This is the personal website of Willi Ballenthin. I am a reverse engineer with a background in incident response and computer forensics. Below, you’ll find an index of my public projects. Please feel encouraged to contact me via the link to your left.


  • python-registry - A pure Python interface to parsing and reading Windows Registry files.
  • python-evtx - A pure Python interface to parsing recent Windows Event Log files (.evtx files).
  • NTFS INDX Attribute Parsing - I wrote tools for forensic analysis of NTFS file systems, including a utility to easily extract file entries from NTFS directory indices.
  • Windows Registry Shellbag Parsing - I developed a tool to parse Windows shellbag entries into the Bodyfile format.
  • Tor - I’ve not contributed to Tor, but this webapp tracks Tor endpoints active over time.
  • Windows Event Log Record Carving - I published the script LfLe.py to recover Windows EVT event log records from a forensic image.
  • WMI forensics - At FireEye, we reverse engineered the WMI CIM repository file format and developed tools to enable forensic analysis.
  • Application Compatibility Infrastructure Analysis - Since the file format for “shim databases” (.sdb files) was undocumented, I reverse engineered the format and published a parsing library in Python.

Blog Posts