Evtx Parser Version 1.1.0

It's my pleasure to announce a major release of my Evtx parser and tools collection. Version 1.1.0 significantly increases the ability to parse and transform Microsoft's proprietary binary XML dialect. The new version covers about 90% of XML tokens and data types.

Evtx Parser and the Parse::EVTX Perl library are now available for download (ZIP).

The library now parses CDATA sections (node type 0x07), XML entity references like & (node type 0x09) and processing instructions (node types 0x0a and 0x0b).

I've also added support for arrays of all kinds of integers, single and double precision floating point numbers, GUIDs, FILETIME and the SYSTEMTIME structure.
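The value types listed above are fixed-width Windows structures, so decoding them is independent of the parser that extracts them from the binary XML stream. The following is an added example in Python, not code from Parse::EVTX or from this blog; it decodes a 16-byte GUID, an 8-byte FILETIME, a 16-byte SYSTEMTIME and fixed-width arrays of such values from constructed sample bytes. The sample bytes (a made-up GUID, the well-known FILETIME of the Unix epoch, and an arbitrary SYSTEMTIME) are constructed for this example and do not come from an event log.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def decode_guid(data: bytes) -> str:
    """Decode a 16-byte GUID as stored on Windows (first three fields little-endian)."""
    if len(data) != 16:
        raise ValueError("GUID needs exactly 16 bytes, got %d" % len(data))
    return str(uuid.UUID(bytes_le=bytes(data)))


def decode_filetime(data: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME to a UTC datetime.

    Python's datetime only stores microseconds, so the last decimal digit of the
    100 ns tick count is truncated; keep the raw tick count (see filetime_ticks)
    when full precision matters for a timeline.
    """
    ticks = filetime_ticks(data)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_ticks(data: bytes) -> int:
    """Return the raw 64-bit tick count of a FILETIME."""
    if len(data) != 8:
        raise ValueError("FILETIME needs exactly 8 bytes, got %d" % len(data))
    (ticks,) = struct.unpack("<Q", data)
    return ticks


def decode_systemtime(data: bytes) -> datetime:
    """Decode a 16-byte SYSTEMTIME: eight little-endian uint16 fields.

    Field order is year, month, day-of-week, day, hour, minute, second,
    milliseconds. The day-of-week is redundant and is ignored here; datetime()
    raises ValueError on out-of-range fields, which is the desired behaviour
    for a corrupt or misaligned record.
    """
    if len(data) != 16:
        raise ValueError("SYSTEMTIME needs exactly 16 bytes, got %d" % len(data))
    year, month, _dow, day, hour, minute, second, millis = struct.unpack("<8H", data)
    return datetime(year, month, day, hour, minute, second,
                    millis * 1000, tzinfo=timezone.utc)


def decode_array(data: bytes, item_size: int, decoder):
    """Split a fixed-width array payload into elements and decode each one."""
    if item_size <= 0 or len(data) % item_size:
        raise ValueError("payload of %d bytes is not a multiple of %d" % (len(data), item_size))
    return [decoder(data[i:i + item_size]) for i in range(0, len(data), item_size)]


# Constructed sample values (not taken from any real event log).
SAMPLE_GUID = bytes.fromhex("33221100" "55447766" "8899aabb" "ccddeeff")
SAMPLE_FILETIME = bytes.fromhex("00803ed5deb19d01")      # 1970-01-01 00:00:00 UTC
SAMPLE_SYSTEMTIME = bytes.fromhex("dc07 0300 0400 0f00 0d00 2d00 1e00 fa00")
# A two-element FILETIME array: the Unix epoch and one second later.
SAMPLE_FILETIME_ARRAY = SAMPLE_FILETIME + struct.pack("<Q", 116444736000000000 + TICKS_PER_SECOND)


def decode_samples() -> dict:
    """Decode every constructed sample and return the results by name."""
    return {
        "guid": decode_guid(SAMPLE_GUID),
        "filetime": decode_filetime(SAMPLE_FILETIME),
        "filetime_ticks": filetime_ticks(SAMPLE_FILETIME),
        "systemtime": decode_systemtime(SAMPLE_SYSTEMTIME),
        "filetime_array": decode_array(SAMPLE_FILETIME_ARRAY, 8, decode_filetime),
    }


if __name__ == "__main__":
    for name, value in decode_samples().items():
        print("%-15s %s" % (name, value))
```

The decoders refuse payloads of the wrong length rather than silently reading past or short of the field, which is the usual failure mode when a parser loses alignment in a binary XML stream; a wrong length is a clear sign that the preceding token was mis-sized.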

A couple of months ago I had received one report about a node type 0x08, but, unfortunately, no data to analyze. So far, I have not succeeded in creating this token on Windows 7 using version 7A of the SDK. Even though this appears to be a rare token, I'd like to add a proper handler routine to EvtxParser. I'd greatly appreciate any samples of this binary XML token.

This is also the moment to thank the community for their continued support by reporting bugs, and donating samples. Your samples helped me to improve my understanding of Microsoft's binary XML dialect. My thanks go to Mark Woan for providing specially crafted test data and teaching me how to create test cases. I plan to release my test data set over the next weeks, in order to support tool validation efforts.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.