Evtx Parser Version 1.0.1
Two years ago I released the first version of a parser for the binary, XML-based event log file format of Windows Vista. During the last few weeks I finally received some bug reports and feature requests. I'm excited to release an improved version just in time for Christmas.
The most important changes are:
- I removed an overly restrictive constraint from the Node0x0d.pm module. The parser now responds more flexibly to unknown data types. I wish to thank Rob Hulley and Adrian Forschner for their bug reports, sample data and continued testing.
- The Evtx.pm module now keeps track of the currently processed chunk. The get_current_chunk() method provides a pointer to the current chunk object.
- The Evtx.pm and Chunk.pm modules now parse more values from the file and chunk headers. Thanks again to Rob Hulley for his patch.
- A new sample program, evtxinfo.pl, displays these properties. In addition, it lists the first and last event record number for each chunk. There are two sets of numbers: one refers to the examined file, while the other refers to the log channel.
$ ./evtxinfo.pl sample4.evtx
Information from file header:
Format version : 3.1
Flags          : 0x00000000
File is        : CLEAN
Log is full    : NO
Current chunk  : 2 of 16
Next Record#   : 5276

Information from chunks:
Chunk file (first/last)     log (first/last)
----- --------------------- ---------------------
    1       4681       4976       4902       5197
    2       4977       5054       5198       5275
    3        593        888        814       1109
    4        889       1135       1110       1356
    5       1136       1431       1357       1652
    6       1432       1727       1653       1948
    7       1728       2023       1949       2244
    8       2024       2312       2245       2533
    9       2313       2608       2534       2829
   10       2609       2904       2830       3125
   11       2905       3200       3126       3421
   12       3201       3496       3422       3717
   13       3497       3792       3718       4013
   14       3793       4088       4014       4309
   15       4089       4384       4310       4605
   16       4385       4680       4606       4901
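As an added example (not code from the Evtx Parser distribution), here is a small Python reader for the two header structures that evtxinfo.pl summarises: the file header fields listed above, and per chunk the same two pairs of record numbers, plus the CRC32 checks both headers carry. Offsets follow the publicly documented EVTX layout. Two things are assumptions of this example rather than statements from the post: the header's chunk index is taken as 0-based while the listing is 1-based, and the chunk header's "record number" pair is taken as the file-relative column and its "record identifier" pair as the log-channel column. The input is an image constructed in memory from the first two rows of the listing above, so the code runs offline.

```python
import struct
import zlib

FILE_HEADER_SIZE = 4096   # the file header block is always 4096 bytes
CHUNK_SIZE = 65536        # every chunk is 64 KiB and starts with a 512-byte chunk header
FLAG_DIRTY = 0x1          # file header flag: log was not closed cleanly
FLAG_FULL = 0x2           # file header flag: log channel is full


def parse_file_header(buf):
    """Fields shown under 'Information from file header'."""
    if buf[:8] != b"ElfFile\x00":
        raise ValueError("not an EVTX file: bad signature")
    (_first_chunk, last_chunk, next_record_id, _header_size,
     minor, major, _block_size, chunk_count) = struct.unpack_from("<QQQIHHHH", buf, 8)
    flags, checksum = struct.unpack_from("<II", buf, 120)
    return {
        "version": f"{major}.{minor}",
        "flags": flags,
        "dirty": bool(flags & FLAG_DIRTY),
        "full": bool(flags & FLAG_FULL),
        "current_chunk": last_chunk + 1,   # header index is 0-based, listing is 1-based (assumed)
        "chunk_count": chunk_count,
        "next_record_id": next_record_id,
        # CRC32 over the first 120 bytes only: the flags word at offset 120 is not covered
        "checksum_ok": zlib.crc32(buf[:120]) == checksum,
    }


def parse_chunk_header(buf, offset):
    """Both record-number pairs for the chunk whose header starts at `offset`."""
    hdr = buf[offset:offset + 512]
    if hdr[:8] != b"ElfChnk\x00":
        raise ValueError(f"bad chunk signature at offset {offset:#x}")
    first_num, last_num, first_id, last_id = struct.unpack_from("<QQQQ", hdr, 8)
    (checksum,) = struct.unpack_from("<I", hdr, 124)
    # chunk-header CRC32 covers bytes 0..119 and 128..511, skipping the checksum field itself
    computed = zlib.crc32(hdr[128:512], zlib.crc32(hdr[:120]))
    # record numbers count within this file; record identifiers are the channel-wide
    # EventRecordIDs (mapping them to the file/log columns of the listing is assumed here)
    return {"file_first": first_num, "file_last": last_num,
            "log_first": first_id, "log_last": last_id, "checksum_ok": computed == checksum}


def chunk_table(buf):
    """One row per chunk present in the image, in file order, numbered from 1."""
    rows = []
    for i in range(parse_file_header(buf)["chunk_count"]):
        offset = FILE_HEADER_SIZE + i * CHUNK_SIZE
        if offset + 512 > len(buf):
            break                          # truncated image: report only what is there
        row = parse_chunk_header(buf, offset)
        row["chunk"] = i + 1
        rows.append(row)
    return rows


def consistency_issues(buf):
    """Cross-checks worth running before trusting a listing like the one above."""
    fh, rows, issues = parse_file_header(buf), chunk_table(buf), []
    if not fh["checksum_ok"]:
        issues.append("file header checksum mismatch")
    expected = FILE_HEADER_SIZE + fh["chunk_count"] * CHUNK_SIZE
    if len(buf) < expected:
        issues.append(f"file truncated: {len(buf)} bytes, header claims {expected}")
    issues += [f"chunk {r['chunk']} header checksum mismatch" for r in rows if not r["checksum_ok"]]
    current = next((r for r in rows if r["chunk"] == fh["current_chunk"]), None)
    # on a clean file the next record number follows the current chunk's last log record;
    # on a DIRTY file the header may simply be stale, so treat a mismatch as a lead, not proof
    if current and current["log_last"] + 1 != fh["next_record_id"]:
        issues.append("next record number does not follow the current chunk's last record")
    return issues


def build_sample():
    """Constructed image: file header plus two chunks filled from the first two rows above."""
    hdr = bytearray(FILE_HEADER_SIZE)
    hdr[:8] = b"ElfFile\x00"
    # chunks 0..1, next record 5276, header size 128, version 3.1, block size 4096, 2 chunks
    struct.pack_into("<QQQIHHHH", hdr, 8, 0, 1, 5276, 128, 1, 3, FILE_HEADER_SIZE, 2)
    struct.pack_into("<II", hdr, 120, 0, zlib.crc32(hdr[:120]))  # flags 0: CLEAN and not full
    image = bytes(hdr)
    for nums in ((4681, 4976, 4902, 5197), (4977, 5054, 5198, 5275)):
        ch = bytearray(CHUNK_SIZE)
        ch[:8] = b"ElfChnk\x00"
        struct.pack_into("<QQQQI", ch, 8, *nums, 128)
        struct.pack_into("<I", ch, 124, zlib.crc32(ch[128:512], zlib.crc32(ch[:120])))
        image += bytes(ch)
    return image


if __name__ == "__main__":
    image = build_sample()
    fh = parse_file_header(image)
    print(f"Format version : {fh['version']}  Flags : {fh['flags']:#010x}  "
          f"Current chunk : {fh['current_chunk']} of {fh['chunk_count']}  Next Record# : {fh['next_record_id']}")
    for r in chunk_table(image):
        print(f"chunk {r['chunk']:>2}  file {r['file_first']}-{r['file_last']}  "
              f"log {r['log_first']}-{r['log_last']}  crc {'ok' if r['checksum_ok'] else 'BAD'}")
    print("Issues:", consistency_issues(image) or "none")
```

The consistency_issues() pass is the part an examiner actually wants beyond the listing itself: a header checksum that does not verify, or a file shorter than its own chunk count implies, points at tampering or an incomplete acquisition, whereas a Next Record# that does not follow the current chunk's last log record is expected on a file still flagged DIRTY, because Windows updates the file header lazily.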
02/04/2010: Please also see the release notes for version 1.0.2.