int for(ensic){blog;}

Andrew Hoog has written step-by-step instructions that explain how to install the event log parser and its prerequisites on Ubuntu Linux 10.04. Thank you very much, Andrew!

By Andreas Schuster at 08/09/2010, 04:00 PM | Permalink

There's a new version of my Windows Event Log Parser available for download. Version 1.0.5 comes with faster calculations of CRC32 check sums and support for additional data types.

By Andreas Schuster at 05/07/2010, 04:00 PM | Permalink

Unfortunately, SANS had to postpose the London Forensics Summit due to massive travel problems caused by volcanic ash floating around the atmosphere. I intended to answer many questions from the forensic community on the native Windows Event Log file format during the presentation. I'm releasing my slides in the hope that this will answer at least some of the questions, though the narrative is missing.

By Andreas Schuster at 04/19/2010, 04:00 PM | Permalink

Version 1.0.4 of my Microsoft Vista and Windows 2008 Event Log parser is now available for download. This version adds data integrity checking and fixes some errors.

By Andreas Schuster at 03/25/2010, 04:00 PM | Permalink

The separation of content and structure along with the substitution mechanism is a core concept of the event log. The XML template contains placeholders, that are filled in from the associated slots of the record's substitution array. Whenever the slot contains a NullType "value", the system suppresses the placeholder and its containing XML element. These NullType slots do not contain any data. At least that's what I thought for too long.

By Andreas Schuster at 03/11/2010, 04:00 PM | Permalink

Version 1.0.3 of the Microsoft Vista and Windows 2008 Event Log parser is now available for download. As usual, it fixes some bugs and introduces new features.

By Andreas Schuster at 02/25/2010, 04:00 PM | Permalink

In the course of time I found different tools to order event records differently. The Windows Event Viewer, for example, exports records from the highest to the lowest EventRecordID. My own tool parses an EVTX file from its beginning to its end and emits event records as they appear in the file. In most cases this will be in the opposite direction, from the lowest to the highest EventRecordID. But to make things worse, logs can be configured to wrap around, so the record with the lowest number may be found somewhere in the middle. A tool to sort event records in XML format by their EventRecordID would come in handy!

By Andreas Schuster at 02/08/2010, 04:00 PM | Permalink

Version 1.0.2 of the perl Evtx Parser library is now publicly available. This version fixes some bugs and introduces some small changes to the parser's architecture.

By Andreas Schuster at 02/04/2010, 04:00 PM | Permalink

On April 19 and 20, 2010 SANS will held their European Community Digital Forensics and Incident Response Summit in London, UK. Check out the agenda, there will be lots of interesting keynotes and briefings. I'm excited to announce that I will present on the native format of Windows Event Logs on the second day.

By Andreas Schuster at 02/01/2010, 04:00 PM | Permalink

Two years ago I released the first version of a parser for the binary, XMl-based event log file format of Windows Vista. During the last weeks I finally received some bug reports and feature requests. I'm excited to release an improved version just in time for Christmas.

By Andreas Schuster at 12/22/2009, 04:00 PM | Permalink