Category "Vista event log"

Evtx Parser Version 1.1.1

I'm releasing version 1.1.1 of the Windows Eventlog Parser library and tools collection for Perl. This version fixes a memory leak. I thank Heinz Mueller for reporting the issue and helping with testing. Please see the change log for other smaller changes.

The current version is now available for download.

Evtx Parser Version 1.1.0

It's my pleasure to announce a major release of my Evtx parser and tools collection. Version 1.1.0 significantly increases the ability to parse and transform Microsoft's proprietary binary XML dialect. The new version covers about 90% of XML tokens and data types.

Evtx Parser and the Parse::EVTX Perl library are now available for download (ZIP).

Evtx Parser Version 1.0.8

I'm releasing version 1.0.8 of my Windows Event Log Parser library and tools collection. While there are only minor enhancements to the library, the distribution format has been changed significantly. I apologize for any inconvenience this may cause. The archive is available for download here.

Evtx Parser Version 1.0.7

I'm releasing version 1.0.7 of my Windows Event Log Parser. This release fixes a couple of errors and enhances the handling of XML templates. The archive is available for download here.

Linking Event Messages and Resource DLLs

Without knowledge of the binary XML template, the data in a record's SubstitutionArray cannot be interpreted properly. The template is commonly read from the EVTX file. But in some cases, such as a single event record carved from unallocated space, the template may not be available. Now there's a method to match an event record to its proper message DLL, based on a GUID.

EvtxParser on Ubuntu Linux

Andrew Hoog has written step-by-step instructions that explain how to install the event log parser and its prerequisites on Ubuntu Linux 10.04. Thank you very much, Andrew!

Evtx Parser Version 1.0.5

There's a new version of my Windows Event Log Parser available for download. Version 1.0.5 comes with faster calculation of CRC32 checksums and support for additional data types.

Slides from SANS Forensics Summit

Unfortunately, SANS had to postpone the London Forensics Summit due to massive travel problems caused by volcanic ash in the atmosphere. I intended to answer many questions from the forensic community on the native Windows Event Log file format during the presentation. I'm releasing my slides in the hope that this will answer at least some of the questions, though the narrative is missing.

Evtx Parser Version 1.0.4

Version 1.0.4 of my Microsoft Vista and Windows 2008 Event Log parser is now available for download. This version adds data integrity checking and fixes some errors.

A non-empty NullType

The separation of content and structure along with the substitution mechanism is a core concept of the event log. The XML template contains placeholders that are filled in from the associated slots of the record's substitution array. Whenever a slot contains a NullType "value", the system suppresses the placeholder and its containing XML element. These NullType slots do not contain any data. At least that's what I thought for too long.



Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.