Evtx Parser Version 1.0.4

Version 1.0.4 of my Microsoft Vista and Windows 2008 Event Log parser is now available for download. This version adds data integrity checking and fixes some errors.

This version fixes a bug that triggered an assertion in line 37 (or 38, depending on your version) of Module Node0x0c.pm. The root cause is quite interesting: Chunks may contain some data behind their last event record. These are either the remains of older records or the beginning of an record that finally grew too large for the remaining space. Commonly these fragments appear as binary garbage and the parser skips over them.

In some cases, however, there is a complete event record and it is in the right position. The parser now tries to recreate the XML structure and when Node0x0c.pm attempts to apply the XML template it can't access its definition. The definition was stored at lower offsets and has been irrecoverably overwritten. This, finally triggered the assertion mentioned above. This condition is now handled more gracefully.

I wish to thank Kristinn Gudjonsson for reporting this error and Michael Felber for providing me with test data.

Recently, I discovered an additional CRC32 check sum in the chunk header. This check sum is calculated over the event data portion of a chunk, from chunk offset 0x200 to OfsRecNext. The evtxinfo.pl sample program from now on applies this check to every chunk:

./evtxinfo.pl manipulated-SID.evtx 
Information from file header:
Format version  : 3.1
Flags           : 0x00000000
         File is: clean
     Log is full: no
Current chunk   : 2 of 2
Next Record#    : 161
Check sum       : pass

Information from chunks:
Chunk file (first/last)     log (first/last)      Header Data  
----- --------------------- --------------------- ------ ------
    1          1        113          1        113   pass   pass
    2        114        160        114        160   pass FAILED

For this example, a Security ID within an event record was changed by means of a hex editor. Please note the FAILED data integrity check for the manipulated second chunk. It should be noted that this kind of check will only detect accidental corruption. An adversary would simply have to recalculate the check sums to foil detection of his manipulation.

Archives

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.
Powered by Movable Type 5.12