Processing with elementary

Elementary is a command-line tool that can create and process forensicstore files.

Unpack forensicstores

To extract all file artifacts stored in the forensicstore you can use:

elementary archive unpack TestMachine.forensicstore

More examples:

# Extract all prefetch files
elementary archive unpack --match "*.pf" TestMachine.forensicstore

# Extract all Windows event logs, recreating the original folder structure
elementary archive unpack --match "*.evtx" --mode folder \
    --prefix-artifact=false TestMachine.forensicstore
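
In practice you will want a record of what the unpack step actually produced, so that the extracted artifacts can later be shown to be unchanged. The following wrapper is an added example and is not part of the elementary project: it unpacks a forensicstore into a fresh directory and writes a SHA-256 manifest of every extracted file, plus a function to re-verify that directory against the manifest. It assumes that `elementary archive unpack` writes into the current working directory (check `elementary archive unpack --help` for your version); the script and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the elementary project. Unpack a forensicstore
# and record a SHA-256 manifest of every extracted file so the extraction can
# be verified later. Assumption: `elementary archive unpack` extracts into the
# current working directory (verify with `elementary archive unpack --help`).
set -eu

# Print a SHA-256 line ("hash  path") for every regular file below $1,
# sorted by path so two runs over identical trees produce identical output.
make_manifest() {
    dir=$1
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$f"
        else
            shasum -a 256 "$f"          # macOS / BSD fallback
        fi
    done
}

# Re-check a directory against a manifest written by make_manifest.
# Returns non-zero if any listed file is missing or has a different hash.
verify_manifest() {
    manifest=$1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum --check --quiet "$manifest"
    else
        shasum -a 256 --check --quiet "$manifest"
    fi
}

# Unpack the forensicstore $1 into directory $2 and write $2.manifest.
unpack_with_manifest() {
    # absolute path to the store, because we cd into the output directory
    store=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    out=$2
    [ -f "$store" ] || { echo "no such forensicstore: $store" >&2; return 1; }
    mkdir -p "$out"
    ( cd "$out" && elementary archive unpack "$store" )
    make_manifest "$out" > "$out.manifest"
    echo "wrote $(wc -l < "$out.manifest") entries to $out.manifest"
}

# Usage: ./unpack_with_manifest.sh TestMachine.forensicstore extracted
if [ "$#" -eq 2 ]; then
    unpack_with_manifest "$1" "$2"
fi
```

The manifest stores paths exactly as `find` printed them, so pass an absolute output directory if you intend to run `verify_manifest` from a different working directory later. Keep the manifest alongside the case notes; a mismatch on re-verification means the extracted copy can no longer be relied on.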

Run forensic tasks

The elementary command-line tool can also run an individual forensic task against a forensicstore, e.g. the usb task:

elementary run usb TestMachine.forensicstore