010 Template to Parse an Evtx File
I'm excited to release the first version of a template for the 010 Editor which parses the outer structure of a Vista event log file. By "outer structure" I refer to the structures described earlier in this blog, from the file level down to the single record. However, the template cannot yet decode the binary XML inside an event record, and probably never will. For this task I will provide a more complex tool in a few weeks.
The template parses the following structures:
- File Header
- Chunk Header
- String Table
- Template Table
- Event Record
Here are a few screenshots of the output generated by the template. The first one shows the file header.

Here is the string table. The template tries to resolve the addresses stored in the hash buckets into the actual strings for clarity.

This is what an event record looks like. Only the record number and a timestamp are readable outside of the complex binary XML structure.
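As an added illustration of the outer structure the template walks (file header, chunk header, string-table hash buckets and the record header), here is a small Python parser; it is not the 010 template or any code from this blog. The field offsets it assumes come from the publicly documented EVTX layout, not from this post, and the image it parses is constructed in `build_sample` with checksums left at zero.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout assumed from the publicly documented EVTX format, not from the post: 4 KiB file header,
# 64 KiB chunks, 128-byte chunk header, 64 string buckets, 32 template pointers, records at 0x200.
CHUNK_SIZE, CHUNK_START, RECORD_MAGIC = 0x10000, 0x1000, b"**\x00\x00"
def filetime_to_dt(ft):  # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
def parse_file_header(buf):
    if buf[:8] != b"ElfFile\x00":
        raise ValueError("bad file signature")
    first, last, next_id, _, minor, major, _, nchunks = struct.unpack_from("<QQQIHHHH", buf, 8)
    return {"chunks": (first, last), "next_record_id": next_id, "version": (major, minor), "chunk_count": nchunks}
def resolve_strings(chunk, off):  # walk one hash-bucket chain: next offset, hash, char count, UTF-16LE text
    while off:
        nxt, _hash, nchars = struct.unpack_from("<IHH", chunk, off)
        yield chunk[off + 8:off + 8 + 2 * nchars].decode("utf-16-le")
        off = nxt
def parse_chunk(chunk):
    if chunk[:8] != b"ElfChnk\x00":
        raise ValueError("bad chunk signature")
    _, _, first_id, last_id, _, _, free_off = struct.unpack_from("<QQQQIII", chunk, 8)
    strings = [s for b in struct.unpack_from("<64I", chunk, 0x80) for s in resolve_strings(chunk, b)]
    records, off = [], 0x200
    # Outside the binary XML only the record id and the written timestamp are readable.
    while off + 24 <= free_off and chunk[off:off + 4] == RECORD_MAGIC:
        size, rec_id, ft = struct.unpack_from("<IQQ", chunk, off + 4)
        if size < 28 or off + size > free_off or chunk[off + size - 4:off + size] != chunk[off + 4:off + 8]:
            break  # truncated or corrupt record: stop rather than mis-parse
        records.append({"id": rec_id, "written": filetime_to_dt(ft), "binxml": chunk[off + 24:off + size - 4]})
        off += size
    return {"record_ids": (first_id, last_id), "strings": strings, "records": records}
def parse_evtx(buf):
    hdr = parse_file_header(buf)
    chunks = [buf[CHUNK_START + i * CHUNK_SIZE:CHUNK_START + (i + 1) * CHUNK_SIZE] for i in range(hdr["chunk_count"])]
    return hdr, [parse_chunk(c) for c in chunks]
def build_sample():  # constructed one-chunk image: one record, one string entry, checksums left zero
    name = "Computer".encode("utf-16-le")
    entry = struct.pack("<IHH", 0, 0x1234, len(name) // 2) + name + b"\x00\x00"
    body = entry + b"\x0f\x01\x01\x00"  # string entry, then a stub in place of real binary XML
    size = 24 + len(body) + 4
    record = RECORD_MAGIC + struct.pack("<IQQ", size, 1, 128436192000000000) + body + struct.pack("<I", size)
    chunk = bytearray(CHUNK_SIZE); chunk[:8] = b"ElfChnk\x00"
    struct.pack_into("<QQQQIII", chunk, 8, 1, 1, 1, 1, 128, 0x200, 0x200 + size)
    struct.pack_into("<I", chunk, 0x80 + 4 * (0x1234 % 64), 0x200 + 24)  # bucket -> string entry
    chunk[0x200:0x200 + size] = record
    head = bytearray(CHUNK_START); head[:8] = b"ElfFile\x00"
    struct.pack_into("<QQQIHHHH", head, 8, 0, 0, 2, 128, 1, 3, 4096, 1)
    return bytes(head + chunk)
```

The record loop stops at the first record whose size field disagrees with its trailing copy or overruns the chunk's free-space offset, which is the usual sign of a truncated or partially overwritten chunk.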
