All,

Joachim Metz, from Google, has written a set of C libraries to work with Microsoft files in Linux. LGPLv3+

An overview is at http://code.google.com/p/libyal/wiki/Overview

I have many of them now in factory with more coming. (If you see one you want that is not yet in factory, let me know.)

They often include CLI tools to use the functionality. See

libregf-tools - tools to parse MS registry files
libevt-tools - tools to parse MS event logs in the pre-Vista format
libevtx-tools - tools to parse MS event logs in the Vista and newer format
libmsiecf-tools - tools to parse MS Internet Explorer Cache Files
liblnk-tools - tools to parse MS link files. Similar to a symbolic link file
libvshadow-tools (not yet submitted, find it in the filesystems repo) - tools to parse NTFS volume shadow copies
libpff-tools - (not yet submitted, find it in the security repo) - tools to parse PST and OST files

I am most intrigued by libvshadow. This is the only OSS tool I know of that even tries to give users access to NTFS volume shadow copies.

FYI: The driving force behind me packaging most of these is that plaso is using them. Plaso is a new Python application that parses filesystems and creates a single integrated timeline of all the activity found on the computer. It pulls events out of all of the above so the timeline can be comprehensive. (I don't think it uses libpff yet.)

I just submitted python-plaso to factory a few minutes ago, but I think all of the dependencies it needs are already there.

Greg