Evtx Magic


In this article I provide a spell of magic(5) which allows file(1) to identify Vista event log files in their native form (.evtx).

Hopefully this snippet will find its way into the next version of file(1).

0       string  ElfFile\0       Vista Event Log (.evtx)
>0x2a   leshort x               \b, %d chunks
>>0x10  lelong  x               \b (no. %d in use)
>0x18   lelong  >1              \b, next record no. %d
>0x18   lelong  =1              \b, empty
>0x78   lelong  &1              \b, DIRTY
>0x78   lelong  &2              \b, FULL
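The snippet above reads five fields of the 128-byte EVTX file header. As an added worked example (not code from the original post and not part of file(1)), the Python below parses the same fields at the same offsets and produces the same one-line description that the magic entry prints; the header it checks is constructed in the script, not a real log. Two details go slightly beyond the magic entry and are assumptions taken from the published EVTX format description rather than from the page: the chunk numbers and record number are read as full 64-bit little-endian values (the magic reads only their low 32 bits with lelong), and the trailing CRC32 over the first 120 header bytes is verified as a consistency check.

```python
import struct
import zlib

EVTX_SIGNATURE = b"ElfFile\x00"   # offset 0x00, matches "0 string ElfFile\0" in the magic
FLAG_DIRTY = 0x1                  # bit tested by ">0x78 lelong &1"
FLAG_FULL = 0x2                   # bit tested by ">0x78 lelong &2"
HEADER_SIZE = 0x80                # documented file header size (128 bytes)


def describe_evtx(data: bytes) -> str:
    """Return the file(1)-style description the magic entry would print.

    Field offsets mirror the magic entry: 0x10 last chunk in use, 0x18 next
    record number, 0x2a chunk count, 0x78 flags.  Raises ValueError when the
    data is not an EVTX header.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("need at least 128 bytes of header")
    if data[:8] != EVTX_SIGNATURE:
        raise ValueError("not an EVTX file (signature mismatch)")

    # Assumption: 64-bit fields per the published format; the magic uses lelong
    # (32-bit) which reads the low half only.
    _first_chunk, last_chunk, next_record = struct.unpack_from("<QQQ", data, 0x08)
    (chunk_count,) = struct.unpack_from("<H", data, 0x2a)
    (flags,) = struct.unpack_from("<I", data, 0x78)

    desc = f"Vista Event Log (.evtx), {chunk_count} chunks (no. {last_chunk} in use)"
    if next_record > 1:            # ">0x18 lelong >1"
        desc += f", next record no. {next_record}"
    elif next_record == 1:         # ">0x18 lelong =1"
        desc += ", empty"
    if flags & FLAG_DIRTY:
        desc += ", DIRTY"
    if flags & FLAG_FULL:
        desc += ", FULL"
    return desc


def header_checksum_ok(data: bytes) -> bool:
    """Check the CRC32 at 0x7c against the first 120 header bytes.

    Assumption: this is the documented header checksum; the magic entry does
    not look at it.  A mismatch on a file that otherwise matches is a hint that
    the header was truncated, carved or tampered with.
    """
    (stored,) = struct.unpack_from("<I", data, 0x7c)
    return zlib.crc32(data[:0x78]) & 0xFFFFFFFF == stored


def build_header(first_chunk: int, last_chunk: int, next_record: int,
                 chunk_count: int, flags: int) -> bytes:
    """Construct a 128-byte EVTX file header (constructed sample, not a real log)."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = EVTX_SIGNATURE
    struct.pack_into("<QQQ", hdr, 0x08, first_chunk, last_chunk, next_record)
    # 0x20 header size, 0x24 minor version, 0x26 major version,
    # 0x28 header block size, 0x2a chunk count (sample version values)
    struct.pack_into("<IHHHH", hdr, 0x20, HEADER_SIZE, 1, 3, 0x1000, chunk_count)
    struct.pack_into("<I", hdr, 0x78, flags)
    struct.pack_into("<I", hdr, 0x7c, zlib.crc32(bytes(hdr[:0x78])) & 0xFFFFFFFF)
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed headers modelled on the sample output in the post.
    for name, hdr in [
        ("System.evtx", build_header(0, 5, 744, 6, 0)),
        ("Anwendung.evtx", build_header(0, 1, 171, 2, FLAG_DIRTY)),
        ("sample6.evtx", build_header(0, 15, 4260, 16, FLAG_FULL)),
        ("fresh.evtx", build_header(0, 0, 1, 1, 0)),
    ]:
        print(f"{name}: {describe_evtx(hdr)} [checksum ok: {header_checksum_ok(hdr)}]")
```

The order of the appended clauses follows the magic entry, so the output can be compared line for line with what file(1) prints; run it on a real log by replacing the constructed header with the first 128 bytes of the file.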

And here's some sample output:

  • an ordinary log file:
    System.evtx: Vista Event Log (.evtx), 6 chunks (no. 5 active), next record no. 744

  • log obtained while the system was running:
    Anwendung.evtx: Vista Event Log (.evtx), 2 chunks (no. 1 active), next record no. 171, DIRTY

  • log wrapped around, the 2nd chunk (counter starts at 0!) is currently reused:
    sample4.evtx: Vista Event Log (.evtx), 16 chunks (no. 1 in use), next record no. 5276

  • overflowed log file:
    sample6.evtx: Vista Event Log (.evtx), 16 chunks (no. 15 in use), next record no. 4260, FULL

1 Comment

Thanks, Andreas. Excellent addition to my magic file. Keep up the great work!

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.