
Evtx Parser Version 1.1.0

By Andreas Schuster
Copyright © 2011 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

It's my pleasure to announce a major release of my Evtx Parser and tools collection. Version 1.1.0 significantly increases the ability to parse and transform Microsoft's proprietary Binary Xml Dialect. The new version covers about 90% of XML tokens and data types.

Evtx Parser and the Parse::EVTX Perl library are now available for download (ZIP).

I've also added support for arrays of all kinds of integers, single and double precision floating point numbers, GUIDs, FILETIME and the SYSTEMTIME structure.
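To make the newly supported value types concrete, here is a small decoder for the fixed-size binary forms that EVTX Binary XML uses for FILETIME, SYSTEMTIME, GUID and integer arrays. This is an added example written for this post and is not code from Evtx Parser or Parse::EVTX; the function names, the array helper and the sample byte strings are all constructed for illustration.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_filetime(data: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME into an aware UTC datetime."""
    if len(data) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", data)
    # Python datetimes carry microseconds, so 100 ns ticks are divided by 10.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_systemtime(data: bytes) -> datetime:
    """Decode a 16-byte SYSTEMTIME: eight little-endian WORDs in the order
    year, month, day-of-week, day, hour, minute, second, milliseconds.
    The day-of-week field is redundant and is ignored here."""
    if len(data) != 16:
        raise ValueError("SYSTEMTIME must be exactly 16 bytes")
    year, month, _dow, day, hour, minute, second, millis = struct.unpack("<8H", data)
    return datetime(year, month, day, hour, minute, second,
                    millis * 1000, tzinfo=timezone.utc)


def parse_guid(data: bytes) -> str:
    """Decode a 16-byte GUID stored in the Windows mixed-endian layout
    (Data1..Data3 little-endian, Data4 as-is) into canonical text form."""
    if len(data) != 16:
        raise ValueError("GUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=data))


def parse_array(data: bytes, element_size: int, decoder):
    """Split an array value of fixed-size elements and decode each element.
    A length that is not a multiple of the element size indicates a
    truncated or corrupt record, so it is rejected rather than silently
    dropping the tail."""
    if element_size <= 0 or len(data) % element_size:
        raise ValueError("array length is not a multiple of the element size")
    return [decoder(data[i:i + element_size])
            for i in range(0, len(data), element_size)]


def parse_int_array(data: bytes, fmt: str):
    """Decode an array of integers given a struct format such as '<i' or '<Q'."""
    size = struct.calcsize(fmt)
    return parse_array(data, size, lambda chunk: struct.unpack(fmt, chunk)[0])


if __name__ == "__main__":
    # Constructed sample values (not taken from any real event log).
    print(parse_filetime(b"\x00\x80\x3e\xd5\xde\xb1\x9d\x01"))       # Unix epoch
    print(parse_systemtime(b"\xdb\x07\x05\x00\x01\x00\x17\x00"
                           b"\x0e\x00\x1e\x00\x2d\x00\xfa\x00"))      # 2011-05-23 14:30:45.250
    print(parse_guid(b"\x67\x45\x23\x01\xab\x89\xef\xcd"
                     b"\x01\x23\x45\x67\x89\xab\xcd\xef"))
    print(parse_int_array(b"\x01\x00\x00\x00\xff\xff\xff\xff", "<i"))   # [1, -1]
```

The FILETIME sample is the well-known tick count of the Unix epoch, which is a convenient sanity check for any FILETIME decoder; the length checks matter because a parser that tolerates short or odd-sized values will quietly misattribute bytes to the wrong field.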

A couple of months ago I had received one report about a node type 0x08, but, unfortunately, no data to analyze. So far, I have not succeeded in creating this token on Windows 7, using version 7A of the SDK. Even though this appears to be a rare token, I'd like to add a proper handler routine to EvtxParser. I'd greatly appreciate any samples of this Binary Xml token.

This is also the moment to thank the community for their continued support by reporting bugs and donating samples. Your samples helped me to improve my understanding of Microsoft's Binary Xml Dialect. My thanks go to Mark Woan for providing specially crafted test data and teaching me how to create test cases. I plan to release my test data set over the next few weeks, in order to support tool validation efforts.



This post first appeared on Computer Forensic.
