
Evtx Parser Version 1.0.7

By Andreas Schuster
Copyright © 2011 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

I'm releasing version 1.0.7 of my Windows Event Log Parser. This release fixes a couple of errors and enhances the handling of XML templates. The archive is available for download here.

The most important changes since version 1.0.5 are:

  1. Fixed an error in the CRC32 checks. Thanks to Michael Felber for reporting this bug.
  2. Fixed an error in the documentation. Thanks to Andrew Hoog for reporting it.
  3. The precision of the time stamp reported by Type0x11.pm has been increased by one decimal place. The outer structure's creation time stamp was not parsed correctly by Event.pm; the value can now be accessed as a formatted string through get_time_created().
  4. The contents of any BXmlNode can now be retrieved as a hex dump by calling get_hexdump().
  5. Handling of XML templates and NameStrings has been improved to support further research into that subject. Versions up to and including 1.0.5 built the string and template dictionaries on the fly while parsing a chunk. From now on the dictionaries can be populated from the tables and lists in the chunk header, which is much faster. Template.pm now reports the template's GUID.
  6. The example program evtxtemplates.pl was rewritten to make use of the new features. There is now an option to dump templates in hex, too:
$ ./evtxtemplates.pl --hex sample1.evtx
Template {ECD34601-0225-3E67-B639-D77B70281CE9} at chunk 0, offset 0x0612:
<EventData>
<Data>#0 (type 0x81, optional)#</Data>
<Binary>#2 (type 0x0e, optional)#</Binary></EventData>

0610:       00 00 00 00 01 46 d3 ec 25 02 67 3e b6 39  .....F..%.g>.9
0620: d7 7b 70 28 1c e9 78 00 00 00 0f 01 01 00 01 ff  .{p(..x.........
0630: ff 6c 00 00 00 39 06 00 00 00 00 00 00 44 82 09  .l...9.......D..
0640: 00 45 00 76 00 65 00 6e 00 74 00 44 00 61 00 74  .E.v.e.n.t.D.a.t
0650: 00 61 00 00 00 02 01 00 00 1c 00 00 00 61 06 00  .a...........a..
0660: 00 00 00 00 00 8a 6f 04 00 44 00 61 00 74 00 61  ......o..D.a.t.a
0670: 00 00 00 02 0e 00 00 81 04 01 02 00 20 00 00 00  ............ ...
0680: 84 06 00 00 00 00 00 00 21 b8 06 00 42 00 69 00  ........!...B.i.
0690: 6e 00 61 00 72 00 79 00 00 00 02 0e 02 00 0e 04  n.a.r.y.........
06a0: 04 00                                            ..
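To show what Template.pm and evtxtemplates.pl are reading out of those bytes, here is an added example in Python that is not part of the Evtx Parser distribution or of the original post. It takes the 144 bytes of the dump above (template header at 0x612, BinXml data from 0x62a), parses the header (link field, GUID, data size) and walks the BinXml tokens, resolving the NameStrings for EventData, Data and Binary through their chunk-relative offsets. The dump is placed at its real offset inside a zero-filled buffer, because the rest of chunk 0 is not on the page; that padding is a construction for this example. Field layouts and the "name stored inline when the name offset equals the current position" rule follow the public BinXml format descriptions, and the parser covers only the tokens that occur in templates of this shape (fragment header, open/close/end element, substitutions); any other token raises instead of silently desynchronising. The placeholder text mirrors the evtxtemplates.pl output, minus its line breaks.

```python
"""Parse one BinXml template definition out of an EVTX chunk (added example, not
part of the Evtx Parser distribution). Field layouts and token meanings follow the
public BinXml format descriptions; sample bytes are the evtxtemplates.pl dump above."""
import struct
import uuid

# Bytes 0x612..0x6a1 of chunk 0 of sample1.evtx, transcribed from the hex dump.
TEMPLATE_OFFSET = 0x612
TEMPLATE_DUMP = bytes.fromhex(
    "00 00 00 00 01 46 d3 ec 25 02 67 3e b6 39 "
    "d7 7b 70 28 1c e9 78 00 00 00 0f 01 01 00 01 ff "
    "ff 6c 00 00 00 39 06 00 00 00 00 00 00 44 82 09 "
    "00 45 00 76 00 65 00 6e 00 74 00 44 00 61 00 74 "
    "00 61 00 00 00 02 01 00 00 1c 00 00 00 61 06 00 "
    "00 00 00 00 00 8a 6f 04 00 44 00 61 00 74 00 61 "
    "00 00 00 02 0e 00 00 81 04 01 02 00 20 00 00 00 "
    "84 06 00 00 00 00 00 00 21 b8 06 00 42 00 69 00 "
    "6e 00 61 00 72 00 79 00 00 00 02 0e 02 00 0e 04 "
    "04 00"
)
# Name offsets are chunk-relative, so the dump sits at its real offset inside a
# zero-filled buffer (constructed here; the rest of chunk 0 is not on the page,
# a real parser hands over the whole 64 KiB chunk).
CHUNK = bytes(TEMPLATE_OFFSET) + TEMPLATE_DUMP

def read_name(chunk, off):
    """NameString: 4-byte link, 2-byte hash, 2-byte char count, UTF-16LE text, NUL.
    Returns (text, total byte length)."""
    _link, _hash, nchars = struct.unpack_from("<IHH", chunk, off)
    text = chunk[off + 8:off + 8 + 2 * nchars].decode("utf-16-le")
    return text, 8 + 2 * nchars + 2

def render_fragment(chunk, start, size):
    """Walk the BinXml tokens in chunk[start:start+size]; return (xml, substitutions)."""
    pos, end = start, start + size
    out, subs, stack = [], [], []
    while pos < end:
        token = chunk[pos]
        kind = token & 0x1f          # bit 0x40 means "more follows", not a token
        if kind == 0x00:             # end of fragment
            break
        if kind == 0x0f:             # fragment header: token, major, minor, flags
            pos += 4
        elif kind == 0x01:           # OpenStartElement: dependency id, size, name offset
            # dependency id: 0xffff on the root, otherwise the substitution the
            # element depends on (0 for <Data>, 2 for <Binary> in this dump)
            _dep, _size, name_off = struct.unpack_from("<HII", chunk, pos + 1)
            pos += 11
            if token & 0x40:         # attribute list size follows
                pos += 4
            name, nlen = read_name(chunk, name_off)
            if name_off == pos:      # name stored inline: step over it
                pos += nlen
            out.append("<" + name)
            stack.append(name)
        elif kind == 0x02:           # CloseStartElement
            out.append(">")
            pos += 1
        elif kind == 0x03:           # CloseEmptyElement
            out.append("/>")
            stack.pop()
            pos += 1
        elif kind == 0x04:           # EndElement
            out.append(f"</{stack.pop()}>")
            pos += 1
        elif kind in (0x0d, 0x0e):   # NormalSubstitution / OptionalSubstitution
            sub_id, vtype = struct.unpack_from("<HB", chunk, pos + 1)
            optional = kind == 0x0e
            subs.append((sub_id, vtype, optional))
            out.append(f"#{sub_id} (type 0x{vtype:02x}, {'optional' if optional else 'normal'})#")
            pos += 4
        else:                        # attributes, literal values etc. are not handled here
            raise ValueError(f"unsupported BinXml token 0x{token:02x} at 0x{pos:x}")
    if stack:
        raise ValueError(f"unbalanced elements, still open: {stack}")
    return "".join(out), subs

def parse_template(chunk, off):
    """Template definition: 4-byte link, 16-byte GUID (mixed-endian), 4-byte data size."""
    _link, guid_le, size = struct.unpack_from("<I16sI", chunk, off)
    body = off + 24
    if body + size > len(chunk):     # never trust a length field from the file
        raise ValueError("template data runs past the end of the chunk")
    xml, subs = render_fragment(chunk, body, size)
    return {"guid": uuid.UUID(bytes_le=guid_le), "size": size, "xml": xml, "substitutions": subs}

if __name__ == "__main__":
    t = parse_template(CHUNK, TEMPLATE_OFFSET)
    print(f"Template {{{str(t['guid']).upper()}}} at chunk 0, offset 0x{TEMPLATE_OFFSET:04x}:")
    print(t["xml"])
```

Two things worth noticing when comparing the code with the dump: the GUID is stored mixed-endian (the first three groups little-endian, the last eight bytes in order), which is why `uuid.UUID(bytes_le=...)` turns `01 46 d3 ec 25 02 67 3e b6 39 ...` into {ECD34601-0225-3E67-B639-D77B70281CE9}; and every NameString in this template sits directly behind the element header that references it, so the parser has to step over it rather than keep reading tokens from 0x639. When walking a real chunk, start from the template table in the chunk header (as version 1.0.7 now does) rather than scanning for GUIDs, and keep the length check: a corrupted or crafted data size is exactly what sends a naive parser off into unrelated bytes.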



This post first appeared on Computer Forensic; please read the original post there.
