ArtifactExtractor: A Script for Extracting Windows Artifacts
ArtifactExtractor is a script designed to extract common Windows artifacts from source images and Volume Shadow Copies (VSCs). Before extraction, the artifacts in VSCs will be checked (using hash comparison) to determine if they differ from a later VSC or image copy.
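The hash check described above, as an added Python example that is not ArtifactExtractor's own code. It assumes SHA-256, mounted snapshot directories, and hypothetical names (sha256_file, select_changed, demo); the sample data is constructed.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large hives or logs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def select_changed(sources, artifact):
    """sources: (label, root) pairs ordered oldest VSC first, image copy last.
    Returns the labels whose copy of `artifact` differs from the next later
    copy that exists, plus the latest copy itself."""
    keep = []
    later_hash = None
    for label, root in reversed(sources):       # walk newest to oldest
        path = os.path.join(root, artifact)
        if not os.path.isfile(path):
            continue                             # artifact absent in this snapshot
        digest = sha256_file(path)
        if digest != later_hash:                 # changed relative to the later copy
            keep.append(label)
        later_hash = digest
    return list(reversed(keep))


def demo():
    """Constructed sample: three VSCs and an image holding the same artifact."""
    contents = {"vsc1": b"hive-v1", "vsc2": b"hive-v1",
                "vsc3": b"hive-v2", "image": b"hive-v2"}
    artifact = os.path.join("config", "SYSTEM")
    with tempfile.TemporaryDirectory() as top:
        sources = []
        for label, data in contents.items():
            root = os.path.join(top, label)
            os.makedirs(os.path.join(root, "config"))
            with open(os.path.join(root, artifact), "wb") as f:
                f.write(data)
            sources.append((label, root))
        return select_changed(sources, artifact)


if __name__ == "__main__":
    print(demo())
```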
Dependencies:
- None if you are using the release executable on Windows.
- Otherwise:
  - Install backports.lzma.
    - For Windows: Use the latest wheel file available from [here].
    - For Linux: Utilize a package manager, e.g., sudo apt install liblzma-dev.
  - Install libewf; use libewf-legacy instead of libewf (experimental).
    - Note that newer experimental releases may have a file corruption issue.
    - For Windows: Use the MSI installer available from [here].
    - For Linux: Use the libewf-legacy build 20140806 (Windows ONLY).
  - Install pywin32 by running: pip install pywin32.
  - To install remaining requirements, use requirements.txt.
    - Use pip to install with: pip install -r requirements.txt.
Usage: Create a destination directory with the command artifact_extractor.exe [-a ] or run artifact_extractor.exe -h for more options.
Credits: Thanks to Joachim Metz and his libraries, and John Corcoran for Unix compatibility.