Vista event log

A non-empty NullType

The separation of content and structure, together with the substitution mechanism, is a core concept of the event log. The XML template contains placeholders that are filled in from the associated slots of the record's substitution array. Whenever a slot contains a NullType "value", the system suppresses the placeholder together with its enclosing XML element. These NullType slots do not contain any data. At least that's what I thought for too long.

The image below shows part of a typical substitution array. The data has been interpreted with my template for the 010 Editor.

Common substitution array with an empty slot.

In this example, slot #12 holds 12 bytes of data. According to its type identifier, this data is to be interpreted as a security identifier (SID). The following slot, no. 13, is of type NullType, and accordingly it does not contain any data.

This is exactly what I had seen in countless records. Then Roberto De Vivo provided me with an event log that made my parser crash. Several substitution arrays in his file look similar to slot #4 in the following image.

This NullType slot holds data.

The length is clearly non-zero, and the slot contains data. I found more non-empty NullType objects in the same file; some of them contain up to 16 bytes of data.
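To make the problem concrete, here is an added Python example. It is not my 010 Editor template and not code from Microsoft; it is written for this post against the documented layout of an EVTX substitution array (a 32-bit slot count, then one 4-byte descriptor per slot consisting of a 16-bit size, an 8-bit type and one reserved byte, followed by the slot data packed back to back). The sample bytes are constructed here and mimic the two situations above: an ordinary empty NullType slot next to a SID, and a NullType slot that declares 16 bytes of data. The `honor_null_size` switch is a hypothetical knob that reproduces what happens when a parser assumes NullType slots never carry data: every slot after the anomalous one is read from the wrong offset.

```python
import struct

# Value type identifiers of the EVTX binary XML format (subset)
NULL_TYPE = 0x00
STRING_TYPE = 0x01   # UTF-16LE, not NUL-terminated inside a substitution array
UINT32_TYPE = 0x08
SID_TYPE = 0x13


def decode_sid(data):
    """Render a binary SID (revision, sub-authority count, 48-bit authority,
    32-bit sub-authorities) in the familiar S-1-5-... notation."""
    revision, sub_count = data[0], data[1]
    if len(data) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, data, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def decode_value(vtype, data):
    """Interpret slot data according to its type identifier."""
    if vtype == NULL_TYPE:
        return None                      # placeholder is suppressed in the XML
    if vtype == STRING_TYPE:
        return data.decode("utf-16-le")
    if vtype == UINT32_TYPE:
        return struct.unpack("<I", data)[0]
    if vtype == SID_TYPE:
        return decode_sid(data)
    return data.hex()                    # types not handled here: keep raw bytes


def parse_substitution_array(buf, offset=0, honor_null_size=True):
    """Parse one substitution array; return (slots, offset_after_array).

    honor_null_size=False models a parser that assumes NullType slots are
    always empty and therefore does not advance past their declared size."""
    (count,) = struct.unpack_from("<I", buf, offset)
    pos = offset + 4
    descriptors = []
    for _ in range(count):
        size, vtype, _reserved = struct.unpack_from("<HBB", buf, pos)
        descriptors.append((size, vtype))
        pos += 4
    slots = []
    for idx, (size, vtype) in enumerate(descriptors):
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("slot %d: truncated, %d of %d bytes" % (idx, len(data), size))
        if vtype == NULL_TYPE and not honor_null_size:
            data = b""                   # buggy assumption: NullType carries nothing
        else:
            pos += size                  # always consume the declared size
        slots.append({"slot": idx, "type": vtype, "size": size, "data": data,
                      "value": decode_value(vtype, data)})
    return slots, pos


def anomalous_null_slots(slots):
    """NullType slots whose declared size is not zero: the case described above."""
    return [s for s in slots if s["type"] == NULL_TYPE and s["size"] != 0]


def build_substitution_array(values):
    """Construct a substitution array from (type, data) pairs (fixture builder)."""
    out = struct.pack("<I", len(values))
    for vtype, data in values:
        out += struct.pack("<HBB", len(data), vtype, 0)
    for _, data in values:
        out += data
    return out


# Constructed sample: a SID followed by an empty NullType slot (the common case),
# then a NullType slot with 16 bytes of data (the anomaly), then a string.
SAMPLE = build_substitution_array([
    (UINT32_TYPE, struct.pack("<I", 4624)),
    (SID_TYPE, bytes([1, 1, 0, 0, 0, 0, 0, 5]) + struct.pack("<I", 18)),  # S-1-5-18
    (NULL_TYPE, b""),
    (NULL_TYPE, b"\xaa" * 16),
    (STRING_TYPE, "test".encode("utf-16-le")),
])

if __name__ == "__main__":
    slots, end = parse_substitution_array(SAMPLE)
    for s in slots:
        print("slot %d type 0x%02x size %2d value %r" % (s["slot"], s["type"], s["size"], s["value"]))
    for s in anomalous_null_slots(slots):
        print("NullType slot %d carries %d bytes: %s" % (s["slot"], s["size"], s["data"].hex()))
```

Run against the correct parser, slot 4 decodes as `test` and the array ends at byte 64; with `honor_null_size=False` the 16 unexpected bytes are never consumed, slot 4 is decoded from the middle of them, and the caller is handed an end offset of 48, so the next structure in the chunk is read from the wrong place. Either way, a parser should keep the raw bytes of a non-empty NullType slot rather than dropping them, since nothing else in the record reveals that they were ever there.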

At first I supposed that my understanding of the data type was wrong. So I let the Microsoft Event Viewer render the records in question, but I couldn't find the "unexpected" data anywhere in its XML output.

Further research is needed to determine what causes this "unexpected" data and whether it is of any forensic value.


Imprint

This blog is a project of
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
Germany
impressum@forensikblog.de

Copyright © 2005-2010 by
Andreas Schuster
All rights reserved.