Skip to content
/ wlripEXE Public

WLrip - Parses WaitList.dat - Compiled Windows Executable Version

License

GPL-3.0 license
7 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

B2dfir/wlripEXE

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
wlrip.exe
wlrip.exe
 
 

Repository files navigation

WLripEXE (beta)

Version 0.2 - Compiled Windows Executable By Barnaby Skeggs (b2dfir.blogspot.com)

‘WaitList.dat’ (WaitList) is data file which has been found to contain stripped text from email, contact and document files as a function of the Windows Search Indexer.

WLripEXE is a Python 3.5 program compiled to a single Windows executable (pyinstaller), that will extract the metadata and body text of each indexed record to a new .txt file, and produce a metadata report in .csv format. Running WLrip with the ‘-x’ option will produce a .xlsx report with hyperlinks to each .txt file created. This is the recommended method to run WLrip, which utilises the Python ‘XLSXWriter’ module (https://github.com/jmcnamara/XlsxWriter).

Recommended execution of WLripEXE is as follows:

Wlrip.exe -c -x -f filename -o output directory

####Arguments:

Argument Description
-c Removes null characters, in an attempt to clean up the text output.
-x Produces a .xlsx report, as well as the default .csv report.
-k Kills the ‘Microsoft Windows Search Indexer’ process, which will lock the WaitList.dat file on a live system. Requires administrator privileges.
-f Specify WaitList.dat file location for processing.
-o Specifies an output directory. If not included, the report will be generated within a new folder in the current directory.

I have done my best to write this program in a way that allows it to capture new values (which I have not yet encountered) in the ‘other’ field. Values captured in the ‘other’ field will be appended with a [type], to indicate the field value stored in the data structure. Please inform me or propose changes to the git should you come across new value types for implementation in future release.

#####For Community Contribution

Two values are included in the output report for community analysis.

The first is Unkn, which I suspect is actually padding and/or zeros from another value of larger size, as it has had a value of 00 for all tested records so far. The second is DocID, which I suspect is an ID for the document which was indexed by Windows Search Indexer.

Please see b2dfir.blogspot.com for a description of the data structure understanding that underpins this parser.

#Change Log# v0.2 - Fixed error relating to email 'subject' output in report file

About

WLrip - Parses WaitList.dat - Compiled Windows Executable Version

Resources

Readme

License

GPL-3.0 license
Activity

Stars

7 stars

Watchers

1 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages