
Evtx Parser Version 1.0.4

By Andreas Schuster
Copyright © 2011 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

Version 1.0.4 of my Microsoft Vista and Windows 2008 Event Log Parser is now available for download. This version adds data integrity checking and fixes some errors.

This version fixes a bug that triggered an assertion in line 37 (or 38, depending on your version) of module Node0x0c.pm. The root cause is quite interesting: chunks may contain some data behind their last event record. These are either the remains of older records or the beginning of a record that finally grew too large for the remaining space. Commonly these fragments appear as binary garbage and the parser skips over them.

In some cases, however, there is a complete event record and it is in the right position. The parser then tries to recreate the XML structure, and when Node0x0c.pm attempts to apply the XML template it cannot access the template definition: the definition was stored at lower offsets and has been irrecoverably overwritten. This finally triggered the assertion mentioned above. This condition is now handled more gracefully.

I wish to thank Kristinn Gudjonsson for reporting this error and Michael Felber for providing me with test data.

Recently, I discovered an additional CRC32 checksum in the chunk header. This checksum is calculated over the event data portion of a chunk, from chunk offset 0x200 to OfsRecNext. The evtxinfo.pl sample program from now on applies this check to every chunk:

./evtxinfo.pl manipulated-SID.evtx 
Information from file header:
Format version  : 3.1
Flags           : 0x00000000
         File is: clean
     Log is full: no
Current chunk   : 2 of 2
Next Record#    : 161
Check sum       : pass

Information from chunks:
Chunk file (first/last)     log (first/last)      Header Data  
----- --------------------- --------------------- ------ ------
    1          1        113          1        113   pass   pass
    2        114        160        114        160   pass FAILED

For this example, a Security ID within an event record was changed by means of a hex editor. Please note the FAILED data integrity check for the manipulated second chunk. It should be noted that this kind of check will only detect accidental corruption. An adversary would simply have to recalculate the checksums to foil detection of his manipulation.
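The check described above, reproduced as an added Python example (this is not code from the parser or from this post): it builds a constructed 64 KiB chunk with three dummy records, computes the data CRC32 from chunk offset 0x200 to OfsRecNext together with the chunk header CRC32, then changes one digit of a SID the way a hex editor would, and finally shows why the check only catches accidents by recomputing both sums after the edit. The coverage of the header CRC and the use of the standard zlib CRC32 are taken from the public format documentation and other open-source EVTX parsers, not from this post; the record payloads are plain bytes in place of BinXML, and the string and template offset tables in the chunk header are left empty.

```python
"""Check the two CRC32 sums of an EVTX chunk (constructed example, not evtxinfo.pl).

Chunk header offsets (little-endian), from the public format documentation:
  0x00 "ElfChnk\\0" signature        0x28 header size (u32, 0x80)
  0x08 first record number (u64)     0x2C offset of last record (u32)
  0x10 last record number  (u64)     0x30 OfsRecNext: start of free space (u32)
  0x18 first record id     (u64)     0x34 data CRC32 over 0x200..OfsRecNext
  0x20 last record id      (u64)     0x7C header CRC32 over 0x00..0x78 + 0x80..0x200
"""
import struct
import zlib

CHUNK_SIZE = 0x10000
CHUNK_HEADER_SIZE = 0x200
CHUNK_SIGNATURE = b"ElfChnk\x00"
RECORD_SIGNATURE = b"\x2a\x2a\x00\x00"
RECORD_HEADER_SIZE = 0x18  # signature, size, record id, FILETIME


def crc32(data: bytes) -> int:
    # Assumption: the standard (zlib / IEEE 802.3) CRC32, as open-source EVTX parsers use.
    return zlib.crc32(data) & 0xFFFFFFFF


def chunk_header_checksum(chunk: bytes) -> int:
    # The header CRC skips the 8 bytes at 0x78..0x80 that hold the CRC field itself.
    return crc32(chunk[0x00:0x78] + chunk[0x80:CHUNK_HEADER_SIZE])


def chunk_data_checksum(chunk: bytes) -> int:
    # This is the check evtxinfo.pl reports in its "Data" column.
    ofs_rec_next = struct.unpack_from("<I", chunk, 0x30)[0]
    return crc32(chunk[CHUNK_HEADER_SIZE:ofs_rec_next])


def verify_chunk(chunk: bytes) -> dict:
    """Compare both stored CRCs with recomputed ones; True means 'pass'."""
    if chunk[:8] != CHUNK_SIGNATURE:
        raise ValueError("not an EVTX chunk")
    stored_header = struct.unpack_from("<I", chunk, 0x7C)[0]
    stored_data = struct.unpack_from("<I", chunk, 0x34)[0]
    return {
        "header": stored_header == chunk_header_checksum(chunk),
        "data": stored_data == chunk_data_checksum(chunk),
    }


def build_record(record_id: int, payload: bytes, filetime: int = 0) -> bytes:
    """Event record: signature, total size, record id, FILETIME, payload, size copy.
    A real record carries BinXML as payload; any bytes do for a CRC demonstration."""
    body = RECORD_SIGNATURE + b"\0\0\0\0" + struct.pack("<QQ", record_id, filetime) + payload
    size = len(body) + 4          # trailing copy of the size field
    size += (-size) % 8           # records are padded to 8-byte boundaries
    rec = bytearray(body.ljust(size - 4, b"\0") + struct.pack("<I", size))
    struct.pack_into("<I", rec, 4, size)
    return bytes(rec)


def build_chunk(first_number: int, records: list) -> bytes:
    """Assemble a constructed 64 KiB chunk whose two checksums are correct."""
    data = b"".join(records)
    chunk = bytearray(CHUNK_SIZE)
    chunk[0:8] = CHUNK_SIGNATURE
    last_number = first_number + len(records) - 1
    struct.pack_into("<QQQQ", chunk, 0x08, first_number, last_number, first_number, last_number)
    struct.pack_into("<I", chunk, 0x28, 0x80)
    ofs_rec_next = CHUNK_HEADER_SIZE + len(data)
    struct.pack_into("<II", chunk, 0x2C, ofs_rec_next - len(records[-1]), ofs_rec_next)
    chunk[CHUNK_HEADER_SIZE:ofs_rec_next] = data
    # String and template offset tables at 0x80..0x200 stay zero: there is no BinXML to index.
    struct.pack_into("<I", chunk, 0x34, chunk_data_checksum(bytes(chunk)))
    struct.pack_into("<I", chunk, 0x7C, chunk_header_checksum(bytes(chunk)))
    return bytes(chunk)


def reseal(chunk: bytes) -> bytes:
    """What an adversary adds to a hex edit: recompute the data CRC, then the header CRC
    (which covers the data CRC field), so that both checks pass again."""
    sealed = bytearray(chunk)
    struct.pack_into("<I", sealed, 0x34, chunk_data_checksum(bytes(sealed)))
    struct.pack_into("<I", sealed, 0x7C, chunk_header_checksum(bytes(sealed)))
    return bytes(sealed)


def demo():
    """Verdicts for a clean chunk, the same chunk with one SID digit changed, and the resealed edit."""
    sid = b"S-1-5-21-1-2-3-500"          # constructed SID, not from any real log
    records = [build_record(114 + i, sid + b" constructed payload") for i in range(3)]
    chunk = build_chunk(114, records)
    # Offset of the RID's first digit inside the first record's payload; overwrite '5' with '9'.
    sid_offset = CHUNK_HEADER_SIZE + RECORD_HEADER_SIZE + len(b"S-1-5-21-1-2-3-")
    edited = bytearray(chunk)
    edited[sid_offset] = ord(b"9")
    edited = bytes(edited)
    return verify_chunk(chunk), verify_chunk(edited), verify_chunk(reseal(edited))


if __name__ == "__main__":
    for label, result in zip(("clean", "edited", "resealed"), demo()):
        print(f"{label:9} header={'pass' if result['header'] else 'FAILED'} "
              f"data={'pass' if result['data'] else 'FAILED'}")
```

Run as a script, the three lines mirror the table above: the clean chunk passes both checks, the edited chunk still passes the header check but FAILS the data check, and the resealed chunk passes both again. Note that the data CRC field at 0x34 is itself inside the span covered by the header CRC, so an attacker who only fixes the data sum would trip the header check; reseal() therefore recomputes the two in that order.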


