 ];
+
+ // Make sure we update the tween properties later on
+ parts = parts || [];
+
+ // Iteratively approximate from a nonzero starting point
+ start = +target || 1;
+
+ do {
+ // If previous iteration zeroed out, double until we get *something*
+ // Use a string for doubling factor so we don't accidentally see scale as unchanged below
+ scale = scale || ".5";
+
+ // Adjust and apply
+ start = start / scale;
+ jQuery.style( tween.elem, prop, start + unit );
+
+ // Update scale, tolerating zero or NaN from tween.cur()
+ // And breaking the loop if scale is unchanged or perfect, or if we've just had enough
+ } while ( scale !== (scale = tween.cur() / target) && scale !== 1 && --maxIterations );
+ }
+
+ // Update tween properties
+ if ( parts ) {
+ start = tween.start = +start || +target || 0;
+ tween.unit = unit;
+ // If a +=/-= token was provided, we're doing a relative animation
+ tween.end = parts[ 1 ] ?
+ start + ( parts[ 1 ] + 1 ) * parts[ 2 ] :
+ +parts[ 2 ];
+ }
+
+ return tween;
+ }]
+ };
+
+// Animations created synchronously will run synchronously
+function createFxNow() {
+ setTimeout(function() {
+ fxNow = undefined;
+ });
+ return ( fxNow = jQuery.now() );
+}
+
+function createTween( value, prop, animation ) {
+ var tween,
+ collection = ( tweeners[ prop ] || [] ).concat( tweeners[ "*" ] ),
+ index = 0,
+ length = collection.length;
+ for ( ; index < length; index++ ) {
+ if ( (tween = collection[ index ].call( animation, prop, value )) ) {
+
+ // we're done with this property
+ return tween;
+ }
+ }
+}
+
+function Animation( elem, properties, options ) {
+ var result,
+ stopped,
+ index = 0,
+ length = animationPrefilters.length,
+ deferred = jQuery.Deferred().always( function() {
+ // don't match elem in the :animated selector
+ delete tick.elem;
+ }),
+ tick = function() {
+ if ( stopped ) {
+ return false;
+ }
+ var currentTime = fxNow || createFxNow(),
+ remaining = Math.max( 0, animation.startTime + animation.duration - currentTime ),
+ // archaic crash bug won't allow us to use 1 - ( 0.5 || 0 ) (#12497)
+ temp = remaining / animation.duration || 0,
+ percent = 1 - temp,
+ index = 0,
+ length = animation.tweens.length;
+
+ for ( ; index < length ; index++ ) {
+ animation.tweens[ index ].run( percent );
+ }
+
+ deferred.notifyWith( elem, [ animation, percent, remaining ]);
+
+ if ( percent < 1 && length ) {
+ return remaining;
+ } else {
+ deferred.resolveWith( elem, [ animation ] );
+ return false;
+ }
+ },
+ animation = deferred.promise({
+ elem: elem,
+ props: jQuery.extend( {}, properties ),
+ opts: jQuery.extend( true, { specialEasing: {} }, options ),
+ originalProperties: properties,
+ originalOptions: options,
+ startTime: fxNow || createFxNow(),
+ duration: options.duration,
+ tweens: [],
+ createTween: function( prop, end ) {
+ var tween = jQuery.Tween( elem, animation.opts, prop, end,
+ animation.opts.specialEasing[ prop ] || animation.opts.easing );
+ animation.tweens.push( tween );
+ return tween;
+ },
+ stop: function( gotoEnd ) {
+ var index = 0,
+ // if we are going to the end, we want to run all the tweens
+ // otherwise we skip this part
+ length = gotoEnd ? animation.tweens.length : 0;
+ if ( stopped ) {
+ return this;
+ }
+ stopped = true;
+ for ( ; index < length ; index++ ) {
+ animation.tweens[ index ].run( 1 );
+ }
+
+ // resolve when we played the last frame
+ // otherwise, reject
+ if ( gotoEnd ) {
+ deferred.resolveWith( elem, [ animation, gotoEnd ] );
+ } else {
+ deferred.rejectWith( elem, [ animation, gotoEnd ] );
+ }
+ return this;
+ }
+ }),
+ props = animation.props;
+
+ propFilter( props, animation.opts.specialEasing );
+
+ for ( ; index < length ; index++ ) {
+ result = animationPrefilters[ index ].call( animation, elem, props, animation.opts );
+ if ( result ) {
+ return result;
+ }
+ }
+
+ jQuery.map( props, createTween, animation );
+
+ if ( jQuery.isFunction( animation.opts.start ) ) {
+ animation.opts.start.call( elem, animation );
+ }
+
+ jQuery.fx.timer(
+ jQuery.extend( tick, {
+ elem: elem,
+ anim: animation,
+ queue: animation.opts.queue
+ })
+ );
+
+ // attach callbacks from options
+ return animation.progress( animation.opts.progress )
+ .done( animation.opts.done, animation.opts.complete )
+ .fail( animation.opts.fail )
+ .always( animation.opts.always );
+}
+
+function propFilter( props, specialEasing ) {
+ var index, name, easing, value, hooks;
+
+ // camelCase, specialEasing and expand cssHook pass
+ for ( index in props ) {
+ name = jQuery.camelCase( index );
+ easing = specialEasing[ name ];
+ value = props[ index ];
+ if ( jQuery.isArray( value ) ) {
+ easing = value[ 1 ];
+ value = props[ index ] = value[ 0 ];
+ }
+
+ if ( index !== name ) {
+ props[ name ] = value;
+ delete props[ index ];
+ }
+
+ hooks = jQuery.cssHooks[ name ];
+ if ( hooks && "expand" in hooks ) {
+ value = hooks.expand( value );
+ delete props[ name ];
+
+ // not quite $.extend, this wont overwrite keys already present.
+ // also - reusing 'index' from above because we have the correct "name"
+ for ( index in value ) {
+ if ( !( index in props ) ) {
+ props[ index ] = value[ index ];
+ specialEasing[ index ] = easing;
+ }
+ }
+ } else {
+ specialEasing[ name ] = easing;
+ }
+ }
+}
+
+jQuery.Animation = jQuery.extend( Animation, {
+
+ tweener: function( props, callback ) {
+ if ( jQuery.isFunction( props ) ) {
+ callback = props;
+ props = [ "*" ];
+ } else {
+ props = props.split(" ");
+ }
+
+ var prop,
+ index = 0,
+ length = props.length;
+
+ for ( ; index < length ; index++ ) {
+ prop = props[ index ];
+ tweeners[ prop ] = tweeners[ prop ] || [];
+ tweeners[ prop ].unshift( callback );
+ }
+ },
+
+ prefilter: function( callback, prepend ) {
+ if ( prepend ) {
+ animationPrefilters.unshift( callback );
+ } else {
+ animationPrefilters.push( callback );
+ }
+ }
+});
+
+function defaultPrefilter( elem, props, opts ) {
+ /* jshint validthis: true */
+ var prop, value, toggle, tween, hooks, oldfire,
+ anim = this,
+ orig = {},
+ style = elem.style,
+ hidden = elem.nodeType && isHidden( elem ),
+ dataShow = jQuery._data( elem, "fxshow" );
+
+ // handle queue: false promises
+ if ( !opts.queue ) {
+ hooks = jQuery._queueHooks( elem, "fx" );
+ if ( hooks.unqueued == null ) {
+ hooks.unqueued = 0;
+ oldfire = hooks.empty.fire;
+ hooks.empty.fire = function() {
+ if ( !hooks.unqueued ) {
+ oldfire();
+ }
+ };
+ }
+ hooks.unqueued++;
+
+ anim.always(function() {
+ // doing this makes sure that the complete handler will be called
+ // before this completes
+ anim.always(function() {
+ hooks.unqueued--;
+ if ( !jQuery.queue( elem, "fx" ).length ) {
+ hooks.empty.fire();
+ }
+ });
+ });
+ }
+
+ // height/width overflow pass
+ if ( elem.nodeType === 1 && ( "height" in props || "width" in props ) ) {
+ // Make sure that nothing sneaks out
+ // Record all 3 overflow attributes because IE does not
+ // change the overflow attribute when overflowX and
+ // overflowY are set to the same value
+ opts.overflow = [ style.overflow, style.overflowX, style.overflowY ];
+
+ // Set display property to inline-block for height/width
+ // animations on inline elements that are having width/height animated
+ if ( jQuery.css( elem, "display" ) === "inline" &&
+ jQuery.css( elem, "float" ) === "none" ) {
+
+ // inline-level elements accept inline-block;
+ // block-level elements need to be inline with layout
+ if ( !jQuery.support.inlineBlockNeedsLayout || css_defaultDisplay( elem.nodeName ) === "inline" ) {
+ style.display = "inline-block";
+
+ } else {
+ style.zoom = 1;
+ }
+ }
+ }
+
+ if ( opts.overflow ) {
+ style.overflow = "hidden";
+ if ( !jQuery.support.shrinkWrapBlocks ) {
+ anim.always(function() {
+ style.overflow = opts.overflow[ 0 ];
+ style.overflowX = opts.overflow[ 1 ];
+ style.overflowY = opts.overflow[ 2 ];
+ });
+ }
+ }
+
+
+ // show/hide pass
+ for ( prop in props ) {
+ value = props[ prop ];
+ if ( rfxtypes.exec( value ) ) {
+ delete props[ prop ];
+ toggle = toggle || value === "toggle";
+ if ( value === ( hidden ? "hide" : "show" ) ) {
+ continue;
+ }
+ orig[ prop ] = dataShow && dataShow[ prop ] || jQuery.style( elem, prop );
+ }
+ }
+
+ if ( !jQuery.isEmptyObject( orig ) ) {
+ if ( dataShow ) {
+ if ( "hidden" in dataShow ) {
+ hidden = dataShow.hidden;
+ }
+ } else {
+ dataShow = jQuery._data( elem, "fxshow", {} );
+ }
+
+ // store state if its toggle - enables .stop().toggle() to "reverse"
+ if ( toggle ) {
+ dataShow.hidden = !hidden;
+ }
+ if ( hidden ) {
+ jQuery( elem ).show();
+ } else {
+ anim.done(function() {
+ jQuery( elem ).hide();
+ });
+ }
+ anim.done(function() {
+ var prop;
+ jQuery._removeData( elem, "fxshow" );
+ for ( prop in orig ) {
+ jQuery.style( elem, prop, orig[ prop ] );
+ }
+ });
+ for ( prop in orig ) {
+ tween = createTween( hidden ? dataShow[ prop ] : 0, prop, anim );
+
+ if ( !( prop in dataShow ) ) {
+ dataShow[ prop ] = tween.start;
+ if ( hidden ) {
+ tween.end = tween.start;
+ tween.start = prop === "width" || prop === "height" ? 1 : 0;
+ }
+ }
+ }
+ }
+}
+
+function Tween( elem, options, prop, end, easing ) {
+ return new Tween.prototype.init( elem, options, prop, end, easing );
+}
+jQuery.Tween = Tween;
+
+Tween.prototype = {
+ constructor: Tween,
+ init: function( elem, options, prop, end, easing, unit ) {
+ this.elem = elem;
+ this.prop = prop;
+ this.easing = easing || "swing";
+ this.options = options;
+ this.start = this.now = this.cur();
+ this.end = end;
+ this.unit = unit || ( jQuery.cssNumber[ prop ] ? "" : "px" );
+ },
+ cur: function() {
+ var hooks = Tween.propHooks[ this.prop ];
+
+ return hooks && hooks.get ?
+ hooks.get( this ) :
+ Tween.propHooks._default.get( this );
+ },
+ run: function( percent ) {
+ var eased,
+ hooks = Tween.propHooks[ this.prop ];
+
+ if ( this.options.duration ) {
+ this.pos = eased = jQuery.easing[ this.easing ](
+ percent, this.options.duration * percent, 0, 1, this.options.duration
+ );
+ } else {
+ this.pos = eased = percent;
+ }
+ this.now = ( this.end - this.start ) * eased + this.start;
+
+ if ( this.options.step ) {
+ this.options.step.call( this.elem, this.now, this );
+ }
+
+ if ( hooks && hooks.set ) {
+ hooks.set( this );
+ } else {
+ Tween.propHooks._default.set( this );
+ }
+ return this;
+ }
+};
+
+Tween.prototype.init.prototype = Tween.prototype;
+
+Tween.propHooks = {
+ _default: {
+ get: function( tween ) {
+ var result;
+
+ if ( tween.elem[ tween.prop ] != null &&
+ (!tween.elem.style || tween.elem.style[ tween.prop ] == null) ) {
+ return tween.elem[ tween.prop ];
+ }
+
+ // passing an empty string as a 3rd parameter to .css will automatically
+ // attempt a parseFloat and fallback to a string if the parse fails
+ // so, simple values such as "10px" are parsed to Float.
+ // complex values such as "rotate(1rad)" are returned as is.
+ result = jQuery.css( tween.elem, tween.prop, "" );
+ // Empty strings, null, undefined and "auto" are converted to 0.
+ return !result || result === "auto" ? 0 : result;
+ },
+ set: function( tween ) {
+ // use step hook for back compat - use cssHook if its there - use .style if its
+ // available and use plain properties where available
+ if ( jQuery.fx.step[ tween.prop ] ) {
+ jQuery.fx.step[ tween.prop ]( tween );
+ } else if ( tween.elem.style && ( tween.elem.style[ jQuery.cssProps[ tween.prop ] ] != null || jQuery.cssHooks[ tween.prop ] ) ) {
+ jQuery.style( tween.elem, tween.prop, tween.now + tween.unit );
+ } else {
+ tween.elem[ tween.prop ] = tween.now;
+ }
+ }
+ }
+};
+
+// Support: IE <=9
+// Panic based approach to setting things on disconnected nodes
+
+Tween.propHooks.scrollTop = Tween.propHooks.scrollLeft = {
+ set: function( tween ) {
+ if ( tween.elem.nodeType && tween.elem.parentNode ) {
+ tween.elem[ tween.prop ] = tween.now;
+ }
+ }
+};
+
+jQuery.each([ "toggle", "show", "hide" ], function( i, name ) {
+ var cssFn = jQuery.fn[ name ];
+ jQuery.fn[ name ] = function( speed, easing, callback ) {
+ return speed == null || typeof speed === "boolean" ?
+ cssFn.apply( this, arguments ) :
+ this.animate( genFx( name, true ), speed, easing, callback );
+ };
+});
+
+jQuery.fn.extend({
+ fadeTo: function( speed, to, easing, callback ) {
+
+ // show any hidden elements after setting opacity to 0
+ return this.filter( isHidden ).css( "opacity", 0 ).show()
+
+ // animate to the value specified
+ .end().animate({ opacity: to }, speed, easing, callback );
+ },
+ animate: function( prop, speed, easing, callback ) {
+ var empty = jQuery.isEmptyObject( prop ),
+ optall = jQuery.speed( speed, easing, callback ),
+ doAnimation = function() {
+ // Operate on a copy of prop so per-property easing won't be lost
+ var anim = Animation( this, jQuery.extend( {}, prop ), optall );
+
+ // Empty animations, or finishing resolves immediately
+ if ( empty || jQuery._data( this, "finish" ) ) {
+ anim.stop( true );
+ }
+ };
+ doAnimation.finish = doAnimation;
+
+ return empty || optall.queue === false ?
+ this.each( doAnimation ) :
+ this.queue( optall.queue, doAnimation );
+ },
+ stop: function( type, clearQueue, gotoEnd ) {
+ var stopQueue = function( hooks ) {
+ var stop = hooks.stop;
+ delete hooks.stop;
+ stop( gotoEnd );
+ };
+
+ if ( typeof type !== "string" ) {
+ gotoEnd = clearQueue;
+ clearQueue = type;
+ type = undefined;
+ }
+ if ( clearQueue && type !== false ) {
+ this.queue( type || "fx", [] );
+ }
+
+ return this.each(function() {
+ var dequeue = true,
+ index = type != null && type + "queueHooks",
+ timers = jQuery.timers,
+ data = jQuery._data( this );
+
+ if ( index ) {
+ if ( data[ index ] && data[ index ].stop ) {
+ stopQueue( data[ index ] );
+ }
+ } else {
+ for ( index in data ) {
+ if ( data[ index ] && data[ index ].stop && rrun.test( index ) ) {
+ stopQueue( data[ index ] );
+ }
+ }
+ }
+
+ for ( index = timers.length; index--; ) {
+ if ( timers[ index ].elem === this && (type == null || timers[ index ].queue === type) ) {
+ timers[ index ].anim.stop( gotoEnd );
+ dequeue = false;
+ timers.splice( index, 1 );
+ }
+ }
+
+ // start the next in the queue if the last step wasn't forced
+ // timers currently will call their complete callbacks, which will dequeue
+ // but only if they were gotoEnd
+ if ( dequeue || !gotoEnd ) {
+ jQuery.dequeue( this, type );
+ }
+ });
+ },
+ finish: function( type ) {
+ if ( type !== false ) {
+ type = type || "fx";
+ }
+ return this.each(function() {
+ var index,
+ data = jQuery._data( this ),
+ queue = data[ type + "queue" ],
+ hooks = data[ type + "queueHooks" ],
+ timers = jQuery.timers,
+ length = queue ? queue.length : 0;
+
+ // enable finishing flag on private data
+ data.finish = true;
+
+ // empty the queue first
+ jQuery.queue( this, type, [] );
+
+ if ( hooks && hooks.stop ) {
+ hooks.stop.call( this, true );
+ }
+
+ // look for any active animations, and finish them
+ for ( index = timers.length; index--; ) {
+ if ( timers[ index ].elem === this && timers[ index ].queue === type ) {
+ timers[ index ].anim.stop( true );
+ timers.splice( index, 1 );
+ }
+ }
+
+ // look for any animations in the old queue and finish them
+ for ( index = 0; index < length; index++ ) {
+ if ( queue[ index ] && queue[ index ].finish ) {
+ queue[ index ].finish.call( this );
+ }
+ }
+
+ // turn off finishing flag
+ delete data.finish;
+ });
+ }
+});
+
+// Generate parameters to create a standard animation
+function genFx( type, includeWidth ) {
+ var which,
+ attrs = { height: type },
+ i = 0;
+
+ // if we include width, step value is 1 to do all cssExpand values,
+ // if we don't include width, step value is 2 to skip over Left and Right
+ includeWidth = includeWidth? 1 : 0;
+ for( ; i < 4 ; i += 2 - includeWidth ) {
+ which = cssExpand[ i ];
+ attrs[ "margin" + which ] = attrs[ "padding" + which ] = type;
+ }
+
+ if ( includeWidth ) {
+ attrs.opacity = attrs.width = type;
+ }
+
+ return attrs;
+}
+
+// Generate shortcuts for custom animations
+jQuery.each({
+ slideDown: genFx("show"),
+ slideUp: genFx("hide"),
+ slideToggle: genFx("toggle"),
+ fadeIn: { opacity: "show" },
+ fadeOut: { opacity: "hide" },
+ fadeToggle: { opacity: "toggle" }
+}, function( name, props ) {
+ jQuery.fn[ name ] = function( speed, easing, callback ) {
+ return this.animate( props, speed, easing, callback );
+ };
+});
+
+jQuery.speed = function( speed, easing, fn ) {
+ var opt = speed && typeof speed === "object" ? jQuery.extend( {}, speed ) : {
+ complete: fn || !fn && easing ||
+ jQuery.isFunction( speed ) && speed,
+ duration: speed,
+ easing: fn && easing || easing && !jQuery.isFunction( easing ) && easing
+ };
+
+ opt.duration = jQuery.fx.off ? 0 : typeof opt.duration === "number" ? opt.duration :
+ opt.duration in jQuery.fx.speeds ? jQuery.fx.speeds[ opt.duration ] : jQuery.fx.speeds._default;
+
+ // normalize opt.queue - true/undefined/null -> "fx"
+ if ( opt.queue == null || opt.queue === true ) {
+ opt.queue = "fx";
+ }
+
+ // Queueing
+ opt.old = opt.complete;
+
+ opt.complete = function() {
+ if ( jQuery.isFunction( opt.old ) ) {
+ opt.old.call( this );
+ }
+
+ if ( opt.queue ) {
+ jQuery.dequeue( this, opt.queue );
+ }
+ };
+
+ return opt;
+};
+
+jQuery.easing = {
+ linear: function( p ) {
+ return p;
+ },
+ swing: function( p ) {
+ return 0.5 - Math.cos( p*Math.PI ) / 2;
+ }
+};
+
+jQuery.timers = [];
+jQuery.fx = Tween.prototype.init;
+jQuery.fx.tick = function() {
+ var timer,
+ timers = jQuery.timers,
+ i = 0;
+
+ fxNow = jQuery.now();
+
+ for ( ; i < timers.length; i++ ) {
+ timer = timers[ i ];
+ // Checks the timer has not already been removed
+ if ( !timer() && timers[ i ] === timer ) {
+ timers.splice( i--, 1 );
+ }
+ }
+
+ if ( !timers.length ) {
+ jQuery.fx.stop();
+ }
+ fxNow = undefined;
+};
+
+jQuery.fx.timer = function( timer ) {
+ if ( timer() && jQuery.timers.push( timer ) ) {
+ jQuery.fx.start();
+ }
+};
+
+jQuery.fx.interval = 13;
+
+jQuery.fx.start = function() {
+ if ( !timerId ) {
+ timerId = setInterval( jQuery.fx.tick, jQuery.fx.interval );
+ }
+};
+
+jQuery.fx.stop = function() {
+ clearInterval( timerId );
+ timerId = null;
+};
+
+jQuery.fx.speeds = {
+ slow: 600,
+ fast: 200,
+ // Default speed
+ _default: 400
+};
+
+// Back Compat <1.8 extension point
+jQuery.fx.step = {};
+
+if ( jQuery.expr && jQuery.expr.filters ) {
+ jQuery.expr.filters.animated = function( elem ) {
+ return jQuery.grep(jQuery.timers, function( fn ) {
+ return elem === fn.elem;
+ }).length;
+ };
+}
+jQuery.fn.offset = function( options ) {
+ if ( arguments.length ) {
+ return options === undefined ?
+ this :
+ this.each(function( i ) {
+ jQuery.offset.setOffset( this, options, i );
+ });
+ }
+
+ var docElem, win,
+ box = { top: 0, left: 0 },
+ elem = this[ 0 ],
+ doc = elem && elem.ownerDocument;
+
+ if ( !doc ) {
+ return;
+ }
+
+ docElem = doc.documentElement;
+
+ // Make sure it's not a disconnected DOM node
+ if ( !jQuery.contains( docElem, elem ) ) {
+ return box;
+ }
+
+ // If we don't have gBCR, just use 0,0 rather than error
+ // BlackBerry 5, iOS 3 (original iPhone)
+ if ( typeof elem.getBoundingClientRect !== core_strundefined ) {
+ box = elem.getBoundingClientRect();
+ }
+ win = getWindow( doc );
+ return {
+ top: box.top + ( win.pageYOffset || docElem.scrollTop ) - ( docElem.clientTop || 0 ),
+ left: box.left + ( win.pageXOffset || docElem.scrollLeft ) - ( docElem.clientLeft || 0 )
+ };
+};
+
+jQuery.offset = {
+
+ setOffset: function( elem, options, i ) {
+ var position = jQuery.css( elem, "position" );
+
+ // set position first, in-case top/left are set even on static elem
+ if ( position === "static" ) {
+ elem.style.position = "relative";
+ }
+
+ var curElem = jQuery( elem ),
+ curOffset = curElem.offset(),
+ curCSSTop = jQuery.css( elem, "top" ),
+ curCSSLeft = jQuery.css( elem, "left" ),
+ calculatePosition = ( position === "absolute" || position === "fixed" ) && jQuery.inArray("auto", [curCSSTop, curCSSLeft]) > -1,
+ props = {}, curPosition = {}, curTop, curLeft;
+
+ // need to be able to calculate position if either top or left is auto and position is either absolute or fixed
+ if ( calculatePosition ) {
+ curPosition = curElem.position();
+ curTop = curPosition.top;
+ curLeft = curPosition.left;
+ } else {
+ curTop = parseFloat( curCSSTop ) || 0;
+ curLeft = parseFloat( curCSSLeft ) || 0;
+ }
+
+ if ( jQuery.isFunction( options ) ) {
+ options = options.call( elem, i, curOffset );
+ }
+
+ if ( options.top != null ) {
+ props.top = ( options.top - curOffset.top ) + curTop;
+ }
+ if ( options.left != null ) {
+ props.left = ( options.left - curOffset.left ) + curLeft;
+ }
+
+ if ( "using" in options ) {
+ options.using.call( elem, props );
+ } else {
+ curElem.css( props );
+ }
+ }
+};
+
+
+jQuery.fn.extend({
+
+ position: function() {
+ if ( !this[ 0 ] ) {
+ return;
+ }
+
+ var offsetParent, offset,
+ parentOffset = { top: 0, left: 0 },
+ elem = this[ 0 ];
+
+ // fixed elements are offset from window (parentOffset = {top:0, left: 0}, because it is it's only offset parent
+ if ( jQuery.css( elem, "position" ) === "fixed" ) {
+ // we assume that getBoundingClientRect is available when computed position is fixed
+ offset = elem.getBoundingClientRect();
+ } else {
+ // Get *real* offsetParent
+ offsetParent = this.offsetParent();
+
+ // Get correct offsets
+ offset = this.offset();
+ if ( !jQuery.nodeName( offsetParent[ 0 ], "html" ) ) {
+ parentOffset = offsetParent.offset();
+ }
+
+ // Add offsetParent borders
+ parentOffset.top += jQuery.css( offsetParent[ 0 ], "borderTopWidth", true );
+ parentOffset.left += jQuery.css( offsetParent[ 0 ], "borderLeftWidth", true );
+ }
+
+ // Subtract parent offsets and element margins
+ // note: when an element has margin: auto the offsetLeft and marginLeft
+ // are the same in Safari causing offset.left to incorrectly be 0
+ return {
+ top: offset.top - parentOffset.top - jQuery.css( elem, "marginTop", true ),
+ left: offset.left - parentOffset.left - jQuery.css( elem, "marginLeft", true)
+ };
+ },
+
+ offsetParent: function() {
+ return this.map(function() {
+ var offsetParent = this.offsetParent || docElem;
+ while ( offsetParent && ( !jQuery.nodeName( offsetParent, "html" ) && jQuery.css( offsetParent, "position") === "static" ) ) {
+ offsetParent = offsetParent.offsetParent;
+ }
+ return offsetParent || docElem;
+ });
+ }
+});
+
+
+// Create scrollLeft and scrollTop methods
+jQuery.each( {scrollLeft: "pageXOffset", scrollTop: "pageYOffset"}, function( method, prop ) {
+ var top = /Y/.test( prop );
+
+ jQuery.fn[ method ] = function( val ) {
+ return jQuery.access( this, function( elem, method, val ) {
+ var win = getWindow( elem );
+
+ if ( val === undefined ) {
+ return win ? (prop in win) ? win[ prop ] :
+ win.document.documentElement[ method ] :
+ elem[ method ];
+ }
+
+ if ( win ) {
+ win.scrollTo(
+ !top ? val : jQuery( win ).scrollLeft(),
+ top ? val : jQuery( win ).scrollTop()
+ );
+
+ } else {
+ elem[ method ] = val;
+ }
+ }, method, val, arguments.length, null );
+ };
+});
+
+function getWindow( elem ) {
+ return jQuery.isWindow( elem ) ?
+ elem :
+ elem.nodeType === 9 ?
+ elem.defaultView || elem.parentWindow :
+ false;
+}
+// Create innerHeight, innerWidth, height, width, outerHeight and outerWidth methods
+jQuery.each( { Height: "height", Width: "width" }, function( name, type ) {
+ jQuery.each( { padding: "inner" + name, content: type, "": "outer" + name }, function( defaultExtra, funcName ) {
+ // margin is only for outerHeight, outerWidth
+ jQuery.fn[ funcName ] = function( margin, value ) {
+ var chainable = arguments.length && ( defaultExtra || typeof margin !== "boolean" ),
+ extra = defaultExtra || ( margin === true || value === true ? "margin" : "border" );
+
+ return jQuery.access( this, function( elem, type, value ) {
+ var doc;
+
+ if ( jQuery.isWindow( elem ) ) {
+ // As of 5/8/2012 this will yield incorrect results for Mobile Safari, but there
+ // isn't a whole lot we can do. See pull request at this URL for discussion:
+ // https://github.com/jquery/jquery/pull/764
+ return elem.document.documentElement[ "client" + name ];
+ }
+
+ // Get document width or height
+ if ( elem.nodeType === 9 ) {
+ doc = elem.documentElement;
+
+ // Either scroll[Width/Height] or offset[Width/Height] or client[Width/Height], whichever is greatest
+ // unfortunately, this causes bug #3838 in IE6/8 only, but there is currently no good, small way to fix it.
+ return Math.max(
+ elem.body[ "scroll" + name ], doc[ "scroll" + name ],
+ elem.body[ "offset" + name ], doc[ "offset" + name ],
+ doc[ "client" + name ]
+ );
+ }
+
+ return value === undefined ?
+ // Get width or height on the element, requesting but not forcing parseFloat
+ jQuery.css( elem, type, extra ) :
+
+ // Set width or height on the element
+ jQuery.style( elem, type, value, extra );
+ }, type, chainable ? margin : undefined, chainable, null );
+ };
+ });
+});
+// Limit scope pollution from any deprecated API
+// (function() {
+
+// The number of elements contained in the matched element set
+jQuery.fn.size = function() {
+ return this.length;
+};
+
+jQuery.fn.andSelf = jQuery.fn.addBack;
+
+// })();
+if ( typeof module === "object" && module && typeof module.exports === "object" ) {
+ // Expose jQuery as module.exports in loaders that implement the Node
+ // module pattern (including browserify). Do not create the global, since
+ // the user will be storing it themselves locally, and globals are frowned
+ // upon in the Node module world.
+ module.exports = jQuery;
+} else {
+ // Otherwise expose jQuery to the global object as usual
+ window.jQuery = window.$ = jQuery;
+
+ // Register as a named AMD module, since jQuery can be concatenated with other
+ // files that may use define, but not via a proper concatenation script that
+ // understands anonymous AMD modules. A named AMD is safest and most robust
+ // way to register. Lowercase jquery is used because AMD module names are
+ // derived from file names, and jQuery is normally delivered in a lowercase
+ // file name. Do this after creating the global so that if an AMD module wants
+ // to call noConflict to hide this version of jQuery, it will work.
+ if ( typeof define === "function" && define.amd ) {
+ define( "jquery", [], function () { return jQuery; } );
+ }
+}
+
+})( window );
\ No newline at end of file
diff --git a/Chapter02/light-bootstrap-dashboard/assets/js/light-bootstrap-dashboard.js b/Chapter02/light-bootstrap-dashboard/assets/js/light-bootstrap-dashboard.js
new file mode 100644
index 0000000..9d37f60
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/js/light-bootstrap-dashboard.js
@@ -0,0 +1,182 @@
+/*!
+
+ =========================================================
+ * Light Bootstrap Dashboard - v1.3.1.0
+ =========================================================
+
+ * Product Page: http://www.creative-tim.com/product/light-bootstrap-dashboard
+ * Copyright 2017 Creative Tim (http://www.creative-tim.com)
+ * Licensed under MIT (https://github.com/creativetimofficial/light-bootstrap-dashboard/blob/master/LICENSE.md)
+
+ =========================================================
+
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+ */
+
+var searchVisible = 0;
+var transparent = true;
+
+var transparentDemo = true;
+var fixedTop = false;
+
+var navbar_initialized = false;
+
+$(document).ready(function(){
+ window_width = $(window).width();
+
+ // check if there is an image set for the sidebar's background
+ lbd.checkSidebarImage();
+
+ // Init navigation toggle for small screens
+ if(window_width <= 991){
+ lbd.initRightMenu();
+ }
+
+ // Activate the tooltips
+ $('[rel="tooltip"]').tooltip();
+
+ // Activate the switches with icons
+ if($('.switch').length != 0){
+ $('.switch')['bootstrapSwitch']();
+ }
+ // Activate regular switches
+ if($("[data-toggle='switch']").length != 0){
+ $("[data-toggle='switch']").wrap('
').parent().bootstrapSwitch();
+ }
+
+ $('.form-control').on("focus", function(){
+ $(this).parent('.input-group').addClass("input-group-focus");
+ }).on("blur", function(){
+ $(this).parent(".input-group").removeClass("input-group-focus");
+ });
+
+ // Fixes sub-nav not working as expected on IOS
+$('body').on('touchstart.dropdown', '.dropdown-menu', function (e) { e.stopPropagation(); });
+});
+
+// activate collapse right menu when the windows is resized
+$(window).resize(function(){
+ if($(window).width() <= 991){
+ lbd.initRightMenu();
+ }
+});
+
+lbd = {
+ misc:{
+ navbar_menu_visible: 0
+ },
+
+ checkSidebarImage: function(){
+ $sidebar = $('.sidebar');
+ image_src = $sidebar.data('image');
+
+ if(image_src !== undefined){
+ sidebar_container = ''
+ $sidebar.append(sidebar_container);
+ }
+ },
+ initRightMenu: function(){
+ if(!navbar_initialized){
+ $navbar = $('nav').find('.navbar-collapse').first().clone(true);
+
+ $sidebar = $('.sidebar');
+ sidebar_color = $sidebar.data('color');
+
+ $logo = $sidebar.find('.logo').first();
+ logo_content = $logo[0].outerHTML;
+
+ ul_content = '';
+
+ $navbar.attr('data-color',sidebar_color);
+
+ //add the content from the regular header to the right menu
+ $navbar.children('ul').each(function(){
+ content_buff = $(this).html();
+ ul_content = ul_content + content_buff;
+ });
+
+ // add the content from the sidebar to the right menu
+ content_buff = $sidebar.find('.nav').html();
+ ul_content = ul_content + content_buff;
+
+
+ ul_content = '';
+
+ navbar_content = logo_content + ul_content;
+
+ $navbar.html(navbar_content);
+
+ $('body').append($navbar);
+
+ background_image = $sidebar.data('image');
+ if(background_image != undefined){
+ $navbar.css('background',"url('" + background_image + "')")
+ .removeAttr('data-nav-image')
+ .addClass('has-image');
+ }
+
+
+ $toggle = $('.navbar-toggle');
+
+ $navbar.find('a').removeClass('btn btn-round btn-default');
+ $navbar.find('button').removeClass('btn-round btn-fill btn-info btn-primary btn-success btn-danger btn-warning btn-neutral');
+ $navbar.find('button').addClass('btn-simple btn-block');
+
+ $toggle.click(function (){
+ if(lbd.misc.navbar_menu_visible == 1) {
+ $('html').removeClass('nav-open');
+ lbd.misc.navbar_menu_visible = 0;
+ $('#bodyClick').remove();
+ setTimeout(function(){
+ $toggle.removeClass('toggled');
+ }, 400);
+
+ } else {
+ setTimeout(function(){
+ $toggle.addClass('toggled');
+ }, 430);
+
+ div = '
';
+ $(div).appendTo("body").click(function() {
+ $('html').removeClass('nav-open');
+ lbd.misc.navbar_menu_visible = 0;
+ $('#bodyClick').remove();
+ setTimeout(function(){
+ $toggle.removeClass('toggled');
+ }, 400);
+ });
+
+ $('html').addClass('nav-open');
+ lbd.misc.navbar_menu_visible = 1;
+
+ }
+ });
+ navbar_initialized = true;
+ }
+
+ }
+}
+
+
+// Returns a function, that, as long as it continues to be invoked, will not
+// be triggered. The function will be called after it stops being called for
+// N milliseconds. If `immediate` is passed, trigger the function on the
+// leading edge, instead of the trailing.
+
+function debounce(func, wait, immediate) {
+ var timeout;
+ return function() {
+ var context = this, args = arguments;
+ clearTimeout(timeout);
+ timeout = setTimeout(function() {
+ timeout = null;
+ if (!immediate) func.apply(context, args);
+ }, wait);
+ if (immediate && !timeout) func.apply(context, args);
+ };
+};
\ No newline at end of file
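Review bot: In `debounce` at the end of this file the `immediate` option can never fire: `timeout` is assigned by `setTimeout` before the `if (immediate && !timeout)` check, so `!timeout` is always false on that line. Because the timer callback also skips `func` when `immediate` is set, a function debounced with `immediate` true is never called at all. Capture the state before the timer is reset, with `var callNow = immediate && !timeout;` ahead of `clearTimeout(timeout);`, and end with `if (callNow) func.apply(context, args);`. Separately, `lbd`, `window_width`, `$sidebar`, `$navbar` and the other names assigned without `var` become implicit globals and would throw under strict mode; declaring them with `var` keeps them from colliding with other scripts on the page.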
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_alerts.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_alerts.scss
new file mode 100644
index 0000000..3fbc267
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_alerts.scss
@@ -0,0 +1,82 @@
+.alert{
+ border: 0;
+ border-radius: 0;
+ color: #FFFFFF;
+ padding: 10px 15px;
+ font-size: 14px;
+
+ .container &{
+ border-radius: 4px;
+
+ }
+ .navbar &{
+ border-radius: 0;
+ left: 0;
+ position: absolute;
+ right: 0;
+ top: 85px;
+ width: 100%;
+ z-index: 3;
+ }
+ .navbar:not(.navbar-transparent) &{
+ top: 70px;
+ }
+
+ span[data-notify="icon"]{
+ font-size: 30px;
+ display: block;
+ left: 15px;
+ position: absolute;
+ top: 50%;
+ margin-top: -15px;
+ }
+
+ button.close{
+ position: absolute;
+ right: 10px;
+ top: 50%;
+ margin-top: -13px;
+ z-index: 1033;
+ background-color: #FFFFFF;
+ display: block;
+ border-radius: 50%;
+ opacity: .4;
+ line-height: 11px;
+ width: 25px;
+ height: 25px;
+ outline: 0 !important;
+ text-align: center;
+ padding: 3px;
+ font-weight: 300;
+
+ &:hover{
+ opacity: .55;
+ }
+ }
+
+ .close ~ span{
+ display: block;
+ max-width: 89%;
+ }
+
+ &[data-notify="container"]{
+ padding: 10px 10px 10px 20px;
+ border-radius: $border-radius-base;
+ }
+
+ &.alert-with-icon{
+ padding-left: 65px;
+ }
+}
+.alert-info{
+ background-color: $azure-navbar;
+}
+.alert-success {
+ background-color: $green-navbar;
+}
+.alert-warning {
+ background-color: $orange-navbar;
+}
+.alert-danger {
+ background-color: $red-navbar;
+}
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_buttons.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_buttons.scss
new file mode 100644
index 0000000..1b3bc69
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_buttons.scss
@@ -0,0 +1,108 @@
+.btn{
+ border-width: $border-thick;
+ background-color: $transparent-bg;
+ font-weight: $font-weight-normal;
+
+ @include opacity(.8);
+ padding: $padding-base-vertical $padding-base-horizontal;
+
+ @include btn-styles($default-color, $default-states-color);
+
+ &:hover,
+ &:focus{
+ @include opacity(1);
+ outline: 0 !important;
+ }
+ &:active,
+ &.active,
+ .open > &.dropdown-toggle {
+ @include box-shadow(none);
+ outline: 0 !important;
+ }
+
+ &.btn-icon{
+ padding: $padding-base-vertical;
+ }
+
+}
+
+// Apply the mixin to the buttons
+//.btn-default { @include btn-styles($default-color, $default-states-color); }
+.btn-primary { @include btn-styles($primary-color, $primary-states-color); }
+.btn-success { @include btn-styles($success-color, $success-states-color); }
+.btn-info { @include btn-styles($info-color, $info-states-color); }
+.btn-warning { @include btn-styles($warning-color, $warning-states-color); }
+.btn-danger { @include btn-styles($danger-color, $danger-states-color); }
+.btn-neutral {
+ @include btn-styles($white-color, $white-color);
+
+ &:active,
+ &.active,
+ .open > &.dropdown-toggle{
+ background-color: $white-color;
+ color: $default-color;
+ }
+
+ &.btn-fill,
+ &.btn-fill:hover,
+ &.btn-fill:focus{
+ color: $default-color;
+ }
+
+ &.btn-simple:active,
+ &.btn-simple.active{
+ background-color: transparent;
+ }
+}
+
+.btn{
+ &:disabled,
+ &[disabled],
+ &.disabled{
+ @include opacity(.5);
+ }
+}
+.btn-round{
+ border-width: $border-thin;
+ border-radius: $btn-round-radius !important;
+ padding: $padding-round-vertical $padding-round-horizontal;
+
+ &.btn-icon{
+ padding: $padding-round-vertical;
+ }
+}
+.btn-simple{
+ border: $none;
+ font-size: $font-size-medium;
+ padding: $padding-base-vertical $padding-base-horizontal;
+
+ &.btn-icon{
+ padding: $padding-base-vertical;
+ }
+}
+.btn-lg{
+ @include btn-size($padding-large-vertical, $padding-large-horizontal, $font-size-large, $border-radius-large);
+ font-weight: $font-weight-normal;
+}
+.btn-sm{
+ @include btn-size($padding-small-vertical, $padding-small-horizontal, $font-size-small, $border-radius-small);
+}
+.btn-xs {
+ @include btn-size($padding-xs-vertical, $padding-xs-horizontal, $font-size-small, $border-radius-small);
+}
+.btn-wd {
+ min-width: 140px;
+}
+
+.btn-group.select{
+ width: 100%;
+}
+.btn-group.select .btn{
+ text-align: left;
+}
+.btn-group.select .caret{
+ position: absolute;
+ top: 50%;
+ margin-top: -1px;
+ right: 8px;
+}
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_cards.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_cards.scss
new file mode 100644
index 0000000..4b25fcc
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_cards.scss
@@ -0,0 +1,207 @@
+.card{
+ border-radius: $border-radius-base;
+ box-shadow: 0 1px 2px rgba(0,0,0,.05),0 0 0 1px rgba(63,63,68,.1);
+ background-color: #FFFFFF;
+ margin-bottom: 30px;
+
+ .image{
+ width: 100%;
+ overflow: hidden;
+ height: 260px;
+ border-radius: $border-radius-base $border-radius-base 0 0;
+ position: relative;
+ -webkit-transform-style: preserve-3d;
+ -moz-transform-style: preserve-3d;
+ transform-style: preserve-3d;
+
+ img {
+ width: 100%;
+ }
+ }
+ .filter{
+ position: absolute;
+ z-index: 2;
+ background-color: rgba(0,0,0,.68);
+ top: 0;
+ left: 0;
+ width: 100%;
+ height: 100%;
+ text-align: center;
+
+ @include opacity(0);
+
+ .btn{
+ @include vertical-align();
+ }
+ }
+ &:hover .filter{
+ @include opacity(1);
+ }
+ .btn-hover{
+ @include opacity(0);
+ }
+ &:hover .btn-hover{
+ @include opacity(1);
+ }
+ .content{
+ padding: 15px 15px 10px 15px;
+ }
+ .header{
+ padding: 15px 15px 0;
+ }
+ .category,
+ label{
+ font-size: $font-size-base;
+ font-weight: $font-weight-normal;
+ color: $dark-gray;
+ margin-bottom: 0px;
+
+ i{
+ font-size: $font-paragraph;
+ }
+ }
+
+ label{
+ font-size: $font-size-small;
+ margin-bottom: 5px;
+ text-transform: uppercase;
+ }
+
+ .title{
+ margin: $none;
+ color: $black-color;
+ font-weight: $font-weight-light;
+ }
+ .avatar{
+ width: 30px;
+ height: 30px;
+ overflow: hidden;
+ border-radius: 50%;
+ margin-right: 5px;
+ }
+ .description{
+ font-size: $font-size-base;
+ color: #333;
+ }
+ .footer{
+ padding: 0;
+ background-color: $transparent-bg;
+ line-height: 30px;
+
+ .legend{
+ padding: 5px 0;
+ }
+
+ hr{
+ margin-top: 5px;
+ margin-bottom: 5px;
+ }
+ }
+ .stats{
+ color: #a9a9a9;
+ }
+ .footer div{
+ display: inline-block;
+ }
+
+ .author{
+ font-size: $font-size-small;
+ font-weight: $font-weight-bold;
+ text-transform: uppercase;
+ }
+ .author i{
+ font-size: $font-size-base;
+ }
+ h6{
+ font-size: $font-size-small;
+ margin: 0;
+ }
+ &.card-separator:after{
+ height: 100%;
+ right: -15px;
+ top: 0;
+ width: 1px;
+ background-color: $medium-gray;
+ content: "";
+ position: absolute;
+ }
+
+ .ct-chart{
+ margin: 30px 0 30px;
+ height: 245px;
+ }
+
+ .table{
+ tbody td:first-child,
+ thead th:first-child{
+ padding-left: 15px;
+ }
+
+ tbody td:last-child,
+ thead th:last-child{
+ padding-right: 15px;
+ }
+ }
+
+ .alert{
+ border-radius: $border-radius-base;
+ position: relative;
+
+ &.alert-with-icon{
+ padding-left: 65px;
+ }
+ }
+}
+.card-user{
+ .image{
+ height: 110px;
+ }
+ .image-plain{
+ height: 0;
+ margin-top: 110px;
+ }
+ .author{
+ text-align: center;
+ text-transform: none;
+ margin-top: -70px;
+ }
+ .avatar{
+ width: 124px;
+ height: 124px;
+ border: 5px solid #FFFFFF;
+ position: relative;
+ margin-bottom: 15px;
+
+ &.border-gray{
+ border-color: #EEEEEE;
+ }
+ }
+ .title{
+ line-height: 24px;
+ }
+ .content{
+ min-height: 240px;
+ }
+}
+
+.card-user,
+.card-price{
+ .footer{
+ padding: 5px 15px 10px;
+ }
+ hr{
+ margin: 5px 15px;
+ }
+}
+.card-plain{
+ background-color: transparent;
+ box-shadow: none;
+ border-radius: 0;
+
+ .image{
+ border-radius: 4px;
+ }
+}
+
+
+
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_chartist.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_chartist.scss
new file mode 100644
index 0000000..021f0a3
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_chartist.scss
@@ -0,0 +1,230 @@
+@mixin ct-responsive-svg-container($width: 100%, $ratio: $ct-container-ratio) {
+ display: block;
+ position: relative;
+ width: $width;
+
+ &:before {
+ display: block;
+ float: left;
+ content: "";
+ width: 0;
+ height: 0;
+ padding-bottom: $ratio * 100%;
+ }
+
+ &:after {
+ content: "";
+ display: table;
+ clear: both;
+ }
+
+ > svg {
+ display: block;
+ position: absolute;
+ top: 0;
+ left: 0;
+ }
+}
+
+@mixin ct-align-justify($ct-text-align: $ct-text-align, $ct-text-justify: $ct-text-justify) {
+ -webkit-box-align: $ct-text-align;
+ -webkit-align-items: $ct-text-align;
+ -ms-flex-align: $ct-text-align;
+ align-items: $ct-text-align;
+ -webkit-box-pack: $ct-text-justify;
+ -webkit-justify-content: $ct-text-justify;
+ -ms-flex-pack: $ct-text-justify;
+ justify-content: $ct-text-justify;
+ // Fallback to text-align for non-flex browsers
+ @if($ct-text-justify == 'flex-start') {
+ text-align: left;
+ } @else if ($ct-text-justify == 'flex-end') {
+ text-align: right;
+ } @else {
+ text-align: center;
+ }
+}
+
+@mixin ct-flex() {
+ // Fallback to block
+ display: block;
+ display: -webkit-box;
+ display: -moz-box;
+ display: -ms-flexbox;
+ display: -webkit-flex;
+ display: flex;
+}
+
+@mixin ct-chart-label($ct-text-color: $ct-text-color, $ct-text-size: $ct-text-size, $ct-text-line-height: $ct-text-line-height) {
+ fill: $ct-text-color;
+ color: $ct-text-color;
+ font-size: $ct-text-size;
+ line-height: $ct-text-line-height;
+}
+
+@mixin ct-chart-grid($ct-grid-color: $ct-grid-color, $ct-grid-width: $ct-grid-width, $ct-grid-dasharray: $ct-grid-dasharray) {
+ stroke: $ct-grid-color;
+ stroke-width: $ct-grid-width;
+
+ @if ($ct-grid-dasharray) {
+ stroke-dasharray: $ct-grid-dasharray;
+ }
+}
+
+@mixin ct-chart-point($ct-point-size: $ct-point-size, $ct-point-shape: $ct-point-shape) {
+ stroke-width: $ct-point-size;
+ stroke-linecap: $ct-point-shape;
+}
+
+@mixin ct-chart-line($ct-line-width: $ct-line-width, $ct-line-dasharray: $ct-line-dasharray) {
+ fill: none;
+ stroke-width: $ct-line-width;
+
+ @if ($ct-line-dasharray) {
+ stroke-dasharray: $ct-line-dasharray;
+ }
+}
+
+@mixin ct-chart-area($ct-area-opacity: $ct-area-opacity) {
+ stroke: none;
+ fill-opacity: $ct-area-opacity;
+}
+
+@mixin ct-chart-bar($ct-bar-width: $ct-bar-width) {
+ fill: none;
+ stroke-width: $ct-bar-width;
+}
+
+@mixin ct-chart-donut($ct-donut-width: $ct-donut-width) {
+ fill: none;
+ stroke-width: $ct-donut-width;
+}
+
+@mixin ct-chart-series-color($color) {
+ .#{$ct-class-point}, .#{$ct-class-line}, .#{$ct-class-bar}, .#{$ct-class-slice-donut} {
+ stroke: $color;
+ }
+
+ .#{$ct-class-slice-pie}, .#{$ct-class-area} {
+ fill: $color;
+ }
+}
+
+@mixin ct-chart($ct-container-ratio: $ct-container-ratio, $ct-text-color: $ct-text-color, $ct-text-size: $ct-text-size, $ct-grid-color: $ct-grid-color, $ct-grid-width: $ct-grid-width, $ct-grid-dasharray: $ct-grid-dasharray, $ct-point-size: $ct-point-size, $ct-point-shape: $ct-point-shape, $ct-line-width: $ct-line-width, $ct-bar-width: $ct-bar-width, $ct-donut-width: $ct-donut-width, $ct-series-names: $ct-series-names, $ct-series-colors: $ct-series-colors) {
+
+ .#{$ct-class-label} {
+ @include ct-chart-label($ct-text-color, $ct-text-size);
+ }
+
+ .#{$ct-class-chart-line} .#{$ct-class-label},
+ .#{$ct-class-chart-bar} .#{$ct-class-label} {
+ @include ct-flex();
+ }
+
+ .#{$ct-class-label}.#{$ct-class-horizontal}.#{$ct-class-start} {
+ @include ct-align-justify(flex-end, flex-start);
+ // Fallback for browsers that don't support foreignObjects
+ text-anchor: start;
+ }
+
+ .#{$ct-class-label}.#{$ct-class-horizontal}.#{$ct-class-end} {
+ @include ct-align-justify(flex-start, flex-start);
+ // Fallback for browsers that don't support foreignObjects
+ text-anchor: start;
+ }
+
+ .#{$ct-class-label}.#{$ct-class-vertical}.#{$ct-class-start} {
+ @include ct-align-justify(flex-end, flex-end);
+ // Fallback for browsers that don't support foreignObjects
+ text-anchor: end;
+ }
+
+ .#{$ct-class-label}.#{$ct-class-vertical}.#{$ct-class-end} {
+ @include ct-align-justify(flex-end, flex-start);
+ // Fallback for browsers that don't support foreignObjects
+ text-anchor: start;
+ }
+
+ .#{$ct-class-chart-bar} .#{$ct-class-label}.#{$ct-class-horizontal}.#{$ct-class-start} {
+ @include ct-align-justify(flex-end, center);
+ // Fallback for browsers that don't support foreignObjects
+ text-anchor: start;
+ }
+
+ .#{$ct-class-chart-bar} .#{$ct-class-label}.#{$ct-class-horizontal}.#{$ct-class-end} {
+ @include ct-align-justify(flex-start, center);
+ // Fallback for browsers that don't support foreignObjects
+ text-anchor: start;
+ }
+
+ .#{$ct-class-chart-bar}.#{$ct-class-horizontal-bars} .#{$ct-class-label}.#{$ct-class-horizontal}.#{$ct-class-start} {
+ @include ct-align-justify(flex-end, flex-start);
+ // Fallback for browsers that don't support foreignObjects
+ text-anchor: start;
+ }
+
+ .#{$ct-class-chart-bar}.#{$ct-class-horizontal-bars} .#{$ct-class-label}.#{$ct-class-horizontal}.#{$ct-class-end} {
+ @include ct-align-justify(flex-start, flex-start);
+ // Fallback for browsers that don't support foreignObjects
+ text-anchor: start;
+ }
+
+ .#{$ct-class-chart-bar}.#{$ct-class-horizontal-bars} .#{$ct-class-label}.#{$ct-class-vertical}.#{$ct-class-start} {
+ //@include ct-chart-label($ct-text-color, $ct-text-size, center, $ct-vertical-text-justify);
+ @include ct-align-justify(center, flex-end);
+ // Fallback for browsers that don't support foreignObjects
+ text-anchor: end;
+ }
+
+ .#{$ct-class-chart-bar}.#{$ct-class-horizontal-bars} .#{$ct-class-label}.#{$ct-class-vertical}.#{$ct-class-end} {
+ @include ct-align-justify(center, flex-start);
+ // Fallback for browsers that don't support foreignObjects
+ text-anchor: end;
+ }
+
+ .#{$ct-class-grid} {
+ @include ct-chart-grid($ct-grid-color, $ct-grid-width, $ct-grid-dasharray);
+ }
+
+ .#{$ct-class-point} {
+ @include ct-chart-point($ct-point-size, $ct-point-shape);
+ }
+
+ .#{$ct-class-line} {
+ @include ct-chart-line($ct-line-width);
+ }
+
+ .#{$ct-class-area} {
+ @include ct-chart-area();
+ }
+
+ .#{$ct-class-bar} {
+ @include ct-chart-bar($ct-bar-width);
+ }
+
+ .#{$ct-class-slice-donut} {
+ @include ct-chart-donut($ct-donut-width);
+ }
+
+ @if $ct-include-colored-series {
+ @for $i from 0 to length($ct-series-names) {
+ .#{$ct-class-series}-#{nth($ct-series-names, $i + 1)} {
+ $color: nth($ct-series-colors, $i + 1);
+
+ @include ct-chart-series-color($color);
+ }
+ }
+ }
+}
+
+@if $ct-include-classes {
+ @include ct-chart();
+
+ @if $ct-include-alternative-responsive-containers {
+ @for $i from 0 to length($ct-scales-names) {
+ .#{nth($ct-scales-names, $i + 1)} {
+ @include ct-responsive-svg-container($ratio: nth($ct-scales, $i + 1));
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_checkbox-radio-switch.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_checkbox-radio-switch.scss
new file mode 100644
index 0000000..4783a73
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_checkbox-radio-switch.scss
@@ -0,0 +1,246 @@
+/* Checkbox and radio */
+.checkbox,
+.radio {
+ margin-bottom: 12px;
+ padding-left: 32px;
+ position: relative;
+ -webkit-transition: color 0.25s linear;
+ transition: color 0.25s linear;
+ font-size: 14px;
+ font-weight: normal;
+ line-height: 1.5;
+ color: #333333;
+}
+.checkbox input,
+.radio input {
+ outline: none !important;
+ display: none;
+}
+.checkbox .icons,
+.radio .icons {
+ color: $medium-gray;
+ display: block;
+ height: 20px;
+ left: 0;
+ position: absolute;
+ top: 0;
+ width: 20px;
+ text-align: center;
+ line-height: 21px;
+ font-size: 20px;
+ cursor: pointer;
+ -webkit-transition: color 0.2s linear;
+ transition: color 0.2s linear;
+}
+
+
+.checkbox .icons .first-icon,
+.radio .icons .first-icon,
+.checkbox .icons .second-icon,
+.radio .icons .second-icon {
+ display: inline-table;
+ position: absolute;
+ left: 0;
+ top: 0;
+ background-color: transparent;
+ margin: 0;
+ @include opacity(1);
+}
+.checkbox .icons .second-icon,
+.radio .icons .second-icon {
+ @include opacity(0);
+}
+.checkbox:hover,
+.radio:hover {
+ -webkit-transition: color 0.2s linear;
+ transition: color 0.2s linear;
+}
+.checkbox:hover .first-icon,
+.radio:hover .first-icon {
+ @include opacity(0);
+}
+.checkbox:hover .second-icon,
+.radio:hover .second-icon {
+ @include opacity (1);
+}
+.checkbox.checked,
+.radio.checked {
+ color: $info-color;
+}
+.checkbox.checked .first-icon,
+.radio.checked .first-icon {
+ opacity: 0;
+ filter: alpha(opacity=0);
+}
+.checkbox.checked .second-icon,
+.radio.checked .second-icon {
+ opacity: 1;
+ filter: alpha(opacity=100);
+ color: $info-color;
+ -webkit-transition: color 0.2s linear;
+ transition: color 0.2s linear;
+}
+.checkbox.disabled,
+.radio.disabled {
+ cursor: default;
+ color: $medium-gray !important;
+}
+.checkbox.disabled .icons,
+.radio.disabled .icons {
+ color: $medium-gray !important;
+}
+.checkbox.disabled .first-icon,
+.radio.disabled .first-icon {
+ opacity: 1;
+ filter: alpha(opacity=100);
+}
+.checkbox.disabled .second-icon,
+.radio.disabled .second-icon {
+ opacity: 0;
+ filter: alpha(opacity=0);
+}
+.checkbox.disabled.checked .icons,
+.radio.disabled.checked .icons {
+ color: $medium-gray;
+}
+.checkbox.disabled.checked .first-icon,
+.radio.disabled.checked .first-icon {
+ opacity: 0;
+ filter: alpha(opacity=0);
+}
+.checkbox.disabled.checked .second-icon,
+.radio.disabled.checked .second-icon {
+ opacity: 1;
+ filter: alpha(opacity=100);
+ color: #D9D9D9;
+}
+
+
+
+/* ============================================================
+ * bootstrapSwitch v1.3 by Larentis Mattia @spiritualGuru
+ * http://www.larentis.eu/switch/
+ * ============================================================
+ * Licensed under the Apache License, Version 2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * ============================================================ */
+.has-switch {
+ border-radius: 30px;
+ cursor: pointer;
+ display: inline-block;
+ line-height: 1.72222;
+ overflow: hidden;
+ position: relative;
+ text-align: left;
+ width: 60px;
+
+ -webkit-user-select: none;
+ -moz-user-select: none;
+ -ms-user-select: none;
+ -o-user-select: none;
+ user-select: none;
+
+ /* this code is for fixing safari bug with hidden overflow for border-radius */
+ -webkit-mask: url('../img/mask.png') 0 0 no-repeat;
+ -webkit-mask-size: 60px 24px;
+ mask: url('../img/mask.png') 0 0 no-repeat;
+}
+.has-switch.deactivate {
+ opacity: 0.5;
+ filter: alpha(opacity=50);
+ cursor: default !important;
+}
+.has-switch.deactivate label,
+.has-switch.deactivate span {
+ cursor: default !important;
+}
+.has-switch > div {
+ position: relative;
+ top: 0;
+ width: 100px;
+}
+.has-switch > div.switch-animate {
+ -webkit-transition: left 0.25s ease-out;
+ transition: left 0.25s ease-out;
+}
+.has-switch > div.switch-off {
+ left: -35px;
+}
+
+.has-switch > div.switch-on {
+ left: 0;
+}
+.has-switch > div label {
+ background-color: #FFFFFF;
+ @include icon-gradient (rgba(255,255,255,1), rgba(241,241,242,1));
+
+ box-shadow: 0 1px 1px #FFFFFF inset, 0 1px 1px rgba(0, 0, 0, 0.25);
+ cursor: pointer;
+}
+.has-switch input[type=checkbox] {
+ display: none;
+}
+.has-switch span {
+/* box-shadow: 0 1px 3px rgba(0, 0, 0, 0.2) inset; */
+ cursor: pointer;
+ float: left;
+ font-size: 11px;
+ font-weight: 400;
+ height: 24px;
+ line-height: 15px;
+ margin: 0;
+ padding-bottom: 6px;
+ padding-top: 5px;
+ position: relative;
+ text-align: center;
+ text-indent: -10px;
+ width: 50%;
+ z-index: 1;
+ -webkit-transition: 0.25s ease-out;
+ transition: 0.25s ease-out;
+}
+.has-switch span.switch-left {
+ background-color: $info-color;
+ border-left: 1px solid rgba(0, 0, 0, 0);
+ border-radius: 30px 0 0 30px;
+ color: #FFFFFF;
+}
+.has-switch .switch-off span.switch-left{
+ background-color: $medium-gray;
+}
+.has-switch span.switch-right {
+ border-radius: 0 30px 30px 0;
+ background-color: $info-color;
+ color: #ffffff;
+ text-indent: 1px;
+}
+.has-switch .switch-off span.switch-right{
+ background-color: $medium-gray;
+}
+
+.has-switch label {
+ border-radius: 12px;
+ float: left;
+ height: 22px;
+ margin: 1px -13px;
+ padding: 0;
+ position: relative;
+ transition: all 0.25s ease-out 0s;
+ vertical-align: middle;
+ width: 22px;
+ z-index: 100;
+ -webkit-transition: 0.25s ease-out;
+ transition: 0.25s ease-out;
+}
+.has-switch .switch-on .fa-check:before{
+ margin-left: 10px;
+}
+.has-switch:hover .switch-on label{
+ margin: 1px -17px;
+ width: 26px;
+}
+.has-switch:hover .switch-off label{
+ margin: 1px -13px;
+ width: 26px;
+}
+
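Review bot: In the `.checkbox input, .radio input` rule near the top of this file, and again in `.has-switch input[type=checkbox]`, the native control is hidden with `display: none`, which takes it out of the focus order. These controls therefore cannot be reached or toggled from the keyboard, and the `outline: none !important` beside it has no effect. The checked state is shown only through the `.checked` class, which has to be set by script that is not part of this hunk. If that script allows it, hiding the input visually keeps it focusable: `position: absolute; opacity: 0;` in place of `display: none;`, together with a visible focus style on `.icons`.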
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_dropdown.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_dropdown.scss
new file mode 100644
index 0000000..c1c5f93
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_dropdown.scss
@@ -0,0 +1,120 @@
+.dropdown-menu{
+ visibility: hidden;
+ margin: 0;
+ padding: 0;
+ border-radius: $border-radius-extreme;
+ display: block;
+ z-index: 9000;
+ position: absolute;
+
+ @include opacity(0);
+ @include box-shadow($dropdown-shadow);
+
+ .open &{
+ @include opacity(1);
+ visibility: visible;
+ }
+ .select &{
+ border-radius: $border-radius-bottom;
+ @include box-shadow(none);
+ @include transform-origin($select-coordinates);
+ @include transform-scale(1);
+ @include transition($fast-transition-time, $transition-linear);
+ margin-top: -20px;
+ }
+ .select.open &{
+ margin-top: -1px;
+ }
+
+ > li > a {
+ padding: $padding-base-vertical $padding-base-horizontal;
+ color: #333333;
+
+ img{
+ margin-top: -3px;
+ }
+ }
+ > li > a:focus{
+ outline: 0 !important;
+ }
+
+ .btn-group.select &{
+ min-width: 100%;
+ }
+
+ > li:first-child > a{
+ border-top-left-radius: $border-radius-extreme;
+ border-top-right-radius: $border-radius-extreme;
+ }
+
+ > li:last-child > a{
+ border-bottom-left-radius: $border-radius-extreme;
+ border-bottom-right-radius: $border-radius-extreme;
+ }
+
+ .select & > li:first-child > a{
+ border-radius: 0;
+ border-bottom: 0 none;
+ }
+
+ > li > a:hover,
+ > li > a:focus {
+ background-color: $smoke-bg;
+ color: #333333;
+ opacity: 1;
+ text-decoration: none;
+ }
+
+ &.dropdown-blue > li > a:hover,
+ &.dropdown-blue > li > a:focus{
+ background-color: $light-blue;
+ }
+ &.dropdown-azure > li > a:hover,
+ &.dropdown-azure > li > a:focus{
+ background-color: $light-azure;
+ }
+ &.ct-green > li > a:hover,
+ &.ct-green > li > a:focus{
+ background-color: $light-green;
+ }
+ &.dropdown-orange > li > a:hover,
+ &.dropdown-orange > li > a:focus{
+ background-color: $light-orange;
+ }
+ &.dropdown-red > li > a:hover,
+ &.dropdown-red > li > a:focus{
+ background-color: $light-red;
+ }
+
+}
+
+.dropdown-with-icons{
+ > li > a{
+ padding-left: 0px;
+ line-height: 28px;
+ }
+ i{
+ text-align: center;
+ line-height: 28px;
+ float: left;
+
+ &[class^="pe-"]{
+ font-size: 24px;
+ width: 46px;
+ }
+ &[class^="fa"]{
+ font-size: 14px;
+ width: 38px;
+ }
+ }
+}
+
+//fix bug for the select items in btn-group
+.btn-group.select{
+ overflow: hidden;
+}
+.btn-group.select.open{
+ overflow: visible;
+}
+
+
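Review bot: The green hover variant in `.dropdown-menu` is keyed on `&.ct-green`, while the four sibling variants use the `dropdown-` prefix (`dropdown-blue`, `dropdown-azure`, `dropdown-orange`, `dropdown-red`). A menu marked `dropdown-green` would therefore get no `$light-green` hover background. Which class the markup uses is not visible here; if it follows the other four, the selectors should read `&.dropdown-green > li > a:hover,` and `&.dropdown-green > li > a:focus{`. If `ct-green` is intentional, a one-line comment saying so would prevent the same question later.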
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_footers.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_footers.scss
new file mode 100644
index 0000000..6e6682d
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_footers.scss
@@ -0,0 +1,77 @@
+.footer{
+ background-color: $white-color;
+ line-height: $line-height;
+
+ nav > ul{
+ list-style: none;
+ margin: 0;
+ padding: 0;
+ font-weight: normal;
+
+ a:not(.btn){
+ color: $dark-gray;
+ display: block;
+ margin-bottom: 3px;
+ &:hover,
+ &:focus{
+ color: $default-states-color;
+ }
+ }
+ }
+ .social-area{
+ padding: 15px 0;
+ h5{
+ padding-bottom: 15px;
+ }
+ }
+ .social-area > a:not(.btn){
+ color: $dark-gray;
+ display: inline-block;
+ vertical-align: top;
+ padding: $padding-social-a;
+ font-size: $font-size-large-navbar;
+ font-weight: normal;
+ line-height: $line-height;
+ text-align: center;
+ &:hover,
+ &:focus{
+ color: $default-states-color;
+ }
+ }
+ .copyright{
+ color: $default-states-color;
+ padding: 10px 15px;
+ margin: 10px 3px;
+ line-height: 20px;
+ font-size: $font-size-base;
+ }
+ hr{
+ border-color: $medium-gray;
+ }
+ .title{
+ color: $default-states-color;
+ }
+}
+
+.footer-default{
+ background-color: $smoke-bg;
+}
+
+.footer:not(.footer-big){
+ nav > ul{
+ font-size: $font-size-base;
+ li{
+ margin-left: 20px;
+ float: left;
+ }
+ a{
+ padding: 10px 0px;
+ margin: 10px 10px 10px 0px;
+ }
+ }
+}
+
+
+
+
+
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_inputs.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_inputs.scss
new file mode 100644
index 0000000..2b9820a
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_inputs.scss
@@ -0,0 +1,141 @@
+.form-control::-moz-placeholder{
+ @include placeholder($medium-gray,1);
+}
+.form-control:-moz-placeholder{
+ @include placeholder($medium-gray,1);
+}
+.form-control::-webkit-input-placeholder{
+ @include placeholder($medium-gray,1);
+}
+.form-control:-ms-input-placeholder{
+ @include placeholder($medium-gray,1);
+}
+
+.form-control {
+ background-color: $white-bg;
+ border: 1px solid $light-gray;
+ border-radius: $border-radius-base;
+ color: #565656;
+ @include input-size($padding-base-vertical, $padding-base-horizontal - 4, $height-base);
+ @include box-shadow(none);
+
+ &:focus{
+ background-color: $white-bg;
+ border: 1px solid $medium-dark-gray;
+ @include box-shadow(none);
+ outline: 0 !important;
+ color: #333333;
+ }
+
+ .has-success &,
+ .has-error &,
+ .has-success &:focus,
+ .has-error &:focus{
+ border-color: $light-gray;
+ @include box-shadow(none);
+ }
+
+ .has-success &{
+ color: $success-color;
+ }
+ .has-success &:focus{
+ border-color: $success-color;
+ }
+ .has-error &{
+ color: $danger-color;
+ }
+ .has-error &:focus{
+ border-color: $danger-color;
+ }
+
+ & + .form-control-feedback{
+ border-radius: $border-radius-large;
+ font-size: $font-size-base;
+ margin-top: -7px;
+ position: absolute;
+ right: 10px;
+ top: 50%;
+ vertical-align: middle;
+ }
+
+ .open &{
+ border-radius: $border-radius-base $border-radius-base 0 0;
+ border-bottom-color: transparent;
+ }
+}
+
+.input-lg{
+ height: 55px;
+ padding: $padding-large-vertical $padding-large-horizontal;
+}
+
+.has-error{
+ .form-control-feedback{
+ color: $danger-color;
+ }
+}
+.has-success{
+ .form-control-feedback{
+ color: $success-color
+ }
+}
+
+
+.input-group-addon {
+ background-color: $white-color;
+ border: 1px solid $light-gray;
+ border-radius: $border-radius-base;
+
+ .has-success &,
+ .has-error &{
+ background-color: $white-color;
+ border: 1px solid $light-gray;
+ }
+ .has-error .form-control:focus + &{
+ border-color: $danger-color;
+ color: $danger-color;
+ }
+ .has-success .form-control:focus + &{
+ border-color: $success-color;
+ color: $success-color;
+ }
+ .form-control:focus + &,
+ .form-control:focus ~ &{
+ background-color: $white-color;
+ border-color: $dark-gray;
+ }
+}
+
+.input-group .form-control:first-child,
+.input-group-addon:first-child,
+.input-group-btn:first-child > .dropdown-toggle,
+.input-group-btn:last-child > .btn:not(:last-child):not(.dropdown-toggle) {
+ border-right: 0 none;
+}
+.input-group .form-control:last-child,
+.input-group-addon:last-child,
+.input-group-btn:last-child > .dropdown-toggle,
+.input-group-btn:first-child > .btn:not(:first-child) {
+ border-left: 0 none;
+}
+.form-control[disabled], .form-control[readonly], fieldset[disabled] .form-control {
+ background-color: $smoke-bg;
+ color: $default-color;
+ cursor: not-allowed;
+}
+
+.input-group-btn .btn{
+ border-width: $border-thin;
+ padding: $padding-round-vertical $padding-base-horizontal;
+}
+.input-group-btn .btn-default:not(.btn-fill){
+ border-color: $medium-gray;
+}
+
+.input-group-btn:last-child > .btn{
+ margin-left: 0;
+}
+
+.input-group-focus .input-group-addon{
+ border-color: $dark-gray;
+}
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_misc.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_misc.scss
new file mode 100644
index 0000000..47e229d
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_misc.scss
@@ -0,0 +1,62 @@
+/* General overwrite */
+body,
+.wrapper{
+ min-height: 100vh;
+ position: relative;
+}
+a{
+ color: $info-color;
+
+ &:hover, &:focus{
+ color: $info-states-color;
+ text-decoration: none;
+ }
+}
+
+a:focus, a:active,
+button::-moz-focus-inner,
+input::-moz-focus-inner,
+input[type="reset"]::-moz-focus-inner,
+input[type="button"]::-moz-focus-inner,
+input[type="submit"]::-moz-focus-inner,
+select::-moz-focus-inner,
+input[type="file"] > input[type="button"]::-moz-focus-inner{
+ outline:0;
+}
+.ui-slider-handle:focus,
+.navbar-toggle,
+input:focus {
+ outline : 0 !important;
+}
+
+/* Animations */
+.form-control,
+.input-group-addon,
+.tagsinput,
+.navbar,
+.navbar .alert{
+ @include transition($general-transition-time, $transition-linear);
+}
+
+.sidebar .nav a,
+.table > tbody > tr .td-actions .btn{
+ @include transition($fast-transition-time, $transition-ease-in);
+}
+
+.btn{
+ @include transition($ultra-fast-transition-time, $transition-ease-in);
+}
+.fa{
+ width: 18px;
+ text-align: center;
+}
+.margin-top{
+ margin-top: 50px;
+}
+
+.wrapper{
+ position: relative;
+ top: 0;
+ height: 100vh;
+}
+
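Review bot: `.wrapper` is styled twice in this file with overlapping intent. The first rule (`body, .wrapper`) gives it `min-height: 100vh`, and the last rule gives it a fixed `height: 100vh` and repeats `position: relative`. With both applied the element is exactly one viewport tall, so the `min-height` on `.wrapper` is redundant and content taller than the viewport overflows it rather than stretching it. A single `.wrapper` rule with a comment stating the intended behaviour would make this explicit, for example `/* fixed to the viewport; inner panels scroll */` if that is the design.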
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_mixins.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_mixins.scss
new file mode 100644
index 0000000..33a9fff
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_mixins.scss
@@ -0,0 +1,22 @@
+//Utilities
+
+@import "mixins/transparency";
+@import "mixins/vendor-prefixes";
+
+
+//Components
+
+@import "mixins/buttons";
+@import "mixins/inputs";
+@import "mixins/labels";
+@import "mixins/tabs";
+
+@import "mixins/navbars";
+@import "mixins/icons";
+@import "mixins/social-buttons";
+
+@import "mixins/morphing-buttons";
+
+@import "mixins/cards";
+
+@import "mixins/chartist";
\ No newline at end of file
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_navbars.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_navbars.scss
new file mode 100644
index 0000000..4024445
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_navbars.scss
@@ -0,0 +1,293 @@
+.nav {
+ > li{
+ > a:hover,
+ > a:focus{
+ background-color: transparent;
+ }
+ }
+}
+.navbar{
+ border: $none;
+ font-size: $font-size-navbar;
+ border-radius: 0;
+
+ .navbar-brand {
+ font-weight: $font-weight-normal;
+ margin: $navbar-margin-brand;
+ padding: $navbar-padding-brand;
+ font-size: $font-size-large-navbar;
+ }
+ .navbar-nav{
+ > li > a {
+ padding: $navbar-padding-a;
+ margin: $navbar-margin-a;
+ position: relative;
+ }
+ > li > a.btn{
+ margin: $navbar-margin-a-btn;
+ padding: $padding-base-vertical $padding-base-horizontal;
+ }
+ > li > a.btn-round{
+ margin: $navbar-margin-a-btn-round;
+ }
+ > li > a [class^="fa"]{
+ font-size: $font-size-large + 1;
+ position: relative;
+ line-height: 16px;
+ top: 1px;
+ }
+
+ .notification{
+ position: absolute;
+ background-color: #FB404B;
+ text-align: center;
+ border-radius: 10px;
+ min-width: 18px;
+ padding: 0 5px;
+ height: 18px;
+ font-size: 12px;
+ color: #FFFFFF;
+ font-weight: bold;
+ line-height: 18px;
+ top: 0px;
+ left: 7px;
+ }
+ }
+ .btn{
+ margin: $navbar-margin-btn;
+ font-size: $font-size-base;
+ }
+ .btn-simple{
+ font-size: $font-size-medium;
+ }
+ .caret{
+ // @include center-item();
+ }
+
+ &.fixed{
+ width: calc(100% - $sidebar-width);
+ right: 0;
+ left: auto;
+ border-radius: 0;
+ }
+
+}
+
+.navbar-nav > li > .dropdown-menu{
+ border-radius: $border-radius-extreme;
+ margin-top: -5px;
+}
+
+.navbar-transparent, [class*="navbar-ct"]{
+ .navbar-brand{
+ color: $white-color;
+ @include opacity(.9);
+
+ &:focus,
+ &:hover{
+ background-color: transparent;
+ @include opacity(1);
+ }
+ }
+
+ .navbar-nav{
+ > li > a:not(.btn){
+ color: $white-color;
+ border-color: $white-color;
+ @include opacity(0.8);
+ }
+ > .active > a:not(.btn),
+ > .active > a:hover:not(.btn),
+ > .active > a:focus:not(.btn),
+ > li > a:hover:not(.btn),
+ > li > a:focus:not(.btn){
+ background-color: transparent;
+ border-radius: 3px;
+ color: $white-color;
+ @include opacity(1);
+ }
+ .nav > li > a.btn:hover{
+ background-color: transparent;
+ }
+
+ > .dropdown > a .caret,
+ > .dropdown > a:hover .caret,
+ > .dropdown > a:focus .caret{
+ border-bottom-color: $white-color;
+ border-top-color: $white-color;
+ }
+
+ > .open > a,
+ > .open > a:hover,
+ > .open > a:focus {
+ background-color: transparent;
+ color: $white-color;
+ @include opacity(1);
+ }
+ }
+
+ .btn-default{
+ color: $white-color;
+ border-color: $white-color;
+ }
+ .btn-default.btn-fill{
+ color: $dark-gray;
+ background-color: $white-color;
+ @include opacity(.9);
+ }
+ .btn-default.btn-fill:hover,
+ .btn-default.btn-fill:focus,
+ .btn-default.btn-fill:active,
+ .btn-default.btn-fill.active,
+ .open .dropdown-toggle.btn-fill.btn-default{
+ border-color: $white-color;
+ @include opacity(1);
+ }
+
+}
+.navbar-transparent{
+ .dropdown-menu .divider{
+ background-color: rgba($white-color,.2);
+ }
+}
+
+.nav-open .nav .caret{
+ border-bottom-color: $white-color;
+ border-top-color: $white-color;
+}
+
+.navbar-default {
+ background-color: $white-navbar;
+ border-bottom: 1px solid rgba(0, 0, 0, 0.1);
+
+ .navbar-nav{
+ > li > a:not(.btn){
+ color: $dark-gray;
+ }
+
+ > .active > a,
+ > .active > a:not(.btn):hover,
+ > .active > a:not(.btn):focus,
+ > li > a:not(.btn):hover,
+ > li > a:not(.btn):focus {
+ background-color: transparent;
+ border-radius: 3px;
+ color: $info-color;
+ @include opacity(1);
+ }
+
+ > .dropdown > a:hover .caret,
+ > .dropdown > a:focus .caret {
+ border-bottom-color: $info-color;
+ border-top-color: $info-color;
+
+ }
+
+ > .open > a,
+ > .open > a:hover,
+ > .open > a:focus{
+ background-color: transparent;
+ color: $info-color;
+ }
+
+ .navbar-toggle:hover,.navbar-toggle:focus {
+ background-color: transparent;
+ }
+
+ }
+
+ &:not(.navbar-transparent) .btn-default:hover{
+ color: $info-color;
+ border-color: $info-color;
+ }
+ &:not(.navbar-transparent) .btn-neutral,
+ &:not(.navbar-transparent) .btn-neutral:hover,
+ &:not(.navbar-transparent) .btn-neutral:active{
+ color: $dark-gray;
+ }
+}
+
+/* Navbar with icons */
+
+.navbar-icons{
+ &.navbar .navbar-brand{
+ margin-top: 12px;
+ margin-bottom: 12px;
+ }
+ .navbar-nav{
+ > li > a{
+ text-align: center;
+ padding: $navbar-padding-a-icons;
+ margin: $navbar-margin-a-icons;
+ }
+
+ [class^="pe"] {
+ font-size: 30px;
+ position: relative;
+ }
+ p {
+ margin: 3px 0 0;
+ }
+ }
+}
+
+.navbar-form{
+ @include box-shadow(none);
+ .form-control{
+ @include light-form();
+ height: 22px;
+ font-size: $font-size-navbar;
+ line-height: $line-height-general;
+ color: $light-gray;
+ }
+ .navbar-transparent & .form-control,
+ [class*="navbar-ct"] & .form-control{
+ color: $white-color;
+ border: $none;
+ border-bottom: 1px solid rgba($white-color,.6);
+ }
+
+}
+
+.navbar-ct-blue{
+ @include navbar-color($blue-navbar);
+}
+.navbar-ct-azure{
+ @include navbar-color($azure-navbar);
+}
+.navbar-ct-green{
+ @include navbar-color($green-navbar);
+}
+.navbar-ct-orange{
+ @include navbar-color($orange-navbar);
+}
+.navbar-ct-red{
+ @include navbar-color($red-navbar);
+}
+
+.navbar-transparent{
+ padding-top: 15px;
+ background-color: transparent;
+ border-bottom: 1px solid transparent;
+}
+
+.navbar-toggle{
+ margin-top: 19px;
+ margin-bottom: 19px;
+ border: $none;
+
+ .icon-bar {
+ background-color: $white-color;
+ }
+ .navbar-collapse,
+ .navbar-form {
+ border-color: transparent;
+ }
+
+ &.navbar-default .navbar-toggle:hover,
+ &.navbar-default .navbar-toggle:focus {
+ background-color: transparent;
+ }
+}
+
+
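Review bot: In `.navbar` the `&.fixed` rule writes `width: calc(100% - $sidebar-width);` with a bare Sass variable inside `calc()`. Sass compilers that pass `calc()` through as plain text leave `$sidebar-width` in the output, and the browser then drops the declaration, so the fixed navbar would not be narrowed by the sidebar. Which compiler builds this theme is not visible in the hunk. Interpolating the variable works on every Sass version: `width: calc(100% - #{$sidebar-width});`. `$sidebar-width` is not defined in this file, so it must come from a partial loaded earlier.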
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_responsive.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_responsive.scss
new file mode 100644
index 0000000..9c3425d
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_responsive.scss
@@ -0,0 +1,414 @@
+@media (min-width: 992px){
+ .navbar-form {
+ margin-top: 21px;
+ margin-bottom: 21px;
+ padding-left: 5px;
+ padding-right: 5px;
+ }
+ .navbar-nav > li > .dropdown-menu, .dropdown .dropdown-menu{
+ @include transform-scale(0);
+ @include transition($slow-transition-time, $transition-bezier);
+ }
+ .navbar-nav > li.open > .dropdown-menu, .dropdown.open .dropdown-menu{
+ @include transform-scale(1);
+ @include transform-origin($dropdown-coordinates);
+
+ }
+
+ .navbar-nav > li > .dropdown-menu:before{
+ border-bottom: 11px solid rgba(0, 0, 0, 0.2);
+ border-left: 11px solid rgba(0, 0, 0, 0);
+ border-right: 11px solid rgba(0, 0, 0, 0);
+ content: "";
+ display: inline-block;
+ position: absolute;
+ left: 12px;
+ top: -11px;
+ }
+ .navbar-nav > li > .dropdown-menu:after {
+ border-bottom: 11px solid #FFFFFF;
+ border-left: 11px solid rgba(0, 0, 0, 0);
+ border-right: 11px solid rgba(0, 0, 0, 0);
+ content: "";
+ display: inline-block;
+ position: absolute;
+ left: 12px;
+ top: -10px;
+ }
+
+ .navbar-nav.navbar-right > li > .dropdown-menu:before{
+ left: auto;
+ right: 12px;
+ }
+
+ .navbar-nav.navbar-right > li > .dropdown-menu:after{
+ left: auto;
+ right: 12px;
+ }
+
+ .footer:not(.footer-big){
+ nav > ul{
+ li:first-child{
+ margin-left: 0;
+ }
+ }
+ }
+
+ body > .navbar-collapse.collapse{
+ display: none !important;
+ }
+
+ .card{
+ form{
+ [class*="col-"]{
+ padding: 6px;
+ }
+ [class*="col-"]:first-child{
+ padding-left: 15px;
+ }
+ [class*="col-"]:last-child{
+ padding-right: 15px;
+ }
+ }
+ }
+}
+
+/* Changes for small display */
+
+@media (max-width: 991px){
+ .sidebar{
+ display: none;
+ }
+
+ .main-panel{
+ width: 100%;
+ }
+ .navbar-transparent{
+ padding-top: 15px;
+ background-color: rgba(0, 0, 0, 0.45);
+ }
+ body {
+ position: relative;
+ }
+ .wrapper{
+ @include transform-translate-x(0px);
+ @include transition (0.33s, cubic-bezier(0.685, 0.0473, 0.346, 1));
+ left: 0;
+ background-color: white;
+ }
+ .navbar .container{
+ left: 0;
+ width: 100%;
+ @include transition (0.33s, cubic-bezier(0.685, 0.0473, 0.346, 1));
+ position: relative;
+ }
+ .navbar .navbar-collapse.collapse,
+ .navbar .navbar-collapse.collapse.in,
+ .navbar .navbar-collapse.collapsing{
+ display: none !important;
+ }
+
+ .navbar-nav > li{
+ float: none;
+ position: relative;
+ display: block;
+ }
+
+ body > .navbar-collapse {
+ position: fixed;
+ display: block;
+ top: 0;
+ height: 100%;
+ right: 0;
+ left: auto;
+ z-index: 1032;
+ visibility: visible;
+ background-color: #999;
+ overflow-y: visible;
+ border-top: none;
+ text-align: left;
+ padding: 0;
+
+ @include transform-translate-x(260px);
+ @include transition (0.33s, cubic-bezier(0.685, 0.0473, 0.346, 1));
+ > ul {
+ position: relative;
+ z-index: 4;
+ overflow-y:scroll;
+ height: calc(100vh - 61px);
+ width: 100%;
+ }
+
+ &::before{
+ top: 0;
+ left: 0;
+ height: 100%;
+ width: 100%;
+ position: absolute;
+ background-color: #282828;
+ display: block;
+ content: "";
+ z-index: 1;
+ }
+
+ .logo{
+ position: relative;
+ z-index: 4;
+ }
+
+ .nav li > a{
+ padding: 10px 15px;
+ }
+ }
+ .nav-open .navbar-collapse{
+ @include transform-translate-x(0px);
+ }
+ .nav-open .navbar .container{
+ left: -250px;
+ }
+ .nav-open .wrapper{
+ left: 0;
+ @include transform-translate-x(-260px);
+ }
+ .navbar-toggle .icon-bar {
+ display: block;
+ position: relative;
+ background: #fff;
+ width: 24px;
+ height: 2px;
+ border-radius: 1px;
+ margin: 0 auto;
+ }
+
+ .navbar-header .navbar-toggle {
+ margin: 10px 15px 10px 0;
+ width: 40px;
+ height: 40px;
+ }
+ .bar1,
+ .bar2,
+ .bar3 {
+ outline: 1px solid transparent;
+ }
+ .bar1 {
+ top: 0px;
+ @include bar-animation($topbar-back);
+ }
+ .bar2 {
+ opacity: 1;
+ }
+ .bar3 {
+ bottom: 0px;
+ @include bar-animation($bottombar-back);
+ }
+ .toggled .bar1 {
+ top: 6px;
+ @include bar-animation($topbar-x);
+ }
+ .toggled .bar2 {
+ opacity: 0;
+ }
+ .toggled .bar3 {
+ bottom: 6px;
+ @include bar-animation($bottombar-x);
+ }
+
+ @include topbar-x-rotation();
+ @include topbar-back-rotation();
+ @include bottombar-x-rotation();
+ @include bottombar-back-rotation();
+
+ @-webkit-keyframes fadeIn {
+ 0% {opacity: 0;}
+ 100% {opacity: 1;}
+ }
+ @-moz-keyframes fadeIn {
+ 0% {opacity: 0;}
+ 100% {opacity: 1;}
+ }
+ @keyframes fadeIn {
+ 0% {opacity: 0;}
+ 100% {opacity: 1;}
+ }
+
+ .dropdown-menu .divider{
+ background-color: rgba(229, 229, 229, 0.15);
+ }
+
+ .navbar-nav {
+ margin: 1px 0;
+
+ .open .dropdown-menu > li {
+ & > a{
+ padding: 10px 15px 10px 60px;
+ }
+ }
+ }
+
+ [class*="navbar-"] .navbar-nav {
+ & > li > a,
+ > li > a:hover,
+ > li > a:focus,
+ .active > a,
+ .active > a:hover,
+ .active > a:focus,
+ .open .dropdown-menu > li > a,
+ .open .dropdown-menu > li > a:hover,
+ .open .dropdown-menu > li > a:focus,
+ .open .dropdown-menu > li > a:active {
+ color: white;
+ }
+
+ & > li > a,
+ > li > a:hover,
+ > li > a:focus{
+ opacity: .7;
+ background-color: transparent;
+ outline: none;
+ }
+
+ .open .dropdown-menu > li > a:hover,
+ .open .dropdown-menu > li > a:focus{
+ background-color: rgba(255,255,255, .1);
+ }
+
+
+
+ &.navbar-nav .open .dropdown-menu > li > a:active {
+ opacity: 1;
+ }
+
+ & .dropdown > a{
+ &:hover .caret {
+ border-bottom-color: #fff;
+ border-top-color: #fff;
+ }
+ &:active .caret {
+ border-bottom-color: white;
+ border-top-color: white;
+ }
+ }
+
+ }
+
+ .dropdown-menu {
+ display: none;
+ }
+ .navbar-fixed-top {
+ -webkit-backface-visibility: hidden;
+ }
+ #bodyClick {
+ height: 100%;
+ width: 100%;
+ position: fixed;
+ opacity: 0;
+ top: 0;
+ left: auto;
+ right: 250px;
+ content: "";
+ z-index: 9999;
+ overflow-x: hidden;
+ }
+
+ .social-line .btn{
+ margin: $margin-bottom;
+ }
+ .subscribe-line .form-control{
+ margin: $margin-bottom;
+ }
+ .social-line.pull-right{
+ float: none;
+ }
+ .footer nav.pull-left{
+ float: none !important;
+ }
+ .footer:not(.footer-big) nav > ul li{
+ float: none;
+ }
+ .social-area.pull-right{
+ float: none !important;
+ }
+ .form-control + .form-control-feedback{
+ margin-top: -8px;
+ }
+ .navbar-toggle:hover,.navbar-toggle:focus {
+ background-color: transparent !important;
+ }
+ .btn.dropdown-toggle{
+ margin-bottom: 0;
+ }
+ .media-post .author{
+ width: 20%;
+ float: none !important;
+ display: block;
+ margin: 0 auto 10px;
+ }
+ .media-post .media-body{
+ width: 100%;
+ }
+
+ .navbar-collapse.collapse{
+ height: 100% !important;
+ }
+ .navbar-collapse.collapse.in {
+ display: block;
+ }
+ .navbar-header .collapse, .navbar-toggle {
+ display:block !important;
+ }
+ .navbar-header {
+ float:none;
+ }
+ .navbar-nav .open .dropdown-menu {
+ position: static;
+ float: none;
+ width: auto;
+ margin-top: 0;
+ background-color: transparent;
+ border: 0;
+ -webkit-box-shadow: none;
+ box-shadow: none;
+ }
+ .navbar-collapse{
+ .nav p{
+ font-size: $font-size-base;
+ margin: 0;
+ }
+
+ [class^="pe-7s-"]{
+ float: left;
+ font-size: 20px;
+ margin-right: 10px;
+ }
+ }
+}
+
+//overwrite table responsive for 768px screens
+
+@media (min-width: 992px){
+ .table-full-width{
+ margin-left: -15px;
+ margin-right: -15px;
+ }
+ .table-responsive{
+ overflow: visible;
+ }
+
+ .navbar-nav p{
+ line-height: normal;
+ margin: 0;
+ }
+
+}
+
+@media (max-width: 991px){
+ .table-responsive {
+ width: 100%;
+ margin-bottom: 15px;
+ overflow-x: scroll;
+ overflow-y: hidden;
+ -ms-overflow-style: -ms-autohiding-scrollbar;
+ -webkit-overflow-scrolling: touch;
+ }
+
+}
\ No newline at end of file
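Review bot: The comment `//overwrite table responsive for 768px screens` near the end of the file does not match the rule below it, which is `@media (min-width: 992px)`; no 768px breakpoint appears anywhere in this file. I would reword it to `// Override .table-responsive from 992px up` so the comment and the query agree. The file also opens with a `min-width: 992px` block, so these three rules could move there and leave one block per breakpoint.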
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_sidebar-and-main-panel.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_sidebar-and-main-panel.scss
new file mode 100644
index 0000000..1630602
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_sidebar-and-main-panel.scss
@@ -0,0 +1,261 @@
+.sidebar,
+body > .navbar-collapse{
+ position: absolute;
+ top: 0;
+ bottom: 0;
+ left: 0;
+ width: 260px;
+ display: block;
+ z-index: 1;
+ color: #fff;
+ font-weight: 200;
+ background-size: cover;
+ background-position: center center;
+
+ .sidebar-wrapper{
+ position: relative;
+ max-height: calc(100vh - 75px);
+ min-height: 100%;
+ overflow: auto;
+ width: 260px;
+ z-index: 4;
+
+ padding-bottom: 100px;
+ }
+
+ .sidebar-background{
+ position: absolute;
+ z-index: 1;
+ height: 100%;
+ width: 100%;
+ display: block;
+ top: 0;
+ left: 0;
+ background-size: cover;
+ background-position: center center;
+ }
+
+ .logo{
+ padding: $navbar-padding-a;
+ border-bottom: 1px solid rgba(255, 255, 255, 0.2);
+
+ p{
+ float: left;
+ font-size: 20px;
+ margin: 10px 10px;
+ color: $white-color;
+ line-height: 20px;
+ font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+ }
+
+ .simple-text{
+ text-transform: uppercase;
+ padding: $padding-small-vertical $padding-zero;
+ display: block;
+ font-size: $font-size-large;
+ color: $white-color;
+ text-align: center;
+ font-weight: $font-weight-normal;
+ line-height: 30px;
+ }
+ }
+
+ .logo-tim{
+ border-radius: 50%;
+ border: 1px solid #333;
+ display: block;
+ height: 61px;
+ width: 61px;
+ float: left;
+ overflow: hidden;
+
+ img{
+ width: 60px;
+ height: 60px;
+ }
+ }
+
+ .nav{
+ margin-top: 20px;
+ float: none;
+
+ li{
+ > a{
+ color: #FFFFFF;
+ margin: 5px 15px;
+ opacity: .86;
+ border-radius: 4px;
+ display: block;
+ }
+
+ &:hover > a{
+ background: rgba(255,255,255,0.13);
+ opacity: 1;
+ }
+
+ &.active > a{
+ color: #FFFFFF;
+ opacity: 1;
+ background: rgba(255,255,255,0.23);
+
+ }
+
+ &.separator{
+ margin: 15px 0;
+ border-bottom: 1px solid rgba(255, 255, 255, 0.2);
+
+ & + li {
+ margin-top: 31px;
+ }
+ }
+ }
+
+ p{
+ margin: 0;
+ line-height: 30px;
+ font-size: 12px;
+ font-weight: 600;
+ text-transform: uppercase;
+ margin-left: 45px;
+ }
+
+ i{
+ font-size: 28px;
+ float: left;
+ margin-right: 15px;
+ line-height: 30px;
+ width: 30px;
+ text-align: center;
+ }
+
+ .caret{
+ margin-top: 13px;
+ position: absolute;
+ right: 30px;
+ }
+ }
+
+ .logo{
+ padding: $navbar-padding-a;
+ border-bottom: 1px solid rgba(255, 255, 255, 0.2);
+
+ p{
+ float: left;
+ font-size: 20px;
+ margin: 10px 10px;
+ color: $white-color;
+ line-height: 20px;
+ font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+ }
+
+ .simple-text{
+ text-transform: uppercase;
+ padding: $padding-small-vertical $padding-zero;
+ display: block;
+ font-size: $font-size-large;
+ color: $white-color;
+ text-align: center;
+ font-weight: $font-weight-normal;
+ line-height: 30px;
+ }
+ }
+
+ .logo-tim{
+ border-radius: 50%;
+ border: 1px solid #333;
+ display: block;
+ height: 61px;
+ width: 61px;
+ float: left;
+ overflow: hidden;
+
+ img{
+ width: 60px;
+ height: 60px;
+ }
+ }
+
+ &:after,
+ &:before{
+ display: block;
+ content: "";
+ position: absolute;
+ width: 100%;
+ height: 100%;
+ top: 0;
+ left: 0;
+ z-index: 2;
+ }
+
+ &:before{
+ opacity: .33;
+ background: #000000;
+ }
+
+ &:after{
+ @include icon-gradient($black-color-top, $black-color-bottom);
+ z-index: 3;
+ opacity: 1;
+ }
+
+ &[data-image]:after,
+ &.has-image:after{
+ opacity: .77;
+ }
+
+ &[data-color="blue"]:after{
+ @include icon-gradient($new-dark-blue, $blue-color-bottom);
+ }
+ &[data-color="azure"]:after{
+ @include icon-gradient($new-blue, $azure-color-bottom);
+ }
+ &[data-color="green"]:after{
+ @include icon-gradient($new-green, $green-color-bottom);
+ }
+ &[data-color="orange"]:after{
+ @include icon-gradient($new-orange, $orange-color-bottom);
+ }
+ &[data-color="red"]:after{
+ @include icon-gradient($new-red, $red-color-bottom);
+ }
+ &[data-color="purple"]:after{
+ @include icon-gradient($new-purple, $purple-color-bottom);
+ }
+}
+
+
+.main-panel{
+ background: rgba(203,203,210,.15);
+ position: relative;
+ z-index: 2;
+ float: right;
+ width: $sidebar-width;
+ min-height: 100%;
+
+ > .content{
+ padding: 30px 15px;
+ min-height: calc(100% - 123px);
+ }
+
+ > .footer{
+ border-top: 1px solid #e7e7e7;
+ }
+
+ .navbar{
+ margin-bottom: 0;
+ }
+}
+
+.sidebar,
+.main-panel{
+ overflow: auto;
+ max-height: 100%;
+ height: 100%;
+ -webkit-transition-property: top,bottom;
+ transition-property: top,bottom;
+ -webkit-transition-duration: .2s,.2s;
+ transition-duration: .2s,.2s;
+ -webkit-transition-timing-function: linear,linear;
+ transition-timing-function: linear,linear;
+ -webkit-overflow-scrolling: touch;
+}
\ No newline at end of file
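Review bot: The `.logo` and `.logo-tim` rules appear twice inside the `.sidebar, body > .navbar-collapse` block, once before `.nav` and again after it, with identical declarations. The second pair only duplicates the compiled output, and a later edit to one copy can be masked or contradicted by the other. Dropping the pair that follows the `.nav` block leaves a single source for the logo styling.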
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_tables.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_tables.scss
new file mode 100644
index 0000000..6d35ed8
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_tables.scss
@@ -0,0 +1,57 @@
+.table{
+
+ .radio,
+ .checkbox{
+ position: relative;
+ height: 20px;
+ display: block;
+ width: 20px;
+ padding: 0px 0px;
+ margin: 0px 5px;
+ text-align: center;
+
+ .icons{
+ left: 5px;
+ }
+ }
+ > thead > tr > th,
+ > tbody > tr > th,
+ > tfoot > tr > th,
+ > thead > tr > td,
+ > tbody > tr > td,
+ > tfoot > tr > td{
+ padding: 12px 8px;
+ vertical-align: middle;
+ }
+
+ > thead > tr > th{
+ border-bottom-width: 1px;
+ font-size: $font-size-small;
+ text-transform: uppercase;
+ color: $dark-gray;
+ font-weight: $font-weight-normal;
+ padding-bottom: 5px;
+ }
+
+ .td-actions .btn{
+ @include opacity(0.36);
+
+ &.btn-xs{
+ padding-left: 3px;
+ padding-right: 3px;
+ }
+ }
+ .td-actions{
+ min-width: 90px;
+ }
+
+ > tbody > tr{
+ position: relative;
+
+ &:hover{
+ .td-actions .btn{
+ @include opacity(1);
+ }
+ }
+ }
+}
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_typography.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_typography.scss
new file mode 100644
index 0000000..a79f7da
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_typography.scss
@@ -0,0 +1,90 @@
+/* Font Smoothing */
+body,
+h1, .h1,
+h2, .h2,
+h3, .h3,
+h4, .h4,
+h5, .h5,
+h6, .h6,
+p,
+.navbar,
+.brand,
+.btn-simple,
+.alert,
+a,
+.td-name,
+td,
+button.close{
+ -moz-osx-font-smoothing: grayscale;
+ -webkit-font-smoothing: antialiased;
+ font-family: "Roboto","Helvetica Neue",Arial,sans-serif;
+ font-weight: $font-weight-normal;
+}
+
+h1, .h1, h2, .h2, h3, .h3, h4, .h4{
+ font-weight: $font-weight-light;
+ margin: $margin-large-vertical 0 $margin-base-vertical;
+}
+
+h1, .h1 {
+ font-size: $font-size-h1;
+}
+h2, .h2{
+ font-size: $font-size-h2;
+}
+h3, .h3{
+ font-size: $font-size-h3;
+ margin: 20px 0 10px;
+}
+h4, .h4{
+ font-size: $font-size-h4;
+ line-height: 30px;
+}
+h5, .h5 {
+ font-size: $font-size-h5;
+ margin-bottom: 15px;
+}
+h6, .h6{
+ font-size: $font-size-h6;
+ font-weight: $font-weight-bold;
+ text-transform: uppercase;
+}
+p{
+ font-size: $font-paragraph;
+ line-height: $line-height-general;
+}
+
+h1 small, h2 small, h3 small, h4 small, h5 small, h6 small, .h1 small, .h2 small, .h3 small, .h4 small, .h5 small, .h6 small, h1 .small, h2 .small, h3 .small, h4 .small, h5 .small, h6 .small, .h1 .small, .h2 .small, .h3 .small, .h4 .small, .h5 .small, .h6 .small {
+ color: $dark-gray;
+ font-weight: $font-weight-light;
+ line-height: $line-height-general;
+}
+
+h1 small, h2 small, h3 small, h1 .small, h2 .small, h3 .small {
+ font-size: 60%;
+}
+
+h1 .subtitle{
+ display: block;
+ margin: 0 0 $margin-large-vertical;
+}
+
+.text-muted{
+ color: #9A9A9A;
+}
+.text-primary, .text-primary:hover{
+ color: #1D62F0 !important;
+}
+.text-info, .text-info:hover{
+ color: $info-color !important;
+}
+.text-success, .text-success:hover{
+ color: $success-color !important;
+}
+.text-warning, .text-warning:hover{
+ color: $warning-color !important;
+}
+.text-danger, .text-danger:hover{
+ color: $danger-color !important;
+}
+
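Review bot: `.text-muted` and `.text-primary` hard-code `#9A9A9A` and `#1D62F0`, while the sibling `.text-info` through `.text-danger` rules take their colour from palette variables. Both literals equal values this commit defines in `_variables.scss` (`$dark-gray` and `$primary-states-color`), so `color: $dark-gray;` and `color: $primary-states-color !important;` would compile to the same CSS and let a palette override reach these helpers too. Whether `.text-primary` was meant to use the states colour rather than `$primary-color` cannot be told from this hunk.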
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_variables.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_variables.scss
new file mode 100644
index 0000000..99332ee
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/_variables.scss
@@ -0,0 +1,265 @@
+//== Buttons
+//
+//## For each of Bootstrap's buttons, define text, background and border color.
+
+$none: 0 !default;
+$border-thin: 1px !default;
+$border-thick: 2px !default;
+
+$white-color: #FFFFFF !default;
+$white-bg: #FFFFFF !default;
+
+$smoke-bg: #F5F5F5 !default;
+
+$black-bg: rgba(30,30,30,.97) !default;
+
+$black-color: #333333 !default;
+$black-hr: #444444 !default;
+
+$light-gray: #E3E3E3 !default;
+$medium-gray: #DDDDDD !default;
+$medium-dark-gray: #AAAAAA !default;
+$dark-gray: #9A9A9A !default;
+
+$transparent-bg: transparent !default;
+
+$default-color: #888888 !default;
+$default-bg: #888888 !default;
+$default-states-color: #777777 !default;
+
+$primary-color: #3472F7 !default;
+$primary-bg: #3472F7 !default;
+$primary-states-color: #1D62F0 !default;
+
+$success-color: #87CB16 !default;
+$success-bg: #87CB16 !default;
+$success-states-color: #049F0C !default;
+
+$info-color: #1DC7EA !default;
+$info-bg: #1DC7EA !default;
+$info-states-color: lighten($info-color, 8%) !default;
+
+$warning-color: #FF9500 !default;
+$warning-bg: #FF9500 !default;
+$warning-states-color: #ED8D00 !default;
+
+
+$danger-color: #FF4A55 !default;
+$danger-bg: #FF4A55 !default;
+$danger-states-color: #EE2D20 !default;
+
+
+
+$link-disabled-color: #666666 !default;
+
+
+/* light colors */
+$light-blue: rgba($primary-color, .2);
+$light-azure: rgba($info-color, .2);
+$light-green: rgba($success-color, .2);
+$light-orange: rgba($warning-color, .2);
+$light-red: rgba($danger-color, .2);
+
+
+//== Components
+//
+
+$padding-base-vertical: 8px !default;
+$padding-base-horizontal: 16px !default;
+
+$padding-round-vertical: 9px !default;
+$padding-round-horizontal: 18px !default;
+
+$padding-simple-vertical: 10px !default;
+$padding-simple-horizontal: 18px !default;
+
+$padding-large-vertical: 14px !default;
+$padding-large-horizontal: 30px !default;
+
+$padding-small-vertical: 5px !default;
+$padding-small-horizontal: 10px !default;
+
+$padding-xs-vertical: 1px !default;
+$padding-xs-horizontal: 5px !default;
+
+$padding-label-vertical: 2px !default;
+$padding-label-horizontal: 12px !default;
+
+$margin-large-vertical: 30px !default;
+$margin-base-vertical: 15px !default;
+
+$padding-zero: 0px !default;
+
+$margin-bottom: 0 0 10px 0 !default;
+$border-radius-small: 3px !default;
+$border-radius-base: 4px !default;
+$border-radius-large: 6px !default;
+$border-radius-extreme: 10px !default;
+
+$border-radius-large-top: $border-radius-large $border-radius-large 0 0 !default;
+$border-radius-large-bottom: 0 0 $border-radius-large $border-radius-large !default;
+
+$btn-round-radius: 30px !default;
+
+$height-base: 40px !default;
+
+$font-size-base: 14px !default;
+$font-size-small: 12px !default;
+$font-size-medium: 16px !default;
+$font-size-large: 18px !default;
+$font-size-large-navbar: 20px !default;
+
+$font-size-h1: 52px !default;
+$font-size-h2: 36px !default;
+$font-size-h3: 28px !default;
+$font-size-h4: 22px !default;
+$font-size-h5: 16px !default;
+$font-size-h6: 14px !default;
+$font-paragraph: 16px !default;
+$font-size-navbar: 16px !default;
+$font-size-small: 12px !default;
+
+$font-weight-light: 300 !default;
+$font-weight-normal: 400 !default;
+$font-weight-semi: 500 !default;
+$font-weight-bold: 600 !default;
+
+$line-height-general: 1.5 !default;
+$line-height: 20px !default;
+$line-height-lg: 54px !default;
+
+$sidebar-width: calc(100% - 260px) !default;
+
+
+$border-radius-top: 10px 10px 0 0 !default;
+$border-radius-bottom: 0 0 10px 10px !default;
+
+$dropdown-shadow: 1px 2px 3px rgba(0, 0, 0, 0.125);
+
+$general-transition-time: 300ms !default;
+
+$slow-transition-time: 370ms !default;
+$dropdown-coordinates: 29px -50px !default;
+
+$fast-transition-time: 150ms !default;
+
+$ultra-fast-transition-time: 100ms !default;
+
+$select-coordinates: 50% -40px !default;
+
+$transition-linear: linear !default;
+$transition-bezier: cubic-bezier(0.34, 1.61, 0.7, 1) !default;
+$transition-ease: ease 0s;
+$transition-ease-in: ease-in !default;
+$transition-ease-out: ease-out !default;
+
+
+$navbar-padding-a: 10px 15px;
+$navbar-margin-a: 10px 3px;
+
+$padding-social-a: 10px 5px;
+
+$navbar-margin-a-btn: 15px 3px;
+$navbar-margin-a-btn-round: 16px 3px;
+
+$navbar-padding-a-icons: 6px 15px;
+$navbar-margin-a-icons: 6px 3px;
+
+$navbar-padding-brand: 15px 15px;
+$navbar-margin-brand: 5px 0px;
+
+$navbar-margin-brand-icons: 12px auto;
+
+$navbar-margin-btn: 15px 3px;
+
+$height-icon: 64px !default;
+$width-icon: 64px !default;
+$padding-icon: 12px !default;
+$border-radius-icon: 15px !default;
+
+$size-icon: 64px;
+$size-icon-sm: 32px;
+
+
+$height-icon-sm: 32px;
+$width-icon-sm: 32px;
+$padding-icon-sm: 4px;
+$border-radius-icon-sm: 7px;
+
+$height-icon-message: 40px;
+$width-icon-message: 40px;
+
+$height-icon-message-sm: 20px;
+$width-icon-message-sm: 20px;
+
+$default-color-top: #d9d9d9 !default;
+$default-color-bottom: #909297 !default;
+
+$blue-color-top: #4087ea;
+$blue-color-bottom: #533ce1;
+
+$azure-color-top: #45c0fd;
+$azure-color-bottom: #4091ff;
+
+$green-color-top: #a1eb3a;
+$green-color-bottom: #6dc030;
+
+$orange-color-top: #ffb33b;
+$orange-color-bottom: #ff5221;
+
+$red-color-top: #ff3b30;
+$red-color-bottom: #bb0502;
+
+$purple-color-top: #df55e1;
+$purple-color-bottom: #943bea;
+
+$pink-color-top: #ff2a63;
+$pink-color-bottom: #ff2e2e;
+
+$black-color-top: #787878;
+$black-color-bottom: #343434;
+
+$social-facebook: #3b5998;
+$social-twitter: #55acee;
+$social-pinterest: #cc2127;
+$social-google: #dd4b39;
+$social-linkedin: #0976b4;
+$social-dribbble: #ea4c89;
+$social-github: #333333;
+$social-youtube: #e52d27;
+$social-stumbleupon: #eb4924;
+$social-reddit: #ff4500;
+$social-tumblr: #35465c;
+$social-behance: #1769ff;
+
+
+$filter-blue: darken($primary-color, 10%);
+$filter-azure: darken($info-color, 10%);
+$filter-green: darken($success-color, 10%);
+$filter-orange: darken($warning-color, 10%);
+$filter-red: darken($danger-color, 10%);
+
+
+$new-blue: #1DC7EA;
+$new-purple: #9368E9;
+$new-red: #FB404B;
+$new-green: #87CB16;
+$new-orange: #FFA534;
+$new-dark-blue: #1F77D0;
+$new-black: #5e5e5e;
+
+
+$topbar-x: topbar-x !default;
+$topbar-back: topbar-back !default;
+$bottombar-x: bottombar-x !default;
+$bottombar-back: bottombar-back !default;
+
+
+$white-navbar: rgba(#FFFFFF, .96);
+$blue-navbar: lighten($new-dark-blue, 10%);
+$azure-navbar: lighten($new-blue, 15%);
+$green-navbar: lighten($new-green, 10%);
+$orange-navbar: lighten($new-orange, 10%);
+$red-navbar: lighten($new-red, 10%);
+
+
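Review bot: `$font-size-small: 12px !default;` is declared twice in the font-size group, and because of `!default` the second declaration can never take effect; it should be removed so a later change to one line is not silently ignored. The file is also inconsistent about `!default`: the navbar spacing, gradient, social and `$new-*` values omit it, so a project that sets them before importing this partial has its values overwritten. If those are meant to be themeable like the rest, add `!default` to them, e.g. `$new-blue: #1DC7EA !default;`.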
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_buttons.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_buttons.scss
new file mode 100644
index 0000000..8322b05
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_buttons.scss
@@ -0,0 +1,70 @@
+// Mixin for generating new styles
+@mixin btn-styles($btn-color, $btn-states-color) {
+ border-color: $btn-color;
+ color: $btn-color;
+
+ &:hover,
+ &:focus,
+ &:active,
+ &.active,
+ .open > &.dropdown-toggle {
+ background-color: $transparent-bg;
+ color: $btn-states-color;
+ border-color: $btn-states-color;
+ }
+
+ &.disabled,
+ &:disabled,
+ &[disabled],
+ fieldset[disabled] & {
+ &,
+ &:hover,
+ &:focus,
+ &.focus,
+ &:active,
+ &.active {
+ background-color: $transparent-bg;
+ border-color: $btn-color;
+ }
+ }
+
+
+ &.btn-fill {
+ color: $white-color;
+ background-color: $btn-color;
+ @include opacity(1);
+
+ &:hover,
+ &:focus,
+ &:active,
+ &.active,
+ .open > &.dropdown-toggle{
+ background-color: $btn-states-color;
+ color: $white-color;
+ }
+
+ .caret{
+ border-top-color: $white-color;
+ }
+ }
+
+ .caret{
+ border-top-color: $btn-color;
+ }
+}
+
+
+@mixin btn-size($padding-vertical, $padding-horizontal, $font-size, $border){
+ font-size: $font-size;
+ border-radius: $border;
+ padding: $padding-vertical $padding-horizontal;
+
+ &.btn-round{
+ padding: $padding-vertical + 1 $padding-horizontal;
+ }
+
+ &.btn-simple{
+ padding: $padding-vertical + 2 $padding-horizontal;
+ }
+
+}
\ No newline at end of file
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_cards.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_cards.scss
new file mode 100644
index 0000000..af1f955
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_cards.scss
@@ -0,0 +1,8 @@
+@mixin filter($color){
+ @if $color == #FFFFFF{
+ background-color: rgba($color,.91);
+ } @else {
+ background-color: rgba($color,.69);
+ }
+}
+
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_chartist.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_chartist.scss
new file mode 100644
index 0000000..cc83d5d
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_chartist.scss
@@ -0,0 +1,85 @@
+// Scales for responsive SVG containers
+$ct-scales: ((1), (15/16), (8/9), (5/6), (4/5), (3/4), (2/3), (5/8), (1/1.618), (3/5), (9/16), (8/15), (1/2), (2/5), (3/8), (1/3), (1/4)) !default;
+$ct-scales-names: (ct-square, ct-minor-second, ct-major-second, ct-minor-third, ct-major-third, ct-perfect-fourth, ct-perfect-fifth, ct-minor-sixth, ct-golden-section, ct-major-sixth, ct-minor-seventh, ct-major-seventh, ct-octave, ct-major-tenth, ct-major-eleventh, ct-major-twelfth, ct-double-octave) !default;
+
+// Class names to be used when generating CSS
+$ct-class-chart: ct-chart !default;
+$ct-class-chart-line: ct-chart-line !default;
+$ct-class-chart-bar: ct-chart-bar !default;
+$ct-class-horizontal-bars: ct-horizontal-bars !default;
+$ct-class-chart-pie: ct-chart-pie !default;
+$ct-class-chart-donut: ct-chart-donut !default;
+$ct-class-label: ct-label !default;
+$ct-class-series: ct-series !default;
+$ct-class-line: ct-line !default;
+$ct-class-point: ct-point !default;
+$ct-class-area: ct-area !default;
+$ct-class-bar: ct-bar !default;
+$ct-class-slice-pie: ct-slice-pie !default;
+$ct-class-slice-donut: ct-slice-donut !default;
+$ct-class-grid: ct-grid !default;
+$ct-class-vertical: ct-vertical !default;
+$ct-class-horizontal: ct-horizontal !default;
+$ct-class-start: ct-start !default;
+$ct-class-end: ct-end !default;
+
+// Container ratio
+$ct-container-ratio: (1/1.618) !default;
+
+// Text styles for labels
+$ct-text-color: rgba(0, 0, 0, 0.4) !default;
+$ct-text-size: 1.3rem !default;
+$ct-text-align: flex-start !default;
+$ct-text-justify: flex-start !default;
+$ct-text-line-height: 1;
+
+// Grid styles
+$ct-grid-color: rgba(0, 0, 0, 0.2) !default;
+$ct-grid-dasharray: 2px !default;
+$ct-grid-width: 1px !default;
+
+// Line chart properties
+$ct-line-width: 3px !default;
+$ct-line-dasharray: false !default;
+$ct-point-size: 8px !default;
+// Line chart point, can be either round or square
+$ct-point-shape: round !default;
+// Area fill transparency between 0 and 1
+$ct-area-opacity: 0.8 !default;
+
+// Bar chart bar width
+$ct-bar-width: 10px !default;
+
+// Donut width (If donut width is to big it can cause issues where the shape gets distorted)
+$ct-donut-width: 60px !default;
+
+// If set to true it will include the default classes and generate CSS output. If you're planning to use the mixins you
+// should set this property to false
+$ct-include-classes: true !default;
+
+// If this is set to true the CSS will contain colored series. You can extend or change the color with the
+// properties below
+$ct-include-colored-series: $ct-include-classes !default;
+
+// If set to true this will include all responsive container variations using the scales defined at the top of the script
+$ct-include-alternative-responsive-containers: $ct-include-classes !default;
+
+// Series names and colors. This can be extended or customized as desired. Just add more series and colors.
+$ct-series-names: (a, b, c, d, e, f, g, h, i, j, k, l, m, n, o) !default;
+$ct-series-colors: (
+ $new-blue,
+ $new-red,
+ $new-orange,
+ $new-purple,
+ $new-green,
+ $new-dark-blue,
+ $new-black,
+ $social-google,
+ $social-tumblr,
+ $social-youtube,
+ $social-twitter,
+ $social-pinterest,
+ $social-behance,
+ #6188e2,
+ #a748ca
+) !default;
\ No newline at end of file
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_icons.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_icons.scss
new file mode 100644
index 0000000..80df4df
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_icons.scss
@@ -0,0 +1,13 @@
+@mixin icon-background ($icon-url){
+ background-image : url($icon-url);
+
+}
+
+@mixin icon-shape ($size, $padding, $border-radius) {
+ height: $size;
+ width: $size;
+ padding: $padding;
+ border-radius: $border-radius;
+ display: inline-table;
+
+}
\ No newline at end of file
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_inputs.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_inputs.scss
new file mode 100644
index 0000000..870c918
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_inputs.scss
@@ -0,0 +1,17 @@
+@mixin input-size($padding-vertical, $padding-horizontal, $height){
+ padding: $padding-vertical $padding-horizontal;
+ height: $height;
+}
+
+@mixin placeholder($color, $opacity){
+ color: $color;
+ @include opacity(1);
+}
+
+@mixin light-form(){
+ border-radius: 0;
+ border:0;
+ padding: 0;
+ background-color: transparent;
+
+}
\ No newline at end of file
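Review bot: The `placeholder($color, $opacity)` mixin never uses its `$opacity` argument; it calls `@include opacity(1);` with a literal, so every caller gets fully opaque placeholder text whatever it passes. If that is not intended, the line should read `@include opacity($opacity);`. The call sites are outside this hunk, so check what they pass before changing it, since the rendered placeholders would change.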
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_labels.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_labels.scss
new file mode 100644
index 0000000..8a2bdd5
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_labels.scss
@@ -0,0 +1,21 @@
+@mixin label-style(){
+ padding: $padding-label-vertical $padding-label-horizontal;
+ border: 1px solid $default-color;
+ border-radius: $border-radius-small;
+ color: $default-color;
+ font-weight: $font-weight-semi;
+ font-size: $font-size-small;
+ text-transform: uppercase;
+ display: inline-block;
+ vertical-align: middle;
+}
+
+@mixin label-color($color){
+ border-color: $color;
+ color: $color;
+}
+@mixin label-color-fill($color){
+ border-color: $color;
+ color: $white-color;
+ background-color: $color;
+}
\ No newline at end of file
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_morphing-buttons.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_morphing-buttons.scss
new file mode 100644
index 0000000..1a4e986
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_morphing-buttons.scss
@@ -0,0 +1,34 @@
+$prefixes: ('', '-moz-', '-webkit-', '-ms-') !default;
+
+@mixin circle-animation(){
+ @for $i from 0 to length($prefixes) {
+ @include circle-animation-details(nth($prefixes, $i + 1));
+ }
+}
+
+@mixin circle-animation-details($name){
+ #{$name}animation-name: spin;
+ #{$name}animation-duration: 1250ms;
+ #{$name}animation-iteration-count: infinite;
+ #{$name}animation-timing-function: linear;
+
+}
+@keyframes spin {
+ from { transform:rotate(0deg); }
+ to { transform:rotate(360deg); }
+}
+
+@-webkit-keyframes spin {
+ from { -webkit-transform: rotate(0deg); }
+ to { -webkit-transform: rotate(360deg); }
+}
+
+@-moz-keyframes spin {
+ from { -moz-transform: rotate(0deg); }
+ to { -moz-transform: rotate(360deg); }
+}
+
+@-ms-keyframes spin {
+ from { -ms-transform: rotate(0deg); }
+ to { -ms-transform: rotate(360deg); }
+}
\ No newline at end of file
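Review bot: `circle-animation` walks `$prefixes` with an index loop (`@for $i from 0 to length($prefixes)` plus `nth($prefixes, $i + 1)`) where `@each` expresses the same iteration without the off-by-one arithmetic: `@each $prefix in $prefixes { @include circle-animation-details($prefix); }`. The parameter of `circle-animation-details` is named `$name` although it holds a vendor prefix; renaming it to `$prefix` would make `#{$prefix}animation-name` self-explanatory. No callers are visible in this hunk, so confirm none pass it by keyword before renaming.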
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_navbars.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_navbars.scss
new file mode 100644
index 0000000..6f50046
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_navbars.scss
@@ -0,0 +1,11 @@
+@mixin navbar-color($color){
+ background-color: $color;
+}
+
+@mixin center-item(){
+ left: 0;
+ right: 0;
+ margin-right: auto;
+ margin-left: auto;
+ position: absolute;
+}
\ No newline at end of file
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_social-buttons.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_social-buttons.scss
new file mode 100644
index 0000000..38a7d4b
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_social-buttons.scss
@@ -0,0 +1,43 @@
+@mixin social-buttons-color ($color){
+
+ border-color: $color;
+ color: $color;
+
+ &:hover,
+ &:focus,
+ &:active,
+ &.active,
+ .open > &.dropdown-toggle {
+ background-color: $transparent-bg;
+ color: $color;
+ border-color: $color;
+ opacity: 1;
+ }
+
+ &:disabled,
+ &[disabled],
+ &.disabled {
+ background-color: $transparent-bg;
+ border-color: $color;
+ }
+
+ &.btn-fill {
+ color: $white-color;
+ background-color: $color;
+ opacity: 0.9;
+
+ &:hover,
+ &:focus,
+ &:active,
+ &.active,
+ .open > &.dropdown-toggle{
+ background-color: $color;
+ color: $white-color;
+ opacity: 1;
+ }
+
+ }
+
+
+}
+
\ No newline at end of file
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_tabs.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_tabs.scss
new file mode 100644
index 0000000..edf6f58
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_tabs.scss
@@ -0,0 +1,4 @@
+@mixin pill-style($color){
+ border: 1px solid $color;
+ color: $color;
+}
\ No newline at end of file
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_transparency.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_transparency.scss
new file mode 100644
index 0000000..da32b74
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_transparency.scss
@@ -0,0 +1,20 @@
+// Opacity
+
+@mixin opacity($opacity) {
+ opacity: $opacity;
+ // IE8 filter
+ $opacity-ie: ($opacity * 100);
+ filter: #{alpha(opacity=$opacity-ie)};
+}
+
+@mixin black-filter($opacity){
+ top: 0;
+ left: 0;
+ height: 100%;
+ width: 100%;
+ position: absolute;
+ background-color: rgba(17,17,17,$opacity);
+ display: block;
+ content: "";
+ z-index: 1;
+}
\ No newline at end of file
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_vendor-prefixes.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_vendor-prefixes.scss
new file mode 100644
index 0000000..c9830d6
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/lbd/mixins/_vendor-prefixes.scss
@@ -0,0 +1,189 @@
+// User select
+// For selecting text on the page
+
+@mixin user-select($select) {
+ -webkit-user-select: $select;
+ -moz-user-select: $select;
+ -ms-user-select: $select; // IE10+
+ user-select: $select;
+}
+
+@mixin box-shadow($shadow...) {
+ -webkit-box-shadow: $shadow; // iOS <4.3 & Android <4.1
+ box-shadow: $shadow;
+}
+
+// Box sizing
+@mixin box-sizing($boxmodel) {
+ -webkit-box-sizing: $boxmodel;
+ -moz-box-sizing: $boxmodel;
+ box-sizing: $boxmodel;
+}
+
+
+@mixin transition($time, $type){
+ -webkit-transition: all $time $type;
+ -moz-transition: all $time $type;
+ -o-transition: all $time $type;
+ -ms-transition: all $time $type;
+ transition: all $time $type;
+}
+
+@mixin transform-scale($value){
+ -webkit-transform: scale($value);
+ -moz-transform: scale($value);
+ -o-transform: scale($value);
+ -ms-transform: scale($value);
+ transform: scale($value);
+}
+
+@mixin transform-translate-x($value){
+ -webkit-transform: translate3d($value, 0, 0);
+ -moz-transform: translate3d($value, 0, 0);
+ -o-transform: translate3d($value, 0, 0);
+ -ms-transform: translate3d($value, 0, 0);
+ transform: translate3d($value, 0, 0);
+}
+
+@mixin transform-origin($coordinates){
+ -webkit-transform-origin: $coordinates;
+ -moz-transform-origin: $coordinates;
+ -o-transform-origin: $coordinates;
+ -ms-transform-origin: $coordinates;
+ transform-origin: $coordinates;
+}
+
+@mixin icon-gradient ($top-color, $bottom-color){
+ background: $top-color;
+ background: -moz-linear-gradient(top, $top-color 0%, $bottom-color 100%);
+ background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,$top-color), color-stop(100%,$bottom-color));
+ background: -webkit-linear-gradient(top, $top-color 0%,$bottom-color 100%);
+ background: -o-linear-gradient(top, $top-color 0%,$bottom-color 100%);
+ background: -ms-linear-gradient(top, $top-color 0%,$bottom-color 100%);
+ background: linear-gradient(to bottom, $top-color 0%,$bottom-color 100%);
+ background-size: 150% 150%;
+}
+
+@mixin radial-gradient($extern-color, $center-color){
+ background: $extern-color;
+ background: -moz-radial-gradient(center, ellipse cover, $center-color 0%, $extern-color 100%); /* FF3.6+ */
+ background: -webkit-gradient(radial, center center, 0px, center center, 100%, color-stop(0%,$center-color), color-stop(100%,$extern-color)); /* Chrome,Safari4+ */
+ background: -webkit-radial-gradient(center, ellipse cover, $center-color 0%,$extern-color 100%); /* Chrome10+,Safari5.1+ */
+ background: -o-radial-gradient(center, ellipse cover, $center-color 0%,$extern-color 100%); /* Opera 12+ */
+ background: -ms-radial-gradient(center, ellipse cover, $center-color 0%,$extern-color 100%); /* IE10+ */
+ background: radial-gradient(ellipse at center, $center-color 0%,$extern-color 100%); /* W3C */
+ background-size: 550% 450%;
+}
+
+@mixin vertical-align {
+ position: relative;
+ top: 50%;
+ -webkit-transform: translateY(-50%);
+ -ms-transform: translateY(-50%);
+ transform: translateY(-50%);
+}
+
+@mixin rotate-180(){
+ filter: progid:DXImageTransform.Microsoft.BasicImage(rotation=2);
+ -webkit-transform: rotate(180deg);
+ -ms-transform: rotate(180deg);
+ transform: rotate(180deg);
+}
+
+@mixin bar-animation($type){
+ -webkit-animation: $type 500ms linear 0s;
+ -moz-animation: $type 500ms linear 0s;
+ animation: $type 500ms 0s;
+ -webkit-animation-fill-mode: forwards;
+ -moz-animation-fill-mode: forwards;
+ animation-fill-mode: forwards;
+}
+
+@mixin topbar-x-rotation(){
+ @keyframes topbar-x {
+ 0% {top: 0px; transform: rotate(0deg); }
+ 45% {top: 6px; transform: rotate(145deg); }
+ 75% {transform: rotate(130deg); }
+ 100% {transform: rotate(135deg); }
+ }
+ @-webkit-keyframes topbar-x {
+ 0% {top: 0px; -webkit-transform: rotate(0deg); }
+ 45% {top: 6px; -webkit-transform: rotate(145deg); }
+ 75% {-webkit-transform: rotate(130deg); }
+ 100% { -webkit-transform: rotate(135deg); }
+ }
+ @-moz-keyframes topbar-x {
+ 0% {top: 0px; -moz-transform: rotate(0deg); }
+ 45% {top: 6px; -moz-transform: rotate(145deg); }
+ 75% {-moz-transform: rotate(130deg); }
+ 100% { -moz-transform: rotate(135deg); }
+ }
+}
+
+@mixin topbar-back-rotation(){
+ @keyframes topbar-back {
+ 0% { top: 6px; transform: rotate(135deg); }
+ 45% { transform: rotate(-10deg); }
+ 75% { transform: rotate(5deg); }
+ 100% { top: 0px; transform: rotate(0); }
+ }
+
+ @-webkit-keyframes topbar-back {
+ 0% { top: 6px; -webkit-transform: rotate(135deg); }
+ 45% { -webkit-transform: rotate(-10deg); }
+ 75% { -webkit-transform: rotate(5deg); }
+ 100% { top: 0px; -webkit-transform: rotate(0); }
+ }
+
+ @-moz-keyframes topbar-back {
+ 0% { top: 6px; -moz-transform: rotate(135deg); }
+ 45% { -moz-transform: rotate(-10deg); }
+ 75% { -moz-transform: rotate(5deg); }
+ 100% { top: 0px; -moz-transform: rotate(0); }
+ }
+}
+
+@mixin bottombar-x-rotation(){
+ @keyframes bottombar-x {
+ 0% {bottom: 0px; transform: rotate(0deg);}
+ 45% {bottom: 6px; transform: rotate(-145deg);}
+ 75% {transform: rotate(-130deg);}
+ 100% {transform: rotate(-135deg);}
+ }
+ @-webkit-keyframes bottombar-x {
+ 0% {bottom: 0px; -webkit-transform: rotate(0deg);}
+ 45% {bottom: 6px; -webkit-transform: rotate(-145deg);}
+ 75% {-webkit-transform: rotate(-130deg);}
+ 100% {-webkit-transform: rotate(-135deg);}
+ }
+ @-moz-keyframes bottombar-x {
+ 0% {bottom: 0px; -moz-transform: rotate(0deg);}
+ 45% {bottom: 6px; -moz-transform: rotate(-145deg);}
+ 75% {-moz-transform: rotate(-130deg);}
+ 100% {-moz-transform: rotate(-135deg);}
+ }
+}
+
+@mixin bottombar-back-rotation{
+ @keyframes bottombar-back {
+ 0% { bottom: 6px;transform: rotate(-135deg);}
+ 45% { transform: rotate(10deg);}
+ 75% { transform: rotate(-5deg);}
+ 100% { bottom: 0px;transform: rotate(0);}
+ }
+ @-webkit-keyframes bottombar-back {
+ 0% {bottom: 6px;-webkit-transform: rotate(-135deg);}
+ 45% {-webkit-transform: rotate(10deg);}
+ 75% {-webkit-transform: rotate(-5deg);}
+ 100% {bottom: 0px;-webkit-transform: rotate(0);}
+ }
+ @-moz-keyframes bottombar-back {
+ 0% {bottom: 6px;-moz-transform: rotate(-135deg);}
+ 45% {-moz-transform: rotate(10deg);}
+ 75% {-moz-transform: rotate(-5deg);}
+ 100% {bottom: 0px;-moz-transform: rotate(0);}
+ }
+
+}
+
+
diff --git a/Chapter02/light-bootstrap-dashboard/assets/sass/light-bootstrap-dashboard.scss b/Chapter02/light-bootstrap-dashboard/assets/sass/light-bootstrap-dashboard.scss
new file mode 100644
index 0000000..2151b6b
--- /dev/null
+++ b/Chapter02/light-bootstrap-dashboard/assets/sass/light-bootstrap-dashboard.scss
@@ -0,0 +1,40 @@
+
+/*!
+
+ =========================================================
+ * Light Bootstrap Dashboard - v1.3.1.0
+ =========================================================
+
+ * Product Page: http://www.creative-tim.com/product/light-bootstrap-dashboard
+ * Copyright 2017 Creative Tim (http://www.creative-tim.com)
+ * Licensed under MIT (https://github.com/creativetimofficial/light-bootstrap-dashboard/blob/master/LICENSE.md)
+
+ =========================================================
+
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+ */
+
+@import "lbd/variables";
+@import "lbd/mixins";
+
+@import "lbd/typography";
+
+// Core CSS
+@import "lbd/misc";
+@import "lbd/sidebar-and-main-panel";
+@import "lbd/buttons";
+@import "lbd/inputs";
+
+@import "lbd/alerts";
+@import "lbd/tables";
+
+@import "lbd/checkbox-radio-switch";
+@import "lbd/navbars";
+@import "lbd/footers";
+
+// Fancy Stuff
+@import "lbd/dropdown";
+@import "lbd/cards";
+@import "lbd/chartist";
+@import "lbd/responsive";
diff --git a/Chapter02/output_writer.py b/Chapter02/output_writer.py
new file mode 100644
index 0000000..111e12e
--- /dev/null
+++ b/Chapter02/output_writer.py
@@ -0,0 +1,98 @@
+from __future__ import print_function
+import csv
+import os
+import sys
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+TEST_DATA_LIST = [["Bill", 53, 0], ["Alice", 42, 5],
+ ["Zane", 33, -1], ["Theodore", 72, 9001]]
+
+TEST_DATA_DICT = [{"Name": "Bill", "Age": 53, "Cool Factor": 0},
+ {"Name": "Alice", "Age": 42, "Cool Factor": 5},
+ {"Name": "Zane", "Age": 33, "Cool Factor": -1},
+ {"Name": "Theodore", "Age": 72, "Cool Factor": 9001}]
+
+
+def csv_writer_py2(data, header, output_directory, name=None):
+ if name is None:
+ name = "output.csv"
+
+ print("[+] Writing {} to {}".format(name, output_directory))
+
+ with open(os.path.join(output_directory, name), "wb") as csvfile:
+ writer = csv.writer(csvfile)
+ writer.writerow(header)
+
+ writer.writerows(data)
+
+
+def csv_writer_py3(data, header, output_directory, name=None):
+ if name is None:
+ name = "output.csv"
+
+ print("[+] Writing {} to {}".format(name, output_directory))
+
+ with open(os.path.join(output_directory, name), "w", newline="") as \
+ csvfile:
+ writer = csv.writer(csvfile)
+ writer.writerow(header)
+
+ writer.writerows(data)
+
+
+def unicode_csv_dict_writer_py2(data, header, output_directory, name=None):
+ try:
+ import unicodecsv
+ except ImportError:
+ print("[+] Install unicodecsv module before executing this"
+ " function")
+ sys.exit(1)
+
+ if name is None:
+ name = "output.csv"
+
+ print("[+] Writing {} to {}".format(name, output_directory))
+ with open(os.path.join(output_directory, name), "wb") as csvfile:
+ writer = unicodecsv.DictWriter(csvfile, fieldnames=header)
+ writer.writeheader()
+
+ writer.writerows(data)
+
+
+if sys.version_info < (3, 0):
+ csv_writer_py2(TEST_DATA_LIST, ["Name", "Age", "Cool Factor"],
+ os.getcwd())
+ unicode_csv_dict_writer_py2(
+ TEST_DATA_DICT, ["Name", "Age", "Cool Factor"], os.getcwd(),
+ "dict_output.csv")
+
+elif sys.version_info >= (3, 0):
+ csv_writer_py3(TEST_DATA_LIST, ["Name", "Age", "Cool Factor"],
+ os.getcwd())
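Review bot: The version-dispatch block at the end of output_writer.py runs at module level, so importing the module writes `output.csv` (and on Python 2 also `dict_output.csv`) into the current working directory. All three writers open with `"wb"` or `"w"`, so an existing file of that name is truncated without warning. Move the demo calls under `if __name__ == "__main__":` (the trailing `elif sys.version_info >= (3, 0):` can then be a plain `else:`), and in `csv_writer_py3` consider mode `"x"` so an earlier result set is never silently replaced. The writers also pass every value to `writerow`/`writerows` unchanged, so if they are reused for fields parsed from evidence, which is presumably the intent here, a cell beginning with `=`, `+`, `-` or `@` will be evaluated as a formula by spreadsheet software. A docstring saying so, or a step that prefixes such string cells with `'`, would cover the analyst opening the report.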
diff --git a/Chapter02/redacted_sample_event_log.csv b/Chapter02/redacted_sample_event_log.csv
new file mode 100644
index 0000000..1c2e7bd
--- /dev/null
+++ b/Chapter02/redacted_sample_event_log.csv
@@ -0,0 +1,1000 @@
+196,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:30 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+52,Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:52 PM,4,Microsoft-Windows-ShellCommon-StartLayoutPopulation,20,/Windows/System32/winevt/Logs/Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx
+5217,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:30 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+194,Application.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:25 PM,4,Software Protection Platform Service,1003,/Windows/System32/winevt/Logs/Application.evtx
+37,Microsoft-Windows-GroupPolicy%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:07 PM,4,Microsoft-Windows-GroupPolicy,5311,/Windows/System32/winevt/Logs/Microsoft-Windows-GroupPolicy%4Operational.evtx
+80,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:18 PM,5,Microsoft-Windows-AppXDeployment-Server,472,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+2227,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:30 PM,4,Microsoft-Windows-AppXDeployment-Server,339,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+5174,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:18 PM,5,Microsoft-Windows-Store,8012,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+100,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:27 PM,4,Microsoft-Windows-AppModel-Runtime,70,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+1971,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:15 PM,5,Microsoft-Windows-AppXDeployment-Server,827,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3868,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:15 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+339,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:03:00 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+2523,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:07 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+228,Microsoft-Client-Licensing-Platform%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 06:20:21 PM,4,Microsoft-Client-Licensing-Platform,117,/Windows/System32/winevt/Logs/Microsoft-Client-Licensing-Platform%4Admin.evtx
+100,System.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:50 PM,4,Microsoft-Windows-Kernel-General,16,/Windows/System32/winevt/Logs/System.evtx
+640,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:10 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+2731,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:05 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+147,Microsoft-Windows-GroupPolicy%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:35 PM,4,Microsoft-Windows-GroupPolicy,5117,/Windows/System32/winevt/Logs/Microsoft-Windows-GroupPolicy%4Operational.evtx
+5559,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:00 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2910,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:20 PM,4,Windows-ApplicationModel-Store-SDK,4,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+418,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:55:09 PM,4,Microsoft-Windows-AppReadiness,223,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+1410,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:19 PM,5,Microsoft-Windows-AppXDeployment-Server,827,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+8,Microsoft-Windows-NetworkProfile%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:18 PM,4,Microsoft-Windows-NetworkProfile,4002,/Windows/System32/winevt/Logs/Microsoft-Windows-NetworkProfile%4Operational.evtx
+2003,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:15 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+454,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:10 PM,0,Microsoft-Windows-Security-Auditing,4688,/Windows/System32/winevt/Logs/Security.evtx
+2826,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:09 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+493,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:18 PM,0,Microsoft-Windows-Security-Auditing,4624,/Windows/System32/winevt/Logs/Security.evtx
+284,Microsoft-Windows-AppLocker%4MSI and Script.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:09 PM,3,Microsoft-Windows-AppLocker,8009,/Windows/System32/winevt/Logs/Microsoft-Windows-AppLocker%4MSI and Script.evtx
+4061,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:26:21 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+38,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:10 PM,4,Microsoft-Windows-Shell-Core,62171,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+385,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:15:38 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+150,System.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:35 PM,4,Microsoft-Windows-Kernel-General,16,/Windows/System32/winevt/Logs/System.evtx
+904,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:33 PM,5,Microsoft-Windows-AppXDeployment-Server,822,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+219,Microsoft-Windows-International%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:05 PM,1,Microsoft-Windows-International,1001,/Windows/System32/winevt/Logs/Microsoft-Windows-International%4Operational.evtx
+356,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:37 PM,4,Microsoft-Windows-AppReadiness,207,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+237,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:54 PM,0,Microsoft-Windows-Security-Auditing,4672,/Windows/System32/winevt/Logs/Security.evtx
+6,Microsoft-Windows-AppLocker%4MSI and Script.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:19 PM,3,Microsoft-Windows-AppLocker,8009,/Windows/System32/winevt/Logs/Microsoft-Windows-AppLocker%4MSI and Script.evtx
+73,Microsoft-Windows-DeviceSetupManager%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:03 PM,4,Microsoft-Windows-DeviceSetupManager,112,/Windows/System32/winevt/Logs/Microsoft-Windows-DeviceSetupManager%4Admin.evtx
+4056,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:40 PM,5,Microsoft-Windows-AppXDeployment-Server,821,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+4113,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:20:13 PM,5,Microsoft-Windows-AppXDeployment-Server,5507,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+5558,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:00 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4772,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:43 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+155,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:14 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+4371,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:06 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+6671,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:38 PM,3,Microsoft-Windows-Store,8002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+5077,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:30:51 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4863,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:50 PM,5,Microsoft-Windows-Store,8011,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+597,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:28 PM,3,Microsoft-Windows-Store,8002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1693,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:38 PM,5,Microsoft-Windows-AppXDeployment-Server,8101,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+462,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:25 PM,5,Microsoft-Windows-Store,8011,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4,Microsoft-Windows-AppXDeployment%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:55:13 PM,2,Microsoft-Windows-AppXDeployment,302,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeployment%4Operational.evtx
+100,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:19 PM,3,Microsoft-Windows-Store,8002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+243,Microsoft-Client-Licensing-Platform%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:17 PM,4,Microsoft-Client-Licensing-Platform,159,/Windows/System32/winevt/Logs/Microsoft-Client-Licensing-Platform%4Admin.evtx
+5475,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:51 PM,3,Microsoft-Windows-Store,8002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1506,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:40 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+666,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:11 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+124,Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx,DESKTOP-M3M6D5D,08/05/2017 07:00:55 PM,4,Microsoft-Windows-Application-Experience,505,/Windows/System32/winevt/Logs/Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx
+2553,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:07 PM,5,Microsoft-Windows-AppXDeployment-Server,821,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1750,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:54 PM,5,Microsoft-Windows-AppXDeployment-Server,761,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+2934,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:14 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+476,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:33 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2006,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+3520,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:04 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+84,Microsoft-Client-Licensing-Platform%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:19 PM,4,Microsoft-Client-Licensing-Platform,157,/Windows/System32/winevt/Logs/Microsoft-Client-Licensing-Platform%4Admin.evtx
+4778,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:43 PM,5,Microsoft-Windows-Store,8012,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+109,Microsoft-Windows-AppReadiness%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:15 PM,4,Microsoft-Windows-AppReadiness,237,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Admin.evtx
+3303,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:20:15 PM,5,Microsoft-Windows-Store,8011,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+83,Microsoft-Windows-AppLocker%4MSI and Script.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:10 PM,3,Microsoft-Windows-AppLocker,8009,/Windows/System32/winevt/Logs/Microsoft-Windows-AppLocker%4MSI and Script.evtx
+954,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:00:20 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+243,System.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:26 PM,4,Service Control Manager,7045,/Windows/System32/winevt/Logs/System.evtx
+316,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:59 PM,4,Microsoft-Windows-CloudStore,2003,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+5207,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:30 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+5644,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:04 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3893,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:24:20 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+378,System.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:04 PM,4,Microsoft-Windows-WindowsUpdateClient,19,/Windows/System32/winevt/Logs/System.evtx
+161,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:00 PM,4,Microsoft-Windows-CloudStore,2005,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+6311,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:14:41 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+355,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:37 PM,4,Microsoft-Windows-AppReadiness,300,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+380,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:21 PM,4,Microsoft-Windows-CloudStore,2003,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+370,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:38 PM,4,Microsoft-Windows-AppReadiness,200,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+1551,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:47:07 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+2992,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:16 PM,4,Microsoft-Windows-AppXDeployment-Server,573,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+94,Microsoft-Windows-Kernel-PnP%4Configuration.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:48:55 PM,4,Microsoft-Windows-Kernel-PnP,410,/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-PnP%4Configuration.evtx
+0,Microsoft-Windows-Diagnostics-Performance%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:55:14 PM,1,Microsoft-Windows-Diagnostics-Performance,100,/Windows/System32/winevt/Logs/Microsoft-Windows-Diagnostics-Performance%4Operational.evtx
+4453,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:26:22 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+104,Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:01 PM,4,Microsoft-Windows-ShellCommon-StartLayoutPopulation,1106,/Windows/System32/winevt/Logs/Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx
+319,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:36 PM,4,Microsoft-Windows-AppReadiness,201,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+104,Microsoft-Windows-StateRepository%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:48:38 PM,3,Microsoft-Windows-StateRepository,104,/Windows/System32/winevt/Logs/Microsoft-Windows-StateRepository%4Operational.evtx
+23,Microsoft-Windows-Kernel-Boot%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 08:51:26 PM,4,Microsoft-Windows-Kernel-Boot,157,/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-Boot%4Operational.evtx
+3,Microsoft-Windows-ReadyBoost%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:23 PM,4,Microsoft-Windows-ReadyBoost,1016,/Windows/System32/winevt/Logs/Microsoft-Windows-ReadyBoost%4Operational.evtx
+6602,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:39:44 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+389,System.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:45 PM,4,Microsoft-Windows-WindowsUpdateClient,44,/Windows/System32/winevt/Logs/System.evtx
+844,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:15 PM,5,Microsoft-Windows-Store,8011,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+989,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:02 PM,4,Microsoft-Windows-AppReadiness,201,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+3228,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:19:37 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1303,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:14 PM,4,Microsoft-Windows-AppXDeployment-Server,339,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+356,System.evtx,DESKTOP-M3M6D5D,08/05/2017 05:59:06 PM,4,Microsoft-Windows-Kernel-General,16,/Windows/System32/winevt/Logs/System.evtx
+467,System.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:37 PM,4,Microsoft-Windows-WindowsUpdateClient,44,/Windows/System32/winevt/Logs/System.evtx
+3328,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:33 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+5777,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:08 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+5458,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:51 PM,5,Microsoft-Windows-Store,8012,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3936,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:03 PM,5,Microsoft-Windows-AppXDeployment-Server,5506,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1201,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:12 PM,4,Microsoft-Windows-AppReadiness,200,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+0,Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:10 PM,4,Microsoft-Windows-TerminalServices-LocalSessionManager,32,/Windows/System32/winevt/Logs/Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
+353,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:15:13 PM,4,Microsoft-Windows-CloudStore,2005,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+831,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:14 PM,5,Microsoft-Windows-Store,8011,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1199,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:55 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+1124,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:38 PM,4,Microsoft-Windows-AppXDeployment-Server,633,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1064,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:01:09 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+32,Microsoft-Windows-Shell-Core%4AppDefaults.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:09 PM,4,Microsoft-Windows-Shell-Core,62443,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4AppDefaults.evtx
+121,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:59 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+72,Security.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:21 PM,0,Microsoft-Windows-Security-Auditing,4799,/Windows/System32/winevt/Logs/Security.evtx
+3962,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:25:44 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+21,Microsoft-Windows-Wcmsvc%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:55:10 PM,4,Microsoft-Windows-Wcmsvc,10003,/Windows/System32/winevt/Logs/Microsoft-Windows-Wcmsvc%4Operational.evtx
+1293,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:12 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+267,Microsoft-Windows-Shell-Core%4AppDefaults.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:10 PM,4,Microsoft-Windows-Shell-Core,62443,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4AppDefaults.evtx
+390,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:11 PM,0,Microsoft-Windows-Security-Auditing,4624,/Windows/System32/winevt/Logs/Security.evtx
+429,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 06:08:28 PM,0,Microsoft-Windows-Security-Auditing,4799,/Windows/System32/winevt/Logs/Security.evtx
+6504,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:18:16 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+957,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:45 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+6373,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:15:37 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1610,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:36 PM,4,Microsoft-Windows-AppXDeployment-Server,607,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+4440,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:16 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+128,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:17 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+980,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:02 PM,4,Microsoft-Windows-AppReadiness,314,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+460,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:21 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+196,Microsoft-Windows-Shell-Core%4AppDefaults.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:10 PM,4,Microsoft-Windows-Shell-Core,62443,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4AppDefaults.evtx
+1807,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:58 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+112,Microsoft-Windows-AppReadiness%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:16 PM,4,Microsoft-Windows-AppReadiness,229,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Admin.evtx
+2003,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:17 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3714,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:03 PM,4,Microsoft-Windows-AppXDeployment-Server,339,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+4301,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:24:07 PM,5,Microsoft-Windows-AppXDeployment-Server,813,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+808,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:29 PM,4,Microsoft-Windows-AppReadiness,207,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+311,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:30:35 PM,5,Microsoft-Windows-AppXDeployment-Server,813,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3267,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:31 PM,5,Microsoft-Windows-AppXDeployment-Server,614,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+53,Security.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:12 PM,0,Microsoft-Windows-Security-Auditing,4624,/Windows/System32/winevt/Logs/Security.evtx
+62,Microsoft-Windows-Winlogon%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:39:45 PM,4,Microsoft-Windows-Winlogon,811,/Windows/System32/winevt/Logs/Microsoft-Windows-Winlogon%4Operational.evtx
+147,Microsoft-Windows-StateRepository%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:48:38 PM,3,Microsoft-Windows-StateRepository,104,/Windows/System32/winevt/Logs/Microsoft-Windows-StateRepository%4Operational.evtx
+3460,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:42 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+9,Microsoft-Windows-Windows Defender%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:43 PM,4,Microsoft-Windows-Windows Defender,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Defender%4Operational.evtx
+63,Microsoft-Windows-StateRepository%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:18 PM,4,Microsoft-Windows-StateRepository,221,/Windows/System32/winevt/Logs/Microsoft-Windows-StateRepository%4Operational.evtx
+173,Microsoft-Windows-StateRepository%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:48:38 PM,3,Microsoft-Windows-StateRepository,104,/Windows/System32/winevt/Logs/Microsoft-Windows-StateRepository%4Operational.evtx
+104,Microsoft-Windows-AppReadiness%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:15 PM,4,Microsoft-Windows-AppReadiness,209,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Admin.evtx
+1724,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:15:36 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+106,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:10 PM,4,Microsoft-Windows-AppReadiness,201,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+48,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:56 PM,4,Microsoft-Windows-AppReadiness,317,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+1964,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:15 PM,4,Microsoft-Windows-AppXDeployment-Server,607,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+56,System.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:38 PM,4,BTHUSB,18,/Windows/System32/winevt/Logs/System.evtx
+14,Microsoft-Windows-Wcmsvc%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:54 PM,4,Microsoft-Windows-Wcmsvc,1026,/Windows/System32/winevt/Logs/Microsoft-Windows-Wcmsvc%4Operational.evtx
+309,Microsoft-Windows-PushNotification-Platform%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:56 PM,4,Microsoft-Windows-PushNotifications-Platform,2414,/Windows/System32/winevt/Logs/Microsoft-Windows-PushNotification-Platform%4Operational.evtx
+546,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:46 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+1977,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:14 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+104,Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx,DESKTOP-M3M6D5D,08/05/2017 06:27:20 PM,4,Microsoft-Windows-Application-Experience,505,/Windows/System32/winevt/Logs/Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx
+46,Microsoft-Windows-SmbClient%4Connectivity.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:31 PM,4,Microsoft-Windows-SMBClient,30810,/Windows/System32/winevt/Logs/Microsoft-Windows-SmbClient%4Connectivity.evtx
+489,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:37 PM,4,Microsoft-Windows-Shell-Core,62171,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+1308,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:39 PM,3,Microsoft-Windows-Install-Agent,2003,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+726,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:04 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+509,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:29 PM,0,Microsoft-Windows-Security-Auditing,4624,/Windows/System32/winevt/Logs/Security.evtx
+4014,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:31 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+915,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:31 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3746,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:04 PM,4,Microsoft-Windows-AppXDeployment-Server,339,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1036,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:07 PM,4,Microsoft-Windows-AppReadiness,301,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+690,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:29 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+995,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:00:34 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1204,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:55 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+6628,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:35 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+87,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:19 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1619,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:15:26 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+110,Microsoft-Windows-Kernel-PnP%4Configuration.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:48:55 PM,4,Microsoft-Windows-Kernel-PnP,410,/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-PnP%4Configuration.evtx
+5478,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:51 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+249,Microsoft-Windows-GroupPolicy%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:31 PM,4,Microsoft-Windows-GroupPolicy,6339,/Windows/System32/winevt/Logs/Microsoft-Windows-GroupPolicy%4Operational.evtx
+4828,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:48 PM,5,Microsoft-Windows-Store,8011,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+672,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:35 PM,4,Microsoft-Windows-AppxPackagingOM,164,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+323,Microsoft-Windows-PushNotification-Platform%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:00:35 PM,5,Microsoft-Windows-PushNotifications-Platform,1223,/Windows/System32/winevt/Logs/Microsoft-Windows-PushNotification-Platform%4Operational.evtx
+2116,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:15 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2981,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:27 PM,4,Windows-ApplicationModel-Store-SDK,4,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+182,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:41 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+6323,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:14:48 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+964,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:00:26 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4064,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:41 PM,5,Microsoft-Windows-AppXDeployment-Server,472,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+4884,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:51 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+742,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:42 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+6519,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:18:38 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4632,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:28 PM,5,Microsoft-Windows-Store,8012,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+916,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:30 PM,4,Microsoft-Windows-AppxPackagingOM,170,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+1,Microsoft-Windows-DeviceSetupManager%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:49 PM,4,Microsoft-Windows-DeviceSetupManager,109,/Windows/System32/winevt/Logs/Microsoft-Windows-DeviceSetupManager%4Admin.evtx
+50,Microsoft-Client-Licensing-Platform%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:12 PM,4,Microsoft-Client-Licensing-Platform,157,/Windows/System32/winevt/Logs/Microsoft-Client-Licensing-Platform%4Admin.evtx
+226,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:00 PM,4,Microsoft-Windows-CloudStore,2005,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+2729,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:09 PM,4,Microsoft-Windows-AppXDeployment-Server,603,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+5229,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:30 PM,5,Microsoft-Windows-Store,8012,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+305,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:21 PM,0,Microsoft-Windows-Security-Auditing,4624,/Windows/System32/winevt/Logs/Security.evtx
+139,Microsoft-Client-Licensing-Platform%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:26 PM,4,Microsoft-Client-Licensing-Platform,117,/Windows/System32/winevt/Logs/Microsoft-Client-Licensing-Platform%4Admin.evtx
+5905,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:06 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3505,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:43 PM,4,Microsoft-Windows-AppXDeployment-Server,400,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+265,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:23 PM,4,Microsoft-Windows-AppReadiness,205,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+107,Microsoft-Windows-AppLocker%4MSI and Script.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:25 PM,3,Microsoft-Windows-AppLocker,8009,/Windows/System32/winevt/Logs/Microsoft-Windows-AppLocker%4MSI and Script.evtx
+5244,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:31 PM,3,Microsoft-Windows-Store,8002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+5,Security.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:07 PM,0,Microsoft-Windows-Security-Auditing,4688,/Windows/System32/winevt/Logs/Security.evtx
+1976,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:15 PM,4,Microsoft-Windows-AppXDeployment-Server,339,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1001,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:19:27 PM,4,Microsoft-Windows-AppXDeployment-Server,400,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+5133,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:18 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3,Microsoft-Windows-Crypto-DPAPI%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:43 PM,4,Microsoft-Windows-Crypto-DPAPI,1,/Windows/System32/winevt/Logs/Microsoft-Windows-Crypto-DPAPI%4Operational.evtx
+4053,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:40 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3058,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:23 PM,5,Microsoft-Windows-AppXDeployment-Server,813,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+5898,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:10:59 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3270,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:20:15 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1919,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:14 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3745,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:04 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+61,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:37 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+380,Microsoft-Windows-PushNotification-Platform%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:48:57 PM,4,Microsoft-Windows-PushNotifications-Platform,3004,/Windows/System32/winevt/Logs/Microsoft-Windows-PushNotification-Platform%4Operational.evtx
+1483,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:19:34 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+203,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:55:07 PM,4,Microsoft-Windows-Shell-Core,62171,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+117,Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx,DESKTOP-M3M6D5D,08/05/2017 06:35:52 PM,4,Microsoft-Windows-Application-Experience,505,/Windows/System32/winevt/Logs/Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx
+1237,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:56 PM,4,Microsoft-Windows-AppXDeployment-Server,633,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+406,System.evtx,DESKTOP-M3M6D5D,08/05/2017 06:18:59 PM,4,Microsoft-Windows-UserModePowerService,22,/Windows/System32/winevt/Logs/System.evtx
+3702,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:34 PM,5,Microsoft-Windows-Store,8012,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+6396,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:15:56 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+54,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:56 PM,4,Microsoft-Windows-AppReadiness,317,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+177,Microsoft-Windows-PushNotification-Platform%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:27 PM,4,Microsoft-Windows-PushNotifications-Platform,2413,/Windows/System32/winevt/Logs/Microsoft-Windows-PushNotification-Platform%4Operational.evtx
+4019,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:33 PM,5,Microsoft-Windows-AppXDeployment-Server,614,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+115,Microsoft-Client-Licensing-Platform%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:23 PM,4,Microsoft-Client-Licensing-Platform,117,/Windows/System32/winevt/Logs/Microsoft-Client-Licensing-Platform%4Admin.evtx
+332,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:23 PM,4,Microsoft-Windows-Shell-Core,62144,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+104,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:27 PM,4,Microsoft-Windows-AppModel-Runtime,70,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+645,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:28 PM,3,Microsoft-Windows-Store,8002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2214,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:29 PM,5,Microsoft-Windows-AppXDeployment-Server,10002,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+5427,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:50 PM,5,Microsoft-Windows-Store,8011,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+57,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:18 PM,5,Microsoft-Windows-AppXDeployment-Server,5028,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1462,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:40 PM,4,Microsoft-Windows-AppReadiness,205,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+1,Microsoft-Windows-Fault-Tolerant-Heap%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:39:52 PM,4,Microsoft-Windows-Fault-Tolerant-Heap,1002,/Windows/System32/winevt/Logs/Microsoft-Windows-Fault-Tolerant-Heap%4Operational.evtx
+427,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:03:00 PM,4,Microsoft-Windows-Shell-Core,28017,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+5616,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:01 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+384,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:15 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+172,Microsoft-Windows-GroupPolicy%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:39:44 PM,4,Microsoft-Windows-GroupPolicy,4117,/Windows/System32/winevt/Logs/Microsoft-Windows-GroupPolicy%4Operational.evtx
+24,Microsoft-Windows-Diagnosis-DPS%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:48:59 PM,2,Microsoft-Windows-Diagnosis-DPS,135,/Windows/System32/winevt/Logs/Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
+2172,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:41 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1315,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:17 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+5263,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:31 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+21,Microsoft-Windows-SmbClient%4Connectivity.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:06 PM,4,Microsoft-Windows-SMBClient,30810,/Windows/System32/winevt/Logs/Microsoft-Windows-SmbClient%4Connectivity.evtx
+2371,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:54 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3367,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:20:20 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+72,System.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:40 PM,4,Service Control Manager,7045,/Windows/System32/winevt/Logs/System.evtx
+83,Microsoft-Windows-AppReadiness%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:23 PM,4,Microsoft-Windows-AppReadiness,305,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Admin.evtx
+660,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:28 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+5096,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:17 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1495,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:40 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+6398,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:15:56 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+28,Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:56 PM,4,Microsoft-Windows-Application-Experience,505,/Windows/System32/winevt/Logs/Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx
+198,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:42 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+97,System.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:50 PM,4,Microsoft-Windows-Kernel-General,16,/Windows/System32/winevt/Logs/System.evtx
+307,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:58 PM,0,Microsoft-Windows-Security-Auditing,4624,/Windows/System32/winevt/Logs/Security.evtx
+215,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:43 PM,5,Microsoft-Windows-AppXDeployment-Server,478,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+26,Microsoft-Windows-AppXDeployment%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:55:13 PM,2,Microsoft-Windows-AppXDeployment,302,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeployment%4Operational.evtx
+4425,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:26:19 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+57,Microsoft-Windows-StateRepository%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:24:07 PM,4,Microsoft-Windows-StateRepository,221,/Windows/System32/winevt/Logs/Microsoft-Windows-StateRepository%4Operational.evtx
+242,System.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:26 PM,4,Service Control Manager,7045,/Windows/System32/winevt/Logs/System.evtx
+2569,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:07 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+213,Microsoft-Client-Licensing-Platform%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:05 PM,4,Microsoft-Client-Licensing-Platform,117,/Windows/System32/winevt/Logs/Microsoft-Client-Licensing-Platform%4Admin.evtx
+1004,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:19:27 PM,4,Microsoft-Windows-AppXDeployment-Server,607,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1079,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:22 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+2565,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:41 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+785,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:26:17 PM,4,Microsoft-Windows-AppxPackagingOM,164,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+151,Microsoft-Windows-International%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:12 PM,1,Microsoft-Windows-International,1001,/Windows/System32/winevt/Logs/Microsoft-Windows-International%4Operational.evtx
+3224,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:30 PM,4,Microsoft-Windows-AppXDeployment-Server,603,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+785,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:11 PM,5,Microsoft-Windows-AppXDeployment-Server,8101,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+197,System.evtx,DESKTOP-M3M6D5D,08/05/2017 08:51:36 PM,4,Microsoft-Windows-Directory-Services-SAM,16962,/Windows/System32/winevt/Logs/System.evtx
+41,Microsoft-Windows-Wcmsvc%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:17 PM,4,Microsoft-Windows-Wcmsvc,1003,/Windows/System32/winevt/Logs/Microsoft-Windows-Wcmsvc%4Operational.evtx
+806,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:26:32 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+244,Microsoft-Windows-PushNotification-Platform%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:03:14 PM,5,Microsoft-Windows-PushNotifications-Platform,1268,/Windows/System32/winevt/Logs/Microsoft-Windows-PushNotification-Platform%4Operational.evtx
+2917,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:13 PM,5,Microsoft-Windows-AppXDeployment-Server,5507,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+400,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:06 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2006,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+1518,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:28 PM,5,Microsoft-Windows-AppXDeployment-Server,5504,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+79,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:18 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1082,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:08 PM,4,Microsoft-Windows-AppReadiness,301,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+402,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:31 PM,4,Microsoft-Windows-Shell-Core,62144,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+2290,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:41 PM,5,Microsoft-Windows-AppXDeployment-Server,10002,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+102,Microsoft-Client-Licensing-Platform%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:22 PM,4,Microsoft-Client-Licensing-Platform,159,/Windows/System32/winevt/Logs/Microsoft-Client-Licensing-Platform%4Admin.evtx
+3138,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:24 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+368,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:07 PM,4,Microsoft-Windows-Shell-Core,62144,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+216,Microsoft-Windows-AppLocker%4MSI and Script.evtx,DESKTOP-M3M6D5D,08/05/2017 06:27:07 PM,3,Microsoft-Windows-AppLocker,8009,/Windows/System32/winevt/Logs/Microsoft-Windows-AppLocker%4MSI and Script.evtx
+4034,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:39 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+55,Microsoft-Windows-Provisioning-Diagnostics-Provider%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 06:18:55 PM,4,Microsoft-Windows-Provisioning-Diagnostics-Provider,20,/Windows/System32/winevt/Logs/Microsoft-Windows-Provisioning-Diagnostics-Provider%4Admin.evtx
+3697,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:34 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+142,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:28 PM,4,Microsoft-Windows-AppXDeployment-Server,607,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+4201,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:04 PM,5,Microsoft-Windows-AppXDeployment-Server,8100,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1313,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:39 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2404,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:01 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1178,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:11 PM,4,Microsoft-Windows-AppReadiness,200,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+5107,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:17 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+802,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:12 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+517,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:07 PM,5,Microsoft-Windows-AppXDeployment-Server,8100,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+45,Microsoft-Windows-AppxPackaging%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:38 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+3,Microsoft-Windows-Audio%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:37 PM,4,Microsoft-Windows-Audio,65,/Windows/System32/winevt/Logs/Microsoft-Windows-Audio%4Operational.evtx
+422,System.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:37 PM,4,Microsoft-Windows-WindowsUpdateClient,43,/Windows/System32/winevt/Logs/System.evtx
+810,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:23 PM,4,Microsoft-Windows-AppXDeployment-Server,339,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3826,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:14 PM,4,Microsoft-Windows-AppXDeployment-Server,400,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+296,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:34 PM,4,Microsoft-Windows-Shell-Core,9705,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+376,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:26 PM,2,Microsoft-Windows-AppModel-Runtime,37,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+4338,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:24:09 PM,5,Microsoft-Windows-AppXDeployment-Server,822,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+6,Microsoft-Windows-ReadyBoost%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:57 PM,4,Microsoft-Windows-ReadyBoost,1016,/Windows/System32/winevt/Logs/Microsoft-Windows-ReadyBoost%4Operational.evtx
+1008,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:07 PM,4,Microsoft-Windows-AppReadiness,206,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+5341,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:09 PM,5,Microsoft-Windows-Store,8012,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1374,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:18 PM,5,Microsoft-Windows-AppXDeployment-Server,541,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+323,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:31 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+765,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:10 PM,5,Microsoft-Windows-AppXDeployment-Server,10002,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1360,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:39 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3747,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:52 PM,5,Microsoft-Windows-Store,8012,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1189,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:41 PM,5,Microsoft-Windows-AppXDeployment-Server,540,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+350,System.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:57 PM,4,Microsoft-Windows-Kernel-General,16,/Windows/System32/winevt/Logs/System.evtx
+50,Application.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:37 PM,4,Software Protection Platform Service,16384,/Windows/System32/winevt/Logs/Application.evtx
+255,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:01 PM,4,Microsoft-Windows-CloudStore,2003,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+1888,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:14 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4727,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:42 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+12,Application.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:16 PM,4,Microsoft-Windows-CAPI2,4097,/Windows/System32/winevt/Logs/Application.evtx
+11,Microsoft-Windows-Known Folders API Service.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:53 PM,3,Microsoft-Windows-KnownFolders,1002,/Windows/System32/winevt/Logs/Microsoft-Windows-Known Folders API Service.evtx
+1825,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:06 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1241,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:16 PM,4,Microsoft-Windows-AppReadiness,206,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+34,Microsoft-Windows-Shell-Core%4AppDefaults.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:09 PM,4,Microsoft-Windows-Shell-Core,62443,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4AppDefaults.evtx
+3969,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:06 PM,5,Microsoft-Windows-AppXDeployment-Server,10002,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+29,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:56 PM,4,Microsoft-Windows-AppReadiness,318,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+4266,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:27:11 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+78,Microsoft-Client-Licensing-Platform%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:19 PM,4,Microsoft-Client-Licensing-Platform,159,/Windows/System32/winevt/Logs/Microsoft-Client-Licensing-Platform%4Admin.evtx
+6066,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:08 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1056,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:30:42 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+3,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:41 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2006,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+1740,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:15:38 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+427,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:40 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+183,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:21 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+380,Microsoft-Windows-Kernel-PnP%4Configuration.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:22 PM,4,Microsoft-Windows-Kernel-PnP,400,/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-PnP%4Configuration.evtx
+86,Microsoft-Windows-DeviceSetupManager%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:11 PM,4,Microsoft-Windows-DeviceSetupManager,112,/Windows/System32/winevt/Logs/Microsoft-Windows-DeviceSetupManager%4Admin.evtx
+5651,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:04 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2820,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:09 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3026,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:17 PM,4,Microsoft-Windows-AppXDeployment-Server,573,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+2898,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:12 PM,4,Microsoft-Windows-AppXDeployment-Server,573,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+918,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:49 PM,4,Microsoft-Windows-AppReadiness,314,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+1288,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:39 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1448,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:26 PM,5,Microsoft-Windows-AppXDeployment-Server,10002,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+344,System.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:09 PM,4,Microsoft-Windows-Kernel-General,16,/Windows/System32/winevt/Logs/System.evtx
+12,Security.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:08 PM,0,Microsoft-Windows-Security-Auditing,4608,/Windows/System32/winevt/Logs/Security.evtx
+44,Microsoft-Client-Licensing-Platform%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:12 PM,4,Microsoft-Client-Licensing-Platform,157,/Windows/System32/winevt/Logs/Microsoft-Client-Licensing-Platform%4Admin.evtx
+120,Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:15:13 PM,4,Microsoft-Windows-ShellCommon-StartLayoutPopulation,1104,/Windows/System32/winevt/Logs/Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx
+32,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:17 PM,5,Microsoft-Windows-AppXDeployment-Server,821,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+262,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:40 PM,4,Microsoft-Windows-AppModel-Runtime,39,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+674,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:38 PM,4,Microsoft-Windows-AppxPackagingOM,157,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+1933,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:14 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+582,System.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:12 PM,4,Microsoft-Windows-Directory-Services-SAM,16962,/Windows/System32/winevt/Logs/System.evtx
+2053,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:21 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+840,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:27:08 PM,4,Microsoft-Windows-AppxPackagingOM,170,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+4211,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:04 PM,5,Microsoft-Windows-AppXDeployment-Server,821,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1640,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:15:32 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2524,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:07 PM,4,Microsoft-Windows-AppXDeployment-Server,492,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+93,Microsoft-Windows-Bits-Client%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:00:51 PM,4,Microsoft-Windows-Bits-Client,60,/Windows/System32/winevt/Logs/Microsoft-Windows-Bits-Client%4Operational.evtx
+163,Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:56 PM,4,Microsoft-Windows-ApplicationResourceManagementSystem,375,/Windows/System32/winevt/Logs/Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx
+1367,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:39 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+522,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:58 PM,4,Microsoft-Windows-AppReadiness,303,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+2838,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:09 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+494,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:18 PM,0,Microsoft-Windows-Security-Auditing,4672,/Windows/System32/winevt/Logs/Security.evtx
+3053,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:33 PM,3,Windows-ApplicationModel-Store-SDK,3,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+56,Microsoft-Windows-DeviceSetupManager%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:03 PM,3,Microsoft-Windows-DeviceSetupManager,202,/Windows/System32/winevt/Logs/Microsoft-Windows-DeviceSetupManager%4Admin.evtx
+3833,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:24:09 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2650,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:51 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1056,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:08 PM,4,Microsoft-Windows-AppReadiness,200,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+42,Microsoft-Windows-TWinUI%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:48 PM,4,Microsoft-Windows-Immersive-Shell,5950,/Windows/System32/winevt/Logs/Microsoft-Windows-TWinUI%4Operational.evtx
+3409,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:21:30 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+31,Microsoft-Windows-TWinUI%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:20 PM,4,Microsoft-Windows-Immersive-Shell,5950,/Windows/System32/winevt/Logs/Microsoft-Windows-TWinUI%4Operational.evtx
+281,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:01 PM,4,Microsoft-Windows-CloudStore,2005,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+15,Microsoft-Windows-Wcmsvc%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:54 PM,4,Microsoft-Windows-Wcmsvc,1009,/Windows/System32/winevt/Logs/Microsoft-Windows-Wcmsvc%4Operational.evtx
+5973,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:06 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1132,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:54 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+222,Microsoft-Windows-PushNotification-Platform%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:59:11 PM,5,Microsoft-Windows-PushNotifications-Platform,1268,/Windows/System32/winevt/Logs/Microsoft-Windows-PushNotification-Platform%4Operational.evtx
+326,Microsoft-Windows-Kernel-PnP%4Configuration.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:03 PM,4,Microsoft-Windows-Kernel-PnP,400,/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-PnP%4Configuration.evtx
+17,Security.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:09 PM,0,Microsoft-Windows-Security-Auditing,4731,/Windows/System32/winevt/Logs/Security.evtx
+860,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:32 PM,5,Microsoft-Windows-AppXDeployment-Server,317,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+5316,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:08 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+601,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:52 PM,5,Microsoft-Windows-AppXDeployment-Server,813,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+94,Microsoft-Windows-PushNotification-Platform%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:13 PM,5,Microsoft-Windows-PushNotifications-Platform,1225,/Windows/System32/winevt/Logs/Microsoft-Windows-PushNotification-Platform%4Operational.evtx
+2461,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:02 PM,5,Microsoft-Windows-AppXDeployment-Server,821,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+275,Microsoft-Windows-AppReadiness%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:31 PM,4,Microsoft-Windows-AppReadiness,229,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Admin.evtx
+22,Microsoft-Windows-Shell-Core%4AppDefaults.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:09 PM,4,Microsoft-Windows-Shell-Core,62443,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4AppDefaults.evtx
+261,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:23 PM,4,Microsoft-Windows-AppReadiness,201,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+764,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:37:49 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+1237,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:03 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+866,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:15 PM,3,Microsoft-Windows-Store,8002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+9,Microsoft-Windows-AppReadiness%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:10 PM,4,Microsoft-Windows-AppReadiness,232,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Admin.evtx
+434,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:39:39 PM,4,Microsoft-Windows-CloudStore,2003,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+61,Microsoft-Windows-LiveId%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:21 PM,4,Microsoft-Windows-LiveId,6115,/Windows/System32/winevt/Logs/Microsoft-Windows-LiveId%4Operational.evtx
+380,System.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:04 PM,4,Microsoft-Windows-WindowsUpdateClient,19,/Windows/System32/winevt/Logs/System.evtx
+2587,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:42 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+348,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:42 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+6320,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:14:45 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1457,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:26 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+453,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:21:50 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2006,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+1330,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:24 PM,4,Microsoft-Windows-AppReadiness,201,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+71,Microsoft-Windows-Bits-Client%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:36:31 PM,4,Microsoft-Windows-Bits-Client,4,/Windows/System32/winevt/Logs/Microsoft-Windows-Bits-Client%4Operational.evtx
+141,Microsoft-Windows-Shell-Core%4AppDefaults.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:10 PM,4,Microsoft-Windows-Shell-Core,62443,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4AppDefaults.evtx
+3765,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:52 PM,2,Windows-ApplicationModel-Store-SDK,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+157,Application.evtx,DESKTOP-M3M6D5D,08/05/2017 06:03:43 PM,4,MsiInstaller,1033,/Windows/System32/winevt/Logs/Application.evtx
+3948,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:04 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+338,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:33 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+257,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:35 PM,4,Microsoft-Windows-AppModel-Runtime,70,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+2514,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:41 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+78,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:11 PM,4,Microsoft-Windows-Shell-Core,28115,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+5588,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:00 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+181,Microsoft-Windows-Kernel-PnP%4Configuration.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:48:56 PM,4,Microsoft-Windows-Kernel-PnP,400,/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-PnP%4Configuration.evtx
+1132,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:39 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+382,Microsoft-Windows-PushNotification-Platform%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:48:57 PM,4,Microsoft-Windows-PushNotifications-Platform,3049,/Windows/System32/winevt/Logs/Microsoft-Windows-PushNotification-Platform%4Operational.evtx
+181,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:16 PM,4,Microsoft-Windows-AppReadiness,207,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+1107,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:10 PM,4,Microsoft-Windows-AppReadiness,207,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+2514,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:06 PM,4,Microsoft-Windows-AppXDeployment-Server,492,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+679,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:20 PM,4,Microsoft-Windows-AppReadiness,314,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+1562,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:46 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+68,Security.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:21 PM,0,Microsoft-Windows-Security-Auditing,4717,/Windows/System32/winevt/Logs/Security.evtx
+115,Microsoft-Windows-WMI-Activity%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:11:14 PM,2,Microsoft-Windows-WMI-Activity,5858,/Windows/System32/winevt/Logs/Microsoft-Windows-WMI-Activity%4Operational.evtx
+510,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:26 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+250,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:48 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+235,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:27 PM,4,Microsoft-Windows-AppModel-Runtime,70,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+731,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:06 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2006,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+239,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:56 PM,0,Microsoft-Windows-Security-Auditing,4624,/Windows/System32/winevt/Logs/Security.evtx
+0,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:49 PM,4,Microsoft-Windows-AppReadiness,104,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+4802,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:48 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1421,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:35:44 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+108,Microsoft-Windows-AppReadiness%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:15 PM,4,Microsoft-Windows-AppReadiness,236,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Admin.evtx
+4334,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:24:09 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+2274,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:40 PM,4,Microsoft-Windows-AppXDeployment-Server,492,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+2603,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:42 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+270,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:41 PM,4,Microsoft-Windows-AppModel-Runtime,39,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+3188,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:42 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+299,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:35 PM,4,Microsoft-Windows-Shell-Core,9706,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+6430,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:16:37 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1,Microsoft-Windows-Bits-Client%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:32 PM,4,Microsoft-Windows-Bits-Client,3,/Windows/System32/winevt/Logs/Microsoft-Windows-Bits-Client%4Operational.evtx
+925,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:00:11 PM,4,Windows-ApplicationModel-Store-SDK,4,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+138,Microsoft-Windows-PushNotification-Platform%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:13 PM,4,Microsoft-Windows-PushNotifications-Platform,1258,/Windows/System32/winevt/Logs/Microsoft-Windows-PushNotification-Platform%4Operational.evtx
+3389,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:20:21 PM,2,Microsoft-Windows-Install-Agent,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+578,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:49 PM,5,Microsoft-Windows-AppXDeployment-Server,8101,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1112,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:34 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+783,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:28 PM,4,Microsoft-Windows-AppReadiness,302,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+120,Microsoft-Windows-StateRepository%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:48:38 PM,3,Microsoft-Windows-StateRepository,104,/Windows/System32/winevt/Logs/Microsoft-Windows-StateRepository%4Operational.evtx
+493,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:56 PM,4,Microsoft-Windows-AppReadiness,207,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+188,Microsoft-Windows-PushNotification-Platform%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:01 PM,4,Microsoft-Windows-PushNotifications-Platform,2413,/Windows/System32/winevt/Logs/Microsoft-Windows-PushNotification-Platform%4Operational.evtx
+75,Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx,DESKTOP-M3M6D5D,08/05/2017 06:05:49 PM,4,Microsoft-Windows-Application-Experience,505,/Windows/System32/winevt/Logs/Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx
+127,System.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:57 PM,4,Microsoft-Windows-Kernel-General,16,/Windows/System32/winevt/Logs/System.evtx
+3806,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:05 PM,5,Microsoft-Windows-AppXDeployment-Server,5025,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3,Microsoft-Windows-TWinUI%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:55:07 PM,4,Microsoft-Windows-Immersive-Shell,5950,/Windows/System32/winevt/Logs/Microsoft-Windows-TWinUI%4Operational.evtx
+338,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 05:55:52 PM,0,Microsoft-Windows-Security-Auditing,4648,/Windows/System32/winevt/Logs/Security.evtx
+3112,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:24 PM,4,Microsoft-Windows-AppXDeployment-Server,400,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3,Microsoft-Windows-NCSI%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:55 PM,4,Microsoft-Windows-NCSI,4042,/Windows/System32/winevt/Logs/Microsoft-Windows-NCSI%4Operational.evtx
+795,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:55:08 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+373,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:24 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+5523,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:59 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+63,Microsoft-Windows-Shell-Core%4AppDefaults.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:09 PM,4,Microsoft-Windows-Shell-Core,62443,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4AppDefaults.evtx
+97,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:56 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+1454,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:33 PM,4,Microsoft-Windows-AppReadiness,200,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+1779,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:02 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+87,Microsoft-Windows-Bits-Client%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:37:27 PM,4,Microsoft-Windows-Bits-Client,4,/Windows/System32/winevt/Logs/Microsoft-Windows-Bits-Client%4Operational.evtx
+5063,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:30:39 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+226,Microsoft-Windows-PushNotification-Platform%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:00:12 PM,5,Microsoft-Windows-PushNotifications-Platform,1223,/Windows/System32/winevt/Logs/Microsoft-Windows-PushNotification-Platform%4Operational.evtx
+1108,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:10 PM,4,Microsoft-Windows-AppReadiness,200,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+4013,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:25:45 PM,5,Microsoft-Windows-Store,8011,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+48,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:19 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+3003,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:28 PM,4,Windows-ApplicationModel-Store-SDK,4,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2350,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:53 PM,4,Microsoft-Windows-AppXDeployment-Server,607,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+435,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:39:39 PM,4,Microsoft-Windows-CloudStore,2005,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+4484,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:17 PM,5,Microsoft-Windows-Store,8012,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+5303,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:08 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+387,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:16 PM,4,Microsoft-Windows-Shell-Core,62144,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+1265,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:39 PM,3,Microsoft-Windows-Install-Agent,2003,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+417,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:28 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+2730,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:05 PM,5,Microsoft-Windows-Store,8011,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+239,System.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:41 PM,4,Microsoft-Windows-Kernel-General,16,/Windows/System32/winevt/Logs/System.evtx
+100,Microsoft-Windows-Kernel-PnP%4Configuration.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:48:55 PM,4,Microsoft-Windows-Kernel-PnP,410,/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-PnP%4Configuration.evtx
+2848,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:11 PM,5,Microsoft-Windows-AppXDeployment-Server,822,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+229,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:22 PM,5,Microsoft-Windows-Store,8011,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+342,System.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:18 PM,2,Service Control Manager,7034,/Windows/System32/winevt/Logs/System.evtx
+1057,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:08 PM,4,Microsoft-Windows-AppReadiness,205,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+1950,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:14 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+336,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:33 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+215,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:00 PM,4,Microsoft-Windows-CloudStore,2005,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+1277,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:12 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+3251,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:20:10 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4226,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:26:38 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4090,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:20:12 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+254,System.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:32 PM,4,Service Control Manager,7040,/Windows/System32/winevt/Logs/System.evtx
+203,Microsoft-Windows-Shell-Core%4AppDefaults.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:10 PM,4,Microsoft-Windows-Shell-Core,62443,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4AppDefaults.evtx
+1431,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:22 PM,5,Microsoft-Windows-AppXDeployment-Server,761,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+4147,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:21:49 PM,4,Microsoft-Windows-AppXDeployment-Server,603,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+106,Microsoft-Windows-AppLocker%4MSI and Script.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:25 PM,3,Microsoft-Windows-AppLocker,8009,/Windows/System32/winevt/Logs/Microsoft-Windows-AppLocker%4MSI and Script.evtx
+839,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:24 PM,5,Microsoft-Windows-AppXDeployment-Server,8101,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+294,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:00:46 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+1966,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:14 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+6104,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:08 PM,5,Microsoft-Windows-Store,8011,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+88,Microsoft-Windows-DeviceSetupManager%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:12 PM,4,Microsoft-Windows-DeviceSetupManager,112,/Windows/System32/winevt/Logs/Microsoft-Windows-DeviceSetupManager%4Admin.evtx
+1353,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:16 PM,5,Microsoft-Windows-AppXDeployment-Server,541,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+231,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:00 PM,4,Microsoft-Windows-CloudStore,2003,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+327,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:21 PM,4,Microsoft-Windows-Shell-Core,62144,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+6261,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:45 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3878,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:24:20 PM,5,Microsoft-Windows-Store,8011,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3699,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:02 PM,4,Microsoft-Windows-AppXDeployment-Server,400,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+4279,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:43 PM,5,Microsoft-Windows-AppXDeployment-Server,10002,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+23,Microsoft-Windows-WMI-Activity%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:52 PM,2,Microsoft-Windows-WMI-Activity,5858,/Windows/System32/winevt/Logs/Microsoft-Windows-WMI-Activity%4Operational.evtx
+4033,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:25:45 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3749,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:04 PM,5,Microsoft-Windows-AppXDeployment-Server,10002,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+16,Microsoft-Windows-International%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:41 PM,1,Microsoft-Windows-International,1001,/Windows/System32/winevt/Logs/Microsoft-Windows-International%4Operational.evtx
+239,Microsoft-Windows-Kernel-PnP%4Configuration.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:48:57 PM,4,Microsoft-Windows-Kernel-PnP,410,/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-PnP%4Configuration.evtx
+2079,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:15 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4647,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:28 PM,3,Microsoft-Windows-Store,8002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+5597,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:00 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+600,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:14 PM,4,Microsoft-Windows-AppReadiness,205,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+2952,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:15 PM,5,Microsoft-Windows-AppXDeployment-Server,5505,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+84,Microsoft-Windows-AppLocker%4MSI and Script.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:10 PM,3,Microsoft-Windows-AppLocker,8009,/Windows/System32/winevt/Logs/Microsoft-Windows-AppLocker%4MSI and Script.evtx
+2118,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:15 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1423,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:35:44 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+392,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:24 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4249,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:26:38 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4574,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:19 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4228,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:32 PM,5,Microsoft-Windows-AppXDeployment-Server,822,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+147,Microsoft-Windows-AppLocker%4MSI and Script.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:14 PM,3,Microsoft-Windows-AppLocker,8009,/Windows/System32/winevt/Logs/Microsoft-Windows-AppLocker%4MSI and Script.evtx
+600,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:52 PM,5,Microsoft-Windows-AppXDeployment-Server,822,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+8,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:13 PM,5,Microsoft-Windows-AppXDeployment-Server,10000,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+230,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:09 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+2139,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:16 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1,Microsoft-Windows-HelloForBusiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:40 PM,4,Microsoft-Windows-HelloForBusiness,3054,/Windows/System32/winevt/Logs/Microsoft-Windows-HelloForBusiness%4Operational.evtx
+1675,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:37 PM,5,Microsoft-Windows-AppXDeployment-Server,8106,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1436,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:23 PM,4,Microsoft-Windows-AppXDeployment-Server,607,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1432,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:40 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3582,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:15:31 PM,5,Microsoft-Windows-AppXDeployment-Server,10002,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+279,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:30:34 PM,5,Microsoft-Windows-AppXDeployment-Server,813,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+4204,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:04 PM,5,Microsoft-Windows-AppXDeployment-Server,5507,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+304,Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:55 PM,2,Microsoft-Windows-ApplicationResourceManagementSystem,240,/Windows/System32/winevt/Logs/Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx
+99,Microsoft-Windows-Kernel-PnP%4Configuration.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:48:55 PM,4,Microsoft-Windows-Kernel-PnP,410,/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-PnP%4Configuration.evtx
+261,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:21 PM,4,Microsoft-Windows-Shell-Core,62171,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+663,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:16 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2006,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+1471,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:41 PM,4,Microsoft-Windows-AppReadiness,206,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+112,Microsoft-Windows-Kernel-PnP%4Configuration.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:48:55 PM,4,Microsoft-Windows-Kernel-PnP,410,/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-PnP%4Configuration.evtx
+1315,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:39 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3004,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:17 PM,5,Microsoft-Windows-AppXDeployment-Server,5507,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+43,Microsoft-Windows-WMI-Activity%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:52 PM,2,Microsoft-Windows-WMI-Activity,5858,/Windows/System32/winevt/Logs/Microsoft-Windows-WMI-Activity%4Operational.evtx
+5934,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:06 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+70,Microsoft-Windows-GroupPolicy%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:55:57 PM,4,Microsoft-Windows-GroupPolicy,5257,/Windows/System32/winevt/Logs/Microsoft-Windows-GroupPolicy%4Operational.evtx
+254,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:49 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+322,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:36 PM,4,Microsoft-Windows-AppReadiness,206,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+170,Microsoft-Windows-International%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:04 PM,1,Microsoft-Windows-International,1001,/Windows/System32/winevt/Logs/Microsoft-Windows-International%4Operational.evtx
+430,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:15 PM,2,Microsoft-Windows-AppModel-Runtime,69,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+110,Microsoft-Windows-Bits-Client%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:39:38 PM,4,Microsoft-Windows-Bits-Client,3,/Windows/System32/winevt/Logs/Microsoft-Windows-Bits-Client%4Operational.evtx
+2256,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:34 PM,4,Microsoft-Windows-AppXDeployment-Server,339,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+63,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:56 PM,4,Microsoft-Windows-AppReadiness,318,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+1446,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:26 PM,4,Microsoft-Windows-AppXDeployment-Server,400,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3352,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:33 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1062,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:01:09 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+49,Microsoft-Windows-DeviceSetupManager%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:03 PM,3,Microsoft-Windows-DeviceSetupManager,202,/Windows/System32/winevt/Logs/Microsoft-Windows-DeviceSetupManager%4Admin.evtx
+4310,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:24:08 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+91,Microsoft-Windows-Kernel-PnP%4Configuration.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:48:55 PM,4,Microsoft-Windows-Kernel-PnP,410,/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-PnP%4Configuration.evtx
+3927,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:25:21 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3698,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:34 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4114,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:26:29 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3263,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:31 PM,4,Microsoft-Windows-AppXDeployment-Server,603,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1203,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:39 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+65,Microsoft-Windows-TWinUI%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:18 PM,2,Microsoft-Windows-Immersive-Shell,5951,/Windows/System32/winevt/Logs/Microsoft-Windows-TWinUI%4Operational.evtx
+97,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:13 PM,4,Microsoft-Windows-Shell-Core,9707,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+311,Microsoft-Windows-PushNotification-Platform%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:06 PM,4,Microsoft-Windows-PushNotifications-Platform,2414,/Windows/System32/winevt/Logs/Microsoft-Windows-PushNotification-Platform%4Operational.evtx
+191,Microsoft-Windows-Shell-Core%4AppDefaults.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:10 PM,4,Microsoft-Windows-Shell-Core,62443,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4AppDefaults.evtx
+5051,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:30:39 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+610,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:21:56 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+887,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:20 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+3558,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:15:23 PM,4,Microsoft-Windows-AppXDeployment-Server,339,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+376,Microsoft-Windows-PushNotification-Platform%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:48:57 PM,4,Microsoft-Windows-PushNotifications-Platform,2415,/Windows/System32/winevt/Logs/Microsoft-Windows-PushNotification-Platform%4Operational.evtx
+606,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:21:22 PM,4,Microsoft-Windows-AppxPackagingOM,170,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+2681,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:04 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1657,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:15:33 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+174,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:14 PM,4,Microsoft-Windows-AppReadiness,302,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+952,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:01 PM,4,Microsoft-Windows-AppReadiness,200,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+525,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:12 PM,4,Microsoft-Windows-AppModel-Runtime,40,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+681,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:29 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2006,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+134,Microsoft-Windows-StateRepository%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:48:38 PM,3,Microsoft-Windows-StateRepository,104,/Windows/System32/winevt/Logs/Microsoft-Windows-StateRepository%4Operational.evtx
+1105,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:10:34 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3033,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:29 PM,4,Windows-ApplicationModel-Store-SDK,4,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+167,Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:56 PM,4,Microsoft-Windows-ApplicationResourceManagementSystem,375,/Windows/System32/winevt/Logs/Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx
+2091,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:23 PM,5,Microsoft-Windows-AppXDeployment-Server,541,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+5563,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:00 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+71,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:37 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+65,Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:50 PM,4,Microsoft-Windows-ApplicationResourceManagementSystem,375,/Windows/System32/winevt/Logs/Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx
+74,Microsoft-Windows-LiveId%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:48:01 PM,4,Microsoft-Windows-LiveId,6116,/Windows/System32/winevt/Logs/Microsoft-Windows-LiveId%4Operational.evtx
+80,System.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:40 PM,4,Service Control Manager,7045,/Windows/System32/winevt/Logs/System.evtx
+1531,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:47:02 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+1986,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:14 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2431,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:41 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+133,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:27 PM,5,Microsoft-Windows-AppXDeployment-Server,822,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3864,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:15 PM,5,Microsoft-Windows-AppXDeployment-Server,5507,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+4611,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:28 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+5150,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:18 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3111,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:24 PM,4,Microsoft-Windows-AppXDeployment-Server,573,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1470,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:40 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2634,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:08 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3852,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:24:10 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1337,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:15 PM,5,Microsoft-Windows-AppXDeployment-Server,541,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+55,Microsoft-Windows-WindowsUpdateClient%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:18:42 PM,4,Microsoft-Windows-WindowsUpdateClient,41,/Windows/System32/winevt/Logs/Microsoft-Windows-WindowsUpdateClient%4Operational.evtx
+4194,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:26:35 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+21,Microsoft-Windows-AppxPackaging%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:59 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+30,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:56 PM,4,Microsoft-Windows-AppReadiness,317,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+1959,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:14 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2036,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:15 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+108,Microsoft-Windows-PushNotification-Platform%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:00 PM,4,Microsoft-Windows-PushNotifications-Platform,2413,/Windows/System32/winevt/Logs/Microsoft-Windows-PushNotification-Platform%4Operational.evtx
+337,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:23 PM,3,Microsoft-Windows-Store,8002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1299,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:14 PM,5,Microsoft-Windows-AppXDeployment-Server,10002,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+47,Microsoft-Windows-StateRepository%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:15:06 PM,4,Microsoft-Windows-StateRepository,221,/Windows/System32/winevt/Logs/Microsoft-Windows-StateRepository%4Operational.evtx
+6081,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:08 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2864,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:11 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+34,Microsoft-Windows-GroupPolicy%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:07 PM,4,Microsoft-Windows-GroupPolicy,4117,/Windows/System32/winevt/Logs/Microsoft-Windows-GroupPolicy%4Operational.evtx
+620,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:28 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+357,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:37 PM,4,Microsoft-Windows-AppReadiness,301,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+5407,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:50 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4649,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:28 PM,5,Microsoft-Windows-Store,8012,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+518,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:25:44 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+252,System.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:31 PM,4,Microsoft-Windows-UserPnp,20001,/Windows/System32/winevt/Logs/System.evtx
+4919,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:29:11 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4191,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:03 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+135,Microsoft-Windows-Shell-Core%4AppDefaults.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:10 PM,4,Microsoft-Windows-Shell-Core,62443,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4AppDefaults.evtx
+1479,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:19:34 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+17,Microsoft-Windows-Bits-Client%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:00:14 PM,4,Microsoft-Windows-Bits-Client,59,/Windows/System32/winevt/Logs/Microsoft-Windows-Bits-Client%4Operational.evtx
+1146,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:10:35 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+520,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:58 PM,4,Microsoft-Windows-AppReadiness,205,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+318,Microsoft-Windows-Kernel-PnP%4Configuration.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:01 PM,4,Microsoft-Windows-Kernel-PnP,400,/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-PnP%4Configuration.evtx
+470,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:04 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+1090,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:09 PM,4,Microsoft-Windows-AppReadiness,200,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+23,Security.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:09 PM,0,Microsoft-Windows-Security-Auditing,4731,/Windows/System32/winevt/Logs/Security.evtx
+2160,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:41 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1234,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:03 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+3850,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:15 PM,4,Microsoft-Windows-AppXDeployment-Server,492,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+84,Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:51 PM,4,Microsoft-Windows-ApplicationResourceManagementSystem,375,/Windows/System32/winevt/Logs/Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx
+4607,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:00 PM,5,Microsoft-Windows-AppXDeployment-Server,614,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+54,Microsoft-Windows-StateRepository%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:20:12 PM,4,Microsoft-Windows-StateRepository,221,/Windows/System32/winevt/Logs/Microsoft-Windows-StateRepository%4Operational.evtx
+313,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:42 PM,4,Microsoft-Windows-CloudStore,2005,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+1878,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:14 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4,System.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:48:55 PM,4,Microsoft-Windows-Kernel-Boot,27,/Windows/System32/winevt/Logs/System.evtx
+195,Microsoft-Windows-Shell-Core%4AppDefaults.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:10 PM,4,Microsoft-Windows-Shell-Core,62443,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4AppDefaults.evtx
+6207,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:09 PM,5,Microsoft-Windows-Store,8012,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+50,Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx,DESKTOP-M3M6D5D,08/05/2017 06:00:44 PM,4,Microsoft-Windows-Application-Experience,505,/Windows/System32/winevt/Logs/Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx
+322,System.evtx,DESKTOP-M3M6D5D,08/05/2017 05:55:50 PM,3,BTHUSB,28,/Windows/System32/winevt/Logs/System.evtx
+2902,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:12 PM,5,Microsoft-Windows-AppXDeployment-Server,10002,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+277,Microsoft-Windows-PushNotification-Platform%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:20:21 PM,5,Microsoft-Windows-PushNotifications-Platform,1225,/Windows/System32/winevt/Logs/Microsoft-Windows-PushNotification-Platform%4Operational.evtx
+4467,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:26:25 PM,5,Microsoft-Windows-AppXDeployment-Server,5506,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+121,Microsoft-Windows-StateRepository%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:48:38 PM,3,Microsoft-Windows-StateRepository,104,/Windows/System32/winevt/Logs/Microsoft-Windows-StateRepository%4Operational.evtx
+2300,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:41 PM,5,Microsoft-Windows-AppXDeployment-Server,541,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1313,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:17 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+139,System.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:15 PM,4,Microsoft-Windows-Kernel-General,16,/Windows/System32/winevt/Logs/System.evtx
+1664,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:15:35 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4213,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:04 PM,5,Microsoft-Windows-AppXDeployment-Server,813,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3482,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:42 PM,5,Microsoft-Windows-AppXDeployment-Server,10002,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3508,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:21:51 PM,2,Microsoft-Windows-Install-Agent,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3366,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:33 PM,5,Microsoft-Windows-AppXDeployment-Server,5507,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+52,Microsoft-Windows-AppReadiness%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:23 PM,4,Microsoft-Windows-AppReadiness,305,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Admin.evtx
+3156,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:25 PM,4,Microsoft-Windows-AppXDeployment-Server,400,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+2811,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:07 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+252,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:59 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+160,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:29 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+1025,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:19:28 PM,4,Microsoft-Windows-AppXDeployment-Server,400,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+5116,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:17 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+129,Microsoft-Windows-AppReadiness%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:57 PM,4,Microsoft-Windows-AppReadiness,213,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Admin.evtx
+551,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:05 PM,4,Microsoft-Windows-AppReadiness,205,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+2120,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:15 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+886,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:21 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+265,Microsoft-Windows-AppLocker%4MSI and Script.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:09 PM,3,Microsoft-Windows-AppLocker,8009,/Windows/System32/winevt/Logs/Microsoft-Windows-AppLocker%4MSI and Script.evtx
+267,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:30:34 PM,5,Microsoft-Windows-AppXDeployment-Server,447,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+2965,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:16 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+90,Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx,DESKTOP-M3M6D5D,08/05/2017 06:20:21 PM,4,Microsoft-Windows-Application-Experience,505,/Windows/System32/winevt/Logs/Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx
+56,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:24 PM,4,Microsoft-Windows-AppModel-Runtime,70,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+4313,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:24:08 PM,4,Microsoft-Windows-AppXDeployment-Server,439,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+6267,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:48 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3209,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:28 PM,4,Microsoft-Windows-AppXDeployment-Server,400,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+120,Microsoft-Client-Licensing-Platform%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:24 PM,4,Microsoft-Client-Licensing-Platform,157,/Windows/System32/winevt/Logs/Microsoft-Client-Licensing-Platform%4Admin.evtx
+4126,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:20:15 PM,5,Microsoft-Windows-AppXDeployment-Server,472,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+6632,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:35 PM,4,Microsoft-Windows-Store,8000,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1580,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:15:04 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+105,Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:52 PM,4,Microsoft-Windows-ApplicationResourceManagementSystem,375,/Windows/System32/winevt/Logs/Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx
+3226,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:19:37 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3322,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:33 PM,5,Microsoft-Windows-AppXDeployment-Server,8106,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1270,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:39 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+774,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:28 PM,4,Microsoft-Windows-AppReadiness,200,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+47,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:24 PM,4,Microsoft-Windows-AppModel-Runtime,70,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+6547,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:19:27 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+340,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:37 PM,4,Microsoft-Windows-AppReadiness,314,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+373,Microsoft-Windows-Kernel-PnP%4Configuration.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:02 PM,4,Microsoft-Windows-Kernel-PnP,410,/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-PnP%4Configuration.evtx
+3569,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:16 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4108,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:26:29 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+38,Microsoft-Windows-Kernel-PnP%4Configuration.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:48:55 PM,4,Microsoft-Windows-Kernel-PnP,400,/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-PnP%4Configuration.evtx
+2442,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:41 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2054,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:15 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2752,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:05 PM,5,Microsoft-Windows-Store,8011,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+5,Microsoft-Windows-TaskScheduler%4Maintenance.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:05 PM,3,Microsoft-Windows-TaskScheduler,808,/Windows/System32/winevt/Logs/Microsoft-Windows-TaskScheduler%4Maintenance.evtx
+16,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:42 PM,4,Microsoft-Windows-CloudStore,2003,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+4451,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:16 PM,5,Microsoft-Windows-Store,8011,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4553,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:19 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4609,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:03 PM,4,Microsoft-Windows-AppXDeployment-Server,492,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+169,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:14 PM,4,Microsoft-Windows-AppReadiness,314,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+1071,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:22 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+8,Microsoft-Windows-Windows Defender%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:43 PM,4,Microsoft-Windows-Windows Defender,2000,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Defender%4Operational.evtx
+338,System.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:09 PM,4,Microsoft-Windows-Kernel-General,15,/Windows/System32/winevt/Logs/System.evtx
+169,Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:56 PM,4,Microsoft-Windows-ApplicationResourceManagementSystem,375,/Windows/System32/winevt/Logs/Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx
+789,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:11 PM,5,Microsoft-Windows-AppXDeployment-Server,5507,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1207,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:39 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+106,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:00 PM,4,Microsoft-Windows-CloudStore,2003,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+2795,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:10 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+81,Application.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:00 PM,4,VMTools,105,/Windows/System32/winevt/Logs/Application.evtx
+3775,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:23:14 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4434,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:26:21 PM,5,Microsoft-Windows-AppXDeployment-Server,447,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3225,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:30 PM,5,Microsoft-Windows-AppXDeployment-Server,10002,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+435,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 06:18:55 PM,0,Microsoft-Windows-Security-Auditing,4672,/Windows/System32/winevt/Logs/Security.evtx
+214,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:43 PM,4,Microsoft-Windows-AppXDeployment-Server,400,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+19,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:12 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+22,Microsoft-Windows-Wcmsvc%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:55:10 PM,4,Microsoft-Windows-Wcmsvc,4028,/Windows/System32/winevt/Logs/Microsoft-Windows-Wcmsvc%4Operational.evtx
+6272,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:54 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+386,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:15 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+6102,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:08 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2387,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:01 PM,5,Microsoft-Windows-AppXDeployment-Server,317,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3104,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:39 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+726,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:29 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+401,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:41 PM,4,Microsoft-Windows-AppModel-Runtime,70,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+2231,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:41 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+40,Microsoft-Windows-TWinUI%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:47 PM,4,Microsoft-Windows-Immersive-Shell,5950,/Windows/System32/winevt/Logs/Microsoft-Windows-TWinUI%4Operational.evtx
+193,Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:56 PM,4,Microsoft-Windows-ApplicationResourceManagementSystem,375,/Windows/System32/winevt/Logs/Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx
+570,System.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:05 PM,4,Microsoft-Windows-FilterManager,6,/Windows/System32/winevt/Logs/System.evtx
+4800,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:48 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+6583,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:19:36 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4005,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:25:45 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2829,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:11 PM,5,Microsoft-Windows-AppXDeployment-Server,8101,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+5586,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:00 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+351,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:23 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1357,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:29 PM,4,Microsoft-Windows-AppReadiness,301,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+3505,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:21:51 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+305,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:30:35 PM,5,Microsoft-Windows-AppXDeployment-Server,5507,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+307,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:30:35 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+292,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:18 PM,0,Microsoft-Windows-Security-Auditing,5061,/Windows/System32/winevt/Logs/Security.evtx
+5938,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:06 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+512,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:33 PM,4,Microsoft-Windows-AppModel-Runtime,41,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+1006,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:00:34 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+184,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:53 PM,0,Microsoft-Windows-Security-Auditing,4735,/Windows/System32/winevt/Logs/Security.evtx
+2142,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:26 PM,4,Microsoft-Windows-AppXDeployment-Server,339,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+117,Microsoft-Windows-WMI-Activity%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:26:23 PM,0,Microsoft-Windows-WMI-Activity,5857,/Windows/System32/winevt/Logs/Microsoft-Windows-WMI-Activity%4Operational.evtx
+116,Microsoft-Windows-AppReadiness%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:21 PM,4,Microsoft-Windows-AppReadiness,209,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Admin.evtx
+304,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:40 PM,4,Microsoft-Windows-CloudStore,2003,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+70,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:18 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+59,Microsoft-Windows-DeviceSetupManager%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:03 PM,3,Microsoft-Windows-DeviceSetupManager,201,/Windows/System32/winevt/Logs/Microsoft-Windows-DeviceSetupManager%4Admin.evtx
+261,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:51 PM,0,Microsoft-Windows-Security-Auditing,4907,/Windows/System32/winevt/Logs/Security.evtx
+2334,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:41 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+739,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:24 PM,4,Microsoft-Windows-AppReadiness,314,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+2521,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:07 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3896,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:24:20 PM,3,Microsoft-Windows-Store,8002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3424,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:40 PM,5,Microsoft-Windows-AppXDeployment-Server,822,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+23,Microsoft-Windows-AppXDeployment%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:55:13 PM,2,Microsoft-Windows-AppXDeployment,302,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeployment%4Operational.evtx
+490,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:07 PM,4,Microsoft-Windows-AppModel-Runtime,42,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+4241,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:33 PM,4,Microsoft-Windows-AppXDeployment-Server,492,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+382,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:21 PM,4,Microsoft-Windows-CloudStore,2003,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+88,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:24 PM,5,Microsoft-Windows-AppXDeployment-Server,813,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+5561,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:00 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3533,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:15 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+59,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:56 PM,4,Microsoft-Windows-AppReadiness,318,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+168,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:50 PM,4,Microsoft-Windows-Shell-Core,28018,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+282,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:17 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+2657,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:08 PM,4,Microsoft-Windows-AppXDeployment-Server,607,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+2784,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:10 PM,5,Microsoft-Windows-AppXDeployment-Server,8106,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+115,Microsoft-Windows-StateRepository%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:48:38 PM,3,Microsoft-Windows-StateRepository,104,/Windows/System32/winevt/Logs/Microsoft-Windows-StateRepository%4Operational.evtx
+4741,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:43 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1702,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:15:36 PM,5,Microsoft-Windows-Store,8012,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3260,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:31 PM,4,Microsoft-Windows-AppXDeployment-Server,573,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+4422,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:14 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2,Microsoft-Windows-Bits-Client%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:32 PM,4,Microsoft-Windows-Bits-Client,209,/Windows/System32/winevt/Logs/Microsoft-Windows-Bits-Client%4Operational.evtx
+2598,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:08 PM,5,Microsoft-Windows-AppXDeployment-Server,821,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+428,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:15 PM,4,Microsoft-Windows-AppReadiness,1018,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+1487,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:27 PM,5,Microsoft-Windows-AppXDeployment-Server,10000,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+2562,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:41 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+526,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:26 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+137,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:10 PM,4,Microsoft-Windows-AppReadiness,206,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+251,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:22 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+178,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:21 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+222,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:53 PM,0,Microsoft-Windows-Security-Auditing,4781,/Windows/System32/winevt/Logs/Security.evtx
+1050,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:57 PM,2,Microsoft-Windows-AppXDeployment-Server,712,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+5240,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:31 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1979,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:14 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2484,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:41 PM,5,Microsoft-Windows-Store,8012,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1455,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:40 PM,2,Microsoft-Windows-Install-Agent,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+19,Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:48 PM,4,Microsoft-Windows-ApplicationResourceManagementSystem,375,/Windows/System32/winevt/Logs/Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx
+610,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:56 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1614,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:36 PM,4,Microsoft-Windows-AppXDeployment-Server,339,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+4936,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:30:10 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2341,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:42 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1296,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:12 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+4284,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:27:20 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:42 PM,4,Microsoft-Windows-CloudStore,2003,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+6578,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:19:33 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+179,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:16 PM,4,Microsoft-Windows-AppReadiness,314,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+6316,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:14:44 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+347,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:23 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2447,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:41 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+44,Microsoft-Windows-International%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:41 PM,1,Microsoft-Windows-International,1001,/Windows/System32/winevt/Logs/Microsoft-Windows-International%4Operational.evtx
+0,Microsoft-Windows-SMBServer%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:32 PM,4,Microsoft-Windows-SMBServer,1027,/Windows/System32/winevt/Logs/Microsoft-Windows-SMBServer%4Operational.evtx
+185,Microsoft-Windows-GroupPolicy%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:39:44 PM,4,Microsoft-Windows-GroupPolicy,4126,/Windows/System32/winevt/Logs/Microsoft-Windows-GroupPolicy%4Operational.evtx
+422,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:28 PM,4,Microsoft-Windows-AppXDeployment-Server,492,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+214,Microsoft-Windows-AppReadiness%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:54 PM,4,Microsoft-Windows-AppReadiness,227,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Admin.evtx
+389,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:32 PM,4,Microsoft-Windows-AppModel-Runtime,70,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+375,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:16 PM,5,Microsoft-Windows-AppXDeployment-Server,317,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1726,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:15 PM,4,Microsoft-Windows-AppXDeployment-Server,607,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+404,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:28 PM,5,Microsoft-Windows-AppXDeployment-Server,8100,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+424,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:39:30 PM,4,Microsoft-Windows-CloudStore,2005,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+1953,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:14 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+41,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:18 PM,5,Microsoft-Windows-Store,8011,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2056,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:21 PM,4,Microsoft-Windows-AppXDeployment-Server,400,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1183,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:12 PM,4,Microsoft-Windows-AppReadiness,207,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+167,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:19 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+250,Microsoft-Windows-Shell-Core%4AppDefaults.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:10 PM,4,Microsoft-Windows-Shell-Core,62443,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4AppDefaults.evtx
+6145,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:08 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1095,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:38 PM,5,Microsoft-Windows-AppXDeployment-Server,447,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+2274,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:41 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+5,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:41 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+36,Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:55:53 PM,4,Microsoft-Windows-TerminalServices-LocalSessionManager,32,/Windows/System32/winevt/Logs/Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
+296,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:24 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+200,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:42 PM,5,Microsoft-Windows-AppXDeployment-Server,821,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1,Microsoft-Windows-AppLocker%4MSI and Script.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:14 PM,3,Microsoft-Windows-AppLocker,8009,/Windows/System32/winevt/Logs/Microsoft-Windows-AppLocker%4MSI and Script.evtx
+5357,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:09 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3109,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:24 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3009,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:28 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2395,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:41 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3258,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:31 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1430,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:21 PM,5,Microsoft-Windows-AppXDeployment-Server,761,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+57,Microsoft-Windows-International%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:42 PM,1,Microsoft-Windows-International,1001,/Windows/System32/winevt/Logs/Microsoft-Windows-International%4Operational.evtx
+57,Microsoft-Windows-Bits-Client%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:41 PM,4,Microsoft-Windows-Bits-Client,59,/Windows/System32/winevt/Logs/Microsoft-Windows-Bits-Client%4Operational.evtx
+22,Microsoft-Windows-Kernel-Boot%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 08:51:26 PM,4,Microsoft-Windows-Kernel-Boot,157,/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-Boot%4Operational.evtx
+1901,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:10 PM,5,Microsoft-Windows-AppXDeployment-Server,821,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+624,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:42 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2006,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+680,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:20 PM,4,Microsoft-Windows-AppReadiness,206,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+1092,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:38 PM,5,Microsoft-Windows-AppXDeployment-Server,614,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+6295,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:13:52 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+915,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:30 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+479,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:13 PM,0,Microsoft-Windows-Security-Auditing,4624,/Windows/System32/winevt/Logs/Security.evtx
+6,Microsoft-Windows-Wcmsvc%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:35 PM,4,Microsoft-Windows-Wcmsvc,1009,/Windows/System32/winevt/Logs/Microsoft-Windows-Wcmsvc%4Operational.evtx
+2647,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:49 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1056,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:01:09 PM,4,Microsoft-Windows-Install-Agent,2000,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1011,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:07 PM,4,Microsoft-Windows-AppReadiness,205,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+6176,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:08 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+6523,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:18:39 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+8,Security.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:07 PM,0,Microsoft-Windows-Security-Auditing,4688,/Windows/System32/winevt/Logs/Security.evtx
+110,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:26 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+104,Microsoft-Windows-Shell-Core%4AppDefaults.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:09 PM,4,Microsoft-Windows-Shell-Core,62443,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4AppDefaults.evtx
+6032,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:07 PM,3,Microsoft-Windows-Store,8002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+32,Microsoft-Windows-Provisioning-Diagnostics-Provider%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:57 PM,4,Microsoft-Windows-Provisioning-Diagnostics-Provider,20,/Windows/System32/winevt/Logs/Microsoft-Windows-Provisioning-Diagnostics-Provider%4Admin.evtx
+3548,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:15:21 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+5419,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:50 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+277,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:44 PM,4,Microsoft-Windows-AppModel-Runtime,39,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+4706,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:42 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+13,Microsoft-Windows-Diagnosis-DPS%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:06:00 PM,4,Microsoft-Windows-Diagnosis-DPS,115,/Windows/System32/winevt/Logs/Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
+3526,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:50 PM,4,Microsoft-Windows-AppXDeployment-Server,492,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+2694,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:09 PM,5,Microsoft-Windows-AppXDeployment-Server,5507,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+31,Microsoft-Windows-StateRepository%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:55 PM,4,Microsoft-Windows-StateRepository,231,/Windows/System32/winevt/Logs/Microsoft-Windows-StateRepository%4Operational.evtx
+1122,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:38 PM,5,Microsoft-Windows-AppXDeployment-Server,478,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+470,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:27 PM,4,Microsoft-Windows-AppModel-Runtime,42,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+145,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:38 PM,4,Microsoft-Windows-Shell-Core,62144,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+24,Microsoft-Client-Licensing-Platform%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:12 PM,4,Microsoft-Client-Licensing-Platform,157,/Windows/System32/winevt/Logs/Microsoft-Client-Licensing-Platform%4Admin.evtx
+168,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:48 PM,0,Microsoft-Windows-Security-Auditing,4624,/Windows/System32/winevt/Logs/Security.evtx
+193,Microsoft-Windows-Shell-Core%4AppDefaults.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:10 PM,4,Microsoft-Windows-Shell-Core,62443,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4AppDefaults.evtx
+645,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:30:35 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2006,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+1355,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:29 PM,4,Microsoft-Windows-AppReadiness,314,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+1725,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:15 PM,5,Microsoft-Windows-AppXDeployment-Server,10002,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3869,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:24:20 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3912,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:01 PM,5,Microsoft-Windows-AppXDeployment-Server,447,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+48,Microsoft-Windows-DeviceSetupManager%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:03 PM,4,Microsoft-Windows-DeviceSetupManager,112,/Windows/System32/winevt/Logs/Microsoft-Windows-DeviceSetupManager%4Admin.evtx
+2306,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:41 PM,5,Microsoft-Windows-AppXDeployment-Server,821,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3023,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:17 PM,5,Microsoft-Windows-AppXDeployment-Server,614,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+4529,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:26:32 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1876,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:06 PM,5,Microsoft-Windows-AppXDeployment-Server,8101,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+19,Microsoft-Windows-Diagnosis-DPS%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:48:03 PM,4,Microsoft-Windows-Diagnosis-DPS,105,/Windows/System32/winevt/Logs/Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
+574,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:10 PM,4,Microsoft-Windows-AppReadiness,302,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+52,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:24 PM,4,Microsoft-Windows-AppModel-Runtime,70,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+3510,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:43 PM,5,Microsoft-Windows-AppXDeployment-Server,822,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+148,Microsoft-Windows-AppReadiness%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:14 PM,4,Microsoft-Windows-AppReadiness,227,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Admin.evtx
+81,Security.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:22 PM,0,Microsoft-Windows-Security-Auditing,4672,/Windows/System32/winevt/Logs/Security.evtx
+1366,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:17 PM,4,Microsoft-Windows-AppXDeployment-Server,339,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+500,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:10 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+3249,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:20:09 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:50 PM,4,Microsoft-Windows-AppReadiness,104,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+4263,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:34 PM,5,Microsoft-Windows-AppXDeployment-Server,813,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+204,Microsoft-Windows-Shell-Core%4AppDefaults.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:10 PM,4,Microsoft-Windows-Shell-Core,62443,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4AppDefaults.evtx
+891,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:20 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+361,System.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:46 PM,4,Microsoft-Windows-WindowsUpdateClient,44,/Windows/System32/winevt/Logs/System.evtx
+5181,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:28 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+61,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:18 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2190,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:29 PM,5,Microsoft-Windows-AppXDeployment-Server,617,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+5965,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:06 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1438,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:33 PM,4,Microsoft-Windows-AppReadiness,205,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+428,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 06:08:28 PM,0,Microsoft-Windows-Security-Auditing,4799,/Windows/System32/winevt/Logs/Security.evtx
+111,System.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:52 PM,4,Microsoft-Windows-Kernel-General,16,/Windows/System32/winevt/Logs/System.evtx
+221,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:37 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+1181,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:55 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+2816,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:09 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1234,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:56 PM,4,Microsoft-Windows-AppXDeployment-Server,635,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+190,Microsoft-Windows-Kernel-PnP%4Configuration.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:48:56 PM,4,Microsoft-Windows-Kernel-PnP,400,/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-PnP%4Configuration.evtx
+266,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:00:12 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+2838,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:11 PM,5,Microsoft-Windows-AppXDeployment-Server,10001,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+3218,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:29 PM,5,Microsoft-Windows-AppXDeployment-Server,614,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1615,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:36 PM,5,Microsoft-Windows-AppXDeployment-Server,827,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1209,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:14 PM,4,Microsoft-Windows-AppReadiness,201,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+6509,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:18:28 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+549,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:46 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+153,Microsoft-Windows-International%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:12 PM,1,Microsoft-Windows-International,1001,/Windows/System32/winevt/Logs/Microsoft-Windows-International%4Operational.evtx
+6287,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:13:11 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+160,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:34 PM,4,Microsoft-Windows-AppXDeployment-Server,339,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+4690,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:37 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+5750,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:07 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+86,Microsoft-Windows-International%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:42 PM,1,Microsoft-Windows-International,1001,/Windows/System32/winevt/Logs/Microsoft-Windows-International%4Operational.evtx
+1598,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:36 PM,4,Microsoft-Windows-AppXDeployment-Server,400,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+292,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:23 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2986,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:27 PM,4,Windows-ApplicationModel-Store-SDK,4,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+73,Microsoft-Windows-International%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:42 PM,1,Microsoft-Windows-International,1001,/Windows/System32/winevt/Logs/Microsoft-Windows-International%4Operational.evtx
+256,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:21 PM,4,Microsoft-Windows-Shell-Core,62171,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+2224,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:30 PM,5,Microsoft-Windows-AppXDeployment-Server,541,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1408,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:35:44 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+387,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:15 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+1387,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:39 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1297,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:13:39 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+177,Microsoft-Windows-AppLocker%4MSI and Script.evtx,DESKTOP-M3M6D5D,08/05/2017 06:21:22 PM,3,Microsoft-Windows-AppLocker,8009,/Windows/System32/winevt/Logs/Microsoft-Windows-AppLocker%4MSI and Script.evtx
+3973,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:06 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+28,Microsoft-Windows-Bits-Client%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:05:41 PM,4,Microsoft-Windows-Bits-Client,209,/Windows/System32/winevt/Logs/Microsoft-Windows-Bits-Client%4Operational.evtx
+1632,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:15:31 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+205,Microsoft-Windows-AppReadiness%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:41 PM,4,Microsoft-Windows-AppReadiness,227,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Admin.evtx
+3232,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:30 PM,5,Microsoft-Windows-AppXDeployment-Server,10000,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+5149,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:18 PM,3,Microsoft-Windows-Store,8002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3029,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:17 PM,4,Microsoft-Windows-AppXDeployment-Server,603,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+6461,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:17:07 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+175,Microsoft-Windows-AppLocker%4MSI and Script.evtx,DESKTOP-M3M6D5D,08/05/2017 06:20:13 PM,3,Microsoft-Windows-AppLocker,8009,/Windows/System32/winevt/Logs/Microsoft-Windows-AppLocker%4MSI and Script.evtx
+4,Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:35:58 PM,4,Microsoft-Windows-Resource-Exhaustion-Detector,1002,/Windows/System32/winevt/Logs/Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx
+6266,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:47 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2769,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:05 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+6211,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:09 PM,2,Microsoft-Windows-Install-Agent,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2169,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:41 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+1399,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:19 PM,4,Microsoft-Windows-AppXDeployment-Server,400,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+15,Microsoft-Windows-PriResources-Deployment%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:21 PM,4,Microsoft-Windows-PriResources-Deployment,1000,/Windows/System32/winevt/Logs/Microsoft-Windows-PriResources-Deployment%4Operational.evtx
+1213,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:14 PM,4,Microsoft-Windows-AppReadiness,205,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+44,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:42 PM,4,Microsoft-Windows-CloudStore,2003,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+575,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:20:19 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+52,Microsoft-Windows-StateRepository%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:07 PM,4,Microsoft-Windows-StateRepository,221,/Windows/System32/winevt/Logs/Microsoft-Windows-StateRepository%4Operational.evtx
+5003,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:30:36 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+6563,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:19:28 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+5764,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:07 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+275,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:01 PM,4,Microsoft-Windows-CloudStore,2005,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+5001,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:30:36 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+6260,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:11:43 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+5649,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:33:04 PM,5,Microsoft-Windows-Store,8012,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+460,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:30 PM,5,Microsoft-Windows-AppXDeployment-Server,8106,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+4811,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:48 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+171,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:20 PM,3,Microsoft-Windows-Store,8002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+583,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:27 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+22,Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:46 PM,4,Microsoft-Windows-Application-Experience,505,/Windows/System32/winevt/Logs/Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx
+23,Microsoft-Windows-SettingSync%4Debug.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:31 PM,2,Microsoft-Windows-SettingSync-Desktop,6509,/Windows/System32/winevt/Logs/Microsoft-Windows-SettingSync%4Debug.evtx
+3325,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:20:18 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+993,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:05 PM,4,Microsoft-Windows-AppReadiness,200,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+348,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:23 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+3857,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:15 PM,5,Microsoft-Windows-AppXDeployment-Server,8100,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+102,Microsoft-Windows-AppLocker%4MSI and Script.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:24 PM,3,Microsoft-Windows-AppLocker,8009,/Windows/System32/winevt/Logs/Microsoft-Windows-AppLocker%4MSI and Script.evtx
+2065,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:15 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+4955,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:30:33 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+170,Microsoft-Client-Licensing-Platform%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:28 PM,4,Microsoft-Client-Licensing-Platform,159,/Windows/System32/winevt/Logs/Microsoft-Client-Licensing-Platform%4Admin.evtx
+1193,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:55 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+390,System.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:45 PM,4,Microsoft-Windows-WindowsUpdateClient,44,/Windows/System32/winevt/Logs/System.evtx
+5144,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:18 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+612,Microsoft-Windows-AppReadiness%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:15 PM,4,Microsoft-Windows-AppReadiness,303,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Operational.evtx
+5237,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:31 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2799,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:17:06 PM,5,Microsoft-Windows-Store,8011,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2163,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:41 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+158,Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:56 PM,4,Microsoft-Windows-ApplicationResourceManagementSystem,375,/Windows/System32/winevt/Logs/Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx
+665,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:22:11 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+117,Microsoft-Windows-AppReadiness%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:56:21 PM,4,Microsoft-Windows-AppReadiness,209,/Windows/System32/winevt/Logs/Microsoft-Windows-AppReadiness%4Admin.evtx
+3030,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:17 PM,5,Microsoft-Windows-AppXDeployment-Server,10002,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+2344,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:41 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+79,Microsoft-Windows-CloudStore%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:00 PM,4,Microsoft-Windows-CloudStore,2005,/Windows/System32/winevt/Logs/Microsoft-Windows-CloudStore%4Operational.evtx
+41,Security.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:49:09 PM,0,Microsoft-Windows-Security-Auditing,4624,/Windows/System32/winevt/Logs/Security.evtx
+4091,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:26:29 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+335,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:15 PM,4,Microsoft-Windows-AppXDeployment-Server,607,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1612,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:36 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+217,Microsoft-Windows-GroupPolicy%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:46:14 PM,4,Microsoft-Windows-GroupPolicy,5320,/Windows/System32/winevt/Logs/Microsoft-Windows-GroupPolicy%4Operational.evtx
+4896,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:28:51 PM,2,Microsoft-Windows-Install-Agent,2004,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+2230,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:30 PM,5,Microsoft-Windows-AppXDeployment-Server,821,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+175,Microsoft-Windows-Shell-Core%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:55:06 PM,4,Microsoft-Windows-Shell-Core,62170,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4Operational.evtx
+14,Microsoft-Windows-Known Folders API Service.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:09 PM,3,Microsoft-Windows-KnownFolders,1002,/Windows/System32/winevt/Logs/Microsoft-Windows-Known Folders API Service.evtx
+6,Microsoft-Windows-Storage-ClassPnP%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:48:03 PM,2,Microsoft-Windows-StorDiag,504,/Windows/System32/winevt/Logs/Microsoft-Windows-Storage-ClassPnP%4Operational.evtx
+171,Microsoft-Windows-GroupPolicy%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:39:44 PM,4,Microsoft-Windows-GroupPolicy,5351,/Windows/System32/winevt/Logs/Microsoft-Windows-GroupPolicy%4Operational.evtx
+253,Microsoft-Windows-Shell-Core%4AppDefaults.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:10 PM,4,Microsoft-Windows-Shell-Core,62443,/Windows/System32/winevt/Logs/Microsoft-Windows-Shell-Core%4AppDefaults.evtx
+385,Microsoft-Windows-Kernel-PnP%4Configuration.evtx,DESKTOP-M3M6D5D,08/05/2017 05:54:31 PM,2,Microsoft-Windows-Kernel-PnP,411,/Windows/System32/winevt/Logs/Microsoft-Windows-Kernel-PnP%4Configuration.evtx
+51,Microsoft-Windows-WMI-Activity%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:53:06 PM,0,Microsoft-Windows-WMI-Activity,5857,/Windows/System32/winevt/Logs/Microsoft-Windows-WMI-Activity%4Operational.evtx
+3531,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:14:35 PM,4,Microsoft-Windows-AppXDeployment-Server,613,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+1101,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:31:34 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+1466,Microsoft-Windows-AppxPackaging%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 07:18:53 PM,3,Microsoft-Windows-AppxPackagingOM,216,/Windows/System32/winevt/Logs/Microsoft-Windows-AppxPackaging%4Operational.evtx
+4420,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:26:17 PM,5,Microsoft-Windows-AppXDeployment-Server,10002,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+357,Microsoft-Windows-AppModel-Runtime%4Admin.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:17 PM,4,Microsoft-Windows-AppModel-Runtime,39,/Windows/System32/winevt/Logs/Microsoft-Windows-AppModel-Runtime%4Admin.evtx
+232,Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:56 PM,4,Microsoft-Windows-ApplicationResourceManagementSystem,375,/Windows/System32/winevt/Logs/Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx
+1796,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:16:04 PM,4,Microsoft-Windows-Install-Agent,2002,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+57,Microsoft-Windows-AppLocker%4MSI and Script.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:41 PM,3,Microsoft-Windows-AppLocker,8009,/Windows/System32/winevt/Logs/Microsoft-Windows-AppLocker%4MSI and Script.evtx
+133,Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:51:56 PM,4,Microsoft-Windows-ApplicationResourceManagementSystem,375,/Windows/System32/winevt/Logs/Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx
+3809,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 06:24:09 PM,5,Microsoft-Windows-Install-Agent,2001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
+506,System.evtx,DESKTOP-M3M6D5D,08/05/2017 06:32:57 PM,4,Microsoft-Windows-WindowsUpdateClient,43,/Windows/System32/winevt/Logs/System.evtx
+128,Microsoft-Windows-PushNotification-Platform%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:57:13 PM,4,Microsoft-Windows-PushNotifications-Platform,1257,/Windows/System32/winevt/Logs/Microsoft-Windows-PushNotification-Platform%4Operational.evtx
+1188,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,WIN-R1F8H6CSVA3,08/05/2017 08:50:41 PM,5,Microsoft-Windows-AppXDeployment-Server,540,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+426,Security.evtx,DESKTOP-M3M6D5D,08/05/2017 06:08:28 PM,0,Microsoft-Windows-Security-Auditing,4799,/Windows/System32/winevt/Logs/Security.evtx
+498,Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx,DESKTOP-M3M6D5D,08/05/2017 06:24:08 PM,4,Microsoft-Windows-Windows Firewall With Advanced Security,2006,/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
+3147,Microsoft-Windows-AppXDeploymentServer%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:58:24 PM,5,Microsoft-Windows-AppXDeployment-Server,822,/Windows/System32/winevt/Logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
+174,Microsoft-Windows-Store%4Operational.evtx,DESKTOP-M3M6D5D,08/05/2017 05:52:21 PM,4,Microsoft-Windows-Store,8001,/Windows/System32/winevt/Logs/Microsoft-Windows-Store%4Operational.evtx
diff --git a/Chapter02/screenshotter.py b/Chapter02/screenshotter.py
new file mode 100644
index 0000000..d30766d
--- /dev/null
+++ b/Chapter02/screenshotter.py
@@ -0,0 +1,81 @@
+from __future__ import print_function
+import argparse
+from multiprocessing import freeze_support
+import os
+import sys
+import time
+
+try:
+ import pyscreenshot
+ import wx
+except ImportError:
+ print("[-] Install wx and pyscreenshot to use this script")
+ sys.exit(1)
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Capture incremental screenshots"
+
+
+def main(output_dir, interval, total):
+ i = 0
+ while True:
+ i += 1
+ time.sleep(interval)
+ image = pyscreenshot.grab()
+ output = os.path.join(output_dir, "screenshot_{}.png").format(i)
+ image.save(output)
+ print("[+] Took screenshot {} and saved it to {}".format(
+ i, output_dir))
+ if total is not None and i == total:
+ print("[+] Finished taking {} screenshots every {} "
+ "seconds".format(total, interval))
+ sys.exit(0)
+
+
+if __name__ == "__main__":
+ # Command-line Argument Parser
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("OUTPUT_DIR", help="Desired Output Path")
+ parser.add_argument(
+ "INTERVAL", help="Screenshot interval (seconds)", type=int)
+ parser.add_argument(
+ "-total", help="Total number of screenshots to take", type=int)
+ args = parser.parse_args()
+
+ if not os.path.exists(args.OUTPUT_DIR):
+ os.makedirs(args.OUTPUT_DIR)
+
+ main(args.OUTPUT_DIR, args.INTERVAL, args.total)
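Review bot: The stop condition `i == total` in `main` never fires for `-total 0` or a negative value, because `i` is already 1 at the first comparison, so the capture loop runs until the process is killed. `if total is not None and i >= total:` fixes that, as would rejecting non-positive values when parsing arguments. The file name is built with `os.path.join(output_dir, "screenshot_{}.png").format(i)`, which formats the whole joined path, so an output directory containing `{` or `}` raises or is rewritten; `os.path.join(output_dir, "screenshot_{}.png".format(i))` formats only the file name. Numbering restarts at 1 on every run, so a second run into the same directory silently overwrites earlier captures, which matters if the images are kept as evidence. `freeze_support` is imported but not used in this file.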
diff --git a/Chapter02/utility/__init__.py b/Chapter02/utility/__init__.py
new file mode 100644
index 0000000..51f36ed
--- /dev/null
+++ b/Chapter02/utility/__init__.py
@@ -0,0 +1 @@
+import utilcsv
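Review bot: `import utilcsv` is an implicit relative import, which resolves only on Python 2. On Python 3, importing the `utility` package fails unless `Chapter02/utility` itself is on `sys.path`. utilcsv.py in this same commit branches on `sys.version_info` for Python 3, so the package looks intended to run there; `from . import utilcsv` works on both versions.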
diff --git a/Chapter02/utility/utilcsv.py b/Chapter02/utility/utilcsv.py
new file mode 100644
index 0000000..11316cd
--- /dev/null
+++ b/Chapter02/utility/utilcsv.py
@@ -0,0 +1,81 @@
+from __future__ import print_function
+import csv
+import os
+import sys
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+
+def csv_writer(data, header, output_directory, name=None):
+ if name is None:
+ name = "output.csv"
+
+ if sys.version_info < (3, 0):
+ with open(os.path.join(output_directory, name), "wb") as csvfile:
+ writer = csv.writer(csvfile)
+ writer.writerow(header)
+
+ writer.writerows(data)
+ else:
+ with open(os.path.join(output_directory, name), "w", newline="") as csvfile:
+ writer = csv.writer(csvfile)
+ writer.writerow(header)
+
+ writer.writerows(data)
+
+
+def csv_reader(f_path):
+ if sys.version_info < (3, 0):
+ with open(f_path, "rb") as csvfile:
+ reader = csv.reader(csvfile)
+
+ return list(reader)
+ else:
+ with open(f_path, newline="") as csvfile:
+ reader = csv.reader(csvfile)
+
+ return list(reader)
+
+
+def unicode_csv_dict_writer(data, header, output_directory, name=None):
+ try:
+ import unicodecsv
+ except ImportError:
+ print("[+] Install unicodecsv module before executing this function")
+ sys.exit(1)
+
+ if name is None:
+ name = "output.csv"
+
+ print("[+] Writing {} to {}".format(name, output_directory))
+ with open(os.path.join(output_directory, name), "wb") as csvfile:
+ writer = unicodecsv.DictWriter(csvfile, fieldnames=header)
+ writer.writeheader()
+
+ writer.writerows(data)
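Review bot: None of the three helpers has a docstring, and all of them write cell values verbatim. If the rows come from evidence (file names, event-log fields), which seems likely for this cookbook but is not visible here, a cell beginning with `=`, `+`, `-` or `@` is evaluated as a formula when the report is opened in a spreadsheet. I would add a docstring to `csv_writer` and `unicode_csv_dict_writer` stating that values are written unescaped and that the output should be treated as untrusted when opened in a spreadsheet application. `unicode_csv_dict_writer` also calls `sys.exit(1)` from inside a library helper and prints the failure with the `[+]` prefix; raising the `ImportError` to the caller and using `[-]` would match the other scripts in this commit.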
diff --git a/Chapter02/xlsx_writer.py b/Chapter02/xlsx_writer.py
new file mode 100644
index 0000000..b40b39b
--- /dev/null
+++ b/Chapter02/xlsx_writer.py
@@ -0,0 +1,134 @@
+from __future__ import print_function
+import argparse
+from collections import Counter
+from datetime import datetime
+import os
+import sys
+from utility import utilcsv
+
+try:
+ import xlsxwriter
+except ImportError:
+ print("[-] Install required third-party module xlsxwriter")
+ sys.exit(1)
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Create charts in XLSX files"
+
+
+def main(output_directory):
+ print("[+] Reading in sample data set")
+ # Skip first row of headers
+ data = utilcsv.csv_reader("redacted_sample_event_log.csv")[1:]
+ xlsx_writer(data, output_directory)
+
+
+def xlsx_writer(data, output_directory):
+ print("[+] Writing output.xlsx file to {}".format(output_directory))
+ workbook = xlsxwriter.Workbook(
+ os.path.join(output_directory, "output.xlsx"))
+ dashboard = workbook.add_worksheet("Dashboard")
+ data_sheet = workbook.add_worksheet("Data")
+
+ title_format = workbook.add_format({
+ 'bold': True, 'font_color': 'white', 'bg_color': 'black',
+ 'font_size': 30, 'font_name': 'Calibri', 'align': 'center'
+ })
+ date_format = workbook.add_format(
+ {'num_format': 'mm/dd/yy hh:mm:ss AM/PM'})
+
+ # Write CSV data to Data worksheet
+ for i, record in enumerate(data):
+ data_sheet.write_number(i, 0, int(record[0]))
+ data_sheet.write(i, 1, record[1])
+ data_sheet.write(i, 2, record[2])
+ dt = datetime.strptime(record[3], "%m/%d/%Y %H:%M:%S %p")
+ data_sheet.write_datetime(i, 3, dt, date_format)
+ data_sheet.write_number(i, 4, int(record[4]))
+ data_sheet.write(i, 5, record[5])
+ data_sheet.write_number(i, 6, int(record[6]))
+ data_sheet.write(i, 7, record[7])
+
+ data_length = len(data) + 1
+ data_sheet.add_table(
+ "A1:H{}".format(data_length),
+ {"columns": [
+ {"header": "Index"},
+ {"header": "File Name"},
+ {"header": "Computer Name"},
+ {"header": "Written Date"},
+ {"header": "Event Level"},
+ {"header": "Event Source"},
+ {"header": "Event ID"},
+ {"header": "File Path"}
+ ]}
+ )
+
+ event_ids = Counter([x[6] for x in data])
+ dashboard.merge_range('A1:Q1', 'Event Log Dashboard', title_format)
+ for i, record in enumerate(event_ids):
+ dashboard.write(100 + i, 0, record)
+ dashboard.write(100 + i, 1, event_ids[record])
+
+ dashboard.add_table("A100:B{}".format(
+ 100 + len(event_ids)),
+ {"columns": [{"header": "Event ID"}, {"header": "Occurrence"}]}
+ )
+
+ event_chart = workbook.add_chart({'type': 'bar'})
+ event_chart.set_title({'name': 'Event ID Breakdown'})
+ event_chart.set_size({'x_scale': 2, 'y_scale': 5})
+
+ event_chart.add_series(
+ {'categories': '=Dashboard!$A$101:$A${}'.format(
+ 100 + len(event_ids)),
+ 'values': '=Dashboard!$B$101:$B${}'.format(
+ 100 + len(event_ids))})
+ dashboard.insert_chart('C5', event_chart)
+
+ workbook.close()
+
+
+if __name__ == "__main__":
+ # Command-line Argument Parser
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("OUTPUT_DIR", help="Desired Output Path")
+ args = parser.parse_args()
+
+ if not os.path.exists(args.OUTPUT_DIR):
+ os.makedirs(args.OUTPUT_DIR)
+
+ main(args.OUTPUT_DIR)
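Review bot: The timestamp format `"%m/%d/%Y %H:%M:%S %p"` in `xlsx_writer` pairs `%H` with `%p`, but `strptime` applies the AM/PM marker only when the hour is parsed with `%I`. A value such as `05:56:21 PM` is therefore stored as 05:56:21 in the morning, and every PM event lands twelve hours early in the worksheet. Use `dt = datetime.strptime(record[3], "%m/%d/%Y %I:%M:%S %p")`. Separately, the records are written starting at row 0 while `add_table("A1:H{}")` places its header in that same row, so the first record appears to be overwritten by the header; writing at `i + 1` would match `data_length = len(data) + 1`.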
diff --git a/Chapter03/iBackup.py b/Chapter03/iBackup.py
new file mode 100644
index 0000000..a9ca747
--- /dev/null
+++ b/Chapter03/iBackup.py
@@ -0,0 +1,199 @@
+from __future__ import print_function
+import argparse
+import logging
+import os
+from shutil import copyfile
+import sqlite3
+import sys
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "iOS 10 Backup Parser"
+
+logger = logging.getLogger(__name__)
+
+
+def main(in_dir, out_dir):
+ backups = backup_summary(in_dir)
+
+ print("Backup Summary")
+ print("=" * 20)
+ if len(backups) > 0:
+ for i, b in enumerate(backups):
+ print("Backup No.: {} \n"
+ "Backup Dev. Name: {} \n"
+ "# Files: {} \n"
+ "Backup Size (Bytes): {}\n".format(
+ i, b, backups[b][1], backups[b][2])
+ )
+ try:
+ db_items = process_manifest(backups[b][0])
+ except IOError:
+ logger.warn("Non-iOS 10 backup encountered or "
+ "invalid backup. Continuing to next backup.")
+ continue
+
+ create_files(in_dir, out_dir, b, db_items)
+ print("=" * 20)
+
+ else:
+ logger.warning(
+ "No valid backups found. The input directory should be "
+ "the parent-directory immediately above the SHA-1 hash "
+ "iOS device backups")
+ sys.exit(2)
+
+
+def backup_summary(in_dir):
+ logger.info("Identifying all iOS backups in {}".format(in_dir))
+ root = os.listdir(in_dir)
+ backups = {}
+ for x in root:
+ temp_dir = os.path.join(in_dir, x)
+ if os.path.isdir(temp_dir) and len(x) == 40:
+ num_files = 0
+ size = 0
+
+ for root, subdir, files in os.walk(temp_dir):
+ num_files += len(files)
+ size += sum(os.path.getsize(os.path.join(root, name))
+ for name in files)
+
+ backups[x] = [temp_dir, num_files, size]
+
+ return backups
+
+
+def process_manifest(backup):
+ manifest = os.path.join(backup, "Manifest.db")
+
+ if not os.path.exists(manifest):
+ logger.error("Manifest DB not found in {}".format(manifest))
+ raise IOError
+
+ conn = sqlite3.connect(manifest)
+ c = conn.cursor()
+ items = {}
+ for row in c.execute("SELECT * from Files;"):
+ items[row[0]] = [row[2], row[1], row[3]]
+
+ return items
+
+
+def create_files(in_dir, out_dir, b, db_items):
+ msg = "Copying Files for backup {} to {}".format(
+ b, os.path.join(out_dir, b))
+ logger.info(msg)
+ files_not_found = 0
+ for x, key in enumerate(db_items):
+ if db_items[key][0] is None or db_items[key][0] == "":
+ continue
+
+ else:
+ dirpath = os.path.join(
+ out_dir, b, os.path.dirname(db_items[key][0]))
+ filepath = os.path.join(out_dir, b, db_items[key][0])
+ if not os.path.exists(dirpath):
+ os.makedirs(dirpath)
+
+ original_dir = b + "/" + key[0:2] + "/" + key
+ path = os.path.join(in_dir, original_dir)
+
+ if os.path.exists(filepath):
+ filepath = filepath + "_{}".format(x)
+ try:
+ copyfile(path, filepath)
+ except IOError:
+ logger.debug("File not found in backup: {}".format(path))
+ files_not_found += 1
+
+ if files_not_found > 0:
+ logger.warning("{} files listed in the Manifest.db not"
+ "found in backup".format(files_not_found))
+
+ copyfile(os.path.join(in_dir, b, "Info.plist"),
+ os.path.join(out_dir, b, "Info.plist"))
+ copyfile(os.path.join(in_dir, b, "Manifest.db"),
+ os.path.join(out_dir, b, "Manifest.db"))
+ copyfile(os.path.join(in_dir, b, "Manifest.plist"),
+ os.path.join(out_dir, b, "Manifest.plist"))
+ copyfile(os.path.join(in_dir, b, "Status.plist"),
+ os.path.join(out_dir, b, "Status.plist"))
+
+
+if __name__ == "__main__":
+ # Command-line Argument Parser
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument(
+ "INPUT_DIR",
+ help="Location of folder containing iOS backups, "
+ "e.g. ~\Library\Application Support\MobileSync\Backup folder"
+ )
+ parser.add_argument("OUTPUT_DIR", help="Output Directory")
+ parser.add_argument("-l", help="Log file path",
+ default=__file__[:-2] + "log")
+ parser.add_argument("-v", help="Increase verbosity",
+ action="store_true")
+ args = parser.parse_args()
+
+ if args.v:
+ logger.setLevel(logging.DEBUG)
+ else:
+ logger.setLevel(logging.INFO)
+
+ msg_fmt = logging.Formatter("%(asctime)-15s %(funcName)-13s"
+ "%(levelname)-8s %(message)s")
+ strhndl = logging.StreamHandler(sys.stderr)
+ strhndl.setFormatter(fmt=msg_fmt)
+ fhndl = logging.FileHandler(args.l, mode='a')
+ fhndl.setFormatter(fmt=msg_fmt)
+
+ logger.addHandler(strhndl)
+ logger.addHandler(fhndl)
+
+ logger.info("Starting iBackup Visualizer")
+ logger.debug("Supplied arguments: {}".format(" ".join(sys.argv[1:])))
+ logger.debug("System: " + sys.platform)
+ logger.debug("Python Version: " + sys.version)
+
+ if not os.path.exists(args.OUTPUT_DIR):
+ os.makedirs(args.OUTPUT_DIR)
+
+ if os.path.exists(args.INPUT_DIR) and os.path.isdir(args.INPUT_DIR):
+ main(args.INPUT_DIR, args.OUTPUT_DIR)
+ else:
+ logger.error("Supplied input directory does not exist or is not "
+ "a directory")
+ sys.exit(1)
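Review bot: `create_files` joins `db_items[key][0]`, a path read from the backup's Manifest.db, onto `out_dir` without checking where the result lands. A manifest row holding an absolute path or `..` segments would make `os.makedirs` and `copyfile` write outside the output directory. The manifest is evidence and should be treated as untrusted, so the destination should be resolved and confirmed to stay under `os.path.join(out_dir, b)` before anything is created. `process_manifest` also never closes the SQLite connection. The warning string `"... Manifest.db not" "found in backup"` is missing a space between its two halves.

```python
# … unchanged: skip entries with an empty relative path …
            base = os.path.realpath(os.path.join(out_dir, b))
            filepath = os.path.realpath(
                os.path.join(base, db_items[key][0]))
            if not filepath.startswith(base + os.sep):
                logger.warning(
                    "Skipping manifest path outside output directory: "
                    "{}".format(db_items[key][0]))
                continue
            dirpath = os.path.dirname(filepath)
# … unchanged: makedirs, source path construction and copyfile …
```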
diff --git a/Chapter03/plist_parser.py b/Chapter03/plist_parser.py
new file mode 100644
index 0000000..ac47d91
--- /dev/null
+++ b/Chapter03/plist_parser.py
@@ -0,0 +1,71 @@
+from __future__ import print_function
+import argparse
+import biplist
+import os
+import sys
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Property List Parser"
+
+
+def main(plist):
+ print("[+] Opening {} file".format(plist))
+ try:
+ plist_data = biplist.readPlist(plist)
+ except (biplist.InvalidPlistException,
+ biplist.NotBinaryPlistException) as e:
+ print("[-] Invalid PLIST file - unable to be opened by biplist")
+ sys.exit(2)
+
+ print("[+] Printing Info.plist Device "
+ "and User Information to Console\n")
+ for k in plist_data:
+ if k != 'Applications' and k != 'iTunes Files':
+ print("{:<25s} - {}".format(k, plist_data[k]))
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("PLIST_FILE", help="Input PList File")
+ args = parser.parse_args()
+
+ if not os.path.exists(args.PLIST_FILE) or \
+ not os.path.isfile(args.PLIST_FILE):
+ print("[-] {} does not exist or is not a file".format(
+ args.PLIST_FILE))
+ sys.exit(1)
+
+ main(args.PLIST_FILE)
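Review bot: In `main`, the `except` clause binds the biplist error as `e` but never uses it, so the examiner sees only a generic message and cannot tell why parsing failed. Include the reason in the output, e.g. `print("[-] Invalid PLIST file - unable to be opened by biplist: {}".format(e))`. The function also has no docstring; a one-line `"""Print the top-level plist keys, skipping the Applications and iTunes Files entries."""` would document the filter in the loop.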
diff --git a/Chapter03/sqlite_carver.py b/Chapter03/sqlite_carver.py
new file mode 100644
index 0000000..15c3ea0
--- /dev/null
+++ b/Chapter03/sqlite_carver.py
@@ -0,0 +1,200 @@
+from __future__ import print_function
+import argparse
+import binascii
+import csv
+from itertools import product
+import os
+import re
+import sqlite3
+import sys
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "SQLite carving utility"
+
+
+def main(database, table, out_csv, **kwargs):
+ print("[+] Attempting connection to {} database".format(database))
+ if not os.path.exists(database) or not os.path.isfile(database):
+ print("[-] Database does not exist or is not a file")
+ sys.exit(1)
+
+ # Connect to SQLite Database
+ conn = sqlite3.connect(database)
+ c = conn.cursor()
+
+ # Query Table for Primary Key
+ c.execute("pragma table_info({})".format(table))
+ table_data = c.fetchall()
+ if table_data == []:
+ print("[-] Check spelling of table name - '{}' did not return "
+ "any results".format(table))
+ sys.exit(2)
+
+ if "col" in kwargs:
+ gaps = find_gaps(c, table, kwargs["col"])
+
+ else:
+ # Add Primary Keys to List
+ potential_pks = []
+ for row in table_data:
+ if row[-1] == 1:
+ potential_pks.append(row[1])
+
+ if len(potential_pks) <= 0 or len(potential_pks) >= 2:
+ print("[-] None or multiple primary keys found -- please check "
+ "if there is a primary key or specify a specific key "
+ "using the --column argument")
+ sys.exit(3)
+
+ gaps = find_gaps(c, table, potential_pks[0])
+ conn.close()
+
+ print("[+] Carving for missing ROWIDs")
+ varints = varint_converter(list(gaps))
+ search_results = find_candidates(database, varints)
+ if search_results != []:
+ print("[+] Writing {} potential candidates to {}".format(
+ len(search_results), out_csv))
+ write_csv(out_csv, ["ROWID", "Search Term", "Offset"],
+ search_results)
+ else:
+ print("[-] No search results found for missing ROWIDs")
+
+
+def find_gaps(db_conn, table, pk):
+ print("[+] Identifying missing ROWIDs for {} column".format(pk))
+ try:
+ db_conn.execute("select {} from {}".format(pk, table))
+ except sqlite3.OperationalError:
+ print("[-] '{}' column does not exist -- "
+ "please check spelling".format(pk))
+ sys.exit(4)
+ results = db_conn.fetchall()
+ rowids = sorted([x[0] for x in results])
+ total_missing = rowids[-1] - len(rowids)
+
+ if total_missing == 0:
+ print("[*] No missing ROWIDs from {} column".format(pk))
+ sys.exit(0)
+ else:
+ print("[+] {} missing ROWID(s) from {} column".format(
+ total_missing, pk))
+
+ # Find Missing ROWIDs
+ gaps = set(range(rowids[0], rowids[-1] + 1)).difference(rowids)
+ return gaps
+
+
+def varint_converter(rows):
+ varints = {}
+ varint_combos = []
+ for i, row in enumerate(rows):
+ if row <= 127:
+ varints[hex(row)[2:]] = row
+
+ else:
+ combos = [x for x in range(0, 256)]
+ counter = 1
+ while True:
+ counter += 1
+ print("[+] Generating and finding all {} byte "
+ "varints..".format(counter))
+ varint_combos = list(product(combos, repeat=counter))
+ varint_combos = [x for x in varint_combos if x[0] >= 128]
+ for varint_combo in varint_combos:
+ varint = integer_converter(varint_combo)
+ if varint == row:
+ varints["".join([hex(v)[2:].zfill(2) for v in
+ varint_combo])] = row
+ i += 1
+ try:
+ row = rows[i]
+ except IndexError:
+ return varints
+
+
+def integer_converter(numbs):
+ binary = ""
+ for numb in numbs:
+ binary += bin(numb)[2:].zfill(8)[1:]
+ binvar = binary.lstrip("0")
+ if binvar != '':
+ return int(binvar, 2)
+ else:
+ return 0
+
+
+def find_candidates(database, varints):
+ results = []
+ candidate_a = "350055"
+ candidate_b = "360055"
+
+ with open(database, "rb") as infile:
+ hex_data = str(binascii.hexlify(infile.read()))
+ for varint in varints:
+ search_a = varint + candidate_a
+ search_b = varint + candidate_b
+
+ for result in re.finditer(search_a, hex_data):
+ results.append([varints[varint], search_a, result.start() / 2])
+
+ for result in re.finditer(search_b, hex_data):
+ results.append([varints[varint], search_b, result.start() / 2])
+
+ return results
+
+
+def write_csv(output, cols, msgs):
+ with open(output, "w", newline="") as csvfile:
+ csv_writer = csv.writer(csvfile)
+ csv_writer.writerow(cols)
+ csv_writer.writerows(msgs)
+
+
+if __name__ == "__main__":
+ # Command-line Argument Parser
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("SQLITE_DATABASE", help="Input SQLite database")
+ parser.add_argument("TABLE", help="Table to query from")
+ parser.add_argument("OUTPUT_CSV", help="Output CSV File")
+ parser.add_argument("--column", help="Optional column argument")
+ args = parser.parse_args()
+
+ if args.column is not None:
+ main(args.SQLITE_DATABASE, args.TABLE,
+ args.OUTPUT_CSV, col=args.column)
+ else:
+ main(args.SQLITE_DATABASE, args.TABLE, args.OUTPUT_CSV)
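Review bot: The offsets that `find_candidates` writes to the CSV look wrong under Python 3 (which `write_csv`'s `open(..., newline="")` requires): `str(binascii.hexlify(...))` yields the `b'...'` repr, so every match position is shifted by the two-character prefix, and `result.start() / 2` produces a float. Decoding the hex instead, `hex_data = binascii.hexlify(infile.read()).decode("ascii")`, and using `result.start() // 2` in both `results.append` calls gives integer byte offsets an examiner can seek to directly. Separately, `varint_converter` keys one-byte values with `hex(row)[2:]` without the `zfill(2)` used for longer varints, so ROWIDs below 16 are searched as a single nibble and may match across byte boundaries.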
diff --git a/Chapter03/sqlite_gaps.py b/Chapter03/sqlite_gaps.py
new file mode 100644
index 0000000..4982944
--- /dev/null
+++ b/Chapter03/sqlite_gaps.py
@@ -0,0 +1,116 @@
+from __future__ import print_function
+import argparse
+import os
+import sqlite3
+import sys
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "SQLite gap analysis utility"
+
+
+def main(database, table, **kwargs):
+ print("[+] Attempting connection to {} database".format(database))
+ if not os.path.exists(database) or not os.path.isfile(database):
+ print("[-] Database does not exist or is not a file")
+ sys.exit(1)
+
+ # Connect to SQLite Database
+ conn = sqlite3.connect(database)
+ c = conn.cursor()
+
+ # Query Table for Primary Key
+ c.execute("pragma table_info({})".format(table))
+ table_data = c.fetchall()
+ if table_data == []:
+ print("[-] Check spelling of table name - '{}' did not return "
+ "any results".format(table))
+ sys.exit(2)
+
+ if "col" in kwargs:
+ find_gaps(c, table, kwargs["col"])
+
+ else:
+ # Add Primary Keys to List
+ potential_pks = []
+ for row in table_data:
+ if row[-1] == 1:
+ potential_pks.append(row[1])
+
+ if len(potential_pks) != 1:
+ print("[-] None or multiple primary keys found -- please "
+ "check if there is a primary key or specify a specific "
+ "key using the --column argument")
+ sys.exit(3)
+
+ find_gaps(c, table, potential_pks[0])
+
+
+def find_gaps(db_conn, table, pk):
+ print("[+] Identifying missing ROWIDs for {} column".format(pk))
+ try:
+ db_conn.execute("select {} from {}".format(pk, table))
+ except sqlite3.OperationalError:
+ print("[-] '{}' column does not exist -- "
+ "please check spelling".format(pk))
+ sys.exit(4)
+ results = db_conn.fetchall()
+ rowids = sorted([x[0] for x in results])
+ total_missing = rowids[-1] - len(rowids)
+
+ if total_missing == 0:
+ print("[*] No missing ROWIDs from {} column".format(pk))
+ sys.exit(0)
+ else:
+ print("[+] {} missing ROWID(s) from {} column".format(
+ total_missing, pk))
+
+ # Find Missing ROWIDs
+ gaps = set(range(rowids[0], rowids[-1] + 1)).difference(rowids)
+ print("[*] Missing ROWIDS: {}".format(gaps))
+
+
+if __name__ == "__main__":
+ # Command-line Argument Parser
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("SQLITE_DATABASE", help="Input SQLite database")
+ parser.add_argument("TABLE", help="Table to query from")
+ parser.add_argument("--column", help="Optional column argument")
+ args = parser.parse_args()
+
+ if args.column is not None:
+ main(args.SQLITE_DATABASE, args.TABLE, col=args.column)
+ else:
+ main(args.SQLITE_DATABASE, args.TABLE)
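Review bot: `find_gaps` computes `total_missing = rowids[-1] - len(rowids)`, which counts from 1, while the gap set below it is built from `rowids[0]`, so the count and the printed set disagree whenever the lowest surviving ID is not 1. An empty table also raises IndexError on `rowids[-1]`. Guard with `if not rowids:` first, then build the set before the check and report `total_missing = len(gaps)` so both come from the same range. The copy of `find_gaps` in Chapter03/sqlite_carver.py has the same arithmetic. In both files `table` and `pk` are formatted straight into the `pragma` and `select` statements; double-quoting them as identifiers would keep names containing spaces or keywords from breaking the query.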
diff --git a/Chapter03/sqlite_sms.py b/Chapter03/sqlite_sms.py
new file mode 100644
index 0000000..cc398aa
--- /dev/null
+++ b/Chapter03/sqlite_sms.py
@@ -0,0 +1,85 @@
+from __future__ import print_function
+import argparse
+import csv
+import os
+import sqlite3
+import sys
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "SQLite SMS analysis utility"
+
+
+def main(database, out_csv):
+ print("[+] Attempting connection to {} database".format(database))
+ if not os.path.exists(database) or not os.path.isfile(database):
+ print("[-] Database does not exist or is not a file")
+ sys.exit(1)
+
+ # Connect to SQLite Database
+ conn = sqlite3.connect(database)
+ c = conn.cursor()
+
+ # Query DB for Column Names and Data of Message Table
+ c.execute("pragma table_info(message)")
+ table_data = c.fetchall()
+ columns = [x[1] for x in table_data]
+
+ c.execute("select * from message")
+ message_data = c.fetchall()
+
+ print("[+] Writing Message Content to {}".format(out_csv))
+ write_csv(out_csv, columns, message_data)
+
+
+def write_csv(output, cols, msgs):
+ with open(output, "w", newline="") as csvfile:
+ csv_writer = csv.writer(csvfile)
+ csv_writer.writerow(cols)
+ csv_writer.writerows(msgs)
+
+
+if __name__ == '__main__':
+ # Command-line Argument Parser
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("SQLITE_DATABASE", help="Input SQLite database")
+ parser.add_argument("OUTPUT_CSV", help="Output CSV File")
+ args = parser.parse_args()
+
+ directory = os.path.dirname(args.OUTPUT_CSV)
+ if directory != '' and not os.path.exists(directory):
+ os.makedirs(directory)
+
+ main(args.SQLITE_DATABASE, args.OUTPUT_CSV)
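Review bot: `main` opens the evidence database with `sqlite3.connect(database)`, which is a read-write handle; the same open appears in `main` in Chapter03/sqlite_carver.py and Chapter03/sqlite_gaps.py. For a forensic utility it is safer to open the file read-only through a URI, e.g. `conn = sqlite3.connect("file:{}?mode=ro".format(database), uri=True)` with the path URL-quoted, and to run it against a working copy of the evidence. The connection is also never closed here; a `conn.close()` after the second `fetchall()` would release the handle before the CSV is written.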
diff --git a/Chapter03/wifi_lookup.py b/Chapter03/wifi_lookup.py
new file mode 100644
index 0000000..faaf975
--- /dev/null
+++ b/Chapter03/wifi_lookup.py
@@ -0,0 +1,195 @@
+from __future__ import print_function
+import argparse
+import csv
+import os
+import sys
+import xml.etree.ElementTree as ET
+import requests
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Wifi MAC Address lookup utility"
+
+
+def main(in_file, out_csv, type, api_key):
+ if type == 'xml':
+ wifi = parse_xml(in_file)
+ else:
+ wifi = parse_txt(in_file)
+
+ query_wigle(wifi, out_csv, api_key)
+
+
+def parse_xml(xml_file):
+ wifi = {}
+ xmlns = "{http://pa.cellebrite.com/report/2.0}"
+ print("[+] Opening {} report".format(xml_file))
+ xml_tree = ET.parse(xml_file)
+ print("[+] Parsing report for all connected WiFi addresses")
+ root = xml_tree.getroot()
+ for child in root.iter():
+ if child.tag == xmlns + "model":
+ if child.get("type") == "Location":
+ for field in child.findall(xmlns + "field"):
+ if field.get("name") == "TimeStamp":
+ ts_value = field.find(xmlns + "value")
+ try:
+ ts = ts_value.text
+ except AttributeError:
+ continue
+ if field.get("name") == "Description":
+ value = field.find(xmlns + "value")
+ try:
+ value_text = value.text
+ except AttributeError:
+ continue
+ if "SSID" in value.text:
+ bssid, ssid = value.text.split("\t")
+ bssid = bssid[7:]
+ ssid = ssid[6:]
+ if bssid in wifi.keys():
+ wifi[bssid]["Timestamps"].append(ts)
+ wifi[bssid]["SSID"].append(ssid)
+ else:
+ wifi[bssid] = {
+ "Timestamps": [ts], "SSID": [ssid],
+ "Wigle": {}}
+ return wifi
+
+
+def parse_txt(txt_file):
+ wifi = {}
+ print("[+] Extracting MAC addresses from {}".format(txt_file))
+ with open(txt_file) as mac_file:
+ for line in mac_file:
+ wifi[line.strip()] = {"Timestamps": ["N/A"], "SSID": ["N/A"],
+ "Wigle": {}}
+ return wifi
+
+
+def query_mac_addr(mac_addr, api_key):
+ query_url = "https://api.wigle.net/api/v2/network/search?" \
+ "onlymine=false&freenet=false&paynet=false" \
+ "&netid={}".format(mac_addr)
+ req = requests.get(query_url, auth=(api_key[0], api_key[1]))
+ return req.json()
+
+
+def query_wigle(wifi_dictionary, out_csv, api_key):
+ print("[+] Querying Wigle.net through Python API for {} "
+ "APs".format(len(wifi_dictionary)))
+ for mac in wifi_dictionary:
+ wigle_results = query_mac_addr(mac, api_key)
+ try:
+ if wigle_results["resultCount"] == 0:
+ wifi_dictionary[mac]["Wigle"]["results"] = []
+ continue
+ else:
+ wifi_dictionary[mac]["Wigle"] = wigle_results
+ except KeyError:
+ if wigle_results["error"] == "too many queries today":
+ print("[-] Wigle daily query limit exceeded")
+ wifi_dictionary[mac]["Wigle"]["results"] = []
+ continue
+ else:
+ print("[-] Other error encountered for "
+ "address {}: {}".format(mac, wigle_results['error']))
+ wifi_dictionary[mac]["Wigle"]["results"] = []
+ continue
+ prep_output(out_csv, wifi_dictionary)
+
+
+def prep_output(output, data):
+ csv_data = {}
+ google_map = "https://www.google.com/maps/search/"
+ for x, mac in enumerate(data):
+ for y, ts in enumerate(data[mac]["Timestamps"]):
+ for z, result in enumerate(data[mac]["Wigle"]["results"]):
+ shortres = data[mac]["Wigle"]["results"][z]
+ g_map_url = "{}{},{}".format(
+ google_map, shortres["trilat"], shortres["trilong"])
+ csv_data["{}-{}-{}".format(x, y, z)] = {
+ **{
+ "BSSID": mac, "SSID": data[mac]["SSID"][y],
+ "Cellebrite Connection Time": ts,
+ "Google Map URL": g_map_url},
+ **shortres
+ }
+
+ write_csv(output, csv_data)
+
+
+def write_csv(output, data):
+ print("[+] Writing data to {}".format(output))
+ field_list = set()
+ for row in data:
+ for field in data[row]:
+ field_list.add(field)
+
+ with open(output, "w", newline="") as csvfile:
+ csv_writer = csv.DictWriter(csvfile, fieldnames=sorted(
+ field_list), extrasaction='ignore')
+ csv_writer.writeheader()
+ for csv_row in data:
+ csv_writer.writerow(data[csv_row])
+
+
+if __name__ == "__main__":
+ # Command-line Argument Parser
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__),
+ formatter_class=argparse.ArgumentDefaultsHelpFormatter
+ )
+ parser.add_argument("INPUT_FILE", help="INPUT FILE with MAC Addresses")
+ parser.add_argument("OUTPUT_CSV", help="Output CSV File")
+ parser.add_argument(
+ "-t", help="Input type: Cellebrite XML report or TXT file",
+ choices=('xml', 'txt'), default="xml")
+ parser.add_argument('--api', help="Path to API key file",
+ default=os.path.expanduser("~/.wigle_api"),
+ type=argparse.FileType('r'))
+ args = parser.parse_args()
+
+ if not os.path.exists(args.INPUT_FILE) or \
+ not os.path.isfile(args.INPUT_FILE):
+ print("[-] {} does not exist or is not a file".format(
+ args.INPUT_FILE))
+ sys.exit(1)
+
+ directory = os.path.dirname(args.OUTPUT_CSV)
+ if directory != '' and not os.path.exists(directory):
+ os.makedirs(directory)
+
+ api_key = args.api.readline().strip().split(":")
+
+ main(args.INPUT_FILE, args.OUTPUT_CSV, args.t, api_key)
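Review bot: `query_mac_addr` formats `mac_addr` straight into the query string and calls `requests.get` without a timeout. The value comes from the Cellebrite report or the text file, so a malformed entry containing `&` or `#` changes the request, and one stalled connection hangs the whole run. Passing the fields through `params=` lets requests encode them, and a `timeout` bounds each lookup; the rewritten function is below, with a constructed timeout value. `parse_txt` also keeps blank lines as keys, so an empty line in the input would cost a query.

```python
def query_mac_addr(mac_addr, api_key):
    query_url = "https://api.wigle.net/api/v2/network/search"
    query_params = {"onlymine": "false", "freenet": "false",
                    "paynet": "false", "netid": mac_addr}
    req = requests.get(query_url, params=query_params,
                       auth=(api_key[0], api_key[1]), timeout=30)
    # … unchanged: return req.json() …
```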
diff --git a/Chapter04/apple_genres.json b/Chapter04/apple_genres.json
new file mode 100644
index 0000000..85c83d0
--- /dev/null
+++ b/Chapter04/apple_genres.json
@@ -0,0 +1 @@
+{"2":"Music|Blues","3":"Music|Comedy","4":"Music|Children's Music","5":"Music|Classical","6":"Music|Country","7":"Music|Electronic","8":"Music|Holiday","9":"Music|Classical|Opera","10":"Music|Singer/Songwriter","11":"Music|Jazz","12":"Music|Latino","13":"Music|New Age","14":"Music|Pop","15":"Music|R&B/Soul","16":"Music|Soundtrack","17":"Music|Dance","18":"Music|Hip-Hop/Rap","19":"Music|World","20":"Music|Alternative","21":"Music|Rock","22":"Music|Christian & Gospel","23":"Music|Vocal","24":"Music|Reggae","25":"Music|Easy Listening","26":"Podcasts","27":"Music|J-Pop","28":"Music|Enka","29":"Music|Anime","30":"Music|Kayokyoku","31":"Music Videos","32":"TV Shows","33":"Movies","34":"Music","35":"iPod Games","36":"App Store","37":"Tones","38":"Books","39":"Mac App Store","40":"Textbooks","50":"Music|Fitness & Workout","51":"Music|Pop|K-Pop","52":"Music|Karaoke","53":"Music|Instrumental","74":"Audiobooks|News","75":"Audiobooks|Programs & Performances","1001":"Music|Alternative|College Rock","1002":"Music|Alternative|Goth Rock","1003":"Music|Alternative|Grunge","1004":"Music|Alternative|Indie Rock","1005":"Music|Alternative|New Wave","1006":"Music|Alternative|Punk","1007":"Music|Blues|Chicago Blues","1009":"Music|Blues|Classic Blues","1010":"Music|Blues|Contemporary Blues","1011":"Music|Blues|Country Blues","1012":"Music|Blues|Delta Blues","1013":"Music|Blues|Electric Blues","1014":"Music|Children's Music|Lullabies","1015":"Music|Children's Music|Sing-Along","1016":"Music|Children's Music|Stories","1017":"Music|Classical|Avant-Garde","1018":"Music|Classical|Baroque Era","1019":"Music|Classical|Chamber Music","1020":"Music|Classical|Chant","1021":"Music|Classical|Choral","1022":"Music|Classical|Classical Crossover","1023":"Music|Classical|Early Music","1024":"Music|Classical|Impressionist","1025":"Music|Classical|Medieval Era","1026":"Music|Classical|Minimalism","1027":"Music|Classical|Modern 
Era","1028":"Music|Classical|Opera","1029":"Music|Classical|Orchestral","1030":"Music|Classical|Renaissance","1031":"Music|Classical|Romantic Era","1032":"Music|Classical|Wedding Music","1033":"Music|Country|Alternative Country","1034":"Music|Country|Americana","1035":"Music|Country|Bluegrass","1036":"Music|Country|Contemporary Bluegrass","1037":"Music|Country|Contemporary Country","1038":"Music|Country|Country Gospel","1039":"Music|Country|Honky Tonk","1040":"Music|Country|Outlaw Country","1041":"Music|Country|Traditional Bluegrass","1042":"Music|Country|Traditional Country","1043":"Music|Country|Urban Cowboy","1044":"Music|Dance|Breakbeat","1045":"Music|Dance|Exercise","1046":"Music|Dance|Garage","1047":"Music|Dance|Hardcore","1048":"Music|Dance|House","1049":"Music|Dance|Jungle/Drum'n'bass","1050":"Music|Dance|Techno","1051":"Music|Dance|Trance","1052":"Music|Jazz|Big Band","1053":"Music|Jazz|Bop","1054":"Music|Easy Listening|Lounge","1055":"Music|Easy Listening|Swing","1056":"Music|Electronic|Ambient","1057":"Music|Electronic|Downtempo","1058":"Music|Electronic|Electronica","1060":"Music|Electronic|IDM/Experimental","1061":"Music|Electronic|Industrial","1062":"Music|Singer/Songwriter|Alternative Folk","1063":"Music|Singer/Songwriter|Contemporary Folk","1064":"Music|Singer/Songwriter|Contemporary Singer/Songwriter","1065":"Music|Singer/Songwriter|Folk-Rock","1066":"Music|Singer/Songwriter|New Acoustic","1067":"Music|Singer/Songwriter|Traditional Folk","1068":"Music|Hip-Hop/Rap|Alternative Rap","1069":"Music|Hip-Hop/Rap|Dirty South","1070":"Music|Hip-Hop/Rap|East Coast Rap","1071":"Music|Hip-Hop/Rap|Gangsta Rap","1072":"Music|Hip-Hop/Rap|Hardcore Rap","1073":"Music|Hip-Hop/Rap|Hip-Hop","1074":"Music|Hip-Hop/Rap|Latin Rap","1075":"Music|Hip-Hop/Rap|Old School Rap","1076":"Music|Hip-Hop/Rap|Rap","1077":"Music|Hip-Hop/Rap|Underground Rap","1078":"Music|Hip-Hop/Rap|West Coast 
Rap","1079":"Music|Holiday|Chanukah","1080":"Music|Holiday|Christmas","1081":"Music|Holiday|Christmas: Children's","1082":"Music|Holiday|Christmas: Classic","1083":"Music|Holiday|Christmas: Classical","1084":"Music|Holiday|Christmas: Jazz","1085":"Music|Holiday|Christmas: Modern","1086":"Music|Holiday|Christmas: Pop","1087":"Music|Holiday|Christmas: R&B","1088":"Music|Holiday|Christmas: Religious","1089":"Music|Holiday|Christmas: Rock","1090":"Music|Holiday|Easter","1091":"Music|Holiday|Halloween","1092":"Music|Holiday|Holiday: Other","1093":"Music|Holiday|Thanksgiving","1094":"Music|Christian & Gospel|CCM","1095":"Music|Christian & Gospel|Christian Metal","1096":"Music|Christian & Gospel|Christian Pop","1097":"Music|Christian & Gospel|Christian Rap","1098":"Music|Christian & Gospel|Christian Rock","1099":"Music|Christian & Gospel|Classic Christian","1100":"Music|Christian & Gospel|Contemporary Gospel","1101":"Music|Christian & Gospel|Gospel","1103":"Music|Christian & Gospel|Praise & Worship","1104":"Music|Christian & Gospel|Southern Gospel","1105":"Music|Christian & Gospel|Traditional Gospel","1106":"Music|Jazz|Avant-Garde Jazz","1107":"Music|Jazz|Contemporary Jazz","1108":"Music|Jazz|Crossover Jazz","1109":"Music|Jazz|Dixieland","1110":"Music|Jazz|Fusion","1111":"Music|Jazz|Latin Jazz","1112":"Music|Jazz|Mainstream Jazz","1113":"Music|Jazz|Ragtime","1114":"Music|Jazz|Smooth Jazz","1115":"Music|Latino|Latin Jazz","1116":"Music|Latino|Contemporary Latin","1117":"Music|Latino|Pop Latino","1118":"Music|Latino|Raices","1119":"Music|Latino|Latin Urban","1120":"Music|Latino|Baladas y Boleros","1121":"Music|Latino|Rock y Alternativo","1122":"Music|Brazilian","1123":"Music|Latino|Musica Mexicana","1124":"Music|Latino|Salsa y Tropical","1125":"Music|New Age|Environmental","1126":"Music|New Age|Healing","1127":"Music|New Age|Meditation","1128":"Music|New Age|Nature","1129":"Music|New Age|Relaxation","1130":"Music|New Age|Travel","1131":"Music|Pop|Adult 
Contemporary","1132":"Music|Pop|Britpop","1133":"Music|Pop|Pop/Rock","1134":"Music|Pop|Soft Rock","1135":"Music|Pop|Teen Pop","1136":"Music|R&B/Soul|Contemporary R&B","1137":"Music|R&B/Soul|Disco","1138":"Music|R&B/Soul|Doo Wop","1139":"Music|R&B/Soul|Funk","1140":"Music|R&B/Soul|Motown","1141":"Music|R&B/Soul|Neo-Soul","1142":"Music|R&B/Soul|Quiet Storm","1143":"Music|R&B/Soul|Soul","1144":"Music|Rock|Adult Alternative","1145":"Music|Rock|American Trad Rock","1146":"Music|Rock|Arena Rock","1147":"Music|Rock|Blues-Rock","1148":"Music|Rock|British Invasion","1149":"Music|Rock|Death Metal/Black Metal","1150":"Music|Rock|Glam Rock","1151":"Music|Rock|Hair Metal","1152":"Music|Rock|Hard Rock","1153":"Music|Rock|Metal","1154":"Music|Rock|Jam Bands","1155":"Music|Rock|Prog-Rock/Art Rock","1156":"Music|Rock|Psychedelic","1157":"Music|Rock|Rock & Roll","1158":"Music|Rock|Rockabilly","1159":"Music|Rock|Roots Rock","1160":"Music|Rock|Singer/Songwriter","1161":"Music|Rock|Southern Rock","1162":"Music|Rock|Surf","1163":"Music|Rock|Tex-Mex","1165":"Music|Soundtrack|Foreign Cinema","1166":"Music|Soundtrack|Musicals","1167":"Music|Comedy|Novelty","1168":"Music|Soundtrack|Original Score","1169":"Music|Soundtrack|Soundtrack","1171":"Music|Comedy|Standup Comedy","1172":"Music|Soundtrack|TV Soundtrack","1173":"Music|Vocal|Standards","1174":"Music|Vocal|Traditional Pop","1175":"Music|Jazz|Vocal Jazz","1176":"Music|Vocal|Vocal Pop","1177":"Music|World|Afro-Beat","1178":"Music|World|Afro-Pop","1179":"Music|World|Cajun","1180":"Music|World|Celtic","1181":"Music|World|Celtic Folk","1182":"Music|World|Contemporary Celtic","1183":"Music|Reggae|Modern Dancehall","1184":"Music|World|Drinking Songs","1185":"Music|Indian|Indian Pop","1186":"Music|World|Japanese Pop","1187":"Music|World|Klezmer","1188":"Music|World|Polka","1189":"Music|World|Traditional Celtic","1190":"Music|World|Worldbeat","1191":"Music|World|Zydeco","1192":"Music|Reggae|Roots 
Reggae","1193":"Music|Reggae|Dub","1194":"Music|Reggae|Ska","1195":"Music|World|Caribbean","1196":"Music|World|South America","1197":"Music|Arabic","1198":"Music|World|North America","1199":"Music|World|Hawaii","1200":"Music|World|Australia","1201":"Music|World|Japan","1202":"Music|World|France","1203":"Music|World|Africa","1204":"Music|World|Asia","1205":"Music|World|Europe","1206":"Music|World|South Africa","1207":"Music|Jazz|Hard Bop","1208":"Music|Jazz|Trad Jazz","1209":"Music|Jazz|Cool Jazz","1210":"Music|Blues|Acoustic Blues","1211":"Music|Classical|High Classical","1220":"Music|Brazilian|Axe","1221":"Music|Brazilian|Bossa Nova","1222":"Music|Brazilian|Choro","1223":"Music|Brazilian|Forro","1224":"Music|Brazilian|Frevo","1225":"Music|Brazilian|MPB","1226":"Music|Brazilian|Pagode","1227":"Music|Brazilian|Samba","1228":"Music|Brazilian|Sertanejo","1229":"Music|Brazilian|Baile Funk","1230":"Music|Alternative|Chinese Alt","1231":"Music|Alternative|Korean Indie","1232":"Music|Chinese","1233":"Music|Chinese|Chinese Classical","1234":"Music|Chinese|Chinese Flute","1235":"Music|Chinese|Chinese Opera","1236":"Music|Chinese|Chinese Orchestral","1237":"Music|Chinese|Chinese Regional Folk","1238":"Music|Chinese|Chinese Strings","1239":"Music|Chinese|Taiwanese Folk","1240":"Music|Chinese|Tibetan Native Music","1241":"Music|Hip-Hop/Rap|Chinese Hip-Hop","1242":"Music|Hip-Hop/Rap|Korean Hip-Hop","1243":"Music|Korean","1244":"Music|Korean|Korean Classical","1245":"Music|Korean|Korean Trad Song","1246":"Music|Korean|Korean Trad Instrumental","1247":"Music|Korean|Korean Trad Theater","1248":"Music|Rock|Chinese Rock","1249":"Music|Rock|Korean Rock","1250":"Music|Pop|C-Pop","1251":"Music|Pop|Cantopop/HK-Pop","1252":"Music|Pop|Korean Folk-Pop","1253":"Music|Pop|Mandopop","1254":"Music|Pop|Tai-Pop","1255":"Music|Pop|Malaysian Pop","1256":"Music|Pop|Pinoy Pop","1257":"Music|Pop|Original Pilipino Music","1258":"Music|Pop|Manilla Sound","1259":"Music|Pop|Indo 
Pop","1260":"Music|Pop|Thai Pop","1261":"Music|Vocal|Trot","1262":"Music|Indian","1263":"Music|Indian|Bollywood","1264":"Music|Indian|Tamil","1265":"Music|Indian|Telugu","1266":"Music|Indian|Regional Indian","1267":"Music|Indian|Devotional & Spiritual","1268":"Music|Indian|Sufi","1269":"Music|Indian|Indian Classical","1270":"Music|World|Russian Chanson","1271":"Music|World|Dini","1272":"Music|World|Halk","1273":"Music|World|Sanat","1274":"Music|World|Dangdut","1275":"Music|World|Indonesian Religious","1276":"Music|World|Calypso","1277":"Music|World|Soca","1278":"Music|Indian|Ghazals","1279":"Music|Indian|Indian Folk","1280":"Music|World|Arabesque","1281":"Music|World|Afrikaans","1282":"Music|World|Farsi","1283":"Music|World|Israeli","1284":"Music|Arabic|Khaleeji","1285":"Music|Arabic|North African","1286":"Music|Arabic|Arabic Pop","1287":"Music|Arabic|Islamic","1288":"Music|Soundtrack|Sound Effects","1289":"Music|Folk","1290":"Music|Orchestral","1291":"Music|Marching","1293":"Music|Pop|Oldies","1294":"Music|Country|Thai Country","1295":"Music|World|Flamenco","1296":"Music|World|Tango","1297":"Music|World|Fado","1298":"Music|World|Iberia","1299":"Music|World|Russian","1300":"Music|World|Turkish","1301":"Podcasts|Arts","1302":"Podcasts|Society & Culture|Personal Journals","1303":"Podcasts|Comedy","1304":"Podcasts|Education","1305":"Podcasts|Kids & Family","1306":"Podcasts|Arts|Food","1307":"Podcasts|Health","1309":"Podcasts|TV & Film","1310":"Podcasts|Music","1311":"Podcasts|News & Politics","1314":"Podcasts|Religion & Spirituality","1315":"Podcasts|Science & Medicine","1316":"Podcasts|Sports & Recreation","1318":"Podcasts|Technology","1320":"Podcasts|Society & Culture|Places & Travel","1321":"Podcasts|Business","1323":"Podcasts|Games & Hobbies","1324":"Podcasts|Society & Culture","1325":"Podcasts|Government & Organizations","1337":"Music Videos|Classical|Piano","1401":"Podcasts|Arts|Literature","1402":"Podcasts|Arts|Design","1404":"Podcasts|Games & Hobbies|Video 
Games","1405":"Podcasts|Arts|Performing Arts","1406":"Podcasts|Arts|Visual Arts","1410":"Podcasts|Business|Careers","1412":"Podcasts|Business|Investing","1413":"Podcasts|Business|Management & Marketing","1415":"Podcasts|Education|K-12","1416":"Podcasts|Education|Higher Education","1417":"Podcasts|Health|Fitness & Nutrition","1420":"Podcasts|Health|Self-Help","1421":"Podcasts|Health|Sexuality","1438":"Podcasts|Religion & Spirituality|Buddhism","1439":"Podcasts|Religion & Spirituality|Christianity","1440":"Podcasts|Religion & Spirituality|Islam","1441":"Podcasts|Religion & Spirituality|Judaism","1443":"Podcasts|Society & Culture|Philosophy","1444":"Podcasts|Religion & Spirituality|Spirituality","1446":"Podcasts|Technology|Gadgets","1448":"Podcasts|Technology|Tech News","1450":"Podcasts|Technology|Podcasting","1454":"Podcasts|Games & Hobbies|Automotive","1455":"Podcasts|Games & Hobbies|Aviation","1456":"Podcasts|Sports & Recreation|Outdoor","1459":"Podcasts|Arts|Fashion & Beauty","1460":"Podcasts|Games & Hobbies|Hobbies","1461":"Podcasts|Games & Hobbies|Other Games","1462":"Podcasts|Society & Culture|History","1463":"Podcasts|Religion & Spirituality|Hinduism","1464":"Podcasts|Religion & Spirituality|Other","1465":"Podcasts|Sports & Recreation|Professional","1466":"Podcasts|Sports & Recreation|College & High School","1467":"Podcasts|Sports & Recreation|Amateur","1468":"Podcasts|Education|Educational Technology","1469":"Podcasts|Education|Language Courses","1470":"Podcasts|Education|Training","1471":"Podcasts|Business|Business News","1472":"Podcasts|Business|Shopping","1473":"Podcasts|Government & Organizations|National","1474":"Podcasts|Government & Organizations|Regional","1475":"Podcasts|Government & Organizations|Local","1476":"Podcasts|Government & Organizations|Non-Profit","1477":"Podcasts|Science & Medicine|Natural Sciences","1478":"Podcasts|Science & Medicine|Medicine","1479":"Podcasts|Science & Medicine|Social Sciences","1480":"Podcasts|Technology|Software 
How-To","1481":"Podcasts|Health|Alternative Health","1602":"Music Videos|Blues","1603":"Music Videos|Comedy","1604":"Music Videos|Children's Music","1605":"Music Videos|Classical","1606":"Music Videos|Country","1607":"Music Videos|Electronic","1608":"Music Videos|Holiday","1609":"Music Videos|Classical|Opera","1610":"Music Videos|Singer/Songwriter","1611":"Music Videos|Jazz","1612":"Music Videos|Latin","1613":"Music Videos|New Age","1614":"Music Videos|Pop","1615":"Music Videos|R&B/Soul","1616":"Music Videos|Soundtrack","1617":"Music Videos|Dance","1618":"Music Videos|Hip-Hop/Rap","1619":"Music Videos|World","1620":"Music Videos|Alternative","1621":"Music Videos|Rock","1622":"Music Videos|Christian & Gospel","1623":"Music Videos|Vocal","1624":"Music Videos|Reggae","1625":"Music Videos|Easy Listening","1626":"Music Videos|Podcasts","1627":"Music Videos|J-Pop","1628":"Music Videos|Enka","1629":"Music Videos|Anime","1630":"Music Videos|Kayokyoku","1631":"Music Videos|Disney","1632":"Music Videos|French Pop","1633":"Music Videos|German Pop","1634":"Music Videos|German Folk","1635":"Music Videos|Alternative|Chinese Alt","1636":"Music Videos|Alternative|Korean Indie","1637":"Music Videos|Chinese","1638":"Music Videos|Chinese|Chinese Classical","1639":"Music Videos|Chinese|Chinese Flute","1640":"Music Videos|Chinese|Chinese Opera","1641":"Music Videos|Chinese|Chinese Orchestral","1642":"Music Videos|Chinese|Chinese Regional Folk","1643":"Music Videos|Chinese|Chinese Strings","1644":"Music Videos|Chinese|Taiwanese Folk","1645":"Music Videos|Chinese|Tibetan Native Music","1646":"Music Videos|Hip-Hop/Rap|Chinese Hip-Hop","1647":"Music Videos|Hip-Hop/Rap|Korean Hip-Hop","1648":"Music Videos|Korean","1649":"Music Videos|Korean|Korean Classical","1650":"Music Videos|Korean|Korean Trad Song","1651":"Music Videos|Korean|Korean Trad Instrumental","1652":"Music Videos|Korean|Korean Trad Theater","1653":"Music Videos|Rock|Chinese Rock","1654":"Music Videos|Rock|Korean 
Rock","1655":"Music Videos|Pop|C-Pop","1656":"Music Videos|Pop|Cantopop/HK-Pop","1657":"Music Videos|Pop|Korean Folk-Pop","1658":"Music Videos|Pop|Mandopop","1659":"Music Videos|Pop|Tai-Pop","1660":"Music Videos|Pop|Malaysian Pop","1661":"Music Videos|Pop|Pinoy Pop","1662":"Music Videos|Pop|Original Pilipino Music","1663":"Music Videos|Pop|Manilla Sound","1664":"Music Videos|Pop|Indo Pop","1665":"Music Videos|Pop|Thai Pop","1666":"Music Videos|Vocal|Trot","1671":"Music Videos|Brazilian","1672":"Music Videos|Brazilian|Axe","1673":"Music Videos|Brazilian|Baile Funk","1674":"Music Videos|Brazilian|Bossa Nova","1675":"Music Videos|Brazilian|Choro","1676":"Music Videos|Brazilian|Forro","1677":"Music Videos|Brazilian|Frevo","1678":"Music Videos|Brazilian|MPB","1679":"Music Videos|Brazilian|Pagode","1680":"Music Videos|Brazilian|Samba","1681":"Music Videos|Brazilian|Sertanejo","1682":"Music Videos|Classical|High Classical","1683":"Music Videos|Fitness & Workout","1684":"Music Videos|Instrumental","1685":"Music Videos|Jazz|Big Band","1686":"Music Videos|Pop|K-Pop","1687":"Music Videos|Karaoke","1688":"Music Videos|Rock|Heavy Metal","1689":"Music Videos|Spoken Word","1690":"Music Videos|Indian","1691":"Music Videos|Indian|Bollywood","1692":"Music Videos|Indian|Tamil","1693":"Music Videos|Indian|Telugu","1694":"Music Videos|Indian|Regional Indian","1695":"Music Videos|Indian|Devotional & Spiritual","1696":"Music Videos|Indian|Sufi","1697":"Music Videos|Indian|Indian Classical","1698":"Music Videos|World|Russian Chanson","1699":"Music Videos|World|Dini","1700":"Music Videos|World|Halk","1701":"Music Videos|World|Sanat","1702":"Music Videos|World|Dangdut","1703":"Music Videos|World|Indonesian Religious","1704":"Music Videos|Indian|Indian Pop","1705":"Music Videos|World|Calypso","1706":"Music Videos|World|Soca","1707":"Music Videos|Indian|Ghazals","1708":"Music Videos|Indian|Indian Folk","1709":"Music Videos|World|Arabesque","1710":"Music Videos|World|Afrikaans","1711":"Music 
Videos|World|Farsi","1712":"Music Videos|World|Israeli","1713":"Music Videos|Arabic","1714":"Music Videos|Arabic|Khaleeji","1715":"Music Videos|Arabic|North African","1716":"Music Videos|Arabic|Arabic Pop","1717":"Music Videos|Arabic|Islamic","1718":"Music Videos|Soundtrack|Sound Effects","1719":"Music Videos|Folk","1720":"Music Videos|Orchestral","1721":"Music Videos|Marching","1723":"Music Videos|Pop|Oldies","1724":"Music Videos|Country|Thai Country","1725":"Music Videos|World|Flamenco","1726":"Music Videos|World|Tango","1727":"Music Videos|World|Fado","1728":"Music Videos|World|Iberia","1729":"Music Videos|World|Russian","1730":"Music Videos|World|Turkish","1731":"Music Videos|Alternative|College Rock","1732":"Music Videos|Alternative|Goth Rock","1733":"Music Videos|Alternative|Grunge","1734":"Music Videos|Alternative|Indie Rock","1735":"Music Videos|Alternative|New Wave","1736":"Music Videos|Alternative|Punk","1737":"Music Videos|Blues|Acoustic Blues","1738":"Music Videos|Blues|Chicago Blues","1739":"Music Videos|Blues|Classic Blues","1740":"Music Videos|Blues|Contemporary Blues","1741":"Music Videos|Blues|Country Blues","1742":"Music Videos|Blues|Delta Blues","1743":"Music Videos|Blues|Electric Blues","1744":"Music Videos|Children's Music|Lullabies","1745":"Music Videos|Children's Music|Sing-Along","1746":"Music Videos|Children's Music|Stories","1747":"Music Videos|Christian & Gospel|CCM","1748":"Music Videos|Christian & Gospel|Christian Metal","1749":"Music Videos|Christian & Gospel|Christian Pop","1750":"Music Videos|Christian & Gospel|Christian Rap","1751":"Music Videos|Christian & Gospel|Christian Rock","1752":"Music Videos|Christian & Gospel|Classic Christian","1753":"Music Videos|Christian & Gospel|Contemporary Gospel","1754":"Music Videos|Christian & Gospel|Gospel","1755":"Music Videos|Christian & Gospel|Praise & Worship","1756":"Music Videos|Christian & Gospel|Southern Gospel","1757":"Music Videos|Christian & Gospel|Traditional Gospel","1758":"Music 
Videos|Classical|Avant-Garde","1759":"Music Videos|Classical|Baroque Era","1760":"Music Videos|Classical|Chamber Music","1761":"Music Videos|Classical|Chant","1762":"Music Videos|Classical|Choral","1763":"Music Videos|Classical|Classical Crossover","1764":"Music Videos|Classical|Early Music","1765":"Music Videos|Classical|Impressionist","1766":"Music Videos|Classical|Medieval Era","1767":"Music Videos|Classical|Minimalism","1768":"Music Videos|Classical|Modern Era","1769":"Music Videos|Classical|Orchestral","1770":"Music Videos|Classical|Renaissance","1771":"Music Videos|Classical|Romantic Era","1772":"Music Videos|Classical|Wedding Music","1773":"Music Videos|Comedy|Novelty","1774":"Music Videos|Comedy|Standup Comedy","1775":"Music Videos|Country|Alternative Country","1776":"Music Videos|Country|Americana","1777":"Music Videos|Country|Bluegrass","1778":"Music Videos|Country|Contemporary Bluegrass","1779":"Music Videos|Country|Contemporary Country","1780":"Music Videos|Country|Country Gospel","1781":"Music Videos|Country|Honky Tonk","1782":"Music Videos|Country|Outlaw Country","1783":"Music Videos|Country|Traditional Bluegrass","1784":"Music Videos|Country|Traditional Country","1785":"Music Videos|Country|Urban Cowboy","1786":"Music Videos|Dance|Breakbeat","1787":"Music Videos|Dance|Exercise","1788":"Music Videos|Dance|Garage","1789":"Music Videos|Dance|Hardcore","1790":"Music Videos|Dance|House","1791":"Music Videos|Dance|Jungle/Drum'n'bass","1792":"Music Videos|Dance|Techno","1793":"Music Videos|Dance|Trance","1794":"Music Videos|Easy Listening|Lounge","1795":"Music Videos|Easy Listening|Swing","1796":"Music Videos|Electronic|Ambient","1797":"Music Videos|Electronic|Downtempo","1798":"Music Videos|Electronic|Electronica","1799":"Music Videos|Electronic|IDM/Experimental","1800":"Music Videos|Electronic|Industrial","1801":"Music Videos|Hip-Hop/Rap|Alternative Rap","1802":"Music Videos|Hip-Hop/Rap|Dirty South","1803":"Music Videos|Hip-Hop/Rap|East Coast 
Rap","1804":"Music Videos|Hip-Hop/Rap|Gangsta Rap","1805":"Music Videos|Hip-Hop/Rap|Hardcore Rap","1806":"Music Videos|Hip-Hop/Rap|Hip-Hop","1807":"Music Videos|Hip-Hop/Rap|Latin Rap","1808":"Music Videos|Hip-Hop/Rap|Old School Rap","1809":"Music Videos|Hip-Hop/Rap|Rap","1810":"Music Videos|Hip-Hop/Rap|Underground Rap","1811":"Music Videos|Hip-Hop/Rap|West Coast Rap","1812":"Music Videos|Holiday|Chanukah","1813":"Music Videos|Holiday|Christmas","1814":"Music Videos|Holiday|Christmas: Children's","1815":"Music Videos|Holiday|Christmas: Classic","1816":"Music Videos|Holiday|Christmas: Classical","1817":"Music Videos|Holiday|Christmas: Jazz","1818":"Music Videos|Holiday|Christmas: Modern","1819":"Music Videos|Holiday|Christmas: Pop","1820":"Music Videos|Holiday|Christmas: R&B","1821":"Music Videos|Holiday|Christmas: Religious","1822":"Music Videos|Holiday|Christmas: Rock","1823":"Music Videos|Holiday|Easter","1824":"Music Videos|Holiday|Halloween","1825":"Music Videos|Holiday|Thanksgiving","1826":"Music Videos|Jazz|Avant-Garde Jazz","1828":"Music Videos|Jazz|Bop","1829":"Music Videos|Jazz|Contemporary Jazz","1830":"Music Videos|Jazz|Cool Jazz","1831":"Music Videos|Jazz|Crossover Jazz","1832":"Music Videos|Jazz|Dixieland","1833":"Music Videos|Jazz|Fusion","1834":"Music Videos|Jazz|Hard Bop","1835":"Music Videos|Jazz|Latin Jazz","1836":"Music Videos|Jazz|Mainstream Jazz","1837":"Music Videos|Jazz|Ragtime","1838":"Music Videos|Jazz|Smooth Jazz","1839":"Music Videos|Jazz|Trad Jazz","1840":"Music Videos|Latin|Alternative & Rock in Spanish","1841":"Music Videos|Latin|Baladas y Boleros","1842":"Music Videos|Latin|Contemporary Latin","1843":"Music Videos|Latin|Latin Jazz","1844":"Music Videos|Latin|Latin Urban","1845":"Music Videos|Latin|Pop in Spanish","1846":"Music Videos|Latin|Raices","1847":"Music Videos|Latin|Musica Mexicana","1848":"Music Videos|Latin|Salsa y Tropical","1849":"Music Videos|New Age|Healing","1850":"Music Videos|New Age|Meditation","1851":"Music 
Videos|New Age|Nature","1852":"Music Videos|New Age|Relaxation","1853":"Music Videos|New Age|Travel","1854":"Music Videos|Pop|Adult Contemporary","1855":"Music Videos|Pop|Britpop","1856":"Music Videos|Pop|Pop/Rock","1857":"Music Videos|Pop|Soft Rock","1858":"Music Videos|Pop|Teen Pop","1859":"Music Videos|R&B/Soul|Contemporary R&B","1860":"Music Videos|R&B/Soul|Disco","1861":"Music Videos|R&B/Soul|Doo Wop","1862":"Music Videos|R&B/Soul|Funk","1863":"Music Videos|R&B/Soul|Motown","1864":"Music Videos|R&B/Soul|Neo-Soul","1865":"Music Videos|R&B/Soul|Soul","1866":"Music Videos|Reggae|Modern Dancehall","1867":"Music Videos|Reggae|Dub","1868":"Music Videos|Reggae|Roots Reggae","1869":"Music Videos|Reggae|Ska","1870":"Music Videos|Rock|Adult Alternative","1871":"Music Videos|Rock|American Trad Rock","1872":"Music Videos|Rock|Arena Rock","1873":"Music Videos|Rock|Blues-Rock","1874":"Music Videos|Rock|British Invasion","1875":"Music Videos|Rock|Death Metal/Black Metal","1876":"Music Videos|Rock|Glam Rock","1877":"Music Videos|Rock|Hair Metal","1878":"Music Videos|Rock|Hard Rock","1879":"Music Videos|Rock|Jam Bands","1880":"Music Videos|Rock|Prog-Rock/Art Rock","1881":"Music Videos|Rock|Psychedelic","1882":"Music Videos|Rock|Rock & Roll","1883":"Music Videos|Rock|Rockabilly","1884":"Music Videos|Rock|Roots Rock","1885":"Music Videos|Rock|Singer/Songwriter","1886":"Music Videos|Rock|Southern Rock","1887":"Music Videos|Rock|Surf","1888":"Music Videos|Rock|Tex-Mex","1889":"Music Videos|Singer/Songwriter|Alternative Folk","1890":"Music Videos|Singer/Songwriter|Contemporary Folk","1891":"Music Videos|Singer/Songwriter|Contemporary Singer/Songwriter","1892":"Music Videos|Singer/Songwriter|Folk-Rock","1893":"Music Videos|Singer/Songwriter|New Acoustic","1894":"Music Videos|Singer/Songwriter|Traditional Folk","1895":"Music Videos|Soundtrack|Foreign Cinema","1896":"Music Videos|Soundtrack|Musicals","1897":"Music Videos|Soundtrack|Original Score","1898":"Music 
Videos|Soundtrack|Soundtrack","1899":"Music Videos|Soundtrack|TV Soundtrack","1900":"Music Videos|Vocal|Standards","1901":"Music Videos|Vocal|Traditional Pop","1902":"Music Videos|Jazz|Vocal Jazz","1903":"Music Videos|Vocal|Vocal Pop","1904":"Music Videos|World|Africa","1905":"Music Videos|World|Afro-Beat","1906":"Music Videos|World|Afro-Pop","1907":"Music Videos|World|Asia","1908":"Music Videos|World|Australia","1909":"Music Videos|World|Cajun","1910":"Music Videos|World|Caribbean","1911":"Music Videos|World|Celtic","1912":"Music Videos|World|Celtic Folk","1913":"Music Videos|World|Contemporary Celtic","1914":"Music Videos|World|Europe","1915":"Music Videos|World|France","1916":"Music Videos|World|Hawaii","1917":"Music Videos|World|Japan","1918":"Music Videos|World|Klezmer","1919":"Music Videos|World|North America","1920":"Music Videos|World|Polka","1921":"Music Videos|World|South Africa","1922":"Music Videos|World|South America","1923":"Music Videos|World|Traditional Celtic","1924":"Music Videos|World|Worldbeat","1925":"Music Videos|World|Zydeco","1926":"Music Videos|Christian & Gospel","1928":"Music Videos|Classical|Art Song","1929":"Music Videos|Classical|Brass & Woodwinds","1930":"Music Videos|Classical|Solo Instrumental","1931":"Music Videos|Classical|Contemporary Era","1932":"Music Videos|Classical|Oratorio","1933":"Music Videos|Classical|Cantata","1934":"Music Videos|Classical|Electronic","1935":"Music Videos|Classical|Sacred","1936":"Music Videos|Classical|Guitar","1938":"Music Videos|Classical|Violin","1939":"Music Videos|Classical|Cello","1940":"Music Videos|Classical|Percussion","1941":"Music Videos|Electronic|Dubstep","1942":"Music Videos|Electronic|Bass","1943":"Music Videos|Hip-Hop/Rap|UK Hip-Hop","1944":"Music Videos|Reggae|Lovers Rock","1945":"Music Videos|Alternative|EMO","1946":"Music Videos|Alternative|Pop Punk","1947":"Music Videos|Alternative|Indie Pop","1948":"Music Videos|New Age|Yoga","1949":"Music Videos|Pop|Tribute","1950":"Music 
Videos|Pop|Shows","4000":"TV Shows|Comedy","4001":"TV Shows|Drama","4002":"TV Shows|Animation","4003":"TV Shows|Action & Adventure","4004":"TV Shows|Classic","4005":"TV Shows|Kids","4006":"TV Shows|Nonfiction","4007":"TV Shows|Reality TV","4008":"TV Shows|Sci-Fi & Fantasy","4009":"TV Shows|Sports","4010":"TV Shows|Teens","4011":"TV Shows|Latino TV","4401":"Movies|Action & Adventure","4402":"Movies|Anime","4403":"Movies|Classics","4404":"Movies|Comedy","4405":"Movies|Documentary","4406":"Movies|Drama","4407":"Movies|Foreign","4408":"Movies|Horror","4409":"Movies|Independent","4410":"Movies|Kids & Family","4411":"Movies|Musicals","4412":"Movies|Romance","4413":"Movies|Sci-Fi & Fantasy","4414":"Movies|Short Films","4415":"Movies|Special Interest","4416":"Movies|Thriller","4417":"Movies|Sports","4418":"Movies|Western","4419":"Movies|Urban","4420":"Movies|Holiday","4421":"Movies|Made for TV","4422":"Movies|Concert Films","4423":"Movies|Music Documentaries","4424":"Movies|Music Feature Films","4425":"Movies|Japanese Cinema","4426":"Movies|Jidaigeki","4427":"Movies|Tokusatsu","4428":"Movies|Korean Cinema","4429":"Movies|Russian","4430":"Movies|Turkish","4431":"Movies|Bollywood","4432":"Movies|Regional Indian","4433":"Movies|Middle Eastern","4434":"Movies|African","6000":"App Store|Business","6001":"App Store|Weather","6002":"App Store|Utilities","6003":"App Store|Travel","6004":"App Store|Sports","6005":"App Store|Social Networking","6006":"App Store|Reference","6007":"App Store|Productivity","6008":"App Store|Photo & Video","6009":"App Store|News","6010":"App Store|Navigation","6011":"App Store|Music","6012":"App Store|Lifestyle","6013":"App Store|Health & Fitness","6014":"App Store|Games","6015":"App Store|Finance","6016":"App Store|Entertainment","6017":"App Store|Education","6018":"App Store|Books","6020":"App Store|Medical","6021":"App Store|Magazines & Newspapers","6022":"App Store|Catalogs","6023":"App Store|Food & Drink","6024":"App Store|Shopping","6025":"App 
Store|Stickers","7001":"App Store|Games|Action","7002":"App Store|Games|Adventure","7003":"App Store|Games|Arcade","7004":"App Store|Games|Board","7005":"App Store|Games|Card","7006":"App Store|Games|Casino","7007":"App Store|Games|Dice","7008":"App Store|Games|Educational","7009":"App Store|Games|Family","7011":"App Store|Games|Music","7012":"App Store|Games|Puzzle","7013":"App Store|Games|Racing","7014":"App Store|Games|Role Playing","7015":"App Store|Games|Simulation","7016":"App Store|Games|Sports","7017":"App Store|Games|Strategy","7018":"App Store|Games|Trivia","7019":"App Store|Games|Word","8001":"Tones|Ringtones|Alternative","8002":"Tones|Ringtones|Blues","8003":"Tones|Ringtones|Children's Music","8004":"Tones|Ringtones|Classical","8005":"Tones|Ringtones|Comedy","8006":"Tones|Ringtones|Country","8007":"Tones|Ringtones|Dance","8008":"Tones|Ringtones|Electronic","8009":"Tones|Ringtones|Enka","8010":"Tones|Ringtones|French Pop","8011":"Tones|Ringtones|German Folk","8012":"Tones|Ringtones|German Pop","8013":"Tones|Ringtones|Hip-Hop/Rap","8014":"Tones|Ringtones|Holiday","8015":"Tones|Ringtones|Inspirational","8016":"Tones|Ringtones|J-Pop","8017":"Tones|Ringtones|Jazz","8018":"Tones|Ringtones|Kayokyoku","8019":"Tones|Ringtones|Latin","8020":"Tones|Ringtones|New Age","8021":"Tones|Ringtones|Classical|Opera","8022":"Tones|Ringtones|Pop","8023":"Tones|Ringtones|R&B/Soul","8024":"Tones|Ringtones|Reggae","8025":"Tones|Ringtones|Rock","8026":"Tones|Ringtones|Singer/Songwriter","8027":"Tones|Ringtones|Soundtrack","8028":"Tones|Ringtones|Spoken Word","8029":"Tones|Ringtones|Vocal","8030":"Tones|Ringtones|World","8050":"Tones|Alert Tones|Sound Effects","8051":"Tones|Alert Tones|Dialogue","8052":"Tones|Alert Tones|Music","8053":"Tones|Ringtones","8054":"Tones|Alert Tones","8055":"Tones|Ringtones|Alternative|Chinese Alt","8056":"Tones|Ringtones|Alternative|College Rock","8057":"Tones|Ringtones|Alternative|Goth 
Rock","8058":"Tones|Ringtones|Alternative|Grunge","8059":"Tones|Ringtones|Alternative|Indie Rock","8060":"Tones|Ringtones|Alternative|Korean Indie","8061":"Tones|Ringtones|Alternative|New Wave","8062":"Tones|Ringtones|Alternative|Punk","8063":"Tones|Ringtones|Anime","8064":"Tones|Ringtones|Arabic","8065":"Tones|Ringtones|Arabic|Arabic Pop","8066":"Tones|Ringtones|Arabic|Islamic","8067":"Tones|Ringtones|Arabic|Khaleeji","8068":"Tones|Ringtones|Arabic|North African","8069":"Tones|Ringtones|Blues|Acoustic Blues","8070":"Tones|Ringtones|Blues|Chicago Blues","8071":"Tones|Ringtones|Blues|Classic Blues","8072":"Tones|Ringtones|Blues|Contemporary Blues","8073":"Tones|Ringtones|Blues|Country Blues","8074":"Tones|Ringtones|Blues|Delta Blues","8075":"Tones|Ringtones|Blues|Electric Blues","8076":"Tones|Ringtones|Brazilian","8077":"Tones|Ringtones|Brazilian|Axe","8078":"Tones|Ringtones|Brazilian|Baile Funk","8079":"Tones|Ringtones|Brazilian|Bossa Nova","8080":"Tones|Ringtones|Brazilian|Choro","8081":"Tones|Ringtones|Brazilian|Forro","8082":"Tones|Ringtones|Brazilian|Frevo","8083":"Tones|Ringtones|Brazilian|MPB","8084":"Tones|Ringtones|Brazilian|Pagode","8085":"Tones|Ringtones|Brazilian|Samba","8086":"Tones|Ringtones|Brazilian|Sertanejo","8087":"Tones|Ringtones|Children's Music|Lullabies","8088":"Tones|Ringtones|Children's Music|Sing-Along","8089":"Tones|Ringtones|Children's Music|Stories","8090":"Tones|Ringtones|Chinese","8091":"Tones|Ringtones|Chinese|Chinese Classical","8092":"Tones|Ringtones|Chinese|Chinese Flute","8093":"Tones|Ringtones|Chinese|Chinese Opera","8094":"Tones|Ringtones|Chinese|Chinese Orchestral","8095":"Tones|Ringtones|Chinese|Chinese Regional Folk","8096":"Tones|Ringtones|Chinese|Chinese Strings","8097":"Tones|Ringtones|Chinese|Taiwanese Folk","8098":"Tones|Ringtones|Chinese|Tibetan Native Music","8099":"Tones|Ringtones|Christian & Gospel","8100":"Tones|Ringtones|Christian & Gospel|CCM","8101":"Tones|Ringtones|Christian & Gospel|Christian 
Metal","8102":"Tones|Ringtones|Christian & Gospel|Christian Pop","8103":"Tones|Ringtones|Christian & Gospel|Christian Rap","8104":"Tones|Ringtones|Christian & Gospel|Christian Rock","8105":"Tones|Ringtones|Christian & Gospel|Classic Christian","8106":"Tones|Ringtones|Christian & Gospel|Contemporary Gospel","8107":"Tones|Ringtones|Christian & Gospel|Gospel","8108":"Tones|Ringtones|Christian & Gospel|Praise & Worship","8109":"Tones|Ringtones|Christian & Gospel|Southern Gospel","8110":"Tones|Ringtones|Christian & Gospel|Traditional Gospel","8111":"Tones|Ringtones|Classical|Avant-Garde","8112":"Tones|Ringtones|Classical|Baroque Era","8113":"Tones|Ringtones|Classical|Chamber Music","8114":"Tones|Ringtones|Classical|Chant","8115":"Tones|Ringtones|Classical|Choral","8116":"Tones|Ringtones|Classical|Classical Crossover","8117":"Tones|Ringtones|Classical|Early Music","8118":"Tones|Ringtones|Classical|High Classical","8119":"Tones|Ringtones|Classical|Impressionist","8120":"Tones|Ringtones|Classical|Medieval Era","8121":"Tones|Ringtones|Classical|Minimalism","8122":"Tones|Ringtones|Classical|Modern Era","8123":"Tones|Ringtones|Classical|Orchestral","8124":"Tones|Ringtones|Classical|Renaissance","8125":"Tones|Ringtones|Classical|Romantic Era","8126":"Tones|Ringtones|Classical|Wedding Music","8127":"Tones|Ringtones|Comedy|Novelty","8128":"Tones|Ringtones|Comedy|Standup Comedy","8129":"Tones|Ringtones|Country|Alternative Country","8130":"Tones|Ringtones|Country|Americana","8131":"Tones|Ringtones|Country|Bluegrass","8132":"Tones|Ringtones|Country|Contemporary Bluegrass","8133":"Tones|Ringtones|Country|Contemporary Country","8134":"Tones|Ringtones|Country|Country Gospel","8135":"Tones|Ringtones|Country|Honky Tonk","8136":"Tones|Ringtones|Country|Outlaw Country","8137":"Tones|Ringtones|Country|Thai Country","8138":"Tones|Ringtones|Country|Traditional Bluegrass","8139":"Tones|Ringtones|Country|Traditional Country","8140":"Tones|Ringtones|Country|Urban 
Cowboy","8141":"Tones|Ringtones|Dance|Breakbeat","8142":"Tones|Ringtones|Dance|Exercise","8143":"Tones|Ringtones|Dance|Garage","8144":"Tones|Ringtones|Dance|Hardcore","8145":"Tones|Ringtones|Dance|House","8146":"Tones|Ringtones|Dance|Jungle/Drum'n'bass","8147":"Tones|Ringtones|Dance|Techno","8148":"Tones|Ringtones|Dance|Trance","8149":"Tones|Ringtones|Disney","8150":"Tones|Ringtones|Easy Listening","8151":"Tones|Ringtones|Easy Listening|Lounge","8152":"Tones|Ringtones|Easy Listening|Swing","8153":"Tones|Ringtones|Electronic|Ambient","8154":"Tones|Ringtones|Electronic|Downtempo","8155":"Tones|Ringtones|Electronic|Electronica","8156":"Tones|Ringtones|Electronic|IDM/Experimental","8157":"Tones|Ringtones|Electronic|Industrial","8158":"Tones|Ringtones|Fitness & Workout","8159":"Tones|Ringtones|Folk","8160":"Tones|Ringtones|Hip-Hop/Rap|Alternative Rap","8161":"Tones|Ringtones|Hip-Hop/Rap|Chinese Hip-Hop","8162":"Tones|Ringtones|Hip-Hop/Rap|Dirty South","8163":"Tones|Ringtones|Hip-Hop/Rap|East Coast Rap","8164":"Tones|Ringtones|Hip-Hop/Rap|Gangsta Rap","8165":"Tones|Ringtones|Hip-Hop/Rap|Hardcore Rap","8166":"Tones|Ringtones|Hip-Hop/Rap|Hip-Hop","8167":"Tones|Ringtones|Hip-Hop/Rap|Korean Hip-Hop","8168":"Tones|Ringtones|Hip-Hop/Rap|Latin Rap","8169":"Tones|Ringtones|Hip-Hop/Rap|Old School Rap","8170":"Tones|Ringtones|Hip-Hop/Rap|Rap","8171":"Tones|Ringtones|Hip-Hop/Rap|Underground Rap","8172":"Tones|Ringtones|Hip-Hop/Rap|West Coast Rap","8173":"Tones|Ringtones|Holiday|Chanukah","8174":"Tones|Ringtones|Holiday|Christmas","8175":"Tones|Ringtones|Holiday|Christmas: Children's","8176":"Tones|Ringtones|Holiday|Christmas: Classic","8177":"Tones|Ringtones|Holiday|Christmas: Classical","8178":"Tones|Ringtones|Holiday|Christmas: Jazz","8179":"Tones|Ringtones|Holiday|Christmas: Modern","8180":"Tones|Ringtones|Holiday|Christmas: Pop","8181":"Tones|Ringtones|Holiday|Christmas: R&B","8182":"Tones|Ringtones|Holiday|Christmas: Religious","8183":"Tones|Ringtones|Holiday|Christmas: 
Rock","8184":"Tones|Ringtones|Holiday|Easter","8185":"Tones|Ringtones|Holiday|Halloween","8186":"Tones|Ringtones|Holiday|Thanksgiving","8187":"Tones|Ringtones|Indian","8188":"Tones|Ringtones|Indian|Bollywood","8189":"Tones|Ringtones|Indian|Devotional & Spiritual","8190":"Tones|Ringtones|Indian|Ghazals","8191":"Tones|Ringtones|Indian|Indian Classical","8192":"Tones|Ringtones|Indian|Indian Folk","8193":"Tones|Ringtones|Indian|Indian Pop","8194":"Tones|Ringtones|Indian|Regional Indian","8195":"Tones|Ringtones|Indian|Sufi","8196":"Tones|Ringtones|Indian|Tamil","8197":"Tones|Ringtones|Indian|Telugu","8198":"Tones|Ringtones|Instrumental","8199":"Tones|Ringtones|Jazz|Avant-Garde Jazz","8201":"Tones|Ringtones|Jazz|Big Band","8202":"Tones|Ringtones|Jazz|Bop","8203":"Tones|Ringtones|Jazz|Contemporary Jazz","8204":"Tones|Ringtones|Jazz|Cool Jazz","8205":"Tones|Ringtones|Jazz|Crossover Jazz","8206":"Tones|Ringtones|Jazz|Dixieland","8207":"Tones|Ringtones|Jazz|Fusion","8208":"Tones|Ringtones|Jazz|Hard Bop","8209":"Tones|Ringtones|Jazz|Latin Jazz","8210":"Tones|Ringtones|Jazz|Mainstream Jazz","8211":"Tones|Ringtones|Jazz|Ragtime","8212":"Tones|Ringtones|Jazz|Smooth Jazz","8213":"Tones|Ringtones|Jazz|Trad Jazz","8214":"Tones|Ringtones|Pop|K-Pop","8215":"Tones|Ringtones|Karaoke","8216":"Tones|Ringtones|Korean","8217":"Tones|Ringtones|Korean|Korean Classical","8218":"Tones|Ringtones|Korean|Korean Trad Instrumental","8219":"Tones|Ringtones|Korean|Korean Trad Song","8220":"Tones|Ringtones|Korean|Korean Trad Theater","8221":"Tones|Ringtones|Latin|Alternative & Rock in Spanish","8222":"Tones|Ringtones|Latin|Baladas y Boleros","8223":"Tones|Ringtones|Latin|Contemporary Latin","8224":"Tones|Ringtones|Latin|Latin Jazz","8225":"Tones|Ringtones|Latin|Latin Urban","8226":"Tones|Ringtones|Latin|Pop in Spanish","8227":"Tones|Ringtones|Latin|Raices","8228":"Tones|Ringtones|Latin|Musica Mexicana","8229":"Tones|Ringtones|Latin|Salsa y Tropical","8230":"Tones|Ringtones|Marching 
Bands","8231":"Tones|Ringtones|New Age|Healing","8232":"Tones|Ringtones|New Age|Meditation","8233":"Tones|Ringtones|New Age|Nature","8234":"Tones|Ringtones|New Age|Relaxation","8235":"Tones|Ringtones|New Age|Travel","8236":"Tones|Ringtones|Orchestral","8237":"Tones|Ringtones|Pop|Adult Contemporary","8238":"Tones|Ringtones|Pop|Britpop","8239":"Tones|Ringtones|Pop|C-Pop","8240":"Tones|Ringtones|Pop|Cantopop/HK-Pop","8241":"Tones|Ringtones|Pop|Indo Pop","8242":"Tones|Ringtones|Pop|Korean Folk-Pop","8243":"Tones|Ringtones|Pop|Malaysian Pop","8244":"Tones|Ringtones|Pop|Mandopop","8245":"Tones|Ringtones|Pop|Manilla Sound","8246":"Tones|Ringtones|Pop|Oldies","8247":"Tones|Ringtones|Pop|Original Pilipino Music","8248":"Tones|Ringtones|Pop|Pinoy Pop","8249":"Tones|Ringtones|Pop|Pop/Rock","8250":"Tones|Ringtones|Pop|Soft Rock","8251":"Tones|Ringtones|Pop|Tai-Pop","8252":"Tones|Ringtones|Pop|Teen Pop","8253":"Tones|Ringtones|Pop|Thai Pop","8254":"Tones|Ringtones|R&B/Soul|Contemporary R&B","8255":"Tones|Ringtones|R&B/Soul|Disco","8256":"Tones|Ringtones|R&B/Soul|Doo Wop","8257":"Tones|Ringtones|R&B/Soul|Funk","8258":"Tones|Ringtones|R&B/Soul|Motown","8259":"Tones|Ringtones|R&B/Soul|Neo-Soul","8260":"Tones|Ringtones|R&B/Soul|Soul","8261":"Tones|Ringtones|Reggae|Modern Dancehall","8262":"Tones|Ringtones|Reggae|Dub","8263":"Tones|Ringtones|Reggae|Roots Reggae","8264":"Tones|Ringtones|Reggae|Ska","8265":"Tones|Ringtones|Rock|Adult Alternative","8266":"Tones|Ringtones|Rock|American Trad Rock","8267":"Tones|Ringtones|Rock|Arena Rock","8268":"Tones|Ringtones|Rock|Blues-Rock","8269":"Tones|Ringtones|Rock|British Invasion","8270":"Tones|Ringtones|Rock|Chinese Rock","8271":"Tones|Ringtones|Rock|Death Metal/Black Metal","8272":"Tones|Ringtones|Rock|Glam Rock","8273":"Tones|Ringtones|Rock|Hair Metal","8274":"Tones|Ringtones|Rock|Hard Rock","8275":"Tones|Ringtones|Rock|Metal","8276":"Tones|Ringtones|Rock|Jam Bands","8277":"Tones|Ringtones|Rock|Korean 
Rock","8278":"Tones|Ringtones|Rock|Prog-Rock/Art Rock","8279":"Tones|Ringtones|Rock|Psychedelic","8280":"Tones|Ringtones|Rock|Rock & Roll","8281":"Tones|Ringtones|Rock|Rockabilly","8282":"Tones|Ringtones|Rock|Roots Rock","8283":"Tones|Ringtones|Rock|Singer/Songwriter","8284":"Tones|Ringtones|Rock|Southern Rock","8285":"Tones|Ringtones|Rock|Surf","8286":"Tones|Ringtones|Rock|Tex-Mex","8287":"Tones|Ringtones|Singer/Songwriter|Alternative Folk","8288":"Tones|Ringtones|Singer/Songwriter|Contemporary Folk","8289":"Tones|Ringtones|Singer/Songwriter|Contemporary Singer/Songwriter","8290":"Tones|Ringtones|Singer/Songwriter|Folk-Rock","8291":"Tones|Ringtones|Singer/Songwriter|New Acoustic","8292":"Tones|Ringtones|Singer/Songwriter|Traditional Folk","8293":"Tones|Ringtones|Soundtrack|Foreign Cinema","8294":"Tones|Ringtones|Soundtrack|Musicals","8295":"Tones|Ringtones|Soundtrack|Original Score","8296":"Tones|Ringtones|Soundtrack|Sound Effects","8297":"Tones|Ringtones|Soundtrack|Soundtrack","8298":"Tones|Ringtones|Soundtrack|TV Soundtrack","8299":"Tones|Ringtones|Vocal|Standards","8300":"Tones|Ringtones|Vocal|Traditional Pop","8301":"Tones|Ringtones|Vocal|Trot","8302":"Tones|Ringtones|Jazz|Vocal Jazz","8303":"Tones|Ringtones|Vocal|Vocal Pop","8304":"Tones|Ringtones|World|Africa","8305":"Tones|Ringtones|World|Afrikaans","8306":"Tones|Ringtones|World|Afro-Beat","8307":"Tones|Ringtones|World|Afro-Pop","8308":"Tones|Ringtones|World|Arabesque","8309":"Tones|Ringtones|World|Asia","8310":"Tones|Ringtones|World|Australia","8311":"Tones|Ringtones|World|Cajun","8312":"Tones|Ringtones|World|Calypso","8313":"Tones|Ringtones|World|Caribbean","8314":"Tones|Ringtones|World|Celtic","8315":"Tones|Ringtones|World|Celtic Folk","8316":"Tones|Ringtones|World|Contemporary 
Celtic","8317":"Tones|Ringtones|World|Dangdut","8318":"Tones|Ringtones|World|Dini","8319":"Tones|Ringtones|World|Europe","8320":"Tones|Ringtones|World|Fado","8321":"Tones|Ringtones|World|Farsi","8322":"Tones|Ringtones|World|Flamenco","8323":"Tones|Ringtones|World|France","8324":"Tones|Ringtones|World|Halk","8325":"Tones|Ringtones|World|Hawaii","8326":"Tones|Ringtones|World|Iberia","8327":"Tones|Ringtones|World|Indonesian Religious","8328":"Tones|Ringtones|World|Israeli","8329":"Tones|Ringtones|World|Japan","8330":"Tones|Ringtones|World|Klezmer","8331":"Tones|Ringtones|World|North America","8332":"Tones|Ringtones|World|Polka","8333":"Tones|Ringtones|World|Russian","8334":"Tones|Ringtones|World|Russian Chanson","8335":"Tones|Ringtones|World|Sanat","8336":"Tones|Ringtones|World|Soca","8337":"Tones|Ringtones|World|South Africa","8338":"Tones|Ringtones|World|South America","8339":"Tones|Ringtones|World|Tango","8340":"Tones|Ringtones|World|Traditional Celtic","8341":"Tones|Ringtones|World|Turkish","8342":"Tones|Ringtones|World|Worldbeat","8343":"Tones|Ringtones|World|Zydeco","8345":"Tones|Ringtones|Classical|Art Song","8346":"Tones|Ringtones|Classical|Brass & Woodwinds","8347":"Tones|Ringtones|Classical|Solo Instrumental","8348":"Tones|Ringtones|Classical|Contemporary Era","8349":"Tones|Ringtones|Classical|Oratorio","8350":"Tones|Ringtones|Classical|Cantata","8351":"Tones|Ringtones|Classical|Electronic","8352":"Tones|Ringtones|Classical|Sacred","8353":"Tones|Ringtones|Classical|Guitar","8354":"Tones|Ringtones|Classical|Piano","8355":"Tones|Ringtones|Classical|Violin","8356":"Tones|Ringtones|Classical|Cello","8357":"Tones|Ringtones|Classical|Percussion","8358":"Tones|Ringtones|Electronic|Dubstep","8359":"Tones|Ringtones|Electronic|Bass","8360":"Tones|Ringtones|Hip-Hop/Rap|UK Hip Hop","8361":"Tones|Ringtones|Reggae|Lovers Rock","8362":"Tones|Ringtones|Alternative|EMO","8363":"Tones|Ringtones|Alternative|Pop Punk","8364":"Tones|Ringtones|Alternative|Indie 
Pop","8365":"Tones|Ringtones|New Age|Yoga","8366":"Tones|Ringtones|Pop|Tribute","8367":"Tones|Ringtones|Pop|Shows","9002":"Books|Nonfiction","9003":"Books|Romance","9004":"Books|Travel & Adventure","9007":"Books|Arts & Entertainment","9008":"Books|Biographies & Memoirs","9009":"Books|Business & Personal Finance","9010":"Books|Children & Teens","9012":"Books|Humor","9015":"Books|History","9018":"Books|Religion & Spirituality","9019":"Books|Science & Nature","9020":"Books|Sci-Fi & Fantasy","9024":"Books|Lifestyle & Home","9025":"Books|Health, Mind & Body","9026":"Books|Comics & Graphic Novels","9027":"Books|Computers & Internet","9028":"Books|Cookbooks, Food & Wine","9029":"Books|Professional & Technical","9030":"Books|Parenting","9031":"Books|Fiction & Literature","9032":"Books|Mysteries & Thrillers","9033":"Books|Reference","9034":"Books|Politics & Current Events","9035":"Books|Sports & Outdoors","10001":"Books|Lifestyle & Home|Antiques & Collectibles","10002":"Books|Arts & Entertainment|Art & Architecture","10003":"Books|Religion & Spirituality|Bibles","10004":"Books|Health, Mind & Body|Spirituality","10005":"Books|Business & Personal Finance|Industries & Professions","10006":"Books|Business & Personal Finance|Marketing & Sales","10007":"Books|Business & Personal Finance|Small Business & Entrepreneurship","10008":"Books|Business & Personal Finance|Personal Finance","10009":"Books|Business & Personal Finance|Reference","10010":"Books|Business & Personal Finance|Careers","10011":"Books|Business & Personal Finance|Economics","10012":"Books|Business & Personal Finance|Investing","10013":"Books|Business & Personal Finance|Finance","10014":"Books|Business & Personal Finance|Management & Leadership","10015":"Books|Comics & Graphic Novels|Graphic Novels","10016":"Books|Comics & Graphic Novels|Manga","10017":"Books|Computers & Internet|Computers","10018":"Books|Computers & Internet|Databases","10019":"Books|Computers & Internet|Digital Media","10020":"Books|Computers & 
Internet|Internet","10021":"Books|Computers & Internet|Network","10022":"Books|Computers & Internet|Operating Systems","10023":"Books|Computers & Internet|Programming","10024":"Books|Computers & Internet|Software","10025":"Books|Computers & Internet|System Administration","10026":"Books|Cookbooks, Food & Wine|Beverages","10027":"Books|Cookbooks, Food & Wine|Courses & Dishes","10028":"Books|Cookbooks, Food & Wine|Special Diet","10029":"Books|Cookbooks, Food & Wine|Special Occasions","10030":"Books|Cookbooks, Food & Wine|Methods","10031":"Books|Cookbooks, Food & Wine|Reference","10032":"Books|Cookbooks, Food & Wine|Regional & Ethnic","10033":"Books|Cookbooks, Food & Wine|Specific Ingredients","10034":"Books|Lifestyle & Home|Crafts & Hobbies","10035":"Books|Professional & Technical|Design","10036":"Books|Arts & Entertainment|Theater","10037":"Books|Professional & Technical|Education","10038":"Books|Nonfiction|Family & Relationships","10039":"Books|Fiction & Literature|Action & Adventure","10040":"Books|Fiction & Literature|African American","10041":"Books|Fiction & Literature|Religious","10042":"Books|Fiction & Literature|Classics","10043":"Books|Fiction & Literature|Erotica","10044":"Books|Sci-Fi & Fantasy|Fantasy","10045":"Books|Fiction & Literature|Gay","10046":"Books|Fiction & Literature|Ghost","10047":"Books|Fiction & Literature|Historical","10048":"Books|Fiction & Literature|Horror","10049":"Books|Fiction & Literature|Literary","10050":"Books|Mysteries & Thrillers|Hard-Boiled","10051":"Books|Mysteries & Thrillers|Historical","10052":"Books|Mysteries & Thrillers|Police Procedural","10053":"Books|Mysteries & Thrillers|Short Stories","10054":"Books|Mysteries & Thrillers|British Detectives","10055":"Books|Mysteries & Thrillers|Women Sleuths","10056":"Books|Romance|Erotic Romance","10057":"Books|Romance|Contemporary","10058":"Books|Romance|Paranormal","10059":"Books|Romance|Historical","10060":"Books|Romance|Short 
Stories","10061":"Books|Romance|Suspense","10062":"Books|Romance|Western","10063":"Books|Sci-Fi & Fantasy|Science Fiction","10064":"Books|Sci-Fi & Fantasy|Science Fiction & Literature","10065":"Books|Fiction & Literature|Short Stories","10066":"Books|Reference|Foreign Languages","10067":"Books|Arts & Entertainment|Games","10068":"Books|Lifestyle & Home|Gardening","10069":"Books|Health, Mind & Body|Health & Fitness","10070":"Books|History|Africa","10071":"Books|History|Americas","10072":"Books|History|Ancient","10073":"Books|History|Asia","10074":"Books|History|Australia & Oceania","10075":"Books|History|Europe","10076":"Books|History|Latin America","10077":"Books|History|Middle East","10078":"Books|History|Military","10079":"Books|History|United States","10080":"Books|History|World","10081":"Books|Children & Teens|Children's Fiction","10082":"Books|Children & Teens|Children's Nonfiction","10083":"Books|Professional & Technical|Law","10084":"Books|Fiction & Literature|Literary Criticism","10085":"Books|Science & Nature|Mathematics","10086":"Books|Professional & Technical|Medical","10087":"Books|Arts & Entertainment|Music","10088":"Books|Science & Nature|Nature","10089":"Books|Arts & Entertainment|Performing Arts","10090":"Books|Lifestyle & Home|Pets","10091":"Books|Nonfiction|Philosophy","10092":"Books|Arts & Entertainment|Photography","10093":"Books|Fiction & Literature|Poetry","10094":"Books|Health, Mind & Body|Psychology","10095":"Books|Reference|Almanacs & Yearbooks","10096":"Books|Reference|Atlases & Maps","10097":"Books|Reference|Catalogs & Directories","10098":"Books|Reference|Consumer Guides","10099":"Books|Reference|Dictionaries & Thesauruses","10100":"Books|Reference|Encyclopedias","10101":"Books|Reference|Etiquette","10102":"Books|Reference|Quotations","10103":"Books|Reference|Words & Language","10104":"Books|Reference|Writing","10105":"Books|Religion & Spirituality|Bible Studies","10106":"Books|Religion & Spirituality|Buddhism","10107":"Books|Religion & 
Spirituality|Christianity","10108":"Books|Religion & Spirituality|Hinduism","10109":"Books|Religion & Spirituality|Islam","10110":"Books|Religion & Spirituality|Judaism","10111":"Books|Science & Nature|Astronomy","10112":"Books|Science & Nature|Chemistry","10113":"Books|Science & Nature|Earth Sciences","10114":"Books|Science & Nature|Essays","10115":"Books|Science & Nature|History","10116":"Books|Science & Nature|Life Sciences","10117":"Books|Science & Nature|Physics","10118":"Books|Science & Nature|Reference","10119":"Books|Health, Mind & Body|Self-Improvement","10120":"Books|Nonfiction|Social Science","10121":"Books|Sports & Outdoors|Baseball","10122":"Books|Sports & Outdoors|Basketball","10123":"Books|Sports & Outdoors|Coaching","10124":"Books|Sports & Outdoors|Extreme Sports","10125":"Books|Sports & Outdoors|Football","10126":"Books|Sports & Outdoors|Golf","10127":"Books|Sports & Outdoors|Hockey","10128":"Books|Sports & Outdoors|Mountaineering","10129":"Books|Sports & Outdoors|Outdoors","10130":"Books|Sports & Outdoors|Racket Sports","10131":"Books|Sports & Outdoors|Reference","10132":"Books|Sports & Outdoors|Soccer","10133":"Books|Sports & Outdoors|Training","10134":"Books|Sports & Outdoors|Water Sports","10135":"Books|Sports & Outdoors|Winter Sports","10136":"Books|Reference|Study Aids","10137":"Books|Professional & Technical|Engineering","10138":"Books|Nonfiction|Transportation","10139":"Books|Travel & Adventure|Africa","10140":"Books|Travel & Adventure|Asia","10141":"Books|Travel & Adventure|Specialty Travel","10142":"Books|Travel & Adventure|Canada","10143":"Books|Travel & Adventure|Caribbean","10144":"Books|Travel & Adventure|Latin America","10145":"Books|Travel & Adventure|Essays & Memoirs","10146":"Books|Travel & Adventure|Europe","10147":"Books|Travel & Adventure|Middle East","10148":"Books|Travel & Adventure|United States","10149":"Books|Nonfiction|True Crime","11001":"Books|Sci-Fi & Fantasy|Fantasy|Contemporary","11002":"Books|Sci-Fi & 
Fantasy|Fantasy|Epic","11003":"Books|Sci-Fi & Fantasy|Fantasy|Historical","11004":"Books|Sci-Fi & Fantasy|Fantasy|Paranormal","11005":"Books|Sci-Fi & Fantasy|Fantasy|Short Stories","11006":"Books|Sci-Fi & Fantasy|Science Fiction & Literature|Adventure","11007":"Books|Sci-Fi & Fantasy|Science Fiction & Literature|High Tech","11008":"Books|Sci-Fi & Fantasy|Science Fiction & Literature|Short Stories","11009":"Books|Professional & Technical|Education|Language Arts & Disciplines","11010":"Books|Communications & Media","11011":"Books|Communications & Media|Broadcasting","11012":"Books|Communications & Media|Digital Media","11013":"Books|Communications & Media|Journalism","11014":"Books|Communications & Media|Photojournalism","11015":"Books|Communications & Media|Print","11016":"Books|Communications & Media|Speech","11017":"Books|Communications & Media|Writing","11018":"Books|Arts & Entertainment|Art & Architecture|Urban Planning","11019":"Books|Arts & Entertainment|Dance","11020":"Books|Arts & Entertainment|Fashion","11021":"Books|Arts & Entertainment|Film","11022":"Books|Arts & Entertainment|Interior Design","11023":"Books|Arts & Entertainment|Media Arts","11024":"Books|Arts & Entertainment|Radio","11025":"Books|Arts & Entertainment|TV","11026":"Books|Arts & Entertainment|Visual Arts","11027":"Books|Biographies & Memoirs|Arts & Entertainment","11028":"Books|Biographies & Memoirs|Business","11029":"Books|Biographies & Memoirs|Culinary","11030":"Books|Biographies & Memoirs|Gay & Lesbian","11031":"Books|Biographies & Memoirs|Historical","11032":"Books|Biographies & Memoirs|Literary","11033":"Books|Biographies & Memoirs|Media & Journalism","11034":"Books|Biographies & Memoirs|Military","11035":"Books|Biographies & Memoirs|Politics","11036":"Books|Biographies & Memoirs|Religious","11037":"Books|Biographies & Memoirs|Science & Technology","11038":"Books|Biographies & Memoirs|Sports","11039":"Books|Biographies & Memoirs|Women","11040":"Books|Romance|New 
Adult","11042":"Books|Romance|Romantic Comedy","11043":"Books|Romance|Gay & Lesbian","11044":"Books|Fiction & Literature|Essays","11045":"Books|Fiction & Literature|Anthologies","11046":"Books|Fiction & Literature|Comparative Literature","11047":"Books|Fiction & Literature|Drama","11049":"Books|Fiction & Literature|Fairy Tales, Myths & Fables","11050":"Books|Fiction & Literature|Family","11051":"Books|Comics & Graphic Novels|Manga|School Drama","11052":"Books|Comics & Graphic Novels|Manga|Human Drama","11053":"Books|Comics & Graphic Novels|Manga|Family Drama","11054":"Books|Sports & Outdoors|Boxing","11055":"Books|Sports & Outdoors|Cricket","11056":"Books|Sports & Outdoors|Cycling","11057":"Books|Sports & Outdoors|Equestrian","11058":"Books|Sports & Outdoors|Martial Arts & Self Defense","11059":"Books|Sports & Outdoors|Motor Sports","11060":"Books|Sports & Outdoors|Rugby","11061":"Books|Sports & Outdoors|Running","11062":"Books|Health, Mind & Body|Diet & Nutrition","11063":"Books|Science & Nature|Agriculture","11064":"Books|Science & Nature|Atmosphere","11065":"Books|Science & Nature|Biology","11066":"Books|Science & Nature|Ecology","11067":"Books|Science & Nature|Environment","11068":"Books|Science & Nature|Geography","11069":"Books|Science & Nature|Geology","11070":"Books|Nonfiction|Social Science|Anthropology","11071":"Books|Nonfiction|Social Science|Archaeology","11072":"Books|Nonfiction|Social Science|Civics","11073":"Books|Nonfiction|Social Science|Government","11074":"Books|Nonfiction|Social Science|Social Studies","11075":"Books|Nonfiction|Social Science|Social Welfare","11076":"Books|Nonfiction|Social 
Science|Society","11077":"Books|Nonfiction|Philosophy|Aesthetics","11078":"Books|Nonfiction|Philosophy|Epistemology","11079":"Books|Nonfiction|Philosophy|Ethics","11080":"Books|Nonfiction|Philosophy|Language","11081":"Books|Nonfiction|Philosophy|Logic","11082":"Books|Nonfiction|Philosophy|Metaphysics","11083":"Books|Nonfiction|Philosophy|Political","11084":"Books|Nonfiction|Philosophy|Religion","11085":"Books|Reference|Manuals","11086":"Books|Kids","11087":"Books|Kids|Animals","11088":"Books|Kids|Basic Concepts","11089":"Books|Kids|Basic Concepts|Alphabet","11090":"Books|Kids|Basic Concepts|Body","11091":"Books|Kids|Basic Concepts|Colors","11092":"Books|Kids|Basic Concepts|Counting & Numbers","11093":"Books|Kids|Basic Concepts|Date & Time","11094":"Books|Kids|Basic Concepts|General","11095":"Books|Kids|Basic Concepts|Money","11096":"Books|Kids|Basic Concepts|Opposites","11097":"Books|Kids|Basic Concepts|Seasons","11098":"Books|Kids|Basic Concepts|Senses & Sensation","11099":"Books|Kids|Basic Concepts|Size & Shape","11100":"Books|Kids|Basic Concepts|Sounds","11101":"Books|Kids|Basic Concepts|Words","11102":"Books|Kids|Biography","11103":"Books|Kids|Careers & Occupations","11104":"Books|Kids|Computers & Technology","11105":"Books|Kids|Cooking & Food","11106":"Books|Kids|Arts & Entertainment","11107":"Books|Kids|Arts & Entertainment|Art","11108":"Books|Kids|Arts & Entertainment|Crafts","11109":"Books|Kids|Arts & Entertainment|Music","11110":"Books|Kids|Arts & Entertainment|Performing Arts","11111":"Books|Kids|Family","11112":"Books|Kids|Fiction","11113":"Books|Kids|Fiction|Action & Adventure","11114":"Books|Kids|Fiction|Animals","11115":"Books|Kids|Fiction|Classics","11116":"Books|Kids|Fiction|Comics & Graphic Novels","11117":"Books|Kids|Fiction|Culture, Places & People","11118":"Books|Kids|Fiction|Family & Relationships","11119":"Books|Kids|Fiction|Fantasy","11120":"Books|Kids|Fiction|Fairy Tales, Myths & Fables","11121":"Books|Kids|Fiction|Favorite 
Characters","11122":"Books|Kids|Fiction|Historical","11123":"Books|Kids|Fiction|Holidays & Celebrations","11124":"Books|Kids|Fiction|Monsters & Ghosts","11125":"Books|Kids|Fiction|Mysteries","11126":"Books|Kids|Fiction|Nature","11127":"Books|Kids|Fiction|Religion","11128":"Books|Kids|Fiction|Sci-Fi","11129":"Books|Kids|Fiction|Social Issues","11130":"Books|Kids|Fiction|Sports & Recreation","11131":"Books|Kids|Fiction|Transportation","11132":"Books|Kids|Games & Activities","11133":"Books|Kids|General Nonfiction","11134":"Books|Kids|Health","11135":"Books|Kids|History","11136":"Books|Kids|Holidays & Celebrations","11137":"Books|Kids|Holidays & Celebrations|Birthdays","11138":"Books|Kids|Holidays & Celebrations|Christmas & Advent","11139":"Books|Kids|Holidays & Celebrations|Easter & Lent","11140":"Books|Kids|Holidays & Celebrations|General","11141":"Books|Kids|Holidays & Celebrations|Halloween","11142":"Books|Kids|Holidays & Celebrations|Hanukkah","11143":"Books|Kids|Holidays & Celebrations|Other","11144":"Books|Kids|Holidays & Celebrations|Passover","11145":"Books|Kids|Holidays & Celebrations|Patriotic Holidays","11146":"Books|Kids|Holidays & Celebrations|Ramadan","11147":"Books|Kids|Holidays & Celebrations|Thanksgiving","11148":"Books|Kids|Holidays & Celebrations|Valentine's Day","11149":"Books|Kids|Humor","11150":"Books|Kids|Humor|Jokes & Riddles","11151":"Books|Kids|Poetry","11152":"Books|Kids|Learning to Read","11153":"Books|Kids|Learning to Read|Chapter Books","11154":"Books|Kids|Learning to Read|Early Readers","11155":"Books|Kids|Learning to Read|Intermediate Readers","11156":"Books|Kids|Nursery Rhymes","11157":"Books|Kids|Government","11158":"Books|Kids|Reference","11159":"Books|Kids|Religion","11160":"Books|Kids|Science & Nature","11161":"Books|Kids|Social Issues","11162":"Books|Kids|Social Studies","11163":"Books|Kids|Sports & Recreation","11164":"Books|Kids|Transportation","11165":"Books|Young Adult","11166":"Books|Young Adult|Animals","11167":"Books|Young 
Adult|Biography","11168":"Books|Young Adult|Careers & Occupations","11169":"Books|Young Adult|Computers & Technology","11170":"Books|Young Adult|Cooking & Food","11171":"Books|Young Adult|Arts & Entertainment","11172":"Books|Young Adult|Arts & Entertainment|Art","11173":"Books|Young Adult|Arts & Entertainment|Crafts","11174":"Books|Young Adult|Arts & Entertainment|Music","11175":"Books|Young Adult|Arts & Entertainment|Performing Arts","11176":"Books|Young Adult|Family","11177":"Books|Young Adult|Fiction","11178":"Books|Young Adult|Fiction|Action & Adventure","11179":"Books|Young Adult|Fiction|Animals","11180":"Books|Young Adult|Fiction|Classics","11181":"Books|Young Adult|Fiction|Comics & Graphic Novels","11182":"Books|Young Adult|Fiction|Culture, Places & People","11183":"Books|Young Adult|Fiction|Dystopian","11184":"Books|Young Adult|Fiction|Family & Relationships","11185":"Books|Young Adult|Fiction|Fantasy","11186":"Books|Young Adult|Fiction|Fairy Tales, Myths & Fables","11187":"Books|Young Adult|Fiction|Favorite Characters","11188":"Books|Young Adult|Fiction|Historical","11189":"Books|Young Adult|Fiction|Holidays & Celebrations","11190":"Books|Young Adult|Fiction|Horror, Monsters & Ghosts","11191":"Books|Young Adult|Fiction|Crime & Mystery","11192":"Books|Young Adult|Fiction|Nature","11193":"Books|Young Adult|Fiction|Religion","11194":"Books|Young Adult|Fiction|Romance","11195":"Books|Young Adult|Fiction|Sci-Fi","11196":"Books|Young Adult|Fiction|Coming of Age","11197":"Books|Young Adult|Fiction|Sports & Recreation","11198":"Books|Young Adult|Fiction|Transportation","11199":"Books|Young Adult|Games & Activities","11200":"Books|Young Adult|General Nonfiction","11201":"Books|Young Adult|Health","11202":"Books|Young Adult|History","11203":"Books|Young Adult|Holidays & Celebrations","11204":"Books|Young Adult|Holidays & Celebrations|Birthdays","11205":"Books|Young Adult|Holidays & Celebrations|Christmas & Advent","11206":"Books|Young Adult|Holidays & 
Celebrations|Easter & Lent","11207":"Books|Young Adult|Holidays & Celebrations|General","11208":"Books|Young Adult|Holidays & Celebrations|Halloween","11209":"Books|Young Adult|Holidays & Celebrations|Hanukkah","11210":"Books|Young Adult|Holidays & Celebrations|Other","11211":"Books|Young Adult|Holidays & Celebrations|Passover","11212":"Books|Young Adult|Holidays & Celebrations|Patriotic Holidays","11213":"Books|Young Adult|Holidays & Celebrations|Ramadan","11214":"Books|Young Adult|Holidays & Celebrations|Thanksgiving","11215":"Books|Young Adult|Holidays & Celebrations|Valentine's Day","11216":"Books|Young Adult|Humor","11217":"Books|Young Adult|Humor|Jokes & Riddles","11218":"Books|Young Adult|Poetry","11219":"Books|Young Adult|Politics & Government","11220":"Books|Young Adult|Reference","11221":"Books|Young Adult|Religion","11222":"Books|Young Adult|Science & Nature","11223":"Books|Young Adult|Coming of Age","11224":"Books|Young Adult|Social Studies","11225":"Books|Young Adult|Sports & Recreation","11226":"Books|Young Adult|Transportation","11227":"Books|Communications & Media","11228":"Books|Military & Warfare","11229":"Books|Romance|Inspirational","11231":"Books|Romance|Holiday","11232":"Books|Romance|Wholesome","11233":"Books|Romance|Military","11234":"Books|Arts & Entertainment|Art History","11236":"Books|Arts & Entertainment|Design","11243":"Books|Business & Personal Finance|Accounting","11244":"Books|Business & Personal Finance|Hospitality","11245":"Books|Business & Personal Finance|Real Estate","11246":"Books|Humor|Jokes & Riddles","11247":"Books|Religion & Spirituality|Comparative Religion","11255":"Books|Cookbooks, Food & Wine|Culinary Arts","11259":"Books|Mysteries & Thrillers|Cozy","11260":"Books|Politics & Current Events|Current Events","11261":"Books|Politics & Current Events|Foreign Policy & International Relations","11262":"Books|Politics & Current Events|Local Government","11263":"Books|Politics & Current Events|National 
Government","11264":"Books|Politics & Current Events|Political Science","11265":"Books|Politics & Current Events|Public Administration","11266":"Books|Politics & Current Events|World Affairs","11273":"Books|Nonfiction|Family & Relationships|Family & Childcare","11274":"Books|Nonfiction|Family & Relationships|Love & Romance","11275":"Books|Sci-Fi & Fantasy|Fantasy|Urban","11276":"Books|Reference|Foreign Languages|Arabic","11277":"Books|Reference|Foreign Languages|Bilingual Editions","11278":"Books|Reference|Foreign Languages|African Languages","11279":"Books|Reference|Foreign Languages|Ancient Languages","11280":"Books|Reference|Foreign Languages|Chinese","11281":"Books|Reference|Foreign Languages|English","11282":"Books|Reference|Foreign Languages|French","11283":"Books|Reference|Foreign Languages|German","11284":"Books|Reference|Foreign Languages|Hebrew","11285":"Books|Reference|Foreign Languages|Hindi","11286":"Books|Reference|Foreign Languages|Italian","11287":"Books|Reference|Foreign Languages|Japanese","11288":"Books|Reference|Foreign Languages|Korean","11289":"Books|Reference|Foreign Languages|Linguistics","11290":"Books|Reference|Foreign Languages|Other Languages","11291":"Books|Reference|Foreign Languages|Portuguese","11292":"Books|Reference|Foreign Languages|Russian","11293":"Books|Reference|Foreign Languages|Spanish","11294":"Books|Reference|Foreign Languages|Speech Pathology","11295":"Books|Science & Nature|Mathematics|Advanced Mathematics","11296":"Books|Science & Nature|Mathematics|Algebra","11297":"Books|Science & Nature|Mathematics|Arithmetic","11298":"Books|Science & Nature|Mathematics|Calculus","11299":"Books|Science & Nature|Mathematics|Geometry","11300":"Books|Science & Nature|Mathematics|Statistics","11301":"Books|Professional & Technical|Medical|Veterinary","11302":"Books|Professional & Technical|Medical|Neuroscience","11303":"Books|Professional & Technical|Medical|Immunology","11304":"Books|Professional & 
Technical|Medical|Nursing","11305":"Books|Professional & Technical|Medical|Pharmacology & Toxicology","11306":"Books|Professional & Technical|Medical|Anatomy & Physiology","11307":"Books|Professional & Technical|Medical|Dentistry","11308":"Books|Professional & Technical|Medical|Emergency Medicine","11309":"Books|Professional & Technical|Medical|Genetics","11310":"Books|Professional & Technical|Medical|Psychiatry","11311":"Books|Professional & Technical|Medical|Radiology","11312":"Books|Professional & Technical|Medical|Alternative Medicine","11317":"Books|Nonfiction|Philosophy|Political Philosophy","11319":"Books|Nonfiction|Philosophy|Philosophy of Language","11320":"Books|Nonfiction|Philosophy|Philosophy of Religion","11327":"Books|Nonfiction|Social Science|Sociology","11329":"Books|Professional & Technical|Engineering|Aeronautics","11330":"Books|Professional & Technical|Engineering|Chemical & Petroleum Engineering","11331":"Books|Professional & Technical|Engineering|Civil Engineering","11332":"Books|Professional & Technical|Engineering|Computer Science","11333":"Books|Professional & Technical|Engineering|Electrical Engineering","11334":"Books|Professional & Technical|Engineering|Environmental Engineering","11335":"Books|Professional & Technical|Engineering|Mechanical Engineering","11336":"Books|Professional & Technical|Engineering|Power Resources","11337":"Books|Comics & Graphic Novels|Manga|Boys","11338":"Books|Comics & Graphic Novels|Manga|Men","11339":"Books|Comics & Graphic Novels|Manga|Girls","11340":"Books|Comics & Graphic Novels|Manga|Women","11341":"Books|Comics & Graphic Novels|Manga|Other","12001":"Mac App Store|Business","12002":"Mac App Store|Developer Tools","12003":"Mac App Store|Education","12004":"Mac App Store|Entertainment","12005":"Mac App Store|Finance","12006":"Mac App Store|Games","12007":"Mac App Store|Health & Fitness","12008":"Mac App Store|Lifestyle","12010":"Mac App Store|Medical","12011":"Mac App Store|Music","12012":"Mac App 
Store|News","12013":"Mac App Store|Photography","12014":"Mac App Store|Productivity","12015":"Mac App Store|Reference","12016":"Mac App Store|Social Networking","12017":"Mac App Store|Sports","12018":"Mac App Store|Travel","12019":"Mac App Store|Utilities","12020":"Mac App Store|Video","12021":"Mac App Store|Weather","12022":"Mac App Store|Graphics & Design","12201":"Mac App Store|Games|Action","12202":"Mac App Store|Games|Adventure","12203":"Mac App Store|Games|Arcade","12204":"Mac App Store|Games|Board","12205":"Mac App Store|Games|Card","12206":"Mac App Store|Games|Casino","12207":"Mac App Store|Games|Dice","12208":"Mac App Store|Games|Educational","12209":"Mac App Store|Games|Family","12210":"Mac App Store|Games|Kids","12211":"Mac App Store|Games|Music","12212":"Mac App Store|Games|Puzzle","12213":"Mac App Store|Games|Racing","12214":"Mac App Store|Games|Role Playing","12215":"Mac App Store|Games|Simulation","12216":"Mac App Store|Games|Sports","12217":"Mac App Store|Games|Strategy","12218":"Mac App Store|Games|Trivia","12219":"Mac App Store|Games|Word","13001":"App Store|Magazines & Newspapers|News & Politics","13002":"App Store|Magazines & Newspapers|Fashion & Style","13003":"App Store|Magazines & Newspapers|Home & Garden","13004":"App Store|Magazines & Newspapers|Outdoors & Nature","13005":"App Store|Magazines & Newspapers|Sports & Leisure","13006":"App Store|Magazines & Newspapers|Automotive","13007":"App Store|Magazines & Newspapers|Arts & Photography","13008":"App Store|Magazines & Newspapers|Brides & Weddings","13009":"App Store|Magazines & Newspapers|Business & Investing","13010":"App Store|Magazines & Newspapers|Children's Magazines","13011":"App Store|Magazines & Newspapers|Computers & Internet","13012":"App Store|Magazines & Newspapers|Cooking, Food & Drink","13013":"App Store|Magazines & Newspapers|Crafts & Hobbies","13014":"App Store|Magazines & Newspapers|Electronics & Audio","13015":"App Store|Magazines & Newspapers|Entertainment","13017":"App 
Store|Magazines & Newspapers|Health, Mind & Body","13018":"App Store|Magazines & Newspapers|History","13019":"App Store|Magazines & Newspapers|Literary Magazines & Journals","13020":"App Store|Magazines & Newspapers|Men's Interest","13021":"App Store|Magazines & Newspapers|Movies & Music","13023":"App Store|Magazines & Newspapers|Parenting & Family","13024":"App Store|Magazines & Newspapers|Pets","13025":"App Store|Magazines & Newspapers|Professional & Trade","13026":"App Store|Magazines & Newspapers|Regional News","13027":"App Store|Magazines & Newspapers|Science","13028":"App Store|Magazines & Newspapers|Teens","13029":"App Store|Magazines & Newspapers|Travel & Regional","13030":"App Store|Magazines & Newspapers|Women's Interest","15000":"Textbooks|Arts & Entertainment","15001":"Textbooks|Arts & Entertainment|Art & Architecture","15002":"Textbooks|Arts & Entertainment|Art & Architecture|Urban Planning","15003":"Textbooks|Arts & Entertainment|Art History","15004":"Textbooks|Arts & Entertainment|Dance","15005":"Textbooks|Arts & Entertainment|Design","15006":"Textbooks|Arts & Entertainment|Fashion","15007":"Textbooks|Arts & Entertainment|Film","15008":"Textbooks|Arts & Entertainment|Games","15009":"Textbooks|Arts & Entertainment|Interior Design","15010":"Textbooks|Arts & Entertainment|Media Arts","15011":"Textbooks|Arts & Entertainment|Music","15012":"Textbooks|Arts & Entertainment|Performing Arts","15013":"Textbooks|Arts & Entertainment|Photography","15014":"Textbooks|Arts & Entertainment|Theater","15015":"Textbooks|Arts & Entertainment|TV","15016":"Textbooks|Arts & Entertainment|Visual Arts","15017":"Textbooks|Biographies & Memoirs","15018":"Textbooks|Business & Personal Finance","15019":"Textbooks|Business & Personal Finance|Accounting","15020":"Textbooks|Business & Personal Finance|Careers","15021":"Textbooks|Business & Personal Finance|Economics","15022":"Textbooks|Business & Personal Finance|Finance","15023":"Textbooks|Business & Personal 
Finance|Hospitality","15024":"Textbooks|Business & Personal Finance|Industries & Professions","15025":"Textbooks|Business & Personal Finance|Investing","15026":"Textbooks|Business & Personal Finance|Management & Leadership","15027":"Textbooks|Business & Personal Finance|Marketing & Sales","15028":"Textbooks|Business & Personal Finance|Personal Finance","15029":"Textbooks|Business & Personal Finance|Real Estate","15030":"Textbooks|Business & Personal Finance|Reference","15031":"Textbooks|Business & Personal Finance|Small Business & Entrepreneurship","15032":"Textbooks|Children & Teens","15033":"Textbooks|Children & Teens|Fiction","15034":"Textbooks|Children & Teens|Nonfiction","15035":"Textbooks|Comics & Graphic Novels","15036":"Textbooks|Comics & Graphic Novels|Graphic Novels","15037":"Textbooks|Comics & Graphic Novels|Manga","15038":"Textbooks|Communications & Media","15039":"Textbooks|Communications & Media|Broadcasting","15040":"Textbooks|Communications & Media|Digital Media","15041":"Textbooks|Communications & Media|Journalism","15042":"Textbooks|Communications & Media|Photojournalism","15043":"Textbooks|Communications & Media|Print","15044":"Textbooks|Communications & Media|Speech","15045":"Textbooks|Communications & Media|Writing","15046":"Textbooks|Computers & Internet","15047":"Textbooks|Computers & Internet|Computers","15048":"Textbooks|Computers & Internet|Databases","15049":"Textbooks|Computers & Internet|Digital Media","15050":"Textbooks|Computers & Internet|Internet","15051":"Textbooks|Computers & Internet|Network","15052":"Textbooks|Computers & Internet|Operating Systems","15053":"Textbooks|Computers & Internet|Programming","15054":"Textbooks|Computers & Internet|Software","15055":"Textbooks|Computers & Internet|System Administration","15056":"Textbooks|Cookbooks, Food & Wine","15057":"Textbooks|Cookbooks, Food & Wine|Beverages","15058":"Textbooks|Cookbooks, Food & Wine|Courses & Dishes","15059":"Textbooks|Cookbooks, Food & Wine|Culinary 
Arts","15060":"Textbooks|Cookbooks, Food & Wine|Methods","15061":"Textbooks|Cookbooks, Food & Wine|Reference","15062":"Textbooks|Cookbooks, Food & Wine|Regional & Ethnic","15063":"Textbooks|Cookbooks, Food & Wine|Special Diet","15064":"Textbooks|Cookbooks, Food & Wine|Special Occasions","15065":"Textbooks|Cookbooks, Food & Wine|Specific Ingredients","15066":"Textbooks|Engineering","15067":"Textbooks|Engineering|Aeronautics","15068":"Textbooks|Engineering|Chemical & Petroleum Engineering","15069":"Textbooks|Engineering|Civil Engineering","15070":"Textbooks|Engineering|Computer Science","15071":"Textbooks|Engineering|Electrical Engineering","15072":"Textbooks|Engineering|Environmental Engineering","15073":"Textbooks|Engineering|Mechanical Engineering","15074":"Textbooks|Engineering|Power Resources","15075":"Textbooks|Fiction & Literature","15076":"Textbooks|Fiction & Literature|Latino","15077":"Textbooks|Fiction & Literature|Action & Adventure","15078":"Textbooks|Fiction & Literature|African American","15079":"Textbooks|Fiction & Literature|Anthologies","15080":"Textbooks|Fiction & Literature|Classics","15081":"Textbooks|Fiction & Literature|Comparative Literature","15082":"Textbooks|Fiction & Literature|Erotica","15083":"Textbooks|Fiction & Literature|Gay","15084":"Textbooks|Fiction & Literature|Ghost","15085":"Textbooks|Fiction & Literature|Historical","15086":"Textbooks|Fiction & Literature|Horror","15087":"Textbooks|Fiction & Literature|Literary","15088":"Textbooks|Fiction & Literature|Literary Criticism","15089":"Textbooks|Fiction & Literature|Poetry","15090":"Textbooks|Fiction & Literature|Religious","15091":"Textbooks|Fiction & Literature|Short Stories","15092":"Textbooks|Health, Mind & Body","15093":"Textbooks|Health, Mind & Body|Fitness","15094":"Textbooks|Health, Mind & 
Body|Self-Improvement","15095":"Textbooks|History","15096":"Textbooks|History|Africa","15097":"Textbooks|History|Americas","15098":"Textbooks|History|Americas|Canada","15099":"Textbooks|History|Americas|Latin America","15100":"Textbooks|History|Americas|United States","15101":"Textbooks|History|Ancient","15102":"Textbooks|History|Asia","15103":"Textbooks|History|Australia & Oceania","15104":"Textbooks|History|Europe","15105":"Textbooks|History|Middle East","15106":"Textbooks|History|Military","15107":"Textbooks|History|World","15108":"Textbooks|Humor","15109":"Textbooks|Language Studies","15110":"Textbooks|Language Studies|African Languages","15111":"Textbooks|Language Studies|Ancient Languages","15112":"Textbooks|Language Studies|Arabic","15113":"Textbooks|Language Studies|Bilingual Editions","15114":"Textbooks|Language Studies|Chinese","15115":"Textbooks|Language Studies|English","15116":"Textbooks|Language Studies|French","15117":"Textbooks|Language Studies|German","15118":"Textbooks|Language Studies|Hebrew","15119":"Textbooks|Language Studies|Hindi","15120":"Textbooks|Language Studies|Indigenous Languages","15121":"Textbooks|Language Studies|Italian","15122":"Textbooks|Language Studies|Japanese","15123":"Textbooks|Language Studies|Korean","15124":"Textbooks|Language Studies|Linguistics","15125":"Textbooks|Language Studies|Other Language","15126":"Textbooks|Language Studies|Portuguese","15127":"Textbooks|Language Studies|Russian","15128":"Textbooks|Language Studies|Spanish","15129":"Textbooks|Language Studies|Speech Pathology","15130":"Textbooks|Lifestyle & Home","15131":"Textbooks|Lifestyle & Home|Antiques & Collectibles","15132":"Textbooks|Lifestyle & Home|Crafts & Hobbies","15133":"Textbooks|Lifestyle & Home|Gardening","15134":"Textbooks|Lifestyle & Home|Pets","15135":"Textbooks|Mathematics","15136":"Textbooks|Mathematics|Advanced 
Mathematics","15137":"Textbooks|Mathematics|Algebra","15138":"Textbooks|Mathematics|Arithmetic","15139":"Textbooks|Mathematics|Calculus","15140":"Textbooks|Mathematics|Geometry","15141":"Textbooks|Mathematics|Statistics","15142":"Textbooks|Medicine","15143":"Textbooks|Medicine|Anatomy & Physiology","15144":"Textbooks|Medicine|Dentistry","15145":"Textbooks|Medicine|Emergency Medicine","15146":"Textbooks|Medicine|Genetics","15147":"Textbooks|Medicine|Immunology","15148":"Textbooks|Medicine|Neuroscience","15149":"Textbooks|Medicine|Nursing","15150":"Textbooks|Medicine|Pharmacology & Toxicology","15151":"Textbooks|Medicine|Psychiatry","15152":"Textbooks|Medicine|Psychology","15153":"Textbooks|Medicine|Radiology","15154":"Textbooks|Medicine|Veterinary","15155":"Textbooks|Mysteries & Thrillers","15156":"Textbooks|Mysteries & Thrillers|British Detectives","15157":"Textbooks|Mysteries & Thrillers|Hard-Boiled","15158":"Textbooks|Mysteries & Thrillers|Historical","15159":"Textbooks|Mysteries & Thrillers|Police Procedural","15160":"Textbooks|Mysteries & Thrillers|Short Stories","15161":"Textbooks|Mysteries & Thrillers|Women Sleuths","15162":"Textbooks|Nonfiction","15163":"Textbooks|Nonfiction|Family & Relationships","15164":"Textbooks|Nonfiction|Transportation","15165":"Textbooks|Nonfiction|True Crime","15166":"Textbooks|Parenting","15167":"Textbooks|Philosophy","15168":"Textbooks|Philosophy|Aesthetics","15169":"Textbooks|Philosophy|Epistemology","15170":"Textbooks|Philosophy|Ethics","15171":"Textbooks|Philosophy|Philosophy of Language","15172":"Textbooks|Philosophy|Logic","15173":"Textbooks|Philosophy|Metaphysics","15174":"Textbooks|Philosophy|Political Philosophy","15175":"Textbooks|Philosophy|Philosophy of Religion","15176":"Textbooks|Politics & Current Events","15177":"Textbooks|Politics & Current Events|Current Events","15178":"Textbooks|Politics & Current Events|Foreign Policy & International Relations","15179":"Textbooks|Politics & Current Events|Local 
Governments","15180":"Textbooks|Politics & Current Events|National Governments","15181":"Textbooks|Politics & Current Events|Political Science","15182":"Textbooks|Politics & Current Events|Public Administration","15183":"Textbooks|Politics & Current Events|World Affairs","15184":"Textbooks|Professional & Technical","15185":"Textbooks|Professional & Technical|Design","15186":"Textbooks|Professional & Technical|Language Arts & Disciplines","15187":"Textbooks|Professional & Technical|Engineering","15188":"Textbooks|Professional & Technical|Law","15189":"Textbooks|Professional & Technical|Medical","15190":"Textbooks|Reference","15191":"Textbooks|Reference|Almanacs & Yearbooks","15192":"Textbooks|Reference|Atlases & Maps","15193":"Textbooks|Reference|Catalogs & Directories","15194":"Textbooks|Reference|Consumer Guides","15195":"Textbooks|Reference|Dictionaries & Thesauruses","15196":"Textbooks|Reference|Encyclopedias","15197":"Textbooks|Reference|Etiquette","15198":"Textbooks|Reference|Quotations","15199":"Textbooks|Reference|Study Aids","15200":"Textbooks|Reference|Words & Language","15201":"Textbooks|Reference|Writing","15202":"Textbooks|Religion & Spirituality","15203":"Textbooks|Religion & Spirituality|Bible Studies","15204":"Textbooks|Religion & Spirituality|Bibles","15205":"Textbooks|Religion & Spirituality|Buddhism","15206":"Textbooks|Religion & Spirituality|Christianity","15207":"Textbooks|Religion & Spirituality|Comparative Religion","15208":"Textbooks|Religion & Spirituality|Hinduism","15209":"Textbooks|Religion & Spirituality|Islam","15210":"Textbooks|Religion & Spirituality|Judaism","15211":"Textbooks|Religion & Spirituality|Spirituality","15212":"Textbooks|Romance","15213":"Textbooks|Romance|Contemporary","15214":"Textbooks|Romance|Erotic Romance","15215":"Textbooks|Romance|Paranormal","15216":"Textbooks|Romance|Historical","15217":"Textbooks|Romance|Short 
Stories","15218":"Textbooks|Romance|Suspense","15219":"Textbooks|Romance|Western","15220":"Textbooks|Sci-Fi & Fantasy","15221":"Textbooks|Sci-Fi & Fantasy|Fantasy","15222":"Textbooks|Sci-Fi & Fantasy|Fantasy|Contemporary","15223":"Textbooks|Sci-Fi & Fantasy|Fantasy|Epic","15224":"Textbooks|Sci-Fi & Fantasy|Fantasy|Historical","15225":"Textbooks|Sci-Fi & Fantasy|Fantasy|Paranormal","15226":"Textbooks|Sci-Fi & Fantasy|Fantasy|Short Stories","15227":"Textbooks|Sci-Fi & Fantasy|Science Fiction","15228":"Textbooks|Sci-Fi & Fantasy|Science Fiction & Literature","15229":"Textbooks|Sci-Fi & Fantasy|Science Fiction & Literature|Adventure","15230":"Textbooks|Sci-Fi & Fantasy|Science Fiction & Literature|High Tech","15231":"Textbooks|Sci-Fi & Fantasy|Science Fiction & Literature|Short Stories","15232":"Textbooks|Science & Nature","15233":"Textbooks|Science & Nature|Agriculture","15234":"Textbooks|Science & Nature|Astronomy","15235":"Textbooks|Science & Nature|Atmosphere","15236":"Textbooks|Science & Nature|Biology","15237":"Textbooks|Science & Nature|Chemistry","15238":"Textbooks|Science & Nature|Earth Sciences","15239":"Textbooks|Science & Nature|Ecology","15240":"Textbooks|Science & Nature|Environment","15241":"Textbooks|Science & Nature|Essays","15242":"Textbooks|Science & Nature|Geography","15243":"Textbooks|Science & Nature|Geology","15244":"Textbooks|Science & Nature|History","15245":"Textbooks|Science & Nature|Life Sciences","15246":"Textbooks|Science & Nature|Nature","15247":"Textbooks|Science & Nature|Physics","15248":"Textbooks|Science & Nature|Reference","15249":"Textbooks|Social Science","15250":"Textbooks|Social Science|Anthropology","15251":"Textbooks|Social Science|Archaeology","15252":"Textbooks|Social Science|Civics","15253":"Textbooks|Social Science|Government","15254":"Textbooks|Social Science|Social Studies","15255":"Textbooks|Social Science|Social Welfare","15256":"Textbooks|Social Science|Society","15257":"Textbooks|Social Science|Society|African 
Studies","15258":"Textbooks|Social Science|Society|American Studies","15259":"Textbooks|Social Science|Society|Asia Pacific Studies","15260":"Textbooks|Social Science|Society|Cross-Cultural Studies","15261":"Textbooks|Social Science|Society|European Studies","15262":"Textbooks|Social Science|Society|Immigration & Emigration","15263":"Textbooks|Social Science|Society|Indigenous Studies","15264":"Textbooks|Social Science|Society|Latin & Caribbean Studies","15265":"Textbooks|Social Science|Society|Middle Eastern Studies","15266":"Textbooks|Social Science|Society|Race & Ethnicity Studies","15267":"Textbooks|Social Science|Society|Sexuality Studies","15268":"Textbooks|Social Science|Society|Women's Studies","15269":"Textbooks|Social Science|Sociology","15270":"Textbooks|Sports & Outdoors","15271":"Textbooks|Sports & Outdoors|Baseball","15272":"Textbooks|Sports & Outdoors|Basketball","15273":"Textbooks|Sports & Outdoors|Coaching","15274":"Textbooks|Sports & Outdoors|Equestrian","15275":"Textbooks|Sports & Outdoors|Extreme Sports","15276":"Textbooks|Sports & Outdoors|Football","15277":"Textbooks|Sports & Outdoors|Golf","15278":"Textbooks|Sports & Outdoors|Hockey","15279":"Textbooks|Sports & Outdoors|Motor Sports","15280":"Textbooks|Sports & Outdoors|Mountaineering","15281":"Textbooks|Sports & Outdoors|Outdoors","15282":"Textbooks|Sports & Outdoors|Racket Sports","15283":"Textbooks|Sports & Outdoors|Reference","15284":"Textbooks|Sports & Outdoors|Soccer","15285":"Textbooks|Sports & Outdoors|Training","15286":"Textbooks|Sports & Outdoors|Water Sports","15287":"Textbooks|Sports & Outdoors|Winter Sports","15288":"Textbooks|Teaching & Learning","15289":"Textbooks|Teaching & Learning|Adult Education","15290":"Textbooks|Teaching & Learning|Curriculum & Teaching","15291":"Textbooks|Teaching & Learning|Educational Leadership","15292":"Textbooks|Teaching & Learning|Educational Technology","15293":"Textbooks|Teaching & Learning|Family & Childcare","15294":"Textbooks|Teaching & 
Learning|Information & Library Science","15295":"Textbooks|Teaching & Learning|Learning Resources","15296":"Textbooks|Teaching & Learning|Psychology & Research","15297":"Textbooks|Teaching & Learning|Special Education","15298":"Textbooks|Travel & Adventure","15299":"Textbooks|Travel & Adventure|Africa","15300":"Textbooks|Travel & Adventure|Americas","15301":"Textbooks|Travel & Adventure|Americas|Canada","15302":"Textbooks|Travel & Adventure|Americas|Latin America","15303":"Textbooks|Travel & Adventure|Americas|United States","15304":"Textbooks|Travel & Adventure|Asia","15305":"Textbooks|Travel & Adventure|Caribbean","15306":"Textbooks|Travel & Adventure|Essays & Memoirs","15307":"Textbooks|Travel & Adventure|Europe","15308":"Textbooks|Travel & Adventure|Middle East","15309":"Textbooks|Travel & Adventure|Oceania","15310":"Textbooks|Travel & Adventure|Specialty Travel","15311":"Textbooks|Comics & Graphic Novels|Comics","15312":"Textbooks|Reference|Manuals","16001":"App Store|Stickers|Emoji & Expressions","16003":"App Store|Stickers|Animals & Nature","16005":"App Store|Stickers|Art","16006":"App Store|Stickers|Celebrations","16007":"App Store|Stickers|Celebrities","16008":"App Store|Stickers|Comics & Cartoons","16009":"App Store|Stickers|Eating & Drinking","16010":"App Store|Stickers|Gaming","16014":"App Store|Stickers|Movies & TV","16015":"App Store|Stickers|Music","16017":"App Store|Stickers|People","16019":"App Store|Stickers|Places & Objects","16021":"App Store|Stickers|Sports & Activities","16025":"App Store|Stickers|Kids & Family","16026":"App Store|Stickers|Fashion","100000":"Music|Christian & Gospel","100001":"Music|Classical|Art Song","100002":"Music|Classical|Brass & Woodwinds","100003":"Music|Classical|Solo Instrumental","100004":"Music|Classical|Contemporary 
Era","100005":"Music|Classical|Oratorio","100006":"Music|Classical|Cantata","100007":"Music|Classical|Electronic","100008":"Music|Classical|Sacred","100009":"Music|Classical|Guitar","100010":"Music|Classical|Piano","100011":"Music|Classical|Violin","100012":"Music|Classical|Cello","100013":"Music|Classical|Percussion","100014":"Music|Electronic|Dubstep","100015":"Music|Electronic|Bass","100016":"Music|Hip-Hop/Rap|UK Hip-Hop","100017":"Music|Reggae|Lovers Rock","100018":"Music|Alternative|EMO","100019":"Music|Alternative|Pop Punk","100020":"Music|Alternative|Indie Pop","100021":"Music|New Age|Yoga","100022":"Music|Pop|Tribute","100023":"Music|Pop|Shows","40000000":"iTunes U","40000001":"iTunes U|Business","40000002":"iTunes U|Business|Economics","40000003":"iTunes U|Business|Finance","40000004":"iTunes U|Business|Hospitality","40000005":"iTunes U|Business|Management","40000006":"iTunes U|Business|Marketing","40000007":"iTunes U|Business|Personal Finance","40000008":"iTunes U|Business|Real Estate","40000009":"iTunes U|Engineering","40000010":"iTunes U|Engineering|Chemical & Petroleum Engineering","40000011":"iTunes U|Engineering|Civil Engineering","40000012":"iTunes U|Engineering|Computer Science","40000013":"iTunes U|Engineering|Electrical Engineering","40000014":"iTunes U|Engineering|Environmental Engineering","40000015":"iTunes U|Engineering|Mechanical Engineering","40000016":"iTunes U|Art & Architecture","40000017":"iTunes U|Art & Architecture|Architecture","40000019":"iTunes U|Art & Architecture|Art History","40000020":"iTunes U|Art & Architecture|Dance","40000021":"iTunes U|Art & Architecture|Film","40000022":"iTunes U|Art & Architecture|Design","40000023":"iTunes U|Art & Architecture|Interior Design","40000024":"iTunes U|Art & Architecture|Music","40000025":"iTunes U|Art & Architecture|Theater","40000026":"iTunes U|Health & Medicine","40000027":"iTunes U|Health & Medicine|Anatomy & Physiology","40000028":"iTunes U|Health & Medicine|Behavioral 
Science","40000029":"iTunes U|Health & Medicine|Dentistry","40000030":"iTunes U|Health & Medicine|Diet & Nutrition","40000031":"iTunes U|Health & Medicine|Emergency Medicine","40000032":"iTunes U|Health & Medicine|Genetics","40000033":"iTunes U|Health & Medicine|Gerontology","40000034":"iTunes U|Health & Medicine|Health & Exercise Science","40000035":"iTunes U|Health & Medicine|Immunology","40000036":"iTunes U|Health & Medicine|Neuroscience","40000037":"iTunes U|Health & Medicine|Pharmacology & Toxicology","40000038":"iTunes U|Health & Medicine|Psychiatry","40000039":"iTunes U|Health & Medicine|Global Health","40000040":"iTunes U|Health & Medicine|Radiology","40000041":"iTunes U|History","40000042":"iTunes U|History|Ancient History","40000043":"iTunes U|History|Medieval History","40000044":"iTunes U|History|Military History","40000045":"iTunes U|History|Modern History","40000046":"iTunes U|History|African History","40000047":"iTunes U|History|Asia-Pacific History","40000048":"iTunes U|History|European History","40000049":"iTunes U|History|Middle Eastern History","40000050":"iTunes U|History|North American History","40000051":"iTunes U|History|South American History","40000053":"iTunes U|Communications & Media","40000054":"iTunes U|Philosophy","40000055":"iTunes U|Religion & Spirituality","40000056":"iTunes U|Language","40000057":"iTunes U|Language|African Languages","40000058":"iTunes U|Language|Ancient Languages","40000061":"iTunes U|Language|English","40000063":"iTunes U|Language|French","40000064":"iTunes U|Language|German","40000065":"iTunes U|Language|Italian","40000066":"iTunes U|Language|Linguistics","40000068":"iTunes U|Language|Spanish","40000069":"iTunes U|Language|Speech Pathology","40000070":"iTunes U|Literature","40000071":"iTunes U|Literature|Anthologies","40000072":"iTunes U|Literature|Biography","40000073":"iTunes U|Literature|Classics","40000074":"iTunes U|Literature|Literary Criticism","40000075":"iTunes U|Literature|Fiction","40000076":"iTunes 
U|Literature|Poetry","40000077":"iTunes U|Mathematics","40000078":"iTunes U|Mathematics|Advanced Mathematics","40000079":"iTunes U|Mathematics|Algebra","40000080":"iTunes U|Mathematics|Arithmetic","40000081":"iTunes U|Mathematics|Calculus","40000082":"iTunes U|Mathematics|Geometry","40000083":"iTunes U|Mathematics|Statistics","40000084":"iTunes U|Science","40000085":"iTunes U|Science|Agricultural","40000086":"iTunes U|Science|Astronomy","40000087":"iTunes U|Science|Atmosphere","40000088":"iTunes U|Science|Biology","40000089":"iTunes U|Science|Chemistry","40000090":"iTunes U|Science|Ecology","40000091":"iTunes U|Science|Geography","40000092":"iTunes U|Science|Geology","40000093":"iTunes U|Science|Physics","40000094":"iTunes U|Psychology & Social Science","40000095":"iTunes U|Law & Politics|Law","40000096":"iTunes U|Law & Politics|Political Science","40000097":"iTunes U|Law & Politics|Public Administration","40000098":"iTunes U|Psychology & Social Science|Psychology","40000099":"iTunes U|Psychology & Social Science|Social Welfare","40000100":"iTunes U|Psychology & Social Science|Sociology","40000101":"iTunes U|Society","40000103":"iTunes U|Society|Asia Pacific Studies","40000104":"iTunes U|Society|European Studies","40000105":"iTunes U|Society|Indigenous Studies","40000106":"iTunes U|Society|Latin & Caribbean Studies","40000107":"iTunes U|Society|Middle Eastern Studies","40000108":"iTunes U|Society|Women's Studies","40000109":"iTunes U|Teaching & Learning","40000110":"iTunes U|Teaching & Learning|Curriculum & Teaching","40000111":"iTunes U|Teaching & Learning|Educational Leadership","40000112":"iTunes U|Teaching & Learning|Family & Childcare","40000113":"iTunes U|Teaching & Learning|Learning Resources","40000114":"iTunes U|Teaching & Learning|Psychology & Research","40000115":"iTunes U|Teaching & Learning|Special Education","40000116":"iTunes U|Art & Architecture|Culinary Arts","40000117":"iTunes U|Art & Architecture|Fashion","40000118":"iTunes U|Art & 
Architecture|Media Arts","40000119":"iTunes U|Art & Architecture|Photography","40000120":"iTunes U|Art & Architecture|Visual Art","40000121":"iTunes U|Business|Entrepreneurship","40000122":"iTunes U|Communications & Media|Broadcasting","40000123":"iTunes U|Communications & Media|Digital Media","40000124":"iTunes U|Communications & Media|Journalism","40000125":"iTunes U|Communications & Media|Photojournalism","40000126":"iTunes U|Communications & Media|Print","40000127":"iTunes U|Communications & Media|Speech","40000128":"iTunes U|Communications & Media|Writing","40000129":"iTunes U|Health & Medicine|Nursing","40000130":"iTunes U|Language|Arabic","40000131":"iTunes U|Language|Chinese","40000132":"iTunes U|Language|Hebrew","40000133":"iTunes U|Language|Hindi","40000134":"iTunes U|Language|Indigenous Languages","40000135":"iTunes U|Language|Japanese","40000136":"iTunes U|Language|Korean","40000137":"iTunes U|Language|Other Languages","40000138":"iTunes U|Language|Portuguese","40000139":"iTunes U|Language|Russian","40000140":"iTunes U|Law & Politics","40000141":"iTunes U|Law & Politics|Foreign Policy & International Relations","40000142":"iTunes U|Law & Politics|Local Governments","40000143":"iTunes U|Law & Politics|National Governments","40000144":"iTunes U|Law & Politics|World Affairs","40000145":"iTunes U|Literature|Comparative Literature","40000146":"iTunes U|Philosophy|Aesthetics","40000147":"iTunes U|Philosophy|Epistemology","40000148":"iTunes U|Philosophy|Ethics","40000149":"iTunes U|Philosophy|Metaphysics","40000150":"iTunes U|Philosophy|Political Philosophy","40000151":"iTunes U|Philosophy|Logic","40000152":"iTunes U|Philosophy|Philosophy of Language","40000153":"iTunes U|Philosophy|Philosophy of Religion","40000154":"iTunes U|Psychology & Social Science|Archaeology","40000155":"iTunes U|Psychology & Social Science|Anthropology","40000156":"iTunes U|Religion & Spirituality|Buddhism","40000157":"iTunes U|Religion & Spirituality|Christianity","40000158":"iTunes 
U|Religion & Spirituality|Comparative Religion","40000159":"iTunes U|Religion & Spirituality|Hinduism","40000160":"iTunes U|Religion & Spirituality|Islam","40000161":"iTunes U|Religion & Spirituality|Judaism","40000162":"iTunes U|Religion & Spirituality|Other Religions","40000163":"iTunes U|Religion & Spirituality|Spirituality","40000164":"iTunes U|Science|Environment","40000165":"iTunes U|Society|African Studies","40000166":"iTunes U|Society|American Studies","40000167":"iTunes U|Society|Cross-cultural Studies","40000168":"iTunes U|Society|Immigration & Emigration","40000169":"iTunes U|Society|Race & Ethnicity Studies","40000170":"iTunes U|Society|Sexuality Studies","40000171":"iTunes U|Teaching & Learning|Educational Technology","40000172":"iTunes U|Teaching & Learning|Information/Library Science","40000173":"iTunes U|Language|Dutch","40000174":"iTunes U|Language|Luxembourgish","40000175":"iTunes U|Language|Swedish","40000176":"iTunes U|Language|Norwegian","40000177":"iTunes U|Language|Finnish","40000178":"iTunes U|Language|Danish","40000179":"iTunes U|Language|Polish","40000180":"iTunes U|Language|Turkish","40000181":"iTunes U|Language|Flemish","50000024":"Audiobooks","50000040":"Audiobooks|Fiction","50000041":"Audiobooks|Arts & Entertainment","50000042":"Audiobooks|Biography & Memoir","50000043":"Audiobooks|Business","50000044":"Audiobooks|Kids & Young Adults","50000045":"Audiobooks|Classics","50000046":"Audiobooks|Comedy","50000047":"Audiobooks|Drama & Poetry","50000048":"Audiobooks|Speakers & Storytellers","50000049":"Audiobooks|History","50000050":"Audiobooks|Languages","50000051":"Audiobooks|Mystery","50000052":"Audiobooks|Nonfiction","50000053":"Audiobooks|Religion & Spirituality","50000054":"Audiobooks|Science","50000055":"Audiobooks|Sci Fi & Fantasy","50000056":"Audiobooks|Self Development","50000057":"Audiobooks|Sports","50000058":"Audiobooks|Technology","50000059":"Audiobooks|Travel & Adventure","50000061":"Music|Spoken 
Word","50000063":"Music|Disney","50000064":"Music|French Pop","50000066":"Music|German Pop","50000068":"Music|German Folk","50000069":"Audiobooks|Romance","50000070":"Audiobooks|Audiobooks Latino","50000071":"Books|Comics & Graphic Novels|Manga|Action","50000072":"Books|Comics & Graphic Novels|Manga|Comedy","50000073":"Books|Comics & Graphic Novels|Manga|Erotica","50000074":"Books|Comics & Graphic Novels|Manga|Fantasy","50000075":"Books|Comics & Graphic Novels|Manga|Four Cell Manga","50000076":"Books|Comics & Graphic Novels|Manga|Gay & Lesbian","50000077":"Books|Comics & Graphic Novels|Manga|Hard-Boiled","50000078":"Books|Comics & Graphic Novels|Manga|Heroes","50000079":"Books|Comics & Graphic Novels|Manga|Historical Fiction","50000080":"Books|Comics & Graphic Novels|Manga|Mecha","50000081":"Books|Comics & Graphic Novels|Manga|Mystery","50000082":"Books|Comics & Graphic Novels|Manga|Nonfiction","50000083":"Books|Comics & Graphic Novels|Manga|Religious","50000084":"Books|Comics & Graphic Novels|Manga|Romance","50000085":"Books|Comics & Graphic Novels|Manga|Romantic Comedy","50000086":"Books|Comics & Graphic Novels|Manga|Science Fiction","50000087":"Books|Comics & Graphic Novels|Manga|Sports","50000088":"Books|Fiction & Literature|Light Novels","50000089":"Books|Comics & Graphic Novels|Manga|Horror","50000090":"Books|Comics & Graphic Novels|Comics","50000091":"Books|Romance|Multicultural"}
diff --git a/Chapter04/av_metadata.py b/Chapter04/av_metadata.py
new file mode 100644
index 0000000..76c818b
--- /dev/null
+++ b/Chapter04/av_metadata.py
@@ -0,0 +1,104 @@
+from __future__ import print_function
+import argparse
+import json
+import mutagen
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to extract metadata from A/V Filess"
+
+
+def handle_id3(id3_file):
+ # Definitions from http://id3.org/id3v2.4.0-frames
+ id3_frames = {
+ 'TIT2': 'Title', 'TPE1': 'Artist', 'TALB': 'Album',
+ 'TXXX': 'Custom', 'TCON': 'Content Type', 'TDRL': 'Date released',
+ 'COMM': 'Comments', 'TDRC': 'Recording Date'}
+ print("{:15} | {:15} | {:38} | {}".format("Frame", "Description",
+ "Text", "Value"))
+ print("-" * 85)
+
+ for frames in id3_file.tags.values():
+ frame_name = id3_frames.get(frames.FrameID, frames.FrameID)
+ desc = getattr(frames, 'desc', "N/A")
+ text = getattr(frames, 'text', ["N/A"])[0]
+ value = getattr(frames, 'value', "N/A")
+ if "date" in frame_name.lower():
+ text = str(text)
+
+ print("{:15} | {:15} | {:38} | {}".format(
+ frame_name, desc, text, value))
+
+
+def handle_mp4(mp4_file):
+ # Definitions from
+ # http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/QuickTime.html
+ cp_sym = u"\u00A9"
+ qt_tag = {
+ cp_sym + 'nam': 'Title', cp_sym + 'art': 'Artist',
+ cp_sym + 'alb': 'Album', cp_sym + 'gen': 'Genre',
+ 'cpil': 'Compilation', cp_sym + 'day': 'Creation Date',
+ 'cnID': 'Apple Store Content ID', 'atID': 'Album Title ID',
+ 'plID': 'Playlist ID', 'geID': 'Genre ID', 'pcst': 'Podcast',
+ 'purl': 'Podcast URL', 'egid': 'Episode Global ID',
+ 'cmID': 'Camera ID', 'sfID': 'Apple Store Country',
+ 'desc': 'Description', 'ldes': 'Long Description'}
+ # Definitions from
+ # http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/QuickTime.html#GenreID
+ genre_ids = json.load(open('apple_genres.json'))
+
+ print("{:22} | {}".format('Name', 'Value'))
+ print("-" * 40)
+ for name, value in mp4_file.tags.items():
+ tag_name = qt_tag.get(name, name)
+ if isinstance(value, list):
+ value = "; ".join([str(x) for x in value])
+ if name == 'geID':
+ value = "{}: {}".format(
+ value, genre_ids[str(value)].replace("|", " - "))
+ print("{:22} | {}".format(tag_name, value))
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("AV_FILE", help="File to extract metadata from")
+ args = parser.parse_args()
+ av_file = mutagen.File(args.AV_FILE)
+
+ file_ext = args.AV_FILE.rsplit('.', 1)[-1]
+ if file_ext.lower() == 'mp3':
+ handle_id3(av_file)
+ elif file_ext.lower() == 'mp4':
+ handle_mp4(av_file)
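Review bot: The `__main__` block picks the handler from the file extension and never checks what `mutagen.File` returned, so a renamed file, an unrecognised container or an MP3 without tags reaches `handle_id3`/`handle_mp4` with `av_file` or `av_file.tags` set to `None` and fails with an AttributeError. A guard right after the `mutagen.File` call would make that an explicit message: `if av_file is None or av_file.tags is None: parser.error("no readable tags in {}".format(args.AV_FILE))`. In `handle_mp4`, `genre_ids[str(value)]` raises KeyError for any genre ID missing from apple_genres.json, including the joined string produced when the tag holds several values; `genre_ids.get(str(value), "Unknown")` keeps the listing going. The `open('apple_genres.json')` handle is never closed and the path is resolved against the current working directory rather than the script's location.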
diff --git a/Chapter04/exe_metadata.py b/Chapter04/exe_metadata.py
new file mode 100644
index 0000000..8c5d755
--- /dev/null
+++ b/Chapter04/exe_metadata.py
@@ -0,0 +1,112 @@
+from __future__ import print_function
+import argparse
+from datetime import datetime
+from pefile import PE
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to extract metadata from EXE files"
+
+parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+)
+parser.add_argument("EXE_FILE", help="Path to exe file")
+parser.add_argument("-v", "--verbose", help="Increase verbosity of output",
+ action='store_true', default=False)
+args = parser.parse_args()
+
+pe = PE(args.EXE_FILE)
+ped = pe.dump_dict()
+
+file_info = {}
+for structure in pe.FileInfo:
+ if structure.Key == b'StringFileInfo':
+ for s_table in structure.StringTable:
+ for key, value in s_table.entries.items():
+ if value is None or len(value) == 0:
+ value = "Unknown"
+ file_info[key] = value
+print("File Information: ")
+print("==================")
+for k, v in file_info.items():
+ if isinstance(k, bytes):
+ k = k.decode()
+ if isinstance(v, bytes):
+ v = v.decode()
+ print("{}: {}".format(k, v))
+
+# Compile time
+comp_time = ped['FILE_HEADER']['TimeDateStamp']['Value']
+comp_time = comp_time.split("[")[-1].strip("]")
+time_stamp, timezone = comp_time.rsplit(" ", 1)
+comp_time = datetime.strptime(time_stamp, "%a %b %d %H:%M:%S %Y")
+print("Compiled on {} {}".format(comp_time, timezone.strip()))
+
+# Extract IOCs from PE Sections
+print("\nSections: ")
+print("==========")
+for section in ped['PE Sections']:
+ print("Section '{}' at {}: {}/{} {}".format(
+ section['Name']['Value'], hex(section['VirtualAddress']['Value']),
+ section['Misc_VirtualSize']['Value'],
+ section['SizeOfRawData']['Value'], section['MD5'])
+ )
+
+# Display Imports, Names, and Addresses
+if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
+ print("\nImports: ")
+ print("=========")
+ for dir_entry in pe.DIRECTORY_ENTRY_IMPORT:
+ dll = dir_entry.dll
+ if not args.verbose:
+ print(dll.decode(), end=", ")
+ continue
+
+ name_list = []
+ for impts in dir_entry.imports:
+ if getattr(impts, "name", b"Unknown") is None:
+ name = b"Unknown"
+ else:
+ name = getattr(impts, "name", b"Unknown")
+ name_list.append([name.decode(), hex(impts.address)])
+ name_fmt = ["{} ({})".format(x[0], x[1]) for x in name_list]
+ print('- {}: {}'.format(dll.decode(), ", ".join(name_fmt)))
+ if not args.verbose:
+ print()
+
+# Display Exports, Names, and Addresses
+if hasattr(pe, 'DIRECTORY_ENTRY_EXPORT'):
+ print("\nExports: ")
+ print("=========")
+ for sym in pe.DIRECTORY_ENTRY_EXPORT.symbols:
+ print('- {}: {}'.format(sym.name.decode(), hex(sym.address)))
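Review bot: The export loop at the end calls `sym.name.decode()` unconditionally, although the import loop above already allows for a `None` name; an export that pefile reports without a name (export by ordinal, as far as I can tell) would stop the script with an AttributeError. Something like `name = sym.name.decode("utf-8", "replace") if sym.name else "ordinal {}".format(sym.ordinal)` keeps the listing complete. The other bare `.decode()` calls on `dll` and import names have the same weakness for non-UTF-8 bytes, which matters because the input is a binary under examination rather than trusted data. `pe.FileInfo` is also read without the `hasattr` guard used for the import and export directories, so a file with no version resource likely fails before anything is printed; `for structure in getattr(pe, 'FileInfo', []):` would cover it.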
diff --git a/Chapter04/msoffice_metadata.py b/Chapter04/msoffice_metadata.py
new file mode 100644
index 0000000..df2de29
--- /dev/null
+++ b/Chapter04/msoffice_metadata.py
@@ -0,0 +1,100 @@
+from __future__ import print_function
+from argparse import ArgumentParser
+from datetime import datetime as dt
+from xml.etree import ElementTree as etree
+import zipfile
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Read metadta from Office files"
+
+parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(", ".join(__authors__), __date__)
+)
+parser.add_argument("Office_File", help="Path to office file to read")
+args = parser.parse_args()
+
+# Check if input file is a zipfile
+zipfile.is_zipfile(args.Office_File)
+
+# Open the file (MS Office 2007 or later)
+zfile = zipfile.ZipFile(args.Office_File)
+
+# Extract key elements for processing
+core_xml = etree.fromstring(zfile.read('docProps/core.xml'))
+app_xml = etree.fromstring(zfile.read('docProps/app.xml'))
+
+# Core.xml tag mapping
+core_mapping = {
+ 'title': 'Title',
+ 'subject': 'Subject',
+ 'creator': 'Author(s)',
+ 'keywords': 'Keywords',
+ 'description': 'Description',
+ 'lastModifiedBy': 'Last Modified By',
+ 'modified': 'Modified Date',
+ 'created': 'Created Date',
+ 'category': 'Category',
+ 'contentStatus': 'Status',
+ 'revision': 'Revision'
+}
+
+for element in core_xml.getchildren():
+ for key, title in core_mapping.items():
+ if key in element.tag:
+ if 'date' in title.lower():
+ text = dt.strptime(element.text, "%Y-%m-%dT%H:%M:%SZ")
+ else:
+ text = element.text
+ print("{}: {}".format(title, text))
+
+app_mapping = {
+ 'TotalTime': 'Edit Time (minutes)',
+ 'Pages': 'Page Count',
+ 'Words': 'Word Count',
+ 'Characters': 'Character Count',
+ 'Lines': 'Line Count',
+ 'Paragraphs': 'Paragraph Count',
+ 'Company': 'Company',
+ 'HyperlinkBase': 'Hyperlink Base',
+ 'Slides': 'Slide count',
+ 'Notes': 'Note Count',
+ 'HiddenSlides': 'Hidden Slide Count',
+}
+for element in app_xml.getchildren():
+ for key, title in app_mapping.items():
+ if key in element.tag:
+ if 'date' in title.lower():
+ text = dt.strptime(element.text, "%Y-%m-%dT%H:%M:%SZ")
+ else:
+ text = element.text
+ print("{}: {}".format(title, text))
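Review bot: The script cannot start as written: it imports `from argparse import ArgumentParser` but then calls `argparse.ArgumentParser(`, which raises NameError; the call should be `parser = ArgumentParser(`. The result of `zipfile.is_zipfile(args.Office_File)` is discarded, so a non-ZIP input still reaches `zipfile.ZipFile` and fails with a traceback; `if not zipfile.is_zipfile(args.Office_File): parser.error("not a ZIP-based Office file")` makes the check effective. `docProps/core.xml` and `docProps/app.xml` come from the document under examination and are read whole and parsed with `xml.etree.ElementTree`, which the Python documentation describes as not hardened against maliciously constructed XML, so a size check on the archive members and a comment noting the parser's limits would be worth adding. `getchildren()` was removed in Python 3.9; iterating the element directly (`for element in core_xml:`) is the replacement.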
diff --git a/Chapter04/pdf_metadata.py b/Chapter04/pdf_metadata.py
new file mode 100644
index 0000000..db66270
--- /dev/null
+++ b/Chapter04/pdf_metadata.py
@@ -0,0 +1,94 @@
+from __future__ import print_function
+from argparse import ArgumentParser, FileType
+import datetime
+from PyPDF2 import PdfFileReader
+import sys
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to extract metadata from PDF files"
+
+parser = ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(", ".join(__authors__), __date__)
+)
+parser.add_argument('PDF_FILE', help='Path to PDF file',
+ type=FileType('rb'))
+args = parser.parse_args()
+
+pdf_file = PdfFileReader(args.PDF_FILE)
+
+xmpm = pdf_file.getXmpMetadata()
+if xmpm is None:
+ print("No XMP metadata found in document.")
+ sys.exit()
+
+
+def custom_print(fmt_str, value):
+ if isinstance(value, list):
+ print(fmt_str.format(", ".join(value)))
+ elif isinstance(value, dict):
+ fmt_value = [":".join((k, v)) for k, v in value.items()]
+ print(fmt_str.format(", ".join(value)))
+ elif isinstance(value, str) or isinstance(value, bool):
+ print(fmt_str.format(value))
+ elif isinstance(value, bytes):
+ print(fmt_str.format(value.decode()))
+ elif isinstance(value, datetime.datetime):
+ print(fmt_str.format(value.isoformat()))
+ elif value is None:
+ print(fmt_str.format("N/A"))
+ else:
+ print("warn: unhandled type {} found".format(type(value)))
+
+
+# Definitions from
+# http://wwwimages.adobe.com/content/dam/Adobe/en/devnet/xmp/pdfs/XMP%20SDK%20Release%20cc-2016-08/XMPSpecificationPart1.pdf
+custom_print("Title: {}", xmpm.dc_title)
+custom_print("Creator(s): {}", xmpm.dc_creator)
+custom_print("Contributors: {}", xmpm.dc_contributor)
+custom_print("Subject: {}", xmpm.dc_subject)
+custom_print("Description: {}", xmpm.dc_description)
+custom_print("Created: {}", xmpm.xmp_createDate)
+custom_print("Modified: {}", xmpm.xmp_modifyDate)
+custom_print("Event Dates: {}", xmpm.dc_date)
+custom_print("Created With: {}", xmpm.xmp_creatorTool)
+custom_print("Document ID: {}", xmpm.xmpmm_documentId)
+custom_print("Instance ID: {}", xmpm.xmpmm_instanceId)
+custom_print("Language: {}", xmpm.dc_language)
+custom_print("Publisher: {}", xmpm.dc_publisher)
+custom_print("Resource Type: {}", xmpm.dc_format)
+custom_print("Type: {}", xmpm.dc_type)
+
+if xmpm.custom_properties:
+ print("Custom Properties:")
+ for k, v in xmpm.custom_properties.items():
+ print("\t{}: {}".format(k, v))
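Review bot: In `custom_print`, the `dict` branch builds `fmt_value` and then prints `", ".join(value)`, which joins only the dictionary keys, so the values of dictionary-typed XMP properties are silently dropped from the report. The print should use the list that was just built: `print(fmt_str.format(", ".join(fmt_value)))`. `":".join((k, v))` also assumes both key and value are strings; `"{}:{}".format(k, v)` avoids a TypeError on other value types. The function has no docstring; a one-line `"""Print value with fmt_str, formatting it according to its type."""` would document the dispatch.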
diff --git a/Chapter04/pic_metadata.py b/Chapter04/pic_metadata.py
new file mode 100644
index 0000000..f4b9bfd
--- /dev/null
+++ b/Chapter04/pic_metadata.py
@@ -0,0 +1,87 @@
+from __future__ import print_function
+import argparse
+from PIL import Image
+from PIL.ExifTags import TAGS
+import simplekml
+import sys
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to gather EXIF data from images"
+
+parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(", ".join(__authors__), __date__)
+)
+parser.add_argument('PICTURE_FILE', help="Path to picture")
+args = parser.parse_args()
+
+gmaps = "https://www.google.com/maps?q={},{}"
+open_maps = "http://www.openstreetmap.org/?mlat={}&mlon={}"
+
+
+def process_coords(coord):
+ coord_deg = 0
+ for count, values in enumerate(coord):
+ coord_deg += (float(values[0]) / values[1]) / 60**count
+ return coord_deg
+
+
+img_file = Image.open(args.PICTURE_FILE)
+exif_data = img_file._getexif()
+
+if exif_data is None:
+ print("No EXIF data found")
+ sys.exit()
+
+for name, value in exif_data.items():
+ gps_tag = TAGS.get(name, name)
+ if gps_tag is not 'GPSInfo':
+ continue
+
+ lat_ref = value[1] == u'N'
+ lat = process_coords(value[2])
+ if not lat_ref:
+ lat = lat * -1
+
+ lon_ref = value[3] == u'E'
+ lon = process_coords(value[4])
+ if not lon_ref:
+ lon = lon * -1
+
+ kml = simplekml.Kml()
+ kml.newpoint(name=args.PICTURE_FILE, coords=[(lon, lat)])
+ kml.save(args.PICTURE_FILE + ".kml")
+
+ print("GPS Coordinates: {}, {}".format(lat, lon))
+ print("Google Maps URL: {}".format(gmaps.format(lat, lon)))
+ print("OpenStreetMap URL: {}".format(open_maps.format(lat, lon)))
+ print("KML File {} created".format(args.PICTURE_FILE + ".kml"))
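Review bot: The loop filters with `if gps_tag is not 'GPSInfo':`, an identity comparison against a string literal that only works when the interpreter happens to intern both strings and that newer Python versions flag with a SyntaxWarning; it should be `if gps_tag != 'GPSInfo':`. The GPS block is then indexed as `value[1]` through `value[4]` without checking that those keys exist, and `process_coords` divides by `values[1]`, so an image with a partial or zeroed GPS record ends in KeyError or ZeroDivisionError instead of a message. `kml.save(args.PICTURE_FILE + ".kml")` writes the output next to the input image, which means the tool modifies the directory holding the evidence; an explicit output path argument would avoid that.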
diff --git a/Chapter05/beautiful_preservation.py b/Chapter05/beautiful_preservation.py
new file mode 100644
index 0000000..0762e1b
--- /dev/null
+++ b/Chapter05/beautiful_preservation.py
@@ -0,0 +1,168 @@
+from __future__ import print_function
+import argparse
+from bs4 import BeautifulSoup, SoupStrainer
+from datetime import datetime
+import hashlib
+import logging
+import os
+import ssl
+import sys
+from urllib.request import urlopen
+import urllib.error
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "BeautifulSoup Website Preservation Tool"
+
+logger = logging.getLogger(__name__)
+
+
+def main(website, output_dir):
+ base_name = website.replace(
+ "https://", "").replace("http://", "").replace("www.", "")
+ link_queue = set()
+ if "http://" not in website and "https://" not in website:
+ logger.error(
+ "Exiting preservation - invalid user input: {}".format(
+ website))
+ sys.exit(1)
+ logger.info("Accessing {} webpage".format(website))
+ context = ssl._create_unverified_context()
+
+ try:
+ index = urlopen(website, context=context).read().decode("utf-8")
+ except urllib.error.HTTPError as e:
+ logger.error(
+ "Exiting preservation - unable to access page: {}".format(
+ website))
+ sys.exit(2)
+ logger.debug("Successfully accessed {}".format(website))
+ write_output(website, index, output_dir)
+ link_queue = find_links(base_name, index, link_queue)
+ logger.info("Found {} initial links on webpage".format(
+ len(link_queue)))
+ recurse_pages(website, link_queue, context, output_dir)
+ logger.info("Completed preservation of {}".format(website))
+
+
+def find_links(website, page, queue):
+ for link in BeautifulSoup(page, "html.parser",
+ parse_only=SoupStrainer("a", href=True)):
+ if website in link.get("href"):
+ if not os.path.basename(link.get("href")).startswith("#"):
+ queue.add(link.get("href"))
+ return queue
+
+
+def recurse_pages(website, queue, context, output_dir):
+ processed = []
+ counter = 0
+ while True:
+ counter += 1
+ if len(processed) == len(queue):
+ break
+ for link in queue.copy():
+ if link in processed:
+ continue
+ processed.append(link)
+ try:
+ page = urlopen(link, context=context).read().decode(
+ "utf-8")
+ except urllib.error.HTTPError as e:
+ msg = "Error accessing webpage: {}".format(link)
+ logger.error(msg)
+ continue
+ write_output(link, page, output_dir, counter)
+ queue = find_links(website, page, queue)
+ logger.info("Identified {} links throughout website".format(
+ len(queue)))
+
+
+def hash_data(data):
+ sha256 = hashlib.sha256()
+ sha256.update(data.encode("utf-8"))
+ return sha256.hexdigest()
+
+
+def hash_file(file):
+ sha256 = hashlib.sha256()
+ with open(file, "rb") as in_file:
+ sha256.update(in_file.read())
+ return sha256.hexdigest()
+
+
+def write_output(name, data, output_dir, counter=0):
+ name = name.replace("http://", "").replace("https://", "").rstrip("//")
+ directory = os.path.join(output_dir, os.path.dirname(name))
+ if not os.path.exists(directory) and os.path.dirname(name) != "":
+ os.makedirs(directory)
+
+ logger.debug("Writing {} to {}".format(name, output_dir))
+ logger.debug("Data Hash: {}".format(hash_data(data)))
+ path = os.path.join(output_dir, name)
+ path = path + "_" + str(counter)
+ with open(path, "w") as outfile:
+ outfile.write(data)
+ logger.debug("Output File Hash: {}".format(hash_file(path)))
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("DOMAIN", help="Website Domain")
+ parser.add_argument("OUTPUT_DIR", help="Preservation Output Directory")
+ parser.add_argument("-l", help="Log file path",
+ default=__file__[:-3] + ".log")
+ args = parser.parse_args()
+
+ logger.setLevel(logging.DEBUG)
+ msg_fmt = logging.Formatter("%(asctime)-15s %(funcName)-10s"
+ "%(levelname)-8s %(message)s")
+ strhndl = logging.StreamHandler(sys.stderr)
+ strhndl.setFormatter(fmt=msg_fmt)
+ fhndl = logging.FileHandler(args.l, mode='a')
+ fhndl.setFormatter(fmt=msg_fmt)
+
+ logger.addHandler(strhndl)
+ logger.addHandler(fhndl)
+
+ logger.info("Starting BS Preservation")
+ logger.debug("Supplied arguments: {}".format(sys.argv[1:]))
+ logger.debug("System " + sys.platform)
+ logger.debug("Version " + sys.version)
+
+ if not os.path.exists(args.OUTPUT_DIR):
+ os.makedirs(args.OUTPUT_DIR)
+
+ main(args.DOMAIN, args.OUTPUT_DIR)
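Review bot: `find_links` accepts any href that merely contains the site name as a substring, so links taken from the fetched page can point the crawler at other hosts or at non-HTTP schemes that `urlopen` also handles, while relative links are missed. Parsing each href with `urllib.parse.urlparse` (which would need importing) and keeping only http/https links whose host matches, as sketched below, closes that; the sketch assumes the first argument is a bare host name, which `main` does not guarantee when the user supplies a URL with a path. The same hrefs become file paths in `write_output`, so the joined path should be checked to resolve under `output_dir` before `os.makedirs` runs. Separately, `ssl._create_unverified_context()` in `main` turns off certificate validation for every request, which weakens any statement about where the preserved content came from; `context = ssl.create_default_context()` should be the default, with an explicit and logged opt-out.

```python
def find_links(website, page, queue):
    # … unchanged: BeautifulSoup/SoupStrainer loop header …
        href = link.get("href")
        parts = urlparse(href)
        # Follow only http(s) links on the preserved host or its subdomains
        if parts.scheme not in ("http", "https"):
            continue
        host = (parts.hostname or "").lower()
        if host != website and not host.endswith("." + website):
            continue
        if not os.path.basename(href).startswith("#"):
            queue.add(href)
    # … unchanged: return queue …
```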
diff --git a/Chapter05/ief_parser.py b/Chapter05/ief_parser.py
new file mode 100644
index 0000000..85f3fec
--- /dev/null
+++ b/Chapter05/ief_parser.py
@@ -0,0 +1,89 @@
+from __future__ import print_function
+import argparse
+import csv
+import os
+import sqlite3
+import sys
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to extract reports from IEF"
+
+
+def main(database, out_directory):
+ print("[+] Connecting to SQLite database")
+ conn = sqlite3.connect(database)
+ c = conn.cursor()
+
+ print("[+] Querying IEF database for list of all tables to extract")
+ c.execute("select * from sqlite_master where type='table'")
+ # Remove tables that start with "_" or end with "_DATA"
+ tables = [x[2] for x in c.fetchall() if not x[2].startswith('_') and
+ not x[2].endswith('_DATA')]
+
+ print("[+] Dumping {} tables to CSV files in {}".format(
+ len(tables), out_directory))
+ for table in tables:
+ c.execute("pragma table_info('{}')".format(table))
+ table_columns = [x[1] for x in c.fetchall()]
+ c.execute("select * from '{}'".format(table))
+ table_data = c.fetchall()
+
+ csv_name = table + '.csv'
+ csv_path = os.path.join(out_directory, csv_name)
+ print('[+] Writing {} table to {} CSV file'.format(table,
+ csv_name))
+ with open(csv_path, "w", newline="") as csvfile:
+ csv_writer = csv.writer(csvfile)
+ csv_writer.writerow(table_columns)
+ csv_writer.writerows(table_data)
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("IEF_DATABASE", help="Input IEF database")
+ parser.add_argument("OUTPUT_DIR", help="Output DIR")
+ args = parser.parse_args()
+
+ if not os.path.exists(args.OUTPUT_DIR):
+ os.makedirs(args.OUTPUT_DIR)
+
+ if os.path.exists(args.IEF_DATABASE) and \
+ os.path.isfile(args.IEF_DATABASE):
+ main(args.IEF_DATABASE, args.OUTPUT_DIR)
+ else:
+ print("[-] Supplied input file {} does not exist or is not a "
+ "file".format(args.IEF_DATABASE))
+ sys.exit(1)
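Review bot: In `main`, table names read from the database's own `sqlite_master` are formatted straight into the `pragma table_info('{}')` and `select * from '{}'` statements and into the CSV file name, although the database is the item under examination and its table names are not controlled by the examiner. A name containing a quote breaks the statement, and one containing path separators places the CSV outside `out_directory`. Quoting the identifier, `c.execute('select * from "{}"'.format(table.replace('"', '""')))` (and the same for the pragma), and reducing the file name to a safe character set before `os.path.join` would cover both. `sqlite3.connect(database)` also opens the evidence file read-write and the connection is never closed; opening it read-only through a `file:` URI with `mode=ro` and `uri=True` is the usual precaution, and `fetchall()` on every table may be worth replacing with iteration over the cursor for large cases.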
diff --git a/Chapter05/ief_yahoo_cache_parser.py b/Chapter05/ief_yahoo_cache_parser.py
new file mode 100644
index 0000000..1f11231
--- /dev/null
+++ b/Chapter05/ief_yahoo_cache_parser.py
@@ -0,0 +1,145 @@
+from __future__ import print_function
+import argparse
+import csv
+import json
+import os
+import sqlite3
+import sys
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to extract Yahoo! webmail contacts from IEF"
+
+
+def main(database, out_csv):
+ print("[+] Connecting to SQLite database")
+ conn = sqlite3.connect(database)
+ c = conn.cursor()
+
+ print("[+] Querying IEF database for Yahoo Contact Fragments from "
+ "the Chrome Cache Records Table")
+ try:
+ c.execute(
+ "select * from 'Chrome Cache Records' where URL like "
+ "'https://data.mail.yahoo.com"
+ "/classicab/v2/contacts/?format=json%'")
+ except sqlite3.OperationalError:
+ print("Received an error querying the database -- database may be"
+ "corrupt or not have a Chrome Cache Records table")
+ sys.exit(2)
+
+ contact_cache = c.fetchall()
+ contact_data = process_contacts(contact_cache)
+ write_csv(contact_data, out_csv)
+
+
+def process_contacts(contact_cache):
+ print("[+] Processing {} cache files matching Yahoo contact cache "
+ " data".format(len(contact_cache)))
+ results = []
+ for contact in contact_cache:
+ url = contact[0]
+ first_visit = contact[1]
+ last_visit = contact[2]
+ last_sync = contact[3]
+ loc = contact[8]
+ contact_json = json.loads(contact[7].decode())
+ total_contacts = contact_json["total"]
+ total_count = contact_json["count"]
+
+ if "contacts" not in contact_json:
+ continue
+
+ for c in contact_json["contacts"]:
+ name, anni, bday, emails, phones, links = (
+ "", "", "", "", "", "")
+ if "name" in c:
+ name = c["name"]["givenName"] + " " + \
+ c["name"]["middleName"] + " " + c["name"]["familyName"]
+ if "anniversary" in c:
+ anni = c["anniversary"]["month"] + \
+ "/" + c["anniversary"]["day"] + "/" + \
+ c["anniversary"]["year"]
+ if "birthday" in c:
+ bday = c["birthday"]["month"] + "/" + \
+ c["birthday"]["day"] + "/" + c["birthday"]["year"]
+ if "emails" in c:
+ emails = ', '.join([x["ep"] for x in c["emails"]])
+ if "phones" in c:
+ phones = ', '.join([x["ep"] for x in c["phones"]])
+ if "links" in c:
+ links = ', '.join([x["ep"] for x in c["links"]])
+
+ company = c.get("company", "")
+ title = c.get("jobTitle", "")
+ notes = c.get("notes", "")
+
+ results.append([
+ url, first_visit, last_visit, last_sync, loc, name, bday,
+ anni, emails, phones, links, company, title, notes,
+ total_contacts, total_count])
+ return results
+
+
+def write_csv(data, output):
+ print("[+] Writing {} contacts to {}".format(len(data), output))
+ with open(output, "w", newline="") as csvfile:
+ csv_writer = csv.writer(csvfile)
+ csv_writer.writerow([
+ "URL", "First Visit (UTC)", "Last Visit (UTC)",
+ "Last Sync (UTC)", "Location", "Contact Name", "Bday",
+ "Anniversary", "Emails", "Phones", "Links", "Company", "Title",
+ "Notes", "Total Contacts", "Count of Contacts in Cache"])
+ csv_writer.writerows(data)
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("IEF_DATABASE", help="Input IEF database")
+ parser.add_argument("OUTPUT_CSV", help="Output CSV")
+ args = parser.parse_args()
+
+ directory = os.path.dirname(args.OUTPUT_CSV)
+ if not os.path.exists(directory):
+ os.makedirs(directory)
+
+ if os.path.exists(args.IEF_DATABASE) and \
+ os.path.isfile(args.IEF_DATABASE):
+ main(args.IEF_DATABASE, args.OUTPUT_CSV)
+ else:
+ print(
+ "[-] Supplied input file {} does not exist or is not a "
+ "file".format(args.IEF_DATABASE))
+ sys.exit(1)
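Review bot: `process_contacts` indexes the cached JSON as if every field were present: `contact_json["total"]` and `["count"]` are read before the `"contacts"` check, and `c["name"]["middleName"]` and the birthday/anniversary parts are accessed directly, so one record that lacks a field, or one cache entry that is not valid JSON, aborts the whole export with KeyError or ValueError. Since the records come from a browser cache, tolerant access is safer, for example `name = " ".join(c["name"].get(k, "") for k in ("givenName", "middleName", "familyName"))` and `contact_json.get("total", "")`. The positional indexes `contact[0]` to `contact[8]` depend on the column order returned by `select *`, which the hunk does not establish; naming the columns in the query would make that explicit. In the `__main__` block, `os.path.dirname(args.OUTPUT_CSV)` is an empty string for a bare file name and `os.makedirs("")` raises, so the guard should be `if directory and not os.path.exists(directory):`.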
diff --git a/Chapter05/passive_lookup.py b/Chapter05/passive_lookup.py
new file mode 100644
index 0000000..205dbcd
--- /dev/null
+++ b/Chapter05/passive_lookup.py
@@ -0,0 +1,123 @@
+from __future__ import print_function
+import argparse
+import csv
+import json
+import os
+import subprocess
+import sys
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to perform recon on IP addresses and domains"
+
+
+def main(domain_file, output):
+ domains = set()
+ with open(domain_file) as infile:
+ for line in infile:
+ domains.add(line.strip())
+ json_data = query_domains(domains)
+ write_csv(json_data, output)
+
+
+def query_domains(domains):
+ json_data = []
+ print("[+] Querying {} domains/IPs using PassiveTotal API".format(
+ len(domains)))
+ for domain in domains:
+ if "https://" in domain:
+ domain = domain.replace("https://", "")
+ elif "http://" in domain:
+ domain = domain.replace("http://", "")
+
+ proc = subprocess.Popen(
+ ["pt-client", "pdns", "-q", domain], stdout=subprocess.PIPE)
+ results, err = proc.communicate()
+ result_json = json.loads(results.decode())
+ if "message" in result_json:
+ if "quota_exceeded" in result_json["message"]:
+ print("[-] API Search Quota Exceeded")
+ continue
+
+ result_count = result_json["totalRecords"]
+
+ print("[+] {} results for {}".format(result_count, domain))
+ if result_count == 0:
+ pass
+ else:
+ json_data.append(result_json["results"])
+
+ return json_data
+
+
+def write_csv(data, output):
+ if data == []:
+ print("[-] No output results to write")
+ sys.exit(2)
+
+ print("[+] Writing output for {} domains/IPs with "
+ "results to {}".format(len(data), output))
+ field_list = ["value", "firstSeen", "lastSeen", "collected",
+ "resolve", "resolveType", "source", "recordType",
+ "recordHash"]
+
+ with open(output, "w", newline="") as csvfile:
+ csv_writer = csv.DictWriter(csvfile, fieldnames=field_list)
+ csv_writer.writeheader()
+ for result in data:
+ for dictionary in result:
+ csv_writer.writerow(dictionary)
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("INPUT_DOMAINS",
+ help="Text File containing Domains and/or IPs")
+ parser.add_argument("OUTPUT_CSV",
+ help="Output CSV with lookup results")
+ args = parser.parse_args()
+
+ directory = os.path.dirname(args.OUTPUT_CSV)
+ if not os.path.exists(directory):
+ os.makedirs(directory)
+
+ if os.path.exists(args.INPUT_DOMAINS) and \
+ os.path.isfile(args.INPUT_DOMAINS):
+ main(args.INPUT_DOMAINS, args.OUTPUT_CSV)
+ else:
+ print(
+ "[-] Supplied input file {} does not exist or is not a "
+ "file".format(args.INPUT_DOMAINS))
+ sys.exit(1)
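Review bot: In `query_domains`, each line of the input file reaches the `pt-client` argument list unvalidated and the client's output goes straight into `json.loads`, so one bad entry or one empty reply ends the run with a traceback and discards the results already collected. `main` adds `line.strip()` to the set even when it is empty, and a value beginning with `-` may be read by the client as an option rather than a query. Skipping such entries before the call and treating unparseable output as a per-domain failure would keep the remaining lookups going.

```python
for domain in domains:
    # … unchanged: scheme stripping …
    if not domain or domain.startswith("-"):
        print("[-] Skipping invalid entry: {!r}".format(domain))
        continue

    # … unchanged: pt-client call and communicate() …
    try:
        result_json = json.loads(results.decode())
    except ValueError:
        print("[-] Unreadable pt-client output for {}".format(domain))
        continue
    # … unchanged: quota check and result collection …
```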
diff --git a/Chapter05/total_virus.py b/Chapter05/total_virus.py
new file mode 100644
index 0000000..14f5a3c
--- /dev/null
+++ b/Chapter05/total_virus.py
@@ -0,0 +1,198 @@
+from __future__ import print_function
+import argparse
+import csv
+import hashlib
+import json
+import os
+import requests
+import sys
+import time
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to review malicious websites or files with VT"
+
+
+def main(input_file, output, api, limit, type):
+ objects = set()
+ with open(input_file) as infile:
+ for line in infile:
+ if line.strip() != "":
+ objects.add(line.strip())
+ if type == "domain":
+ data = query_domain(objects, api, limit)
+ else:
+ data = query_file(objects, api, limit)
+ write_csv(data, output)
+
+
+def query_domain(domains, api, limit):
+ if not os.path.exists(api) and os.path.isfile(api):
+ print("[-] API key file {} does not exist or is not a file".format(
+ api))
+ sys.exit(2)
+
+ with open(api) as infile:
+ api = infile.read().strip()
+ json_data = []
+
+ print("[+] Querying {} Domains / IPs using VirusTotal API".format(
+ len(domains)))
+ count = 0
+ for domain in domains:
+ count += 1
+ params = {"resource": domain, "apikey": api, "scan": 1}
+ response = requests.post(
+ 'https://www.virustotal.com/vtapi/v2/url/report',
+ params=params)
+ json_response = response.json()
+ if "Scan finished" in json_response["verbose_msg"]:
+ json_data.append(json_response)
+
+ if limit and count == 3:
+ print("[+] Halting execution for a minute to comply with "
+ "public API key restrictions")
+ time.sleep(60)
+ print("[+] Continuing execution of remaining Domains / IPs")
+ count = 0
+
+ return json_data
+
+
+def query_file(files, api, limit):
+ if not os.path.exists(api) and os.path.isfile(api):
+ print("[-] API key file {} does not exist or is not a file".format(
+ api))
+ sys.exit(3)
+
+ with open(api) as infile:
+ api = infile.read().strip()
+ json_data = []
+
+ print("[+] Hashing and Querying {} Files using VirusTotal API".format(
+ len(files)))
+ count = 0
+ for file_entry in files:
+ if os.path.exists(file_entry):
+ file_hash = hash_file(file_entry)
+ elif len(file_entry) == 32:
+ file_hash = file_entry
+ else:
+ continue
+ count += 1
+ params = {"resource": file_hash, "apikey": api}
+ response = requests.post(
+ 'https://www.virustotal.com/vtapi/v2/file/report',
+ params=params)
+ json_response = response.json()
+ if "Scan finished" in json_response["verbose_msg"]:
+ json_data.append(json_response)
+
+ if limit and count == 3:
+ print("[+] Halting execution for a minute to comply with "
+ "public API key restrictions")
+ time.sleep(60)
+ print("[+] Continuing execution of remaining files")
+ count = 0
+
+ return json_data
+
+
+def hash_file(file_path):
+ sha256 = hashlib.sha256()
+ with open(file_path, 'rb') as open_file:
+ buff_size = 1024
+ buff = open_file.read(buff_size)
+
+ while buff:
+ sha256.update(buff)
+ buff = open_file.read(buff_size)
+ return sha256.hexdigest()
+
+
+def write_csv(data, output):
+ if data == []:
+ print("[-] No output results to write")
+ sys.exit(4)
+
+ print("[+] Writing output for {} domains with results to {}".format(
+ len(data), output))
+ flatten_data = []
+ field_list = ["URL", "Scan Date", "Service",
+ "Detected", "Result", "VirusTotal Link"]
+ for result in data:
+ for service in result["scans"]:
+ flatten_data.append(
+ {"URL": result.get("url", ""),
+ "Scan Date": result.get("scan_date", ""),
+ "VirusTotal Link": result.get("permalink", ""),
+ "Service": service,
+ "Detected": result["scans"][service]["detected"],
+ "Result": result["scans"][service]["result"]})
+
+ with open(output, "w", newline="") as csvfile:
+ csv_writer = csv.DictWriter(csvfile, fieldnames=field_list)
+ csv_writer.writeheader()
+ for result in flatten_data:
+ csv_writer.writerow(result)
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("INPUT_FILE",
+ help="Text File containing list of file paths/"
+ "hashes or domains/IPs")
+ parser.add_argument("OUTPUT_CSV",
+ help="Output CSV with lookup results")
+ parser.add_argument("API_KEY", help="Text File containing API key")
+ parser.add_argument("-t", "--type",
+ help="Type of data: file or domain",
+ choices=("file", "domain"), default="domain")
+ parser.add_argument(
+ "--limit", action="store_true",
+ help="Limit requests to comply with public API key restrictions")
+ args = parser.parse_args()
+
+ directory = os.path.dirname(args.OUTPUT_CSV)
+ if not os.path.exists(directory):
+ os.makedirs(directory)
+
+ if os.path.exists(args.INPUT_FILE) and os.path.isfile(args.INPUT_FILE):
+ main(args.INPUT_FILE, args.OUTPUT_CSV,
+ args.API_KEY, args.limit, args.type)
+ else:
+ print("[-] Supplied input file {} does not exist or is not a "
+ "file".format(args.INPUT_FILE))
+ sys.exit(1)
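Review bot: The API key file guard in `query_domain` and `query_file` can never fire: `not os.path.exists(api) and os.path.isfile(api)` is false for every path, because a path that does not exist is not a file either. A missing key file therefore surfaces as an unhandled exception from `open(api)`. `if not os.path.isfile(api):` expresses the intended check in both places. Separately, `requests.post(..., params=params)` places `apikey` in the URL query string, where proxies and web logs tend to record it; it is worth confirming whether the endpoint accepts the key in the request body (`data=params`) instead.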
diff --git a/Chapter05/virus_hashset.py b/Chapter05/virus_hashset.py
new file mode 100644
index 0000000..e6073d0
--- /dev/null
+++ b/Chapter05/virus_hashset.py
@@ -0,0 +1,111 @@
+from __future__ import print_function
+import argparse
+import os
+import ssl
+import sys
+import tqdm
+from urllib.request import urlopen
+import urllib.error
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to download and generate hashlists for malware"
+
+
+def main(hashset, **kwargs):
+ url = "https://virusshare.com/hashes.4n6"
+ print("[+] Identifying hash set range from {}".format(url))
+ context = ssl._create_unverified_context()
+
+ try:
+ index = urlopen(url, context=context).read().decode("utf-8")
+ except urllib.error.HTTPError as e:
+ print("[-] Error accessing webpage - exiting..")
+ sys.exit(1)
+ tag = index.rfind(r'
stop:
+ print("[-] Supplied start argument must be greater than or equal "
+ "to zero but less than the latest hash list, "
+ "currently: {}".format(stop))
+ sys.exit(2)
+
+ print("[+] Creating a hashset from hash lists {} to {}".format(
+ start, stop))
+ hashes_downloaded = 0
+ for x in tqdm.trange(start, stop + 1, unit_scale=True,
+ desc="Progress"):
+ url_hash = "https://virusshare.com/hashes/VirusShare_"\
+ "{}.md5".format(str(x).zfill(5))
+ try:
+ hashes = urlopen(
+ url_hash, context=context).read().decode("utf-8")
+ hashes_list = hashes.split("\n")
+ except urllib.error.HTTPError as e:
+ print("[-] Error accessing webpage for hash list {}"
+ " - continuing..".format(x))
+ continue
+
+ with open(hashset, "a+") as hashfile:
+ for line in hashes_list:
+ if not line.startswith("#") and line != "":
+ hashes_downloaded += 1
+ hashfile.write(line + '\n')
+
+ print("[+] Finished downloading {} hashes into {}".format(
+ hashes_downloaded, hashset))
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("OUTPUT_HASH", help="Output Hashset")
+ parser.add_argument("--start", type=int,
+ help="Optional starting location")
+ args = parser.parse_args()
+
+ directory = os.path.dirname(args.OUTPUT_HASH)
+ if not os.path.exists(directory):
+ os.makedirs(directory)
+
+ if args.start:
+ main(args.OUTPUT_HASH, start=args.start)
+ else:
+ main(args.OUTPUT_HASH)
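Review bot: `context = ssl._create_unverified_context()` in `main` turns off certificate and hostname verification for every download, so the index page and each hash list are accepted from whoever answers for the host on the network path. For a hash set that is later used to flag files as known malware, that leaves the output unauthenticated; `context = ssl.create_default_context()` keeps the same call sites with verification on. If a certificate problem on the site was the reason for the workaround, a comment saying so plus an explicit CA bundle would be safer than disabling the checks. Catching `urllib.error.URLError` (the parent of `HTTPError`) would also report connection failures the same way instead of raising.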
diff --git a/Chapter06/eml_parser.py b/Chapter06/eml_parser.py
new file mode 100644
index 0000000..71ccdf6
--- /dev/null
+++ b/Chapter06/eml_parser.py
@@ -0,0 +1,92 @@
+from __future__ import print_function
+from argparse import ArgumentParser, FileType
+from email import message_from_file
+import os
+import quopri
+import base64
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to parse text and attachments from EML files"
+
+
+def process_payload(payload):
+ print(payload.get_content_type() + "\n" + "=" * len(
+ payload.get_content_type()))
+ body = quopri.decodestring(payload.get_payload())
+ if payload.get_charset():
+ body = body.decode(payload.get_charset())
+ else:
+ try:
+ body = body.decode()
+ except UnicodeDecodeError:
+ body = body.decode('cp1252')
+
+ if payload.get_content_type() == "text/html":
+ outfile = os.path.basename(args.EML_FILE.name) + ".html"
+ open(outfile, 'w').write(body)
+ elif payload.get_content_type().startswith('application'):
+ outfile = open(payload.get_filename(), 'wb')
+ body = base64.b64decode(payload.get_payload())
+ outfile.write(body)
+ outfile.close()
+ print("Exported: {}\n".format(outfile.name))
+ else:
+ print(body)
+
+
+def main(input_file):
+ emlfile = message_from_file(input_file)
+
+ # Start with the headers
+ for key, value in emlfile._headers:
+ print("{}: {}".format(key, value))
+
+ # Read payload
+ print("\nBody\n")
+ if emlfile.is_multipart():
+ for part in emlfile.get_payload():
+ process_payload(part)
+ else:
+ process_payload(emlfile[1])
+
+
+if __name__ == '__main__':
+ parser = ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("EML_FILE",
+ help="Path to EML File", type=FileType('r'))
+ args = parser.parse_args()
+
+ main(args.EML_FILE)
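Review bot: In `process_payload`, the `application/*` branch opens `payload.get_filename()` as given, so the name chosen by the message's sender decides where the attachment is written. A name with directory components or an absolute path lands outside the working directory, and a part without a filename makes `open(None, 'wb')` fail. Reducing it to a bare name first, `name = os.path.basename(payload.get_filename() or "attachment.bin")` then `outfile = open(name, 'wb')`, keeps exports in one place (on POSIX, backslash separators would also need replacing). The non-multipart path in `main` calls `process_payload(emlfile[1])`, which is a header lookup rather than the message itself; `process_payload(emlfile)` appears to be what was meant.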
diff --git a/Chapter06/mbox_parser.py b/Chapter06/mbox_parser.py
new file mode 100644
index 0000000..d687a9d
--- /dev/null
+++ b/Chapter06/mbox_parser.py
@@ -0,0 +1,189 @@
+from __future__ import print_function
+from argparse import ArgumentParser
+import mailbox
+import os
+import time
+import csv
+from tqdm import tqdm
+import base64
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to parse the MBOX mail file format"
+
+
+def custom_reader(data_stream):
+ data = data_stream.read()
+ try:
+ content = data.decode("ascii")
+ except (UnicodeDecodeError, UnicodeEncodeError) as e:
+ content = data.decode("cp1252", errors="replace")
+ return mailbox.mboxMessage(content)
+
+
+def get_filename(msg):
+ if 'name=' in msg.get("Content-Disposition", "N/A"):
+ fname_data = msg["Content-Disposition"].replace("\r\n", " ")
+ fname = [x for x in fname_data.split("; ") if 'name=' in x]
+ file_name = fname[0].split("=", 1)[-1]
+
+ elif 'name=' in msg.get("Content-Type", "N/A"):
+ fname_data = msg["Content-Type"].replace("\r\n", " ")
+ fname = [x for x in fname_data.split("; ") if 'name=' in x]
+ file_name = fname[0].split("=", 1)[-1]
+
+ else:
+ file_name = "NO_FILENAME"
+
+ fchars = [x for x in file_name if x.isalnum() or x.isspace() or
+ x == "."]
+ return "".join(fchars)
+
+
+def export_content(msg, out_dir, content_data):
+ file_name = get_filename(msg)
+ file_ext = "FILE"
+ if "." in file_name:
+ file_ext = file_name.rsplit(".", 1)[-1]
+
+ file_name = "{}_{:.4f}.{}".format(
+ file_name.rsplit(".", 1)[0], time.time(), file_ext)
+ file_name = os.path.join(out_dir, file_name)
+
+ if isinstance(content_data, str):
+ open(file_name, 'w').write(content_data)
+ else:
+ open(file_name, 'wb').write(content_data)
+
+ return file_name
+
+
+def write_payload(msg, out_dir):
+ pyld = msg.get_payload()
+ export_path = []
+ if msg.is_multipart():
+ for entry in pyld:
+ export_path += write_payload(entry, out_dir)
+
+ else:
+ content_type = msg.get_content_type()
+ if "application/" in content_type.lower():
+ content = base64.b64decode(msg.get_payload())
+ export_path.append(export_content(msg, out_dir, content))
+ elif "image/" in content_type.lower():
+ content = base64.b64decode(msg.get_payload())
+ export_path.append(export_content(msg, out_dir, content))
+ elif "video/" in content_type.lower():
+ content = base64.b64decode(msg.get_payload())
+ export_path.append(export_content(msg, out_dir, content))
+ elif "audio/" in content_type.lower():
+ content = base64.b64decode(msg.get_payload())
+ export_path.append(export_content(msg, out_dir, content))
+ elif "text/csv" in content_type.lower():
+ content = base64.b64decode(msg.get_payload())
+ export_path.append(export_content(msg, out_dir, content))
+ elif "info/" in content_type.lower():
+ export_path.append(export_content(msg, out_dir,
+ msg.get_payload()))
+ elif "text/calendar" in content_type.lower():
+ export_path.append(export_content(msg, out_dir,
+ msg.get_payload()))
+ elif "text/rtf" in content_type.lower():
+ export_path.append(export_content(msg, out_dir,
+ msg.get_payload()))
+ else:
+ if "name=" in msg.get('Content-Disposition', "N/A"):
+ content = base64.b64decode(msg.get_payload())
+ export_path.append(export_content(msg, out_dir, content))
+ elif "name=" in msg.get('Content-Type', "N/A"):
+ content = base64.b64decode(msg.get_payload())
+ export_path.append(export_content(msg, out_dir, content))
+
+ return export_path
+
+
+def create_report(output_data, output_file, columns):
+ with open(output_file, 'w', newline="") as outfile:
+ csvfile = csv.DictWriter(outfile, columns)
+ csvfile.writeheader()
+ csvfile.writerows(output_data)
+
+
+def main(mbox_file, output_dir):
+ # Read in the MBOX File
+ print("Reading mbox file...")
+ mbox = mailbox.mbox(mbox_file, factory=custom_reader)
+ print("{} messages to parse".format(len(mbox)))
+
+ # Prep for loop
+ parsed_data = []
+ attachments_dir = os.path.join(output_dir, "attachments")
+ if not os.path.exists(attachments_dir):
+ os.makedirs(attachments_dir)
+ columns = ["Date", "From", "To", "Subject", "X-Gmail-Labels",
+ "Return-Path", "Received", "Content-Type", "Message-ID",
+ "X-GM-THRID", "num_attachments_exported", "export_path"]
+
+ # Iterate through mbox with progressbar
+ for message in tqdm(mbox):
+ # Preserve header information
+ msg_data = dict()
+ header_data = dict(message._headers)
+ for hdr in columns:
+ msg_data[hdr] = header_data.get(hdr, "N/A")
+
+ # Extract attachments
+ if len(message.get_payload()):
+ export_path = write_payload(message, attachments_dir)
+ msg_data['num_attachments_exported'] = len(export_path)
+ msg_data['export_path'] = ", ".join(export_path)
+
+ parsed_data.append(msg_data)
+
+ # Create CSV report
+ create_report(
+ parsed_data, os.path.join(output_dir, "mbox_report.csv"), columns
+ )
+
+
+if __name__ == '__main__':
+ parser = ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("MBOX", help="Path to mbox file")
+ parser.add_argument("OUTPUT_DIR",
+ help="Path to output directory to write report "
+ "and exported content")
+ args = parser.parse_args()
+
+ main(args.MBOX, args.OUTPUT_DIR)
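Review bot: `write_payload` decodes every exported part with `base64.b64decode(msg.get_payload())` regardless of the part's Content-Transfer-Encoding, so a quoted-printable, 7bit or 8bit attachment is either written out as garbage or raises on bad padding. An exception there ends the run before `create_report` writes anything. `content = msg.get_payload(decode=True)` decodes according to the declared transfer encoding and returns bytes, and would let the five identical base64 branches collapse into one. The header values copied into the CSV come from the mailbox unchanged, so the report should be treated as untrusted text when opened in a spreadsheet.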
diff --git a/Chapter06/msg_parser.py b/Chapter06/msg_parser.py
new file mode 100644
index 0000000..225fc47
--- /dev/null
+++ b/Chapter06/msg_parser.py
@@ -0,0 +1,139 @@
+from __future__ import print_function
+from argparse import ArgumentParser
+import os
+import win32com.client
+import pywintypes
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to read content from MSG files"
+
+
+def extract_msg_body(msg, out_dir):
+ # Extract HTML Data
+ html_data = msg.HTMLBody.encode('cp1252')
+ outfile = os.path.join(out_dir, os.path.basename(args.MSG_FILE))
+ open(outfile + ".body.html", 'wb').write(html_data)
+ print("Exported: {}".format(outfile + ".body.html"))
+
+ # Extract plain text
+ body_data = msg.Body.encode('cp1252')
+ open(outfile + ".body.txt", 'wb').write(body_data)
+ print("Exported: {}".format(outfile + ".body.txt"))
+
+
+def extract_attachments(msg, out_dir):
+ attachment_attribs = [
+ 'DisplayName', 'FileName', 'PathName', 'Position', 'Size'
+ ]
+ i = 1 # Attachments start at 1
+ while True:
+ try:
+ attachment = msg.Attachments(i)
+ except pywintypes.com_error:
+ break
+
+ print("\nAttachment {}".format(i))
+ print("=" * 15)
+ for entry in attachment_attribs:
+ print('{}: {}'.format(entry, getattr(attachment, entry,
+ "N/A")))
+ outfile = os.path.join(os.path.abspath(out_dir),
+ os.path.split(args.MSG_FILE)[-1])
+ if not os.path.exists(outfile):
+ os.makedirs(outfile)
+ outfile = os.path.join(outfile, attachment.FileName)
+ attachment.SaveAsFile(outfile)
+ print("Exported: {}".format(outfile))
+ i += 1
+
+
+def display_msg_attribs(msg):
+ # Display Message Attributes
+ attribs = [
+ 'Application', 'AutoForwarded', 'BCC', 'CC', 'Class',
+ 'ConversationID', 'ConversationTopic', 'CreationTime',
+ 'ExpiryTime', 'Importance', 'InternetCodePage', 'IsMarkedAsTask',
+ 'LastModificationTime', 'Links', 'OriginalDeliveryReportRequested',
+ 'ReadReceiptRequested', 'ReceivedTime', 'ReminderSet',
+ 'ReminderTime', 'ReplyRecipientNames', 'Saved', 'Sender',
+ 'SenderEmailAddress', 'SenderEmailType', 'SenderName', 'Sent',
+ 'SentOn', 'SentOnBehalfOfName', 'Size', 'Subject',
+ 'TaskCompletedDate', 'TaskDueDate', 'To', 'UnRead'
+ ]
+ print("\nMessage Attributes")
+ print("==================")
+ for entry in attribs:
+ print("{}: {}".format(entry, getattr(msg, entry, 'N/A')))
+
+
+def display_msg_recipients(msg):
+ # Display Recipient Information
+ recipient_attrib = [
+ 'Address', 'AutoResponse', 'Name', 'Resolved', 'Sendable'
+ ]
+ i = 1
+ while True:
+ try:
+ recipient = msg.Recipients(i)
+ except pywintypes.com_error:
+ break
+
+ print("\nRecipient {}".format(i))
+ print("=" * 15)
+ for entry in recipient_attrib:
+ print("{}: {}".format(entry, getattr(recipient, entry, 'N/A')))
+ i += 1
+
+
+def main(msg_file, output_dir):
+ mapi = win32com.client.Dispatch(
+ "Outlook.Application").GetNamespace("MAPI")
+ msg = mapi.OpenSharedItem(os.path.abspath(args.MSG_FILE))
+ display_msg_attribs(msg)
+ display_msg_recipients(msg)
+ extract_msg_body(msg, output_dir)
+ extract_attachments(msg, output_dir)
+
+
+if __name__ == '__main__':
+ parser = ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("MSG_FILE", help="Path to MSG file")
+ parser.add_argument("OUTPUT_DIR", help="Path to output folder")
+ args = parser.parse_args()
+ out_dir = args.OUTPUT_DIR
+ if not os.path.exists(out_dir):
+ os.makedirs(out_dir)
+ main(args.MSG_FILE, args.OUTPUT_DIR)
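Review bot: `extract_attachments` joins `attachment.FileName` onto the export directory and passes the result to `SaveAsFile` without reducing it to a bare file name. The name comes from the message being examined, and nothing visible here shows that directory components are stripped from it. `outfile = os.path.join(outfile, os.path.basename(attachment.FileName))` keeps each export inside the per-message folder. `main`, `extract_msg_body` and `extract_attachments` also read the global `args.MSG_FILE` rather than the `msg_file` parameter, so they only work when the file is run as a script; passing the path through would remove that coupling.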
diff --git a/Chapter06/pff_parser.py b/Chapter06/pff_parser.py
new file mode 100644
index 0000000..909c94e
--- /dev/null
+++ b/Chapter06/pff_parser.py
@@ -0,0 +1,145 @@
+from __future__ import print_function
+from argparse import ArgumentParser
+import csv
+import pypff
+import re
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to read content and metadata from PSTs and OSTs"
+
+
+def process_folders(pff_folder):
+ folder_name = pff_folder.name if pff_folder.name else "N/A"
+ print("Folder: {} (sub-dir: {}/sub-msg: {})".format(folder_name,
+ pff_folder.number_of_sub_folders,
+ pff_folder.number_of_sub_messages))
+
+ # Process messages within a folder
+ data_list = []
+ for msg in pff_folder.sub_messages:
+ data_dict = process_message(msg)
+ data_dict['folder'] = folder_name
+ data_list.append(data_dict)
+
+ # Process folders within a folder
+ for folder in pff_folder.sub_folders:
+ data_list += process_folders(folder)
+
+ return data_list
+
+
+def process_message(msg):
+ # Extract attributes
+ attribs = ['conversation_topic', 'number_of_attachments',
+ 'sender_name', 'subject']
+ data_dict = {}
+ for attrib in attribs:
+ data_dict[attrib] = getattr(msg, attrib, "N/A")
+
+ if msg.transport_headers is not None:
+ data_dict.update(process_headers(msg.transport_headers))
+
+ return data_dict
+
+
+def process_headers(header):
+ # Read and process header information
+ key_pattern = re.compile("^([A-Za-z\-]+:)(.*)$")
+ header_data = {}
+ for line in header.split("\r\n"):
+ if len(line) == 0:
+ continue
+
+ reg_result = key_pattern.match(line)
+ if reg_result:
+ key = reg_result.group(1).strip(":").strip()
+ value = reg_result.group(2).strip()
+ else:
+ value = line
+
+ if key.lower() in header_data:
+ if isinstance(header_data[key.lower()], list):
+ header_data[key.lower()].append(value)
+ else:
+ header_data[key.lower()] = [header_data[key.lower()],
+ value]
+ else:
+ header_data[key.lower()] = value
+ return header_data
+
+
+def write_data(outfile, data_list):
+ # Build out additional columns
+ print("Writing Report: ", outfile)
+ columns = ['folder', 'conversation_topic', 'number_of_attachments',
+ 'sender_name', 'subject']
+ formatted_data_list = []
+ for entry in data_list:
+ tmp_entry = {}
+
+ for k, v in entry.items():
+ if k not in columns:
+ columns.append(k)
+
+ if isinstance(v, list):
+ tmp_entry[k] = ", ".join(v)
+ else:
+ tmp_entry[k] = v
+ formatted_data_list.append(tmp_entry)
+
+ # Write CSV report
+ with open(outfile, 'wb') as openfile:
+ csvfile = csv.DictWriter(openfile, columns)
+ csvfile.writeheader()
+ csvfile.writerows(formatted_data_list)
+
+
+if __name__ == '__main__':
+ parser = ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("PFF_FILE", help="Path to PST or OST File")
+ parser.add_argument("CSV_REPORT", help="Path to CSV report location")
+ args = parser.parse_args()
+
+ # Open file
+ pff_obj = pypff.file()
+ pff_obj.open(args.PFF_FILE)
+
+ # Parse and close file
+ parsed_data = process_folders(pff_obj.root_folder)
+ pff_obj.close()
+
+ # Write CSV report
+ write_data(args.CSV_REPORT, parsed_data)
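Review bot: In `process_headers`, `key` is only assigned when a line matches `key_pattern`, so if the first non-empty line of `transport_headers` is not a `Name: value` line the following `key.lower()` raises `UnboundLocalError`. Initialising `key = None` before the loop and adding `if key is None: continue` after the match handles that case. Continuation lines are stored as extra values under the previous key, which may be intended but deserves a comment. `write_data` opens the report with `'wb'`, which `csv.DictWriter` rejects under Python 3; the other scripts in this commit use `open(output, "w", newline="")`.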
diff --git a/Chapter07/axiom_daily_out.py b/Chapter07/axiom_daily_out.py
new file mode 100644
index 0000000..edf9be5
--- /dev/null
+++ b/Chapter07/axiom_daily_out.py
@@ -0,0 +1,175 @@
+from __future__ import print_function
+from axiom import *
+from datetime import datetime
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Artifact for Axiom to process daily.out files from macOS"
+
+
+class ProcessDailyOut(object):
+ def __init__(self, daily_out):
+ self.daily_out = daily_out
+ self.disk_status_columns = ['Filesystem', 'Size', 'Used', 'Avail',
+ 'Capacity', 'iused', 'ifree', '%iused',
+ 'Mounted on']
+ self.report_columns = ['event_date', 'event_tz'] + \
+ self.disk_status_columns
+
+ def process_disk(self, disk_lines, event_dates):
+ if len(disk_lines) == 0:
+ return {}
+
+ processed_data = []
+ for line_count, line in enumerate(disk_lines):
+ if line_count == 0:
+ continue
+ prepped_lines = [x for x in line.split(" ") if
+ len(x.strip()) != 0]
+ disk_info = {
+ "event_date": event_dates[0],
+ "event_tz": event_dates[1]
+ }
+ for col_count, entry in enumerate(prepped_lines):
+ curr_col = self.disk_status_columns[col_count]
+ if "/Volumes/" in entry:
+ disk_info[curr_col] = " ".join(
+ prepped_lines[col_count:])
+ break
+ disk_info[curr_col] = entry.strip()
+ processed_data.append(disk_info)
+ return processed_data
+
+ def process_event(self, event_lines):
+ section_header = ""
+ section_data = []
+ event_data = {}
+ for line in event_lines:
+ if line.endswith(":"):
+ if len(section_data) > 0:
+ event_data[section_header] = section_data
+ section_data = []
+ section_header = ""
+
+ section_header = line.strip(":")
+
+ elif line.count(":") == 2:
+ try:
+ split_line = line.split()
+ timezone = split_line[4]
+ date_str = " ".join(split_line[:4] + [split_line[-1]])
+ try:
+ date_val = datetime.strptime(
+ date_str, "%a %b %d %H:%M:%S %Y")
+ except ValueError:
+ date_val = datetime.strptime(
+ date_str, "%a %b %d %H:%M:%S %Y")
+ event_data["event_date"] = [date_val, timezone]
+ section_data = []
+ section_header = ""
+ except ValueError:
+ section_data.append(line)
+ except IndexError:
+ section_data.append(line)
+
+ else:
+ if len(line):
+ section_data.append(line)
+ return self.process_disk(event_data.get("Disk status", []),
+ event_data.get("event_date", []))
+
+ def run(self):
+ event_lines = []
+ parsed_events = []
+ for raw_line in self.daily_out:
+ line = raw_line.strip()
+ if line == '-- End of daily output --':
+ parsed_events += self.process_event(event_lines)
+ event_lines = []
+ else:
+ event_lines.append(line)
+ return parsed_events
+
+
+class DailyOutArtifact(Artifact):
+ def __init__(self):
+ self.AddHunter(DailyOutHunter())
+
+ def GetName(self):
+ return 'daily.out parser'
+
+ def CreateFragments(self):
+ self.AddFragment('Snapshot Date - LocalTime (yyyy-mm-dd)',
+ Category.DateTimeLocal, FragmentType.DateTime)
+ self.AddFragment('Snapshot Timezone', Category.None,
+ FragmentType.String)
+ self.AddFragment('Volume Name',
+ Category.None, FragmentType.String)
+ self.AddFragment('Filesystem Mount',
+ Category.None, FragmentType.String)
+ self.AddFragment('Volume Size',
+ Category.None, FragmentType.String)
+ self.AddFragment('Volume Used',
+ Category.None, FragmentType.String)
+ self.AddFragment('Percentage Used',
+ Category.None, FragmentType.String)
+
+
+class DailyOutHunter(Hunter):
+
+ def __init__(self):
+ self.Platform = Platform.Computer
+
+ def Register(self, registrar):
+ registrar.RegisterFileName('daily.out')
+
+ def Hunt(self, context):
+ temp_daily_out = open(context.Searchable.FileCopy, 'r')
+
+ processor = ProcessDailyOut(temp_daily_out)
+ parsed_events = processor.run()
+ for entry in parsed_events:
+ hit = Hit()
+ hit.AddValue(
+ "Snapshot Date - LocalTime (yyyy-mm-dd)",
+ entry['event_date'].strftime("%Y-%m-%d %H:%M:%S"))
+ hit.AddValue("Snapshot Timezone", entry['event_tz'])
+ hit.AddValue("Volume Name", entry['Mounted on'])
+ hit.AddValue("Filesystem Mount", entry["Filesystem"])
+ hit.AddValue("Volume Size", entry['Size'])
+ hit.AddValue("Volume Used", entry['Used'])
+ hit.AddValue("Percentage Used", entry['Capacity'])
+ self.PublishHit(hit)
+
+ if temp_daily_out is not None:
+ temp_daily_out.close()
+
+RegisterArtifact(DailyOutArtifact())
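Review bot: `process_disk` indexes `event_dates[0]` and `event_dates[1]`, but `process_event` passes `event_data.get("event_date", [])`, so an event with a "Disk status" section and no parsable date line raises IndexError and aborts the whole run. For a parser fed evidence that may be truncated or altered, a guard such as `if len(disk_lines) == 0 or len(event_dates) < 2: return []` keeps the remaining events, and returning `[]` rather than `{}` matches the list that `run` concatenates. `process_event` also stores a section only when the next header line arrives, so the last section before the end marker is never saved. The inner `try`/`except ValueError` around `strptime` retries the identical format string and can be removed. The same `ProcessDailyOut` class is repeated in Chapter07/daily_parser.py with the same issues.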
diff --git a/Chapter07/daily_parser.py b/Chapter07/daily_parser.py
new file mode 100644
index 0000000..c1bde66
--- /dev/null
+++ b/Chapter07/daily_parser.py
@@ -0,0 +1,143 @@
+from __future__ import print_function
+from argparse import ArgumentParser, FileType
+from datetime import datetime
+import csv
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to interpret the daily.out log"
+
+
+class ProcessDailyOut(object):
+ def __init__(self, daily_out):
+ self.daily_out = daily_out
+ self.disk_status_columns = [
+ 'Filesystem', 'Size', 'Used', 'Avail', 'Capacity', 'iused',
+ 'ifree', '%iused', 'Mounted on']
+ self.report_columns = ['event_date', 'event_tz'] + \
+ self.disk_status_columns
+
+ def process_disk(self, disk_lines, event_dates):
+ if len(disk_lines) == 0:
+ return {}
+
+ processed_data = []
+ for line_count, line in enumerate(disk_lines):
+ if line_count == 0:
+ continue
+ prepped_lines = [x for x in line.split(" ")
+ if len(x.strip()) != 0]
+ disk_info = {
+ "event_date": event_dates[0],
+ "event_tz": event_dates[1]
+ }
+ for col_count, entry in enumerate(prepped_lines):
+ curr_col = self.disk_status_columns[col_count]
+ if "/Volumes/" in entry:
+ disk_info[curr_col] = " ".join(
+ prepped_lines[col_count:])
+ break
+ disk_info[curr_col] = entry.strip()
+ processed_data.append(disk_info)
+ return processed_data
+
+ def process_event(self, event_lines):
+ section_header = ""
+ section_data = []
+ event_data = {}
+ for line in event_lines:
+ if line.endswith(":"):
+ if len(section_data) > 0:
+ event_data[section_header] = section_data
+ section_data = []
+ section_header = ""
+
+ section_header = line.strip(":")
+
+ elif line.count(":") == 2:
+ try:
+ split_line = line.split()
+ timezone = split_line[4]
+ date_str = " ".join(split_line[:4] + [split_line[-1]])
+ try:
+ date_val = datetime.strptime(
+ date_str, "%a %b %d %H:%M:%S %Y")
+ except ValueError:
+ date_val = datetime.strptime(
+ date_str, "%a %b %d %H:%M:%S %Y")
+ event_data["event_date"] = [date_val, timezone]
+ section_data = []
+ section_header = ""
+ except ValueError:
+ section_data.append(line)
+ except IndexError:
+ section_data.append(line)
+
+ else:
+ if len(line):
+ section_data.append(line)
+ return self.process_disk(event_data.get("Disk status", []),
+ event_data.get("event_date", []))
+
+ def run(self):
+ event_lines = []
+ parsed_events = []
+ for raw_line in self.daily_out:
+ line = raw_line.strip()
+ if line == '-- End of daily output --':
+ parsed_events += self.process_event(event_lines)
+ event_lines = []
+ else:
+ event_lines.append(line)
+ return parsed_events
+
+
+def write_csv(outfile, fieldnames, data):
+ with open(outfile, 'w', newline="") as open_outfile:
+ csvfile = csv.DictWriter(open_outfile, fieldnames)
+ csvfile.writeheader()
+ csvfile.writerows(data)
+
+
+if __name__ == '__main__':
+ parser = ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("daily_out", help="Path to daily.out file",
+ type=FileType('r'))
+ parser.add_argument("output_report", help="Path to csv report")
+ args = parser.parse_args()
+
+ processor = ProcessDailyOut(args.daily_out)
+ parsed_events = processor.run()
+ write_csv(args.output_report, processor.report_columns, parsed_events)
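Review bot: `write_csv` calls `open(outfile, 'w', newline="")`, which Python 2's built-in `open` rejects with a TypeError. The `from __future__ import print_function` line and the `'wb'` CSV writers elsewhere in this patch suggest Python 2 is still meant to work, so either state in the module that it is Python 3 only or choose the open mode by interpreter version. The same `write_csv` is repeated in Chapter07/iis_parser.py and Chapter07/yara_scanner.py. The handle that `FileType('r')` opens for `daily_out` is also never closed after `processor.run()`.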
diff --git a/Chapter07/date_parser.py b/Chapter07/date_parser.py
new file mode 100644
index 0000000..5c27b4e
--- /dev/null
+++ b/Chapter07/date_parser.py
@@ -0,0 +1,105 @@
+from __future__ import print_function
+from argparse import ArgumentParser, ArgumentDefaultsHelpFormatter
+from datetime import datetime as dt
+from datetime import timedelta
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to interpret date values"
+
+
+class ParseDate(object):
+ def __init__(self, date_value, source, data_type):
+ self.date_value = date_value
+ self.source = source
+ self.data_type = data_type
+ self.timestamp = None
+
+ def run(self):
+ if self.source == 'unix-epoch':
+ self.parse_unix_epoch()
+ elif self.source == 'unix-epoch-ms':
+ self.parse_unix_epoch(True)
+ elif self.source == 'windows-filetime':
+ self.parse_windows_filetime()
+
+ @classmethod
+ def get_supported_formats(cls):
+ return ['unix-epoch', 'unix-epoch-ms', 'windows-filetime']
+
+ def parse_unix_epoch(self, milliseconds=False):
+ if self.data_type == 'hex':
+ conv_value = int(self.date_value)
+ if milliseconds:
+ conv_value = conv_value / 1000.0
+ elif self.data_type == 'number':
+ conv_value = float(self.date_value)
+ if milliseconds:
+ conv_value = conv_value / 1000.0
+ else:
+ print("Unsupported data type '{}' provided".format(
+ self.data_type))
+ sys.exit('1')
+
+ ts = dt.fromtimestamp(conv_value)
+ self.timestamp = ts.strftime('%Y-%m-%d %H:%M:%S.%f')
+
+ def parse_windows_filetime(self):
+ if self.data_type == 'hex':
+ microseconds = int(self.date_value, 16) / 10.0
+ elif self.data_type == 'number':
+ microseconds = float(self.date_value) / 10
+ else:
+ print("Unsupported data type '{}' provided".format(
+ self.data_type))
+ sys.exit('1')
+
+ ts = dt(1601, 1, 1) + timedelta(microseconds=microseconds)
+ self.timestamp = ts.strftime('%Y-%m-%d %H:%M:%S.%f')
+
+
+if __name__ == '__main__':
+ parser = ArgumentParser(
+ description=__description__,
+ formatter_class=ArgumentDefaultsHelpFormatter,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("date_value", help="Raw date value to parse")
+ parser.add_argument("source", help="Source format of date",
+ choices=ParseDate.get_supported_formats())
+ parser.add_argument("type", help="Data type of input value",
+ choices=('number', 'hex'), default='int')
+ args = parser.parse_args()
+
+ date_parser = ParseDate(args.date_value, args.source, args.type)
+ date_parser.run()
+ print(date_parser.timestamp)
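Review bot: In `parse_unix_epoch` the `hex` branch calls `int(self.date_value)` with no base, so a hexadecimal input either raises ValueError or, when it happens to contain only decimal digits, is silently read as base 10 and yields a wrong timestamp. `parse_windows_filetime` already uses `int(self.date_value, 16)` and this branch should do the same. Both methods call `sys.exit('1')` for an unsupported type, but `sys` is never imported in this file, so that path ends in NameError; add `import sys` and pass the integer `1`. The `type` positional declares `default='int'`, which argparse never applies to a required positional and which is not one of the listed choices.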
diff --git a/Chapter07/iis_parser.py b/Chapter07/iis_parser.py
new file mode 100644
index 0000000..70bccd3
--- /dev/null
+++ b/Chapter07/iis_parser.py
@@ -0,0 +1,130 @@
+from __future__ import print_function
+from argparse import ArgumentParser, FileType
+import re
+import shlex
+import logging
+import sys
+import csv
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to parse IIS logs"
+logger = logging.getLogger(__file__)
+
+iis_log_format = [
+ ("date", re.compile(r"\d{4}-\d{2}-\d{2}")),
+ ("time", re.compile(r"\d\d:\d\d:\d\d")),
+ ("s-ip", re.compile(
+ r"((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}")),
+ ("cs-method", re.compile(
+ r"(GET)|(POST)|(PUT)|(DELETE)|(OPTIONS)|(HEAD)|(CONNECT)")),
+ ("cs-uri-stem", re.compile(r"([A-Za-z0-1/\.-]*)")),
+ ("cs-uri-query", re.compile(r"([A-Za-z0-1/\.-]*)")),
+ ("s-port", re.compile(r"\d*")),
+ ("cs-username", re.compile(r"([A-Za-z0-1/\.-]*)")),
+ ("c-ip", re.compile(
+ r"((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}")),
+ ("cs(User-Agent)", re.compile(r".*")),
+ ("sc-status", re.compile(r"\d*")),
+ ("sc-substatus", re.compile(r"\d*")),
+ ("sc-win32-status", re.compile(r"\d*")),
+ ("time-taken", re.compile(r"\d*"))
+]
+
+
+def main(iis_log, report_file, logger):
+ parsed_logs = []
+ for raw_line in iis_log:
+ line = raw_line.strip()
+ log_entry = {}
+ if line.startswith("#") or len(line) == 0:
+ continue
+ if '\"' in line:
+ line_iter = shlex.shlex(line_iter)
+ else:
+ line_iter = line.split(" ")
+ for count, split_entry in enumerate(line_iter):
+ col_name, col_pattern = iis_log_format[count]
+ if col_pattern.match(split_entry):
+ log_entry[col_name] = split_entry
+ else:
+ logger.error("Unknown column pattern discovered. "
+ "Line preserved in full below")
+ logger.error("Unparsed Line: {}".format(line))
+
+ parsed_logs.append(log_entry)
+
+ logger.info("Parsed {} lines".format(len(parsed_logs)))
+
+ cols = [x[0] for x in iis_log_format]
+ logger.info("Creating report file: {}".format(report_file))
+ write_csv(report_file, cols, parsed_logs)
+ logger.info("Report created")
+
+
+def write_csv(outfile, fieldnames, data):
+ with open(outfile, 'w', newline="") as open_outfile:
+ csvfile = csv.DictWriter(open_outfile, fieldnames)
+ csvfile.writeheader()
+ csvfile.writerows(data)
+
+
+if __name__ == '__main__':
+ parser = ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument('iis_log', help="Path to IIS Log",
+ type=FileType('r'))
+ parser.add_argument('csv_report', help="Path to CSV report")
+ parser.add_argument('-l', help="Path to processing log",
+ default=__name__ + '.log')
+ args = parser.parse_args()
+
+ logger.setLevel(logging.DEBUG)
+ msg_fmt = logging.Formatter("%(asctime)-15s %(funcName)-10s "
+ "%(levelname)-8s %(message)s")
+
+ strhndl = logging.StreamHandler(sys.stdout)
+ strhndl.setFormatter(fmt=msg_fmt)
+ fhndl = logging.FileHandler(args.log, mode='a')
+ fhndl.setFormatter(fmt=msg_fmt)
+
+ logger.addHandler(strhndl)
+ logger.addHandler(fhndl)
+
+ logger.info("Starting IIS Parsing ")
+ logger.debug("Supplied arguments: {}".format(", ".join(sys.argv[1:])))
+ logger.debug("System " + sys.platform)
+ logger.debug("Version " + sys.version)
+ main(args.iis_log, args.csv_report, logger)
+ logger.info("IIS Parsing Complete")
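Review bot: In `main` the quoted-line branch runs `line_iter = shlex.shlex(line_iter)`, which reads `line_iter` before it is assigned on the first quoted line (NameError) and otherwise re-tokenises the previous line's fields; `line_iter = shlex.split(line)` is probably what was meant. The log option is declared as `-l` only, so argparse stores it as `args.l` and `logging.FileHandler(args.log, mode='a')` raises AttributeError; add `dest='log'` or a `--log` long name. Most column patterns are applied with `.match` and can match the empty string (`\d*`, `[A-Za-z0-1/\.-]*`, where `0-1` looks like a typo for `0-9`), so the "Unknown column pattern" check accepts nearly any value; anchoring the patterns at the end would make it meaningful. A line with more than fourteen fields also raises IndexError at `iis_log_format[count]`.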
diff --git a/Chapter07/splunk_connector.py b/Chapter07/splunk_connector.py
new file mode 100644
index 0000000..37c3a53
--- /dev/null
+++ b/Chapter07/splunk_connector.py
@@ -0,0 +1,189 @@
+from __future__ import print_function
+from argparse import ArgumentParser, ArgumentError
+from argparse import ArgumentDefaultsHelpFormatter
+import splunklib.client as client
+import splunklib.results as results
+import os
+import sys
+import csv
+
+if sys.version_info.major != 2:
+ print("Invalid python version. Must use Python 2 due to splunk api "
+ "library")
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to ingest, query, and export data with Splunk"
+
+
+class Spelunking(object):
+ def __init__(self, service, action, index_name, cols):
+ self.service = service
+ self.action = action
+ self.index = index_name
+ self.file = None
+ self.query = None
+ self.sid = None
+ self.job = None
+ self.cols = cols
+
+ def run(self):
+ index_obj = self.get_or_create_index()
+ if self.action == 'index':
+ self.index_data(index_obj)
+ elif self.action == 'query':
+ self.query_index()
+ elif self.action == 'export':
+ self.export_report()
+ return
+
+ def get_or_create_index(self):
+ # Create a new index
+ if self.index not in self.service.indexes:
+ return service.indexes.create(self.index)
+ else:
+ return self.service.indexes[self.index]
+
+ def index_data(self, splunk_index):
+ splunk_index.upload(self.file)
+
+ def query_index(self):
+ self.query = self.query + "| fields + " + ", ".join(self.cols)
+ self.job = self.service.jobs.create(self.query, rf=self.cols)
+ self.sid = self.job.sid
+ print("Query job {} created. will expire in {} seconds".format(
+ self.sid, self.job['ttl']))
+
+ def export_report(self):
+ job_obj = None
+ for j in self.service.jobs:
+ if j.sid == self.sid:
+ job_obj = j
+
+ if job_obj is None:
+ print("Job SID {} not found. Did it expire?".format(self.sid))
+ sys.exit()
+
+ if not job_obj.is_ready():
+ print("Job SID {} is still processing. "
+ "Please wait to re-run".format(self.sir))
+
+ export_data = []
+ job_results = job_obj.results(rf=self.cols)
+ for result in results.ResultsReader(job_results):
+ export_data.append(result)
+
+ self.write_csv(self.file, self.cols, export_data)
+
+ @staticmethod
+ def write_csv(outfile, fieldnames, data):
+ with open(outfile, 'wb') as open_outfile:
+ csvfile = csv.DictWriter(open_outfile, fieldnames,
+ extrasaction="ignore")
+ csvfile.writeheader()
+ csvfile.writerows(data)
+
+
+if __name__ == '__main__':
+ parser = ArgumentParser(
+ description=__description__,
+ formatter_class=ArgumentDefaultsHelpFormatter,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument('action', help="Action to run",
+ choices=['index', 'query', 'export'])
+ parser.add_argument('--index-name', help="Name of splunk index",
+ required=True)
+ parser.add_argument('--config',
+ help="Place where login details are stored."
+ " Should have the username on the first line and"
+ " the password on the second."
+ " Please Protect this file!",
+ default=os.path.expanduser("~/.splunk_py.ini"))
+ parser.add_argument('--file', help="Path to file")
+ parser.add_argument('--query', help="Splunk query to run or sid of "
+ "existing query to export")
+ parser.add_argument(
+ '--cols',
+ help="Speficy columns to export. comma seperated list",
+ default='_time,date,time,sc_status,c_ip,s_ip,cs_User_Agent')
+ parser.add_argument('--host', help="hostname of server",
+ default="localhost")
+ parser.add_argument('--port', help="help", default="8089")
+ args = parser.parse_args()
+
+ with open(args.config, 'r') as open_conf:
+ username, password = [x.strip() for x in open_conf.readlines()]
+ conn_dict = {'host': args.host, 'port': int(args.port),
+ 'username': username, 'password': password}
+ del(username)
+ del(password)
+ service = client.connect(**conn_dict)
+ del(conn_dict)
+
+ if len(service.apps) == 0:
+ print("Login likely unsuccessful, cannot find any applications")
+ sys.exit()
+
+ cols = args.cols.split(",")
+ spelunking = Spelunking(service, args.action, args.index_name, cols)
+
+ if spelunking.action == 'index':
+ if 'file' not in vars(args):
+ ArgumentError('--file parameter required')
+ sys.exit()
+ else:
+ spelunking.file = os.path.abspath(args.file)
+
+ elif spelunking.action == 'export':
+ if 'file' not in vars(args):
+ ArgumentError('--file parameter required')
+ sys.exit()
+ if 'query' not in vars(args):
+ ArgumentError('--query parameter required')
+ sys.exit()
+ spelunking.file = os.path.abspath(args.file)
+ spelunking.sid = args.query
+
+ elif spelunking.action == 'query':
+ if 'query' not in vars(args):
+ ArgumentError('--query parameter required')
+ sys.exit()
+ else:
+ spelunking.query = "search index={} {}".format(args.index_name,
+ args.query)
+
+ else:
+ ArgumentError('Unknown action required')
+ sys.exit()
+
+ spelunking.run()
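Review bot: The argument checks in the `__main__` block never fire: argparse always sets `args.file` and `args.query` (to `None` when omitted), so `'file' not in vars(args)` is always false, and `ArgumentError(...)` is only constructed, never raised. A missing `--file` therefore reaches `os.path.abspath(args.file)` with `None`; use `if args.file is None: parser.error('--file parameter required')` and the same for `--query`. In the class, `get_or_create_index` calls the module-level `service` rather than `self.service`, and `export_report` formats `self.sir` (presumably `self.sid`) and then goes on to read results from a job that is not ready. The Python-version check at the top prints a message but does not exit. Since the `--config` file holds the Splunk password in clear text, it would be worth refusing to run when that file is readable by group or others.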
diff --git a/Chapter07/yara_scanner.py b/Chapter07/yara_scanner.py
new file mode 100644
index 0000000..708f2dd
--- /dev/null
+++ b/Chapter07/yara_scanner.py
@@ -0,0 +1,117 @@
+from __future__ import print_function
+from argparse import ArgumentParser, ArgumentDefaultsHelpFormatter
+import os
+import csv
+import yara
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to scan for matching patterns within files"
+
+
+def process_directory(yrules, folder_path):
+ match_info = []
+ for root, _, files in os.walk(folder_path):
+ for entry in files:
+ file_entry = os.path.join(root, entry)
+ match_info += process_file(yrules, file_entry)
+ return match_info
+
+
+def process_file(yrules, file_path):
+ match = yrules.match(file_path)
+ match_info = []
+ for rule_set in match:
+ for hit in rule_set.strings:
+ match_info.append({
+ 'file_name': file_path,
+ 'rule_name': rule_set.rule,
+ 'rule_tag': ",".join(rule_set.tags),
+ 'hit_offset': hit[0],
+ 'rule_string': hit[1],
+ 'hit_value': hit[2]
+ })
+ return match_info
+
+
+def write_csv(outfile, fieldnames, data):
+ with open(outfile, 'w', newline="") as open_outfile:
+ csvfile = csv.DictWriter(open_outfile, fieldnames)
+ csvfile.writeheader()
+ csvfile.writerows(data)
+
+
+def write_stdout(columns, match_info):
+ for entry in match_info:
+ for col in columns:
+ print("{}: {}".format(col, entry[col]))
+ print("=" * 30)
+
+
+def main(yara_rules, path_to_scan, output):
+ if os.path.isdir(yara_rules):
+ yrules = yara.compile(yara_rules)
+ else:
+ yrules = yara.compile(filepath=yara_rules)
+
+ if os.path.isdir(path_to_scan):
+ match_info = process_directory(yrules, path_to_scan)
+ else:
+ match_info = process_file(yrules, path_to_scan)
+
+ columns = ['rule_name', 'hit_value', 'hit_offset', 'file_name',
+ 'rule_string', 'rule_tag']
+
+ if output is None:
+ write_stdout(columns, match_info)
+ else:
+ write_csv(output, columns, match_info)
+
+
+if __name__ == '__main__':
+ parser = ArgumentParser(
+ description=__description__,
+ formatter_class=ArgumentDefaultsHelpFormatter,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument(
+ 'yara_rules',
+ help="Path to Yara rule to scan with. May be file or folder path.")
+ parser.add_argument(
+ 'path_to_scan',
+ help="Path to file or folder to scan")
+ parser.add_argument(
+ '--output',
+ help="Path to output a CSV report of scan results")
+ args = parser.parse_args()
+
+ main(args.yara_rules, args.path_to_scan, args.output)
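Review bot: In `main`, the directory branch calls `yara.compile(yara_rules)`, whose first positional parameter is `filepath`, so it is the same call as the `else` branch and a folder of rules, which the help text promises to accept, fails to compile. Collect the rule files and pass them through `filepaths`, as in the excerpt below. Separately, `process_file` lets any `yara.Error` raised by `yrules.match` (for example on an unreadable file) propagate, which ends a directory scan at the first such file; catching it per file and recording the path keeps the scan's coverage known.

```python
def main(yara_rules, path_to_scan, output):
    if os.path.isdir(yara_rules):
        # Namespace each rule file by its own path so that rule names
        # from different files cannot collide.
        rule_files = {}
        for root, _, files in os.walk(yara_rules):
            for entry in files:
                rule_path = os.path.join(root, entry)
                rule_files[rule_path] = rule_path
        yrules = yara.compile(filepaths=rule_files)
    else:
        yrules = yara.compile(filepath=yara_rules)
    # ... unchanged: scan dispatch and output selection ...
```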
diff --git a/Chapter08/evidence_metadata.py b/Chapter08/evidence_metadata.py
new file mode 100644
index 0000000..6d54400
--- /dev/null
+++ b/Chapter08/evidence_metadata.py
@@ -0,0 +1,135 @@
+from __future__ import print_function
+import argparse
+import os
+import pytsk3
+import pyewf
+import sys
+from tabulate import tabulate
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to gather metadata from evidence containers"
+
+
+class EWFImgInfo(pytsk3.Img_Info):
+ def __init__(self, ewf_handle):
+ self._ewf_handle = ewf_handle
+ super(EWFImgInfo, self).__init__(url="",
+ type=pytsk3.TSK_IMG_TYPE_EXTERNAL)
+
+ def close(self):
+ self._ewf_handle.close()
+
+ def read(self, offset, size):
+ self._ewf_handle.seek(offset)
+ return self._ewf_handle.read(size)
+
+ def get_size(self):
+ return self._ewf_handle.get_media_size()
+
+
+def main(image, img_type, part_type):
+ print("[+] Opening {}".format(image))
+ if img_type == "ewf":
+ try:
+ filenames = pyewf.glob(image)
+ except IOError:
+ print("[-] Invalid EWF format:\n {}".format(e))
+ sys.exit(2)
+
+ ewf_handle = pyewf.handle()
+ ewf_handle.open(filenames)
+ e01_metadata(ewf_handle)
+
+ # Open PYTSK3 handle on EWF Image
+ img_info = EWFImgInfo(ewf_handle)
+ else:
+ img_info = pytsk3.Img_Info(image)
+
+ try:
+ if part_type is not None:
+ attr_id = getattr(pytsk3, "TSK_VS_TYPE_" + part_type)
+ volume = pytsk3.Volume_Info(img_info, attr_id)
+ else:
+ volume = pytsk3.Volume_Info(img_info)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ print("[-] Unable to read partition table:\n {}".format(e))
+ sys.exit(3)
+ part_metadata(volume)
+
+
+def part_metadata(vol):
+ table = [["Index", "Type", "Offset Start (Sectors)",
+ "Length (Sectors)"]]
+ for part in vol:
+ table.append([part.addr, part.desc.decode("utf-8"), part.start,
+ part.len])
+ print("\n Partition Metadata")
+ print("-" * 20)
+ print(tabulate(table, headers="firstrow"))
+
+
+def e01_metadata(e01_image):
+ print("\nEWF Acquisition Metadata")
+ print("-" * 20)
+ headers = e01_image.get_header_values()
+ hashes = e01_image.get_hash_values()
+ for k in headers:
+ print("{}: {}".format(k, headers[k]))
+ for h in hashes:
+ print("Acquisition {}: {}".format(h, hashes[h]))
+ print("Bytes per Sector: {}".format(e01_image.bytes_per_sector))
+ print("Number of Sectors: {}".format(
+ e01_image.get_number_of_sectors()))
+ print("Total Size: {}".format(e01_image.get_media_size()))
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("EVIDENCE_FILE", help="Evidence file path")
+ parser.add_argument("TYPE", help="Type of Evidence",
+ choices=("raw", "ewf"))
+ parser.add_argument("-p", help="Partition Type",
+ choices=("DOS", "GPT", "MAC", "SUN"))
+ args = parser.parse_args()
+
+ if os.path.exists(args.EVIDENCE_FILE) and \
+ os.path.isfile(args.EVIDENCE_FILE):
+ main(args.EVIDENCE_FILE, args.TYPE, args.p)
+ else:
+ print("[-] Supplied input file {} does not exist or is not a "
+ "file".format(args.EVIDENCE_FILE))
+ sys.exit(1)
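Review bot: The first `except IOError:` in `main` formats `e`, which is never bound in that handler, so an invalid EWF path produces NameError instead of the intended message and exit code 2; add `_, e, _ = sys.exc_info()` as the partition-table handler further down does. `part.desc.decode("utf-8")` in `part_metadata` raises on a descriptor that is not valid UTF-8; if that can occur with damaged images, `part.desc.decode("utf-8", "replace")` keeps the table printing. Neither `ewf_handle` nor `img_info` is closed on the `sys.exit(3)` path or after `part_metadata` returns.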
diff --git a/Chapter08/extract_file_type.py b/Chapter08/extract_file_type.py
new file mode 100644
index 0000000..fb37847
--- /dev/null
+++ b/Chapter08/extract_file_type.py
@@ -0,0 +1,200 @@
+from __future__ import print_function
+import argparse
+import csv
+import os
+import pytsk3
+import pyewf
+import sys
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to extract files from evidence containers"
+
+
+def main(image, img_type, ext, output, part_type):
+ volume = None
+ print("[+] Opening {}".format(image))
+ if img_type == "ewf":
+ try:
+ filenames = pyewf.glob(image)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ print("[-] Invalid EWF format:\n {}".format(e))
+ sys.exit(2)
+
+ ewf_handle = pyewf.handle()
+ ewf_handle.open(filenames)
+
+ # Open PYTSK3 handle on EWF Image
+ img_info = EWFImgInfo(ewf_handle)
+ else:
+ img_info = pytsk3.Img_Info(image)
+
+ try:
+ if part_type is not None:
+ attr_id = getattr(pytsk3, "TSK_VS_TYPE_" + part_type)
+ volume = pytsk3.Volume_Info(img_info, attr_id)
+ else:
+ volume = pytsk3.Volume_Info(img_info)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ print("[-] Unable to read partition table:\n {}".format(e))
+
+ open_fs(volume, img_info, ext, output)
+
+
+def open_fs(vol, img, ext, output):
+ # Open FS and Recurse
+ print("[+] Recursing through files and writing file extension matches "
+ "to output directory")
+ if vol is not None:
+ for part in vol:
+ if part.len > 2048 and "Unallocated" not in part.desc \
+ and "Extended" not in part.desc \
+ and "Primary Table" not in part.desc:
+ try:
+ fs = pytsk3.FS_Info(
+ img, offset=part.start * vol.info.block_size)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ print("[-] Unable to open FS:\n {}".format(e))
+ root = fs.open_dir(path="/")
+ recurse_files(part.addr, fs, root, [], [""], ext, output)
+
+ else:
+ try:
+ fs = pytsk3.FS_Info(img)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ print("[-] Unable to open FS:\n {}".format(e))
+ root = fs.open_dir(path="/")
+ recurse_files(1, fs, root, [], [""], ext, output)
+
+
+def recurse_files(part, fs, root_dir, dirs, parent, ext, output):
+ extensions = [x.strip().lower() for x in ext.split(',')]
+ dirs.append(root_dir.info.fs_file.meta.addr)
+ for fs_object in root_dir:
+ # Skip ".", ".." or directory entries without a name.
+ if not hasattr(fs_object, "info") or \
+ not hasattr(fs_object.info, "name") or \
+ not hasattr(fs_object.info.name, "name") or \
+ fs_object.info.name.name in [".", ".."]:
+ continue
+ try:
+ file_name = fs_object.info.name.name
+ file_path = "{}/{}".format("/".join(parent),
+ fs_object.info.name.name)
+ try:
+ if fs_object.info.meta.type == pytsk3.TSK_FS_META_TYPE_DIR:
+ f_type = "DIR"
+ file_ext = ""
+ else:
+ f_type = "FILE"
+ if "." in file_name:
+ file_ext = file_name.rsplit(".")[-1].lower()
+ else:
+ file_ext = ""
+ except AttributeError:
+ continue
+
+ if file_ext.strip() in extensions:
+ print("{}".format(file_path))
+ file_writer(fs_object, file_name, file_ext, file_path,
+ output)
+
+ if f_type == "DIR":
+ parent.append(fs_object.info.name.name)
+ sub_directory = fs_object.as_directory()
+ inode = fs_object.info.meta.addr
+ if inode not in dirs:
+ recurse_files(part, fs, sub_directory, dirs,
+ parent, ext, output)
+ parent.pop(-1)
+
+ except IOError:
+ pass
+ dirs.pop(-1)
+
+
+def file_writer(fs_object, name, ext, path, output):
+ output_dir = os.path.join(output, ext,
+ os.path.dirname(path.lstrip("//")))
+ if not os.path.exists(output_dir):
+ os.makedirs(output_dir)
+ with open(os.path.join(output_dir, name), "w") as outfile:
+ outfile.write(fs_object.read_random(0, fs_object.info.meta.size))
+
+
+class EWFImgInfo(pytsk3.Img_Info):
+ def __init__(self, ewf_handle):
+ self._ewf_handle = ewf_handle
+ super(EWFImgInfo, self).__init__(
+ url="", type=pytsk3.TSK_IMG_TYPE_EXTERNAL)
+
+ def close(self):
+ self._ewf_handle.close()
+
+ def read(self, offset, size):
+ self._ewf_handle.seek(offset)
+ return self._ewf_handle.read(size)
+
+ def get_size(self):
+ return self._ewf_handle.get_media_size()
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("EVIDENCE_FILE", help="Evidence file path")
+ parser.add_argument("TYPE", help="Type of Evidence",
+ choices=("raw", "ewf"))
+ parser.add_argument("EXT",
+ help="Comma-delimited file extensions to extract")
+ parser.add_argument("OUTPUT_DIR", help="Output Directory")
+ parser.add_argument("-p", help="Partition Type",
+ choices=("DOS", "GPT", "MAC", "SUN"))
+ args = parser.parse_args()
+
+ if not os.path.exists(args.OUTPUT_DIR):
+ os.makedirs(args.OUTPUT_DIR)
+
+ if os.path.exists(args.EVIDENCE_FILE) and \
+ os.path.isfile(args.EVIDENCE_FILE):
+ main(args.EVIDENCE_FILE, args.TYPE, args.EXT, args.OUTPUT_DIR,
+ args.p)
+ else:
+ print("[-] Supplied input file {} does not exist or is not a "
+ "file".format(args.EVIDENCE_FILE))
+ sys.exit(1)
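Review bot: `file_writer` builds its destination from file and directory names read out of the evidence image and opens it with `"w"`, and nothing checks that the result stays under `OUTPUT_DIR`; binary content also goes through a text-mode handle (newline translation on Windows, a TypeError on Python 3). I would resolve the target with `os.path.realpath`, skip anything that falls outside the output directory, and open with `"wb"`; `write_file` in Chapter10/evt_explorer.py uses the same `"w"` mode. Separately, `open_fs` here, and its copies in recurse_files.py and search_evidence_hashes.py, carries on to `fs.open_dir` after a failed `pytsk3.FS_Info`, so `fs` is either unbound or still the previous partition's handle; a `continue` (or a `return` in the no-volume branch) after the error message would avoid that.

```python
def file_writer(fs_object, name, ext, path, output):
    # Names and paths come from the evidence image, so confirm the
    # resolved target stays inside the output directory before writing.
    root = os.path.join(os.path.realpath(output), "")
    output_dir = os.path.realpath(
        os.path.join(root, ext, os.path.dirname(path.lstrip("/"))))
    target = os.path.realpath(os.path.join(output_dir, name))
    if not target.startswith(root):
        print("[-] Skipping {}: resolves outside output directory".format(
            path))
        return
    if not os.path.exists(output_dir):
        os.makedirs(output_dir)
    # Binary mode: extracted content must be written byte-for-byte.
    with open(target, "wb") as outfile:
        outfile.write(fs_object.read_random(0, fs_object.info.meta.size))
```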
diff --git a/Chapter08/open_evidence.py b/Chapter08/open_evidence.py
new file mode 100644
index 0000000..43f3a69
--- /dev/null
+++ b/Chapter08/open_evidence.py
@@ -0,0 +1,118 @@
+from __future__ import print_function
+import argparse
+import os
+import pytsk3
+import pyewf
+import sys
+from tabulate import tabulate
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to gather open evidence containers"
+
+
+class EWFImgInfo(pytsk3.Img_Info):
+ def __init__(self, ewf_handle):
+ self._ewf_handle = ewf_handle
+ super(EWFImgInfo, self).__init__(url="",
+ type=pytsk3.TSK_IMG_TYPE_EXTERNAL)
+
+ def close(self):
+ self._ewf_handle.close()
+
+ def read(self, offset, size):
+ self._ewf_handle.seek(offset)
+ return self._ewf_handle.read(size)
+
+ def get_size(self):
+ return self._ewf_handle.get_media_size()
+
+
+def main(image, img_type, offset):
+ print("[+] Opening {}".format(image))
+ if img_type == "ewf":
+ try:
+ filenames = pyewf.glob(image)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ print("[-] Invalid EWF format:\n {}".format(e))
+ sys.exit(2)
+ ewf_handle = pyewf.handle()
+ ewf_handle.open(filenames)
+ # Open PYTSK3 handle on EWF Image
+ img_info = EWFImgInfo(ewf_handle)
+ else:
+ img_info = pytsk3.Img_Info(image)
+
+ # Get Filesystem Handle
+ try:
+ fs = pytsk3.FS_Info(img_info, offset)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ print("[-] Unable to open FS:\n {}".format(e))
+ exit()
+
+ root_dir = fs.open_dir(path="/")
+ table = [["Name", "Type", "Size", "Create Date", "Modify Date"]]
+ for f in root_dir:
+ name = f.info.name.name
+ if f.info.meta.type == pytsk3.TSK_FS_META_TYPE_DIR:
+ f_type = "DIR"
+ else:
+ f_type = "FILE"
+ size = f.info.meta.size
+ create = f.info.meta.crtime
+ modify = f.info.meta.mtime
+ table.append([name, f_type, size, create, modify])
+ print(tabulate(table, headers="firstrow"))
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("EVIDENCE_FILE", help="Evidence file path")
+ parser.add_argument("TYPE",
+ help="Type of evidence: raw (dd) or EWF (E01)",
+ choices=("raw", "ewf"))
+ parser.add_argument("-o", "--offset",
+ help="Partition byte offset", type=int)
+ args = parser.parse_args()
+
+ if os.path.exists(args.EVIDENCE_FILE) and \
+ os.path.isfile(args.EVIDENCE_FILE):
+ main(args.EVIDENCE_FILE, args.TYPE, args.offset)
+ else:
+ print("[-] Supplied input file {} does not exist or is not a "
+ "file".format(args.EVIDENCE_FILE))
+ sys.exit(1)
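Review bot: The `except IOError` branch around `pytsk3.FS_Info` ends with a bare `exit()`, which reports status 0 after a failure and relies on the `site` builtin rather than `sys.exit`; the EWF branch just above uses `sys.exit(2)`, so `sys.exit(3)` here would keep failures distinguishable for callers. When `-o` is omitted `args.offset` is `None` and is passed straight through as the offset, which I would expect pytsk3 to reject; adding `default=0` to the `--offset` argument makes the no-offset case explicit. The listing loop also reads `f.info.meta.type` without the `AttributeError` guard that `recurse_files` uses elsewhere in this patch, so an entry without metadata would presumably abort the listing.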
diff --git a/Chapter08/recurse_files.py b/Chapter08/recurse_files.py
new file mode 100644
index 0000000..096617e
--- /dev/null
+++ b/Chapter08/recurse_files.py
@@ -0,0 +1,219 @@
+from __future__ import print_function
+import argparse
+import csv
+from datetime import datetime
+import os
+import pytsk3
+import pyewf
+import sys
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to iterate over files in an evidence containers"
+
+
+def main(image, img_type, output, part_type):
+ volume = None
+ print("[+] Opening {}".format(image))
+ if img_type == "ewf":
+ try:
+ filenames = pyewf.glob(image)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ print("[-] Invalid EWF format:\n {}".format(e))
+ sys.exit(2)
+
+ ewf_handle = pyewf.handle()
+ ewf_handle.open(filenames)
+
+ # Open PYTSK3 handle on EWF Image
+ img_info = EWFImgInfo(ewf_handle)
+ else:
+ img_info = pytsk3.Img_Info(image)
+
+ try:
+ if part_type is not None:
+ attr_id = getattr(pytsk3, "TSK_VS_TYPE_" + part_type)
+ volume = pytsk3.Volume_Info(img_info, attr_id)
+ else:
+ volume = pytsk3.Volume_Info(img_info)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ print("[-] Unable to read partition table:\n {}".format(e))
+
+ open_fs(volume, img_info, output)
+
+
+def open_fs(vol, img, output):
+ print("[+] Recursing through files..")
+ recursed_data = []
+ # Open FS and Recurse
+ if vol is not None:
+ for part in vol:
+ if part.len > 2048 and "Unallocated" not in part.desc and \
+ "Extended" not in part.desc and \
+ "Primary Table" not in part.desc:
+ try:
+ fs = pytsk3.FS_Info(
+ img, offset=part.start * vol.info.block_size)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ print("[-] Unable to open FS:\n {}".format(e))
+ root = fs.open_dir(path="/")
+ data = recurse_files(part.addr, fs, root, [], [], [""])
+ recursed_data.append(data)
+
+ else:
+ try:
+ fs = pytsk3.FS_Info(img)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ print("[-] Unable to open FS:\n {}".format(e))
+ root = fs.open_dir(path="/")
+ data = recurse_files(1, fs, root, [], [], [""])
+ recursed_data.append(data)
+ write_csv(recursed_data, output)
+
+
+def recurse_files(part, fs, root_dir, dirs, data, parent):
+ dirs.append(root_dir.info.fs_file.meta.addr)
+ for fs_object in root_dir:
+ # Skip ".", ".." or directory entries without a name.
+ if not hasattr(fs_object, "info") or \
+ not hasattr(fs_object.info, "name") or \
+ not hasattr(fs_object.info.name, "name") or \
+ fs_object.info.name.name in [".", ".."]:
+ continue
+ try:
+ file_name = fs_object.info.name.name
+ file_path = "{}/{}".format(
+ "/".join(parent), fs_object.info.name.name)
+ try:
+ if fs_object.info.meta.type == pytsk3.TSK_FS_META_TYPE_DIR:
+ f_type = "DIR"
+ file_ext = ""
+ else:
+ f_type = "FILE"
+ if "." in file_name:
+ file_ext = file_name.rsplit(".")[-1].lower()
+ else:
+ file_ext = ""
+ except AttributeError:
+ continue
+
+ size = fs_object.info.meta.size
+ create = convert_time(fs_object.info.meta.crtime)
+ change = convert_time(fs_object.info.meta.ctime)
+ modify = convert_time(fs_object.info.meta.mtime)
+ data.append(["PARTITION {}".format(part), file_name, file_ext,
+ f_type, create, change, modify, size, file_path])
+
+ if f_type == "DIR":
+ parent.append(fs_object.info.name.name)
+ sub_directory = fs_object.as_directory()
+ inode = fs_object.info.meta.addr
+
+ # This ensures that we don't recurse into a directory
+ # above the current level and thus avoid circular loops.
+ if inode not in dirs:
+ recurse_files(part, fs, sub_directory, dirs, data,
+ parent)
+ parent.pop(-1)
+
+ except IOError:
+ pass
+ dirs.pop(-1)
+ return data
+
+
+def write_csv(data, output):
+ if data == []:
+ print("[-] No output results to write")
+ sys.exit(3)
+
+ print("[+] Writing output to {}".format(output))
+ with open(output, "wb") as csvfile:
+ csv_writer = csv.writer(csvfile)
+ headers = ["Partition", "File", "File Ext", "File Type",
+ "Create Date", "Modify Date", "Change Date", "Size",
+ "File Path"]
+ csv_writer.writerow(headers)
+ for result_list in data:
+ csv_writer.writerows(result_list)
+
+
+def convert_time(ts):
+ if str(ts) == "0":
+ return ""
+ return datetime.utcfromtimestamp(ts)
+
+
+class EWFImgInfo(pytsk3.Img_Info):
+ def __init__(self, ewf_handle):
+ self._ewf_handle = ewf_handle
+ super(EWFImgInfo, self).__init__(url="",
+ type=pytsk3.TSK_IMG_TYPE_EXTERNAL)
+
+ def close(self):
+ self._ewf_handle.close()
+
+ def read(self, offset, size):
+ self._ewf_handle.seek(offset)
+ return self._ewf_handle.read(size)
+
+ def get_size(self):
+ return self._ewf_handle.get_media_size()
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("EVIDENCE_FILE", help="Evidence file path")
+ parser.add_argument("TYPE", help="Type of Evidence",
+ choices=("raw", "ewf"))
+ parser.add_argument("OUTPUT_CSV", help="Output CSV with lookup results")
+ parser.add_argument("-p", help="Partition Type",
+ choices=("DOS", "GPT", "MAC", "SUN"))
+ args = parser.parse_args()
+
+ directory = os.path.dirname(args.OUTPUT_CSV)
+ if not os.path.exists(directory) and directory != "":
+ os.makedirs(directory)
+
+ if os.path.exists(args.EVIDENCE_FILE) and os.path.isfile(args.EVIDENCE_FILE):
+ main(args.EVIDENCE_FILE, args.TYPE, args.OUTPUT_CSV, args.p)
+ else:
+ print("[-] Supplied input file {} does not exist or is not a "
+ "file".format(args.EVIDENCE_FILE))
+ sys.exit(1)
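Review bot: The CSV header row in `write_csv` does not match the row order built in `recurse_files`: rows are appended as `create, change, modify`, but the headers read "Create Date", "Modify Date", "Change Date", so the modify and change timestamps end up under each other's column in the report. Swapping the two header names, `"Create Date", "Change Date", "Modify Date", "Size",`, fixes the labels without touching the data. A docstring on `convert_time` saying it returns a UTC datetime (`datetime.utcfromtimestamp`) and an empty string for a zero timestamp would also help, since a reader of the CSV otherwise cannot tell the timezone.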
diff --git a/Chapter08/search_evidence_hashes.py b/Chapter08/search_evidence_hashes.py
new file mode 100644
index 0000000..6d88f1e
--- /dev/null
+++ b/Chapter08/search_evidence_hashes.py
@@ -0,0 +1,221 @@
+from __future__ import print_function
+import argparse
+import csv
+import hashlib
+import os
+import pytsk3
+import pyewf
+import sys
+from tqdm import tqdm
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to hash files within an evidence containers"
+
+
+def main(image, img_type, hashes, part_type, pbar_total=0):
+ hash_list, hash_type = read_hashes(hashes)
+ volume = None
+ print("[+] Opening {}".format(image))
+ if img_type == "ewf":
+ try:
+ filenames = pyewf.glob(image)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ print("[-] Invalid EWF format:\n {}".format(e))
+ sys.exit(2)
+
+ ewf_handle = pyewf.handle()
+ ewf_handle.open(filenames)
+
+ # Open PYTSK3 handle on EWF Image
+ img_info = EWFImgInfo(ewf_handle)
+ else:
+ img_info = pytsk3.Img_Info(image)
+
+ try:
+ if part_type is not None:
+ attr_id = getattr(pytsk3, "TSK_VS_TYPE_" + part_type)
+ volume = pytsk3.Volume_Info(img_info, attr_id)
+ else:
+ volume = pytsk3.Volume_Info(img_info)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ print("[-] Unable to read partition table:\n {}".format(e))
+
+ open_fs(volume, img_info, hash_list, hash_type, pbar_total)
+
+
+def read_hashes(hashes):
+ hash_list = []
+ hash_type = None
+ with open(hashes) as infile:
+ for line in infile:
+ if hash_type is None:
+ if len(line.strip()) == 32:
+ hash_type = "md5"
+ elif len(line.strip()) == 40:
+ hash_type == "sha1"
+ elif len(line.strip()) == 64:
+ hash_type == "sha256"
+ hash_list.append(line.strip().lower())
+ if hash_type is None:
+ print("[-] No valid hashes identified in {}".format(hashes))
+ sys.exit(3)
+
+ return hash_list, hash_type
+
+
+def open_fs(vol, img, hashes, hash_type, pbar_total=0):
+ # Open FS and Recurse
+ print("[+] Recursing through and hashing files")
+ pbar = tqdm(desc="Hashing", unit=" files",
+ unit_scale=True, total=pbar_total)
+ if vol is not None:
+ for part in vol:
+ if part.len > 2048 and "Unallocated" not in part.desc and \
+ "Extended" not in part.desc and \
+ "Primary Table" not in part.desc:
+ try:
+ fs = pytsk3.FS_Info(
+ img, offset=part.start * vol.info.block_size)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ print("[-] Unable to open FS:\n {}".format(e))
+ root = fs.open_dir(path="/")
+ recurse_files(part.addr, fs, root, [], [""], hashes,
+ hash_type, pbar)
+
+ else:
+ try:
+ fs = pytsk3.FS_Info(img)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ print("[-] Unable to open FS:\n {}".format(e))
+ root = fs.open_dir(path="/")
+ recurse_files(1, fs, root, [], [""], hashes, hash_type, pbar)
+ pbar.close()
+
+
+def recurse_files(part, fs, root_dir, dirs, parent, hashes,
+ hash_type, pbar):
+ dirs.append(root_dir.info.fs_file.meta.addr)
+ for fs_object in root_dir:
+ # Skip ".", ".." or directory entries without a name.
+ if not hasattr(fs_object, "info") or \
+ not hasattr(fs_object.info, "name") or \
+ not hasattr(fs_object.info.name, "name") or \
+ fs_object.info.name.name in [".", ".."]:
+ continue
+ try:
+ file_path = "{}/{}".format("/".join(parent),
+ fs_object.info.name.name)
+ if getattr(fs_object.info.meta, "type", None) == \
+ pytsk3.TSK_FS_META_TYPE_DIR:
+ parent.append(fs_object.info.name.name)
+ sub_directory = fs_object.as_directory()
+ inode = fs_object.info.meta.addr
+
+ # This ensures that we don't recurse into a directory
+ # above the current level and thus avoid circular loops.
+ if inode not in dirs:
+ recurse_files(part, fs, sub_directory, dirs,
+ parent, hashes, hash_type, pbar)
+ parent.pop(-1)
+ else:
+ hash_file(fs_object, file_path, hashes, hash_type, pbar)
+
+ except IOError:
+ pass
+ dirs.pop(-1)
+
+
+def hash_file(fs_object, path, hashes, hash_type, pbar):
+ if hash_type == "md5":
+ hash_obj = hashlib.md5()
+ elif hash_type == "sha1":
+ hash_obj = hashlib.sha1()
+ elif hash_type == "sha256":
+ hash_obj = hashlib.sha256()
+ f_size = getattr(fs_object.info.meta, "size", 0)
+ pbar.set_postfix(File_Size="{:.2f}MB".format(f_size / 1024.0 / 1024))
+ hash_obj.update(fs_object.read_random(0, f_size))
+ hash_digest = hash_obj.hexdigest()
+ pbar.update()
+
+ if hash_digest in hashes:
+ pbar.write("[*] MATCH: {}\n{}".format(path, hash_digest))
+
+
+class EWFImgInfo(pytsk3.Img_Info):
+ def __init__(self, ewf_handle):
+ self._ewf_handle = ewf_handle
+ super(EWFImgInfo, self).__init__(
+ url="", type=pytsk3.TSK_IMG_TYPE_EXTERNAL)
+
+ def close(self):
+ self._ewf_handle.close()
+
+ def read(self, offset, size):
+ self._ewf_handle.seek(offset)
+ return self._ewf_handle.read(size)
+
+ def get_size(self):
+ return self._ewf_handle.get_media_size()
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("EVIDENCE_FILE", help="Evidence file path")
+ parser.add_argument("TYPE", help="Type of Evidence",
+ choices=("raw", "ewf"))
+ parser.add_argument("HASH_LIST",
+ help="Filepath to Newline-delimited list of "
+ "hashes (either MD5, SHA1, or SHA-256)")
+ parser.add_argument("-p", help="Partition Type",
+ choices=("DOS", "GPT", "MAC", "SUN"))
+ parser.add_argument("-t", type=int,
+ help="Total number of files, for the progress bar")
+ args = parser.parse_args()
+
+ if os.path.exists(args.EVIDENCE_FILE) and \
+ os.path.isfile(args.EVIDENCE_FILE) and \
+ os.path.exists(args.HASH_LIST) and \
+ os.path.isfile(args.HASH_LIST):
+ main(args.EVIDENCE_FILE, args.TYPE, args.HASH_LIST, args.p, args.t)
+ else:
+ print("[-] Supplied input file {} does not exist or is not a "
+ "file".format(args.EVIDENCE_FILE))
+ sys.exit(1)
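Review bot: In `read_hashes` the SHA-1 and SHA-256 branches use `hash_type == "sha1"` and `hash_type == "sha256"`, which are comparisons with no effect, so `hash_type` stays `None` for those lists and the function exits with "No valid hashes identified" even though the help text advertises all three algorithms. They should be assignments: `hash_type = "sha1"` and `hash_type = "sha256"`. Only the first recognisable line decides the type, and every stripped line (blank ones included) is appended to `hash_list`, so a comment stating that the file must hold a single algorithm would help the next reader.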
diff --git a/Chapter10/.DS_Store b/Chapter10/.DS_Store
new file mode 100644
index 0000000..8aaf494
Binary files /dev/null and b/Chapter10/.DS_Store differ
diff --git a/Chapter10/evt_explorer.py b/Chapter10/evt_explorer.py
new file mode 100644
index 0000000..0267ef6
--- /dev/null
+++ b/Chapter10/evt_explorer.py
@@ -0,0 +1,162 @@
+from __future__ import print_function
+import argparse
+import unicodecsv as csv
+import os
+import pytsk3
+import pyewf
+import pyevt
+import pyevtx
+import sys
+from utility.pytskutil import TSKUtil
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Script to handle event logs"
+
+
+def main(evidence, image_type, log, win_event, fuzzy):
+ # Create TSK object and query event log directory for Windows XP
+ tsk_util = TSKUtil(evidence, image_type)
+ event_dir = tsk_util.query_directory(win_event)
+ if event_dir is not None:
+ if fuzzy is True:
+ event_log = tsk_util.recurse_files(log, path=win_event)
+ else:
+ event_log = tsk_util.recurse_files(
+ log, path=win_event, logic="equal")
+ if event_log is not None:
+ event_data = []
+ for hit in event_log:
+ event_file = hit[2]
+ temp_evt = write_file(event_file)
+ if pyevt.check_file_signature(temp_evt):
+ evt_log = pyevt.open(temp_evt)
+ print("[+] Identified {} records in {}".format(
+ evt_log.number_of_records, temp_evt))
+ for i, record in enumerate(evt_log.records):
+ strings = ""
+ for s in record.strings:
+ if s is not None:
+ strings += s + "\n"
+
+ event_data.append([
+ i, hit[0], record.computer_name,
+ record.user_security_identifier,
+ record.creation_time, record.written_time,
+ record.event_category, record.source_name,
+ record.event_identifier, record.event_type,
+ strings, "",
+ os.path.join(win_event, hit[1].lstrip("//"))
+ ])
+
+ elif pyevtx.check_file_signature(temp_evt):
+ evtx_log = pyevtx.open(temp_evt)
+ print("[+] Identified {} records in {}".format(
+ evtx_log.number_of_records, temp_evt))
+ for i, record in enumerate(evtx_log.records):
+ strings = ""
+ for s in record.strings:
+ if s is not None:
+ strings += s + "\n"
+
+ event_data.append([
+ i, hit[0], record.computer_name,
+ record.user_security_identifier, "",
+ record.written_time, record.event_level,
+ record.source_name, record.event_identifier,
+ "", strings, record.xml_string,
+ os.path.join(win_event, hit[1].lstrip("//"))
+ ])
+ else:
+ print("[-] {} not a valid event log. Removing temp "
+ "file...".format(temp_evt))
+ os.remove(temp_evt)
+ continue
+ write_output(event_data)
+ else:
+ print("[-] {} Event log not found in {} directory".format(
+ log, win_event))
+ sys.exit(3)
+
+ else:
+ print("[-] Win XP Event Log Directory {} not found".format(
+ win_event))
+ sys.exit(2)
+
+
+def write_file(event_file):
+ with open(event_file.info.name.name, "w") as outfile:
+ outfile.write(event_file.read_random(0, event_file.info.meta.size))
+ return event_file.info.name.name
+
+
+def write_output(data):
+ output_name = "parsed_event_logs.csv"
+ print("[+] Writing {} to current working directory: {}".format(
+ output_name, os.getcwd()))
+ with open(output_name, "wb") as outfile:
+ writer = csv.writer(outfile)
+
+ writer.writerow([
+ "Index", "File name", "Computer Name", "SID",
+ "Event Create Date", "Event Written Date",
+ "Event Category/Level", "Event Source", "Event ID",
+ "Event Type", "Data", "XML Data", "File Path"
+ ])
+
+ writer.writerows(data)
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("EVIDENCE_FILE", help="Evidence file path")
+ parser.add_argument("TYPE", help="Type of Evidence",
+ choices=("raw", "ewf"))
+ parser.add_argument("LOG_NAME",
+ help="Event Log Name (SecEvent.Evt, SysEvent.Evt, "
+ "etc.)")
+ parser.add_argument("-d", help="Event log directory to scan",
+ default="/WINDOWS/SYSTEM32/WINEVT")
+ parser.add_argument("-f", help="Enable fuzzy search for either evt or"
+ " evtx extension", action="store_true")
+ args = parser.parse_args()
+
+ if os.path.exists(args.EVIDENCE_FILE) and \
+ os.path.isfile(args.EVIDENCE_FILE):
+ main(args.EVIDENCE_FILE, args.TYPE, args.LOG_NAME, args.d, args.f)
+ else:
+ print("[-] Supplied input file {} does not exist or is not a "
+ "file".format(args.EVIDENCE_FILE))
+ sys.exit(1)
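Review bot: `write_file` writes each extracted log into the current working directory under the name stored in the image, so an existing file with that name is overwritten, and two hits with the same log name (which looks possible, depending on what `TSKUtil.recurse_files` returns) would replace one another. The copies are removed only when the signature check fails, so parsed logs are left behind in the working directory. I would write into a directory from `tempfile.mkdtemp()` (needs `import tempfile`), use `os.path.basename` on the name, and remove the directory once `write_output` has run.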
diff --git a/Chapter10/index_parser.py b/Chapter10/index_parser.py
new file mode 100644
index 0000000..f786320
--- /dev/null
+++ b/Chapter10/index_parser.py
@@ -0,0 +1,151 @@
+from __future__ import print_function
+import argparse
+from datetime import datetime, timedelta
+import os
+import pytsk3
+import pyewf
+import pymsiecf
+import sys
+import unicodecsv as csv
+from utility.pytskutil import TSKUtil
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Script to parse index.dat files"
+
+
+def main(evidence, image_type, path):
+ # Create TSK object and query for Internet Explorer index.dat files
+ tsk_util = TSKUtil(evidence, image_type)
+ index_dir = tsk_util.query_directory(path)
+ if index_dir is not None:
+ index_files = tsk_util.recurse_files("index.dat", path=path,
+ logic="equal")
+ if index_files is not None:
+ print("[+] Identified {} potential index.dat files".format(
+ len(index_files)))
+ index_data = []
+ for hit in index_files:
+ index_file = hit[2]
+ temp_index = write_file(index_file)
+ if pymsiecf.check_file_signature(temp_index):
+ index_dat = pymsiecf.open(temp_index)
+ print("[+] Identified {} records in {}".format(
+ index_dat.number_of_items, temp_index))
+ for i, record in enumerate(index_dat.items):
+ try:
+ data = record.data
+ if data is not None:
+ data = data.rstrip("\x00")
+ except AttributeError:
+ if isinstance(record, pymsiecf.redirected):
+ index_data.append([
+ i, temp_index, "", "", "", "", "",
+ record.location, "", "", record.offset,
+ os.path.join(path, hit[1].lstrip("//"))
+ ])
+
+ elif isinstance(record, pymsiecf.leak):
+ index_data.append([
+ i, temp_index, record.filename, "",
+ "", "", "", "", "", "", record.offset,
+ os.path.join(path, hit[1].lstrip("//"))
+ ])
+
+ continue
+
+ index_data.append([
+ i, temp_index, record.filename,
+ record.type, record.primary_time,
+ record.secondary_time,
+ record.last_checked_time, record.location,
+ record.number_of_hits, data, record.offset,
+ os.path.join(path, hit[1].lstrip("//"))
+ ])
+
+ else:
+ print("[-] {} not a valid index.dat file. Removing "
+ "temp file..".format(temp_index))
+ os.remove("index.dat")
+ continue
+
+ os.remove("index.dat")
+ write_output(index_data)
+ else:
+ print("[-] Index.dat files not found in {} directory".format(
+ path))
+ sys.exit(3)
+
+ else:
+ print("[-] Directory {} not found".format(win_event))
+ sys.exit(2)
+
+
+def write_file(index_file):
+ with open(index_file.info.name.name, "w") as outfile:
+ outfile.write(index_file.read_random(0, index_file.info.meta.size))
+ return index_file.info.name.name
+
+
+def write_output(data):
+ output_name = "Internet_Indexdat_Summary_Report.csv"
+ print("[+] Writing {} with {} parsed index.dat files to current "
+ "working directory: {}".format(output_name, len(data),
+ os.getcwd()))
+ with open(output_name, "wb") as outfile:
+ writer = csv.writer(outfile)
+ writer.writerow(["Index", "File Name", "Record Name",
+ "Record Type", "Primary Date", "Secondary Date",
+ "Last Checked Date", "Location", "No. of Hits",
+ "Record Data", "Record Offset", "File Path"])
+ writer.writerows(data)
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("EVIDENCE_FILE", help="Evidence file path")
+ parser.add_argument("TYPE", help="Type of Evidence",
+ choices=("raw", "ewf"))
+ parser.add_argument("-d", help="Index.dat directory to scan",
+ default="/USERS")
+ args = parser.parse_args()
+
+ if os.path.exists(args.EVIDENCE_FILE) and os.path.isfile(
+ args.EVIDENCE_FILE):
+ main(args.EVIDENCE_FILE, args.TYPE, args.d)
+ else:
+ print("[-] Supplied input file {} does not exist or is not a "
+ "file".format(args.EVIDENCE_FILE))
+ sys.exit(1)
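Review bot: `write_file` opens the extracted index.dat with mode `"w"`, and `main` later deletes the literal name `"index.dat"` instead of the path that `write_file` returned. The name comes from the image and `recurse_files` is called with its default `case=False`, so a file stored as `INDEX.DAT` is written under that name, and on a case-sensitive host `os.remove("index.dat")` then raises or removes an unrelated file in the working directory. Text mode can also alter the bytes on Windows. I would use `open(index_file.info.name.name, "wb")` and `os.remove(temp_index)`, and preferably write into a `tempfile.mkdtemp()` directory so nothing in the examiner's working directory is overwritten. Separately, the final `else` branch formats `win_event`, which is not defined in this file; it should be `path`.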
diff --git a/Chapter10/pf_parser.py b/Chapter10/pf_parser.py
new file mode 100644
index 0000000..f5a4410
--- /dev/null
+++ b/Chapter10/pf_parser.py
@@ -0,0 +1,183 @@
+from __future__ import print_function
+import argparse
+from datetime import datetime, timedelta
+import os
+import pytsk3
+import pyewf
+import struct
+import sys
+import unicodecsv as csv
+from utility.pytskutil import TSKUtil
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = " Read information from prefetch files"
+
+
+def main(evidence, image_type, output_csv, path):
+ # Create TSK object and query path for prefetch files
+ tsk_util = TSKUtil(evidence, image_type)
+ prefetch_dir = tsk_util.query_directory(path)
+ prefetch_files = None
+ if prefetch_dir is not None:
+ prefetch_files = tsk_util.recurse_files(
+ ".pf", path=path, logic="endswith")
+ if prefetch_files is None:
+ print("[-] No .pf files found")
+ sys.exit(2)
+
+ print("[+] Identified {} potential prefetch files".format(
+ len(prefetch_files)))
+ prefetch_data = []
+ for hit in prefetch_files:
+ prefetch_file = hit[2]
+ pf_version = check_signature(prefetch_file)
+ if pf_version is None:
+ continue
+
+ pf_name = hit[0]
+ if pf_version == 17:
+ parsed_data = parse_pf_17(prefetch_file, pf_name)
+ parsed_data.append(os.path.join(path, hit[1].lstrip("//")))
+ prefetch_data.append(parsed_data)
+
+ elif pf_version == 23:
+ print("[-] Windows Vista / 7 PF file {} -- unsupported".format(
+ pf_name))
+ continue
+ elif pf_version == 26:
+ print("[-] Windows 8 PF file {} -- unsupported".format(
+ pf_name))
+ continue
+ elif pf_version == 30:
+ print("[-] Windows 10 PF file {} -- unsupported".format(
+ pf_name))
+ continue
+
+ else:
+ print("[-] Signature mismatch - Name: {}\nPath: {}".format(
+ hit[0], hit[1]))
+ continue
+
+ write_output(prefetch_data, output_csv)
+
+
+def parse_pf_17(prefetch_file, pf_name):
+ # Parse Windows XP, 2003 Prefetch File
+ create = convert_unix(prefetch_file.info.meta.crtime)
+ modify = convert_unix(prefetch_file.info.meta.mtime)
+
+ pf_size, name, vol_info, vol_entries, vol_size, filetime, \
+ count = struct.unpack("d", struct.pack(">Q", ts))[0]
+ try:
+ dt = datetime(1899, 12, 30, 0, 0, 0) + timedelta(days=ole)
+ except OverflowError:
+ return ts
+ return dt
+
+
+def write_output(table, data):
+ if len(data[table]["data"]) == 0:
+ return
+ if table in TABLE_LOOKUP:
+ output_name = TABLE_LOOKUP[table] + ".csv"
+ else:
+ output_name = "SRUM_Table_{}.csv".format(table)
+ print("[+] Writing {} to current working directory: {}".format(
+ output_name, os.getcwd()))
+ with open(output_name, "wb") as outfile:
+ writer = csv.writer(outfile)
+ writer.writerow(data[table]["columns"])
+ writer.writerows(data[table]["data"])
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("EVIDENCE_FILE", help="Evidence file path")
+ parser.add_argument("TYPE", help="Type of Evidence",
+ choices=("raw", "ewf"))
+ args = parser.parse_args()
+
+ if os.path.exists(args.EVIDENCE_FILE) and os.path.isfile(
+ args.EVIDENCE_FILE):
+ main(args.EVIDENCE_FILE, args.TYPE)
+ else:
+ print("[-] Supplied input file {} does not exist or is not a "
+ "file".format(args.EVIDENCE_FILE))
+ sys.exit(1)
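Review bot: `main` is declared as `main(evidence, image_type, output_csv, path)`, but the `__main__` block at the end of this hunk calls `main(args.EVIDENCE_FILE, args.TYPE)` and defines no output or `-d` argument. `write_output(table, data)` indexes `data[table]["data"]`, although `main` passes it a list and a CSV path. The body of `parse_pf_17` also runs straight into lines that use `ts`, `ole` and `TABLE_LOOKUP`, none of which are defined in the lines shown, and `check_signature` and `convert_unix` are missing. Since the hunk header declares 183 added lines, the text here looks like two scripts spliced together rather than the file as committed. Compare it with the repository copy before running it against evidence.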
diff --git a/Chapter10/utility/__init__.py b/Chapter10/utility/__init__.py
new file mode 100644
index 0000000..59434e4
--- /dev/null
+++ b/Chapter10/utility/__init__.py
@@ -0,0 +1 @@
+import pytskutil
diff --git a/Chapter10/utility/pytskutil.py b/Chapter10/utility/pytskutil.py
new file mode 100644
index 0000000..fd2a82d
--- /dev/null
+++ b/Chapter10/utility/pytskutil.py
@@ -0,0 +1,311 @@
+from __future__ import print_function
+import os
+import pytsk3
+import sys
+import pyewf
+from datetime import datetime
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+
+class EWFImgInfo(pytsk3.Img_Info):
+ """EWF Image Format helper class"""
+ def __init__(self, ewf_handle):
+ self._ewf_handle = ewf_handle
+ super(EWFImgInfo, self).__init__(url="", type=pytsk3.TSK_IMG_TYPE_EXTERNAL)
+
+ def close(self):
+ self._ewf_handle.close()
+
+ def read(self, offset, size):
+ self._ewf_handle.seek(offset)
+ return self._ewf_handle.read(size)
+
+ def get_size(self):
+ return self._ewf_handle.get_media_size()
+
+
+class TSKUtil(object):
+ def __init__(self, evidence, image_type):
+ self.evidence = evidence
+ self.image_type = image_type
+
+ # Assigned parameters
+ self.vol = None
+ self.image_handle = None
+ self.fs = []
+
+ # Prep volume and fs objects
+ self.run()
+
+ def run(self):
+ self.open_vol()
+ self.open_FS()
+
+ def return_vol(self):
+ sys.stderr.write("[+] Opening {}\n".format(self.evidence))
+ # Handle EWF/Raw Images
+ if self.image_type == "ewf":
+ try:
+ filenames = pyewf.glob(self.evidence)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ sys.stderr.write("[-] Invalid EWF format:\n {}\n".format(e))
+ raise IOError
+
+ ewf_handle = pyewf.handle()
+ ewf_handle.open(filenames)
+
+ # Open PYTSK3 handle on EWF Image
+ self.image_handle = EWFImgInfo(ewf_handle)
+ else:
+ self.image_handle = pytsk3.Img_Info(self.evidence)
+
+ # Open volume from image
+ try:
+ self.vol = pytsk3.Volume_Info(self.image_handle)
+ except IOError:
+ return None
+
+ return self.vol
+
+ def open_vol(self):
+ sys.stderr.write("[+] Opening {}\n".format(self.evidence))
+ # Handle EWF/Raw Images
+ if self.image_type == "ewf":
+ try:
+ filenames = pyewf.glob(self.evidence)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ sys.stderr.write("[-] Invalid EWF format:\n {}\n".format(e))
+ raise IOError
+
+ ewf_handle = pyewf.handle()
+ ewf_handle.open(filenames)
+
+ # Open PYTSK3 handle on EWF Image
+ self.image_handle = EWFImgInfo(ewf_handle)
+ else:
+ self.image_handle = pytsk3.Img_Info(self.evidence)
+
+ # Open volume from image
+ try:
+ self.vol = pytsk3.Volume_Info(self.image_handle)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ sys.stderr.write("[-] Unable to read partition table. Possible logical image:\n {}\n".format(e))
+
+ def open_FS(self):
+ # Open FS and Recurse
+ if self.vol is not None:
+ for partition in self.vol:
+ if partition.len > 2048 and "Unallocated" not in partition.desc and "Extended" not in partition.desc and "Primary Table" not in partition.desc:
+ try:
+ self.fs.append(pytsk3.FS_Info(
+ self.image_handle,
+ offset=partition.start * self.vol.info.block_size))
+ except IOError:
+ _, e, _ = sys.exc_info()
+ sys.stderr.write("[-] Unable to open FS:\n {}\n".format(e))
+ else:
+ try:
+ self.fs.append(pytsk3.FS_Info(self.image_handle))
+ except IOError:
+ _, e, _ = sys.exc_info()
+ sys.stderr.write("[-] Unable to open FS:\n {}\n".format(e))
+
+ def detect_ntfs(self, vol, partition):
+ try:
+ block_size = vol.info.block_size
+ fs_object = pytsk3.FS_Info(self.image_handle, offset=(partition.start * block_size))
+ except Exception:
+ sys.stderr.write("[-] Unable to open FS\n")
+ return False
+ if fs_object.info.ftype == pytsk3.TSK_FS_TYPE_NTFS_DETECT:
+ return True
+ else:
+ return False
+
+ def recurse_files(self, substring, path="/", logic="contains", case=False):
+ files = []
+ for i, fs in enumerate(self.fs):
+ try:
+ root_dir = fs.open_dir(path)
+ except IOError:
+ continue
+ files += self.recurse_dirs(i, fs, root_dir, [], [], [""], substring, logic, case)
+
+ if files == []:
+ return None
+ else:
+ return files
+
+ def query_directory(self, path):
+ dirs = []
+ for i, fs in enumerate(self.fs):
+ try:
+ dirs.append((i, fs.open_dir(path)))
+ except IOError:
+ continue
+
+ if dirs == []:
+ return None
+ else:
+ return dirs
+
+ def recurse_dirs(self, part, fs, root_dir, dirs, data, parent, substring, logic, case):
+ dirs.append(root_dir.info.fs_file.meta.addr)
+ for fs_object in root_dir:
+ # Skip ".", ".." or directory entries without a name.
+ if not hasattr(fs_object, "info") or not hasattr(fs_object.info, "name") or not hasattr(fs_object.info.name, "name") or fs_object.info.name.name in [".", ".."]:
+ continue
+ try:
+ file_name = fs_object.info.name.name
+ file_path = "{}/{}".format("/".join(parent), fs_object.info.name.name)
+ try:
+ if fs_object.info.meta.type == pytsk3.TSK_FS_META_TYPE_DIR:
+ f_type = "DIR"
+ file_ext = ""
+ else:
+ f_type = "FILE"
+
+ except AttributeError:
+ continue # Which object has the AttributeError?
+
+ if f_type == "FILE":
+ if logic.lower() == 'contains':
+ if case is False:
+ if substring.lower() in file_name.lower():
+ data.append((file_name, file_path, fs_object, part))
+ else:
+ if substring in file_name:
+ data.append((file_name, file_path, fs_object, part))
+ elif logic.lower() == 'startswith':
+ if case is False:
+ if file_name.lower().startswith(substring.lower()):
+ data.append((file_name, file_path, fs_object, part))
+ else:
+ if file_name.startswith(substring):
+ data.append((file_name, file_path, fs_object, part))
+ elif logic.lower() == 'endswith':
+ if case is False:
+ if file_name.lower().endswith(substring.lower()):
+ data.append((file_name, file_path, fs_object, part))
+ else:
+ if file_name.endswith(substring):
+ data.append((file_name, file_path, fs_object, part))
+ elif logic.lower() == 'equal':
+ if case is False:
+ if substring.lower() == file_name.lower():
+ data.append((file_name, file_path, fs_object, part))
+ else:
+ if substring == file_name:
+ data.append((file_name, file_path, fs_object, part))
+ else:
+ sys.stderr.write("[-] Warning invalid logic {} provided\n".format(logic))
+ sys.exit()
+
+ elif f_type == "DIR":
+ parent.append(fs_object.info.name.name)
+ sub_directory = fs_object.as_directory()
+ inode = fs_object.info.meta.addr
+
+ # This ensures that we don't recurse into a directory
+ # above the current level and thus avoid circular loops.
+ if inode not in dirs:
+ self.recurse_dirs(part, fs, sub_directory, dirs, data, parent, substring, logic, case)
+ parent.pop(-1)
+
+ except IOError:
+ pass
+ dirs.pop(-1)
+ return data
+
+
+def openVSSFS(img, count):
+ # Open FS and Recurse
+ try:
+ fs = pytsk3.FS_Info(img)
+ except IOError:
+ _, e, _ = sys.exc_info()
+ sys.stderr.write("[-] Unable to open FS: {}".format(e))
+ root = fs.open_dir(path="/")
+ data = recurseFiles(count, fs, root, [], [], [""])
+ return data
+
+
+def recurseFiles(count, fs, root_dir, dirs, data, parent):
+ dirs.append(root_dir.info.fs_file.meta.addr)
+ for fs_object in root_dir:
+ # Skip ".", ".." or directory entries without a name.
+ if not hasattr(fs_object, "info") or not hasattr(fs_object.info, "name") or not hasattr(fs_object.info.name, "name") or fs_object.info.name.name in [".", ".."]:
+ continue
+ try:
+ file_name = fs_object.info.name.name
+ file_path = "{}/{}".format("/".join(parent), fs_object.info.name.name)
+ try:
+ if fs_object.info.meta.type == pytsk3.TSK_FS_META_TYPE_DIR:
+ f_type = "DIR"
+ file_ext = ""
+ else:
+ f_type = "FILE"
+ if "." in file_name:
+ file_ext = file_name.rsplit(".")[-1].lower()
+ else:
+ file_ext = ""
+ except AttributeError:
+ continue
+
+ size = fs_object.info.meta.size
+ create = convertTime(fs_object.info.meta.crtime)
+ change = convertTime(fs_object.info.meta.ctime)
+ modify = convertTime(fs_object.info.meta.mtime)
+ data.append(["VSS {}".format(count), file_name, file_ext, f_type, create, change, modify, size, file_path])
+
+ if f_type == "DIR":
+ parent.append(fs_object.info.name.name)
+ sub_directory = fs_object.as_directory()
+ inode = fs_object.info.meta.addr
+
+ # This ensures that we don't recurse into a directory
+ # above the current level and thus avoid circular loops.
+ if inode not in dirs:
+ recurseFiles(count, fs, sub_directory, dirs, data, parent)
+ parent.pop(-1)
+
+ except IOError:
+ pass
+ dirs.pop(-1)
+ return data
+
+
+def convertTime(ts):
+ if str(ts) == "0":
+ return ""
+ return datetime.utcfromtimestamp(ts)
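Review bot: In `openVSSFS`, when `pytsk3.FS_Info(img)` raises `IOError` the handler only writes to stderr, so the next line `fs.open_dir(path="/")` runs with `fs` unbound and the script stops with an `UnboundLocalError` instead of skipping that shadow copy. Add `return []` at the end of the `except` block; the caller in vss_explorer.py passes each result to `writerows`, which accepts an empty list. In `recurse_dirs` and `recurseFiles` the `except IOError: pass` drops unreadable entries silently. For a forensic listing I would at least report them, e.g. `sys.stderr.write("[-] Unable to read {}\n".format(file_path))`, so the examiner knows the output is incomplete.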
diff --git a/Chapter10/utility/vss.py b/Chapter10/utility/vss.py
new file mode 100644
index 0000000..8c5299c
--- /dev/null
+++ b/Chapter10/utility/vss.py
@@ -0,0 +1,166 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+# Copyright 2012 The Plaso Project Authors.
+# Please see the AUTHORS file for details on individual authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#This file was copied from https://code.google.com/p/plaso/source/browse/plaso/pvfs/vss.py
+
+"""This file contains a simple library to read files stored in VSS."""
+import logging
+import os
+
+import pytsk3
+import pyvshadow
+
+
+class VShadowImgInfo(pytsk3.Img_Info):
+ """Extending the TSK Img_Info to allow VSS images to be read in."""
+
+ def __init__(self, store):
+ self._store = store
+ super(VShadowImgInfo, self).__init__()
+
+ # Implementing an interface
+ def read(self, offset, size):
+ self._store.seek(offset)
+ return self._store.read(size)
+
+ # Implementing an interface
+ def get_size(self):
+ return self._store.get_size()
+
+
+class VShadowVolume(object):
+ """Disk file implementation faking volume file.
+ pyvhsadow does not support disk images, only volume based ones.
+ In order for us to be able to use disk images we need to provide
+ an interface that exposes volumes inside of a disk image.
+ """
+
+ def __init__(self, file_path, offset=0, sector_size=512):
+ """Provide a file like object of a volume inside a disk image.
+ Args:
+ file_path: String, denoting the file path to the disk image.
+ offset: An offset in bytes to the volume within the disk.
+ sector_size: The size in bytes of a single sector, defaults to 512.
+ """
+ self._block_size = 0
+ self._offset_start = 0
+ self._orig_offset = offset
+
+ ofs = int(offset / sector_size)
+ self._block_size, self._image_size = GetImageSize(file_path, ofs)
+
+ self._fh = open(file_path, 'rb')
+ self._fh.seek(0, os.SEEK_END)
+ self._fh_size = self._fh.tell()
+ self._image_offset = ofs
+
+ if self._block_size:
+ self._offset_start = self._image_offset * self._block_size
+ self._fh.seek(self._offset_start, 0)
+
+ def read(self, size=None):
+ """"Return read bytes from volume as denoted by the size parameter."""
+ if not self._orig_offset:
+ return self._fh.read(size)
+
+ # Check upper bounds, we need to return empty values for above bounds.
+ if size + self.tell() > self._offset_start + self._image_size:
+ size = self._offset_start + self._image_size - self.tell()
+
+ if size < 1:
+ return ''
+
+ return self._fh.read(size)
+
+ def get_size(self):
+ """Return the size in bytes of the volume."""
+ if self._block_size:
+ return self._block_size * self._image_size
+
+ return self._fh_size
+
+ def close(self):
+ self._fh.close()
+
+ def seek(self, offset, whence=os.SEEK_SET):
+ """Seek into the volume."""
+ if not self._block_size:
+ self._fh.seek(offset, whence)
+ return
+
+ ofs = 0
+ abs_ofs = 0
+ if whence == os.SEEK_SET:
+ ofs = offset + self._offset_start
+ abs_ofs = ofs
+ elif whence == os.SEEK_CUR:
+ ofs = offset
+ abs_ofs = self.tell() + ofs
+ elif whence == os.SEEK_END:
+ size_diff = self._fh_size - (self._offset_start + self._image_size)
+ ofs = offset - size_diff
+ abs_ofs = self._image_size + self._offset_start + offset
+ else:
+ raise RuntimeError('Illegal whence value %s' % whence)
+
+ # check boundary
+ if abs_ofs < self._offset_start:
+ raise IOError('Invalid seek, out of bounds. Seek before start.')
+
+ self._fh.seek(ofs, whence)
+
+ def tell(self):
+ if not self._block_size:
+ return self._fh.tell()
+
+ return self._fh.tell() - self._offset_start
+
+ def get_offset(self):
+ return self.tell()
+
+
+def GetVssStoreCount(image, offset=0):
+ """Return the number of VSS stores available in an image."""
+ volume = pyvshadow.volume()
+ fh = VShadowVolume(image, offset)
+ try:
+ volume.open_file_object(fh)
+ return volume.number_of_stores
+ except IOError as e:
+ logging.warning('Error while trying to read VSS information: %s', e)
+
+ return 0
+
+
+def GetImageSize(file_path, offset):
+ """Read the partition information to gather volume size."""
+ if not offset:
+ return 0, 0
+
+ img = pytsk3.Img_Info(file_path)
+ try:
+ volume = pytsk3.Volume_Info(img)
+ except IOError:
+ return 0, 0
+
+ size = 0
+ for vol in volume:
+ if vol.start == offset:
+ size = vol.len
+ break
+
+ size *= volume.info.block_size
+ return volume.info.block_size, size
diff --git a/Chapter10/vss_explorer.py b/Chapter10/vss_explorer.py
new file mode 100644
index 0000000..0ace381
--- /dev/null
+++ b/Chapter10/vss_explorer.py
@@ -0,0 +1,118 @@
+from __future__ import print_function
+import argparse
+from datetime import datetime, timedelta
+import os
+import pytsk3
+import pyewf
+import pyvshadow
+import sys
+import unicodecsv as csv
+from utility import vss
+from utility.pytskutil import TSKUtil
+from utility import pytskutil
+
+"""
+MIT License
+
+Copyright (c) 2017 Chapin Bryce, Preston Miller
+
+Please share comments and questions at:
+ https://github.com/PythonForensics/PythonForensicsCookbook
+ or email pyforcookbook@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+"""
+
+__authors__ = ["Chapin Bryce", "Preston Miller"]
+__date__ = 20170815
+__description__ = "Utility to explore VSS on NTFS volumes"
+
+
+def main(evidence, output):
+ # Create TSK object and query path for prefetch files
+ tsk_util = TSKUtil(evidence, "raw")
+ img_vol = tsk_util.return_vol()
+ if img_vol is not None:
+ for part in img_vol:
+ if tsk_util.detect_ntfs(img_vol, part):
+ print("Exploring NTFS Partition for VSS")
+ explore_vss(evidence, part.start * img_vol.info.block_size,
+ output)
+ else:
+ print("[-] Must be a physical preservation to be compatible "
+ "with this script")
+ sys.exit(2)
+
+
+def explore_vss(evidence, part_offset, output):
+ vss_volume = pyvshadow.volume()
+ vss_handle = vss.VShadowVolume(evidence, part_offset)
+ vss_count = vss.GetVssStoreCount(evidence, part_offset)
+ if vss_count > 0:
+ vss_volume.open_file_object(vss_handle)
+ vss_data = []
+ for x in range(vss_count):
+ print("Gathering data for VSC {} of {}".format(x, vss_count))
+ vss_store = vss_volume.get_store(x)
+ image = vss.VShadowImgInfo(vss_store)
+ vss_data.append(pytskutil.openVSSFS(image, x))
+
+ write_csv(vss_data, output)
+
+
+def write_csv(data, output):
+ if data == []:
+ print("[-] No output results to write")
+ sys.exit(3)
+
+ print("[+] Writing output to {}".format(output))
+ if os.path.exists(output):
+ append = True
+ with open(output, "ab") as csvfile:
+ csv_writer = csv.writer(csvfile)
+ headers = ["VSS", "File", "File Ext", "File Type", "Create Date",
+ "Modify Date", "Change Date", "Size", "File Path"]
+ if not append:
+ csv_writer.writerow(headers)
+ for result_list in data:
+ csv_writer.writerows(result_list)
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(
+ description=__description__,
+ epilog="Developed by {} on {}".format(
+ ", ".join(__authors__), __date__)
+ )
+ parser.add_argument("EVIDENCE_FILE", help="Evidence file path")
+ parser.add_argument("OUTPUT_CSV",
+ help="Output CSV with VSS file listing")
+ args = parser.parse_args()
+
+ directory = os.path.dirname(args.OUTPUT_CSV)
+ if not os.path.exists(directory) and directory != "":
+ os.makedirs(directory)
+
+ if os.path.exists(args.EVIDENCE_FILE) and \
+ os.path.isfile(args.EVIDENCE_FILE):
+ main(args.EVIDENCE_FILE, args.OUTPUT_CSV)
+ else:
+ print("[-] Supplied input file {} does not exist or is not a "
+ "file".format(args.EVIDENCE_FILE))
+ sys.exit(1)
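Review bot: `write_csv` assigns `append` only when the output file already exists, so on a first run `if not append:` raises `UnboundLocalError` after the file has been created, and later runs then skip the header, which is therefore never written. Replace the `if os.path.exists(output):` / `append = True` pair with `append = os.path.exists(output)`. The header list also names the columns `"Create Date", "Modify Date", "Change Date"`, while `recurseFiles` in utility/pytskutil.py appends `create, change, modify`. The modify and change timestamps therefore land under each other's heading in the report; swap the two header strings to match the data order.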