The separation of content and structure along with the substitution mechanism is a core concept of the event log. The XML template contains placeholders, that are filled in from the associated slots of the record's substitution array. Whenever the slot contains a NullType "value", the system suppresses the placeholder and its containing XML element. These NullType slots do not contain any data. At least that's what I thought for too long.
In the course of time I found different tools to order event records differently. The Windows Event Viewer, for example, exports records from the highest to the lowest EventRecordID. My own tool parses an EVTX file from its beginning to its end and emits event records as they appear in the file. In most cases this will be in the opposite direction, from the lowest to the highest EventRecordID. But to make things worse, logs can be configured to wrap around, so the record with the lowest number may be found somewhere in the middle. A tool to sort event records in XML format by their EventRecordID would come in handy!
Version 1.0.2 of the perl Evtx Parser library is now publicly available. This version fixes some bugs and introduces some small changes to the parser's architecture.
On April 19 and 20, 2010 SANS will held their European Community Digital Forensics and Incident Response Summit in London, UK. Check out the agenda, there will be lots of interesting keynotes and briefings. I'm excited to announce that I will present on the native format of Windows Event Logs on the second day.
Two years ago I released the first version of a parser for the binary, XMl-based event log file format of Windows Vista. During the last weeks I finally received some bug reports and feature requests. I'm excited to release an improved version just in time for Christmas.
In Issue 16 of the free (IN)SECURE magazine Rob Faber describes the design and the various features of Microsoft Windows event logging services. His article covers both, the old log of the NT family of kernels and the redesigned event logging services found in Vista and Windows Server 2008.
I am pleased to announce the release of my parser framework for Vista event log files. It mainly consists of a set of Perl modules that implement the data structures which are known to me at this time. The archive also contains two sample programs that transform the native, binary event log file into textual XML. This release accompanies my talk at the DFRWS 2007 in Pittsburgh.
One of the major novelties of the Windows event logging is that it supports an extensive set of data types. Those above the API are documented in a header file (WinEvt.h) and in the Microsoft Developer Network, of course.
In the last post I've described how the substitution mechanism works and how it relies on a data structure called the "SubstitutionArray". If you know or assume a certain XML structure then the task of transforming a native event log file into a textual form actually consists in parsing the SubstitutionArray. I've written some small templates for the 010 Hex Editor in order to facilitate this task.
This blog is a project of
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
Germany
impressum@forensikblog.de
Copyright © 2005-2010 by
Andreas Schuster
All rights reserved.