Version 1.0.2 of the Perl Evtx Parser library is now publicly available. This version fixes some bugs and introduces some small changes to the parser's architecture.
A couple of changes fix errors in the generated XML. Kristinn Gudjonsson pointed out that XML special characters were not quoted and provided me with a patch. Many thanks! While I was at it, I also removed excess terminators (null bytes) from strings. My sample files now pass the tests by xmllint.
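The two XML fixes described above can be illustrated as follows. This is an added example, not code from Evtx Parser or from the contributed patch; the helper names `decode_value` and `xml_escape`, the sample value and the `Data` element are constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration; not the Evtx Parser's own code. Helper names are hypothetical.
use strict;
use warnings;
use Encode qw(decode encode);

binmode(STDOUT, ':encoding(UTF-8)');

# Decode a UTF-16LE string value and drop the terminator(s) stored with it.
# U+0000 is not a legal character in XML 1.0, so a leftover null byte
# makes the whole document ill-formed.
sub decode_value {
    my ($raw) = @_;
    my $str = decode('UTF-16LE', $raw);
    $str =~ s/\x00+\z//;
    return $str;
}

# Quote the five XML special characters. '&' must be replaced first,
# otherwise the ampersands of the other entities would be escaped again.
sub xml_escape {
    my ($str) = @_;
    $str =~ s/&/&amp;/g;
    $str =~ s/</&lt;/g;
    $str =~ s/>/&gt;/g;
    $str =~ s/"/&quot;/g;
    $str =~ s/'/&apos;/g;
    return $str;
}

# Constructed sample: a value containing special characters,
# followed by two excess terminators.
my $raw = encode('UTF-16LE', qq{cmd.exe /c "dir <C:\\> & echo done"\0\0});

my $value = xml_escape(decode_value($raw));
print qq{<Data Name="CommandLine">$value</Data>\n};
```

Without both steps, the same value would put a raw `<`, `&` and null characters into the element content, and an XML parser such as xmllint would reject the output.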
NullType objects in the context of a SubstitutionArray may now contain data. Don't worry if that doesn't make any sense to you. I'm going to describe my observations in a separate article. Thanks to Roberto De Vivo for the bug report and for providing me with a fascinating sample file!
There are also some minor changes to the parser's architecture. In the Chunk object, the stack of element names was replaced by a stack of pointers to the corresponding start elements. Closing elements (Node0x03 and Node0x04) now propagate their type back into the start element (Node0x01). This allows the start element to produce the whole string, which makes it easier to use the Evtx Parser as a library from other tools.
Download the new version here.
02/25/2010: Please see also the announcement of version 1.0.3.