This is the personal website of Willi Ballenthin. I am a consultant at Mandiant, specializing in incident response and computer forensics. Below, you’ll find an index of my public projects. Please feel encouraged to contact me via the link to your left.


  • python-registry - A pure Python interface to parsing and reading Windows Registry files.
  • python-evtx - A pure Python interface to parsing recent Windows Event Log files (.evtx files).
  • NTFS INDX Attribute Parsing - I wrote a tool to easily extract file entries from NTFS directory indices.
  • Windows Registry Shellbag Parsing - I wrote a tool to parse Windows shellbag entries into the Bodyfile format.
  • Tor - I’ve not contributed to Tor, but this webapp tracks Tor endpoints active over time.
  • Windows ReFS File System - I’ve dug into the on-disk structure of the ReFS file system soon.
  • The Sleuth Kit - I developed patches bringing basic Ext4 support to the Sleuthkit file system tools.
  • Windows Event Log Record Carving - I developed the script LfLe.py to recover Windows EVT event log records from a forensic image.
  • log2timeline - I submitted modules to the supertimelining tool, including the Apache2, Syslog, and Analog input modules.
  • Analog & Forensics - I successfully used the Analog web log analyzer cache file during a forensic investigation and described my usage.

Blog Posts