Getting Started
Learn the basic principles of exhuming artefacts from a disk image.
The exhume_artefacts module helps the investigator parse artefacts (Windows event logs, for example) either from a standalone file or directly from a file stored inside a disk image.
🛠️ Prerequisites
Installing Rust
The Exhume Toolkit is built with Rust and requires it for development or compilation.
- Linux and macOS: install rustup with
curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf | sh
- Windows: visit https://www.rust-lang.org/tools/install to install rustup, or use winget from PowerShell:
winget install --id Rustlang.Rustup
Piping a downloaded script into a shell is the installation method the rustup project itself documents; if your policy forbids it, download the script first, review it, then run it.
important
Be sure to restart your terminal (and in some cases your system) for the changes to take effect.
Basic installation
cargo install exhume_artefacts
exhume_artefacts --help
By default, exhume_artefacts takes a standalone file as its argument. To parse a file directly out of a disk image you will need the example programs, which means installing from source as described below.
Installing from source
git clone https://github.com/forensicxlab/exhume_artefacts.git
cd exhume_artefacts
# Build optimized release version
cargo build --release
# Build examples
cargo build --examples
🚀 Basic Usage
The usage examples below assume you built from source, which we recommend for testing. Note that cargo build --release places the main CLI under ./target/release/, whereas cargo build --examples (run without --release) places the example programs under ./target/debug/examples/; adjust the paths below to the profile you actually built with.
# Run the main CLI with --help
./target/debug/exhume_artefacts --help
# List available parsers
./target/debug/exhume_artefacts --list-parsers
Test Example Programs
./target/debug/examples/parse_file --help
Parse a standalone file with a named parser and output JSONL.
Usage: parse_file [OPTIONS] [file] [parser]
Arguments:
[file]
[parser]
Options:
--list-parsers List available parsers (name + description) and exit.
-l, --log-level <log_level> [default: info] [possible values: error, warn, info, debug, trace]
-h, --help Print help
# Test parse_from_fs example
./target/debug/examples/parse_from_fs --help
Parse a file (by filesystem record ID) inside a disk image and output JSONL.
Usage: parse_from_fs [OPTIONS]
Options:
--list-parsers List available parsers (name + description) and exit.
-b, --body <body>
-f, --format <format> raw | ewf | vmdk | auto
-o, --offset <offset> Filesystem start (bytes, dec or hex)
-s, --size <size> Filesystem size (in sectors, dec or hex)
-r, --record <file_id> File record identifier
-p, --parser <parser>
-l, --log-level <log_level> [default: info] [possible values: error, warn, info, debug, trace]
-h, --help Print help
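The --offset (bytes) and --size (sectors) values that parse_from_fs needs describe where the filesystem sits inside the image, and they come from the image's partition table. The following is an added example and is not part of the Exhume toolkit: it reads a classic MBR, assumes 512-byte sectors, and renders the two values in the units parse_from_fs expects. The MBR it parses is constructed inline; the body, record and parser names passed to parse_from_fs_args are placeholders.

```python
import struct

SECTOR = 512  # assumed sector size; 4Kn media needs the offset arithmetic redone


def build_sample_mbr():
    """Constructed 512-byte MBR, not from any real image: one bootable NTFS-type
    partition (0x07) starting at LBA 2048 and spanning 0x1FFFE sectors."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 0x1FFFE)
    mbr = bytearray(SECTOR)
    mbr[446:462] = entry          # first of the four 16-byte partition entries
    mbr[510:512] = b"\x55\xAA"    # boot signature
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty partition entries of a classic MBR.

    Each entry becomes a dict carrying the byte offset and sector count in the
    units parse_from_fs takes: --offset in bytes, --size in sectors.
    """
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: not an MBR (or wrong sector size)")
    parts = []
    for i in range(4):
        raw = mbr[446 + 16 * i : 446 + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append({
            "index": i,
            "type": ptype,
            "bootable": status == 0x80,
            "offset_bytes": lba * SECTOR,
            "size_sectors": count,
            # A 0xEE entry is a GPT protective MBR: the real table is at LBA 1
            # and must be read from the GPT header instead of this entry.
            "protective_gpt": ptype == 0xEE,
        })
    return parts


def parse_from_fs_args(part, body, record, parser):
    """Render the parse_from_fs command line for one partition entry (hex values)."""
    return (
        f"parse_from_fs --body {body} --offset {part['offset_bytes']:#x} "
        f"--size {part['size_sectors']:#x} --record {record} --parser {parser}"
    )


if __name__ == "__main__":
    for part in parse_mbr(build_sample_mbr()):
        if part["protective_gpt"]:
            print(f"entry {part['index']}: protective MBR, read the GPT at LBA 1 instead")
            continue
        print(parse_from_fs_args(part, "image.001", "<file_record_id>", "windows_evtx"))
```

Read the first 512 bytes of a raw image into parse_mbr to use this on real input; for E01 or VMDK containers the bytes must first come through a reader that understands the container, which is what the --format option of parse_from_fs is for.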
📘 Examples
Parsing from a file
The --help output above lists file and parser as positional arguments, whereas this invocation passes them as --file and --parser; check the --help of the build you are running for the form it accepts.
./target/debug/examples/parse_file --file Security.evtx --parser windows_evtx
[2025-12-25T17:36:17Z INFO evtx::evtx_chunk] Record id - 657
{"event_record_id":657,"timestamp":"2016-06-21T13:17:37.306573+00:00","event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Provider":{"#attributes":{"Name":"Microsoft-Windows-LocationProvider","Guid":"EAAB4D92-5199-46C4-A779-9721CE323D46"}},"EventID":2001,"Version":0,"Level":4,"Task":1,"Opcode":0,"Keywords":"0x2000000000000001","TimeCreated":{"#attributes":{"SystemTime":"2016-06-21T13:17:37.306573Z"}},"EventRecordID":657,"Correlation":null,"Execution":{"#attributes":{"ProcessID":5500,"ThreadID":5200}},"Channel":"Application","Computer":"4orensics","Security":{"#attributes":{"UserID":"S-1-5-19"}}},"EventData":null}}}
[2025-12-25T17:36:17Z INFO evtx::evtx_chunk] Record id - 658
{"event_record_id":658,"timestamp":"2016-06-21T13:17:37.675333+00:00","event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Provider":{"#attributes":{"Name":"Microsoft-Windows-LocationProvider","Guid":"EAAB4D92-5199-46C4-A779-9721CE323D46"}},"EventID":2003,"Version":0,"Level":4,"Task":1,"Opcode":0,"Keywords":"0x2000000000000001","TimeCreated":{"#attributes":{"SystemTime":"2016-06-21T13:17:37.675333Z"}},"EventRecordID":658,"Correlation":null,"Execution":{"#attributes":{"ProcessID":5500,"ThreadID":6492}},"Channel":"Application","Computer":"4orensics","Security":{"#attributes":{"UserID":"S-1-5-19"}}},"EventData":null}}}
[...]
The [... INFO evtx::evtx_chunk] lines come from the logger, not from the parser output. Pass --log-level error to silence them (or redirect the stream the logger writes to) when you want a clean JSONL stream to pipe into another tool.
Parsing from a disk image
Here --record is the identifier of the file's record in the filesystem (on NTFS, its MFT entry number), which you need to have located beforehand; --offset and --size describe where that filesystem starts inside the image and how many sectors it spans.
./target/debug/examples/parse_from_fs --body ./4orensics.001 --offset 0 --size 0x18A800000000 --record 81030 --parser windows_evtx
[2025-12-25T17:36:17Z INFO evtx::evtx_chunk] Record id - 657
{"event_record_id":657,"timestamp":"2016-06-21T13:17:37.306573+00:00","event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Provider":{"#attributes":{"Name":"Microsoft-Windows-LocationProvider","Guid":"EAAB4D92-5199-46C4-A779-9721CE323D46"}},"EventID":2001,"Version":0,"Level":4,"Task":1,"Opcode":0,"Keywords":"0x2000000000000001","TimeCreated":{"#attributes":{"SystemTime":"2016-06-21T13:17:37.306573Z"}},"EventRecordID":657,"Correlation":null,"Execution":{"#attributes":{"ProcessID":5500,"ThreadID":5200}},"Channel":"Application","Computer":"4orensics","Security":{"#attributes":{"UserID":"S-1-5-19"}}},"EventData":null}}}
[2025-12-25T17:36:17Z INFO evtx::evtx_chunk] Record id - 658
{"event_record_id":658,"timestamp":"2016-06-21T13:17:37.675333+00:00","event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Provider":{"#attributes":{"Name":"Microsoft-Windows-LocationProvider","Guid":"EAAB4D92-5199-46C4-A779-9721CE323D46"}},"EventID":2003,"Version":0,"Level":4,"Task":1,"Opcode":0,"Keywords":"0x2000000000000001","TimeCreated":{"#attributes":{"SystemTime":"2016-06-21T13:17:37.675333Z"}},"EventRecordID":658,"Correlation":null,"Execution":{"#attributes":{"ProcessID":5500,"ThreadID":6492}},"Channel":"Application","Computer":"4orensics","Security":{"#attributes":{"UserID":"S-1-5-19"}}},"EventData":null}}}
[2025-12-25T17:36:17Z INFO evtx::evtx_chunk] Record id - 659
{"event_record_id":659,"timestamp":"2016-06-21T13:17:50.209486+00:00","event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Provider":{"#attributes":{"Name":"Microsoft-Windows-LocationProvider","Guid":"EAAB4D92-5199-46C4-A779-9721CE323D46"}},"EventID":2001,"Version":0,"Level":4,"Task":1,"Opcode":0,"Keywords":"0x2000000000000001","TimeCreated":{"#attributes":{"SystemTime":"2016-06-21T13:17:50.209486Z"}},"EventRecordID":659,"Correlation":null,"Execution":{"#attributes":{"ProcessID":5500,"ThreadID":2848}},"Channel":"Application","Computer":"4orensics","Security":{"#attributes":{"UserID":"S-1-5-19"}}},"EventData":null}}}
[2025-12-25T17:36:17Z INFO evtx::evtx_chunk] Record id - 660
{"event_record_id":660,"timestamp":"2016-06-21T13:17:50.379997+00:00","event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Provider":{"#attributes":{"Name":"Microsoft-Windows-LocationProvider","Guid":"EAAB4D92-5199-46C4-A779-9721CE323D46"}},"EventID":2003,"Version":0,"Level":4,"Task":1,"Opcode":0,"Keywords":"0x2000000000000001","TimeCreated":{"#attributes":{"SystemTime":"2016-06-21T13:17:50.379997Z"}},"EventRecordID":660,"Correlation":null,"Execution":{"#attributes":{"ProcessID":5500,"ThreadID":6492}},"Channel":"Application","Computer":"4orensics","Security":{"#attributes":{"UserID":"S-1-5-19"}}},"EventData":null}}}
[...]
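Both invocations above emit the same stream: one JSON object per line, with the logger's lines interleaved. The following is an added example, not code from the project, showing how an analyst would consume that stream: skip the log lines, flatten each record to the fields usually pivoted on, build a time-ordered view, count events per provider and EventID, and flag gaps in the record-ID sequence. The sample input is constructed in the shape of the page's output; record 659 is deliberately left out so the gap check has something to find.

```python
import json
from collections import Counter

# Constructed sample in the shape of the page's captured output: logger lines
# interleaved with one JSON object per line. Record 659 is left out on purpose.
SAMPLE_OUTPUT = """\
[2025-12-25T17:36:17Z INFO evtx::evtx_chunk] Record id - 657
{"event_record_id":657,"timestamp":"2016-06-21T13:17:37.306573+00:00","event":{"Event":{"System":{"Provider":{"#attributes":{"Name":"Microsoft-Windows-LocationProvider","Guid":"EAAB4D92-5199-46C4-A779-9721CE323D46"}},"EventID":2001,"Channel":"Application","Computer":"4orensics","Security":{"#attributes":{"UserID":"S-1-5-19"}}},"EventData":null}}}
[2025-12-25T17:36:17Z INFO evtx::evtx_chunk] Record id - 658
{"event_record_id":658,"timestamp":"2016-06-21T13:17:37.675333+00:00","event":{"Event":{"System":{"Provider":{"#attributes":{"Name":"Microsoft-Windows-LocationProvider","Guid":"EAAB4D92-5199-46C4-A779-9721CE323D46"}},"EventID":2003,"Channel":"Application","Computer":"4orensics","Security":{"#attributes":{"UserID":"S-1-5-19"}}},"EventData":null}}}
[2025-12-25T17:36:17Z INFO evtx::evtx_chunk] Record id - 660
{"event_record_id":660,"timestamp":"2016-06-21T13:17:50.379997+00:00","event":{"Event":{"System":{"Provider":{"#attributes":{"Name":"Microsoft-Windows-LocationProvider","Guid":"EAAB4D92-5199-46C4-A779-9721CE323D46"}},"EventID":2003,"Channel":"Application","Computer":"4orensics","Security":{"#attributes":{"UserID":"S-1-5-19"}}},"EventData":null}}}
"""


def iter_records(text):
    """Yield one dict per JSON line; skip the logger's "[... INFO ...]" lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # A truncated or corrupt line is worth knowing about, not hiding.
            print("skipping unparseable line:", line[:60])


def scalar(value):
    """EVTX-to-JSON output may wrap a value as {"#text": ..., "#attributes": ...}
    when the element carries attributes (EventID with Qualifiers, for instance)."""
    if isinstance(value, dict):
        return value.get("#text")
    return value


def flatten(record):
    """Reduce one record to the fields an analyst usually pivots on."""
    system = record["event"]["Event"]["System"]
    provider = system.get("Provider", {}).get("#attributes", {})
    security = system.get("Security") or {}
    return {
        "record_id": record["event_record_id"],
        "timestamp": record["timestamp"],
        "provider": provider.get("Name"),
        "event_id": scalar(system.get("EventID")),
        "channel": system.get("Channel"),
        "computer": system.get("Computer"),
        "user_sid": (security.get("#attributes") or {}).get("UserID"),
    }


def timeline(text):
    """Flattened rows in time order (ISO-8601 with a fixed offset sorts lexically)."""
    rows = [flatten(r) for r in iter_records(text)]
    return sorted(rows, key=lambda r: r["timestamp"])


def event_id_counts(rows):
    """Histogram of (provider, event_id): a quick triage view of a channel."""
    return Counter((r["provider"], r["event_id"]) for r in rows)


def record_id_gaps(rows):
    """Record IDs missing between the lowest and highest seen.

    Gaps can be benign (chunks walked out of order, a log that rolled over),
    but they are also what a cleared or tampered log looks like, so they belong
    in the notes for any EVTX you rely on.
    """
    ids = sorted(r["record_id"] for r in rows)
    if not ids:
        return []
    return sorted(set(range(ids[0], ids[-1] + 1)) - set(ids))


if __name__ == "__main__":
    rows = timeline(SAMPLE_OUTPUT)
    for r in rows:
        print(r["timestamp"], r["record_id"], r["provider"], r["event_id"], r["user_sid"])
    print("counts:", dict(event_id_counts(rows)))
    print("missing record ids:", record_id_gaps(rows))
```

To run it on real output, feed the captured stream to timeline() (for example, the saved stdout of parse_file or parse_from_fs); keeping the log lines out of that stream with --log-level error makes the parse loop cheaper but is not required, since non-JSON lines are skipped.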