Evtx Parser Version 1.0.7

I'm releasing version 1.0.7 of my Windows Event Log Parser. This release fixes a couple of errors and enhances the handling of XML templates. The archive is available for download here.

The most important changes since version 1.0.5 are:

  1. Fixed an error in CRC32 checks. Thanks to Michael Felber for reporting this bug.
  2. Thanks to Andrew Hoog for reporting an error in the documentation.
  3. The precision of the time stamp reported by Type0x11.pm has been increased by one decimal. The outer structure's creation time stamp was not properly parsed by Event.pm. The value can now be accessed as a formatted string through get_time_created().
  4. The contents of all BXmlNodes can now be retrieved as a hex dump by calling get_hexdump().
  5. Handling of XML templates and NameStrings has been improved to support further research into that subject. Versions up to and including 1.0.5 built strings and template dictionaries on the fly while they parsed a chunk. From now on the dictionaries can be populated based on tables and lists in the chunk header, which is much faster. Template.pm now reports the GUID.
  6. The example program evtxtemplates.pl was rewritten to make use of the new features. There is now an option to dump templates in hex, too.
$ ./evtxtemplates.pl --hex sample1.evtx
Template {ECD34601-0225-3E67-B639-D77B70281CE9} at chunk 0, offset 0x0612:
<EventData>
<Data>#0 (type 0x81, optional)#</Data>
<Binary>#2 (type 0x0e, optional)#</Binary></EventData>

0610:       00 00 00 00 01 46 d3 ec 25 02 67 3e b6 39    .....F..%.g>.9
0620: d7 7b 70 28 1c e9 78 00 00 00 0f 01 01 00 01 ff  .{p(..x.........
0630: ff 6c 00 00 00 39 06 00 00 00 00 00 00 44 82 09  .l...9.......D..
0640: 00 45 00 76 00 65 00 6e 00 74 00 44 00 61 00 74  .E.v.e.n.t.D.a.t
0650: 00 61 00 00 00 02 01 00 00 1c 00 00 00 61 06 00  .a...........a..
0660: 00 00 00 00 00 8a 6f 04 00 44 00 61 00 74 00 61  ......o..D.a.t.a
0670: 00 00 00 02 0e 00 00 81 04 01 02 00 20 00 00 00  ............ ...
0680: 84 06 00 00 00 00 00 00 21 b8 06 00 42 00 69 00  ........!...B.i.
0690: 6e 00 61 00 72 00 79 00 00 00 02 0e 02 00 0e 04  n.a.r.y.........
06a0: 04 00                                            ..
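To show what the hex dump above actually encodes, here is an added Python example (it is not code from the Evtx Parser release described in this post). It decodes the template bytes shown in the dump: the 24-byte template header (pointer to the next template, GUID, data length) followed by the binary XML fragment. The token values, field widths and the NameString layout are assumed from the EVTX binary XML format as documented for the file format, not from this page, and the function names (parse_template_header, render_template and so on) are the example's own. The dump's first row is labelled 0610 but begins at the template offset 0x0612, which is why the example carries that base offset along.

```python
"""Added example: decode the template that evtxtemplates.pl dumps above.
Not part of the Evtx Parser; layout assumptions are noted in comments."""
import struct
import uuid

# Template bytes copied from the hex dump above. The first dump row holds only
# 14 bytes because the template starts at chunk offset 0x0612, not 0x0610.
TEMPLATE_BASE = 0x0612
TEMPLATE = bytes.fromhex(
    "00 00 00 00 01 46 d3 ec 25 02 67 3e b6 39"
    " d7 7b 70 28 1c e9 78 00 00 00 0f 01 01 00 01 ff"
    " ff 6c 00 00 00 39 06 00 00 00 00 00 00 44 82 09"
    " 00 45 00 76 00 65 00 6e 00 74 00 44 00 61 00 74"
    " 00 61 00 00 00 02 01 00 00 1c 00 00 00 61 06 00"
    " 00 00 00 00 00 8a 6f 04 00 44 00 61 00 74 00 61"
    " 00 00 00 02 0e 00 00 81 04 01 02 00 20 00 00 00"
    " 84 06 00 00 00 00 00 00 21 b8 06 00 42 00 69 00"
    " 6e 00 61 00 72 00 79 00 00 00 02 0e 02 00 0e 04"
    " 04 00"
)

# Binary XML token values (assumed from the EVTX format description; only
# the tokens this template uses are handled). Bit 0x40 marks an element
# that carries attributes, the low bits select the token.
TOK_EOF = 0x00
TOK_OPEN_START = 0x01
TOK_CLOSE_START = 0x02
TOK_CLOSE_EMPTY = 0x03
TOK_CLOSE_ELEMENT = 0x04
TOK_NORMAL_SUBST = 0x0D
TOK_OPTIONAL_SUBST = 0x0E
TOK_FRAGMENT_HEADER = 0x0F
HAS_ATTRIBUTES = 0x40
HEADER_LEN = 24  # next pointer (4) + GUID (16) + data length (4)


def parse_template_header(buf):
    """Return (next_template_offset, GUID, data_length) from the 24-byte header."""
    next_offset, raw_guid, length = struct.unpack_from("<I16sI", buf, 0)
    # Windows stores the first three GUID fields little-endian ("mixed-endian").
    return next_offset, uuid.UUID(bytes_le=raw_guid), length


def guid_string(guid):
    """Format a GUID the way evtxtemplates.pl prints it: {UPPERCASE-HEX}."""
    return "{" + str(guid).upper() + "}"


def read_name(buf, pos):
    """NameString: next offset (4), hash (2), char count (2), UTF-16LE text, 2-byte terminator."""
    _next, _hash, count = struct.unpack_from("<IHH", buf, pos)
    start = pos + 8
    name = buf[start:start + 2 * count].decode("utf-16-le")
    return name, start + 2 * count + 2


def render_template(body, base):
    """Walk the binary XML fragment and render it as text, substitutions as #id (type, kind)#."""
    pos, out, stack = 0, [], []
    while pos < len(body):
        token = body[pos]
        kind = token & 0x1F
        if kind == TOK_FRAGMENT_HEADER:        # token, major, minor, flags
            pos += 4
        elif kind == TOK_OPEN_START:           # token, dependency id, size, name offset
            _dep_id, _size, name_off = struct.unpack_from("<hII", body, pos + 1)
            pos += 11
            if token & HAS_ATTRIBUTES:
                pos += 4                       # attribute list size; unused here
            if name_off == base + pos:         # NameString stored inline (this template)
                name, pos = read_name(body, pos)
            else:                              # otherwise it lives in the chunk's string table
                name = f"name@0x{name_off:04x}"
            stack.append(name)
            out.append(f"<{name}")
        elif kind == TOK_CLOSE_START:
            out.append(">")
            pos += 1
        elif kind == TOK_CLOSE_EMPTY:
            out.append("/>")
            stack.pop()
            pos += 1
        elif kind == TOK_CLOSE_ELEMENT:
            out.append(f"</{stack.pop()}>")
            pos += 1
        elif kind in (TOK_NORMAL_SUBST, TOK_OPTIONAL_SUBST):  # token, id, value type
            sub_id, vtype = struct.unpack_from("<HB", body, pos + 1)
            which = "optional" if kind == TOK_OPTIONAL_SUBST else "normal"
            out.append(f"#{sub_id} (type 0x{vtype:02x}, {which})#")
            pos += 4
        elif kind == TOK_EOF:
            break
        else:
            raise ValueError(f"unsupported token 0x{token:02x} at 0x{base + pos:04x}")
    return "".join(out)


def decode_template(buf, base):
    """Decode a complete template record; checks that the data length matches the buffer."""
    next_offset, guid, length = parse_template_header(buf)
    if HEADER_LEN + length != len(buf):
        raise ValueError(f"length field {length} does not match {len(buf) - HEADER_LEN} data bytes")
    xml = render_template(buf[HEADER_LEN:HEADER_LEN + length], base + HEADER_LEN)
    return {"next": next_offset, "guid": guid_string(guid), "length": length, "xml": xml}


if __name__ == "__main__":
    info = decode_template(TEMPLATE, TEMPLATE_BASE)
    print(f"Template {info['guid']} at offset 0x{TEMPLATE_BASE:04x}, {info['length']} data bytes:")
    print(info["xml"])
```

The length check is the same kind of sanity test a parser should run before trusting any offset in the record: the header says 0x78 (120) data bytes, and the dump indeed covers 24 + 120 = 144 bytes. Note how the dependency id of each child element (-1 for EventData, 0 for Data, 2 for Binary) matches the substitution it wraps, which is what lets a parser drop an optional element whose value is absent.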

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.