July 2007 Archives
The substitution mechanism makes it possible to separate content from structure. Variable data is moved into a separate table, the "Substitution Array", and placeholders within the XML stream, the substitution system tokens, point to the proper element of that table.
Parsing clear text can be a tedious piece of work, especially in the case of XML, which is known for its low entropy. Under the premise that XML messages are frequently re-read, converting certain language elements into "tokens" can save a significant amount of computational power and also cut down on storage requirements.
By far the largest part of an event record consists of a complex binary XML structure. I'm going to explain its internals in a series of postings. I'm starting with an overview of the XML schema.
I'm excited to release the first version of a template for the 010 Editor which parses the outer structure of a Vista event log file. By "outer structure" I refer to the structures described earlier in this blog, from the file level down to the single record. However, the template cannot yet decode the binary XML inside of an event record, and probably never will. For this task I will provide a more complex tool in a few weeks.
ACM SIGOPS is soliciting the submission of papers for its Operating Systems Review. This special issue will be dedicated to computer forensics, especially the emerging fields of live forensics and the analysis of volatile data.
The call for papers closes on December 1st, 2007.
(via Bradley Schatz)
This article documents the structure of a single event record within a Vista Event Log (.evtx) file. The event records follow the chunk header one after another.
Each event log file contains one or more so-called "chunks", which store the event records. During operation, only the current chunk of an event log file is mapped into memory.
This article documents the Evtx file header. The file header provides some overall information about a Vista event log file.
"Chopstick" published two articles about CarvFS in his blog Chirashi Security.
Since version 2.3, the shared libraries and utility programs which implement the Advanced Forensic Format (AFF) are also available for the Microsoft Windows platform.
