Evtx Parser Version 1.1.1

I'm releasing version 1.1.1 of the Windows Eventlog Parser library and tools collection for Perl. This version fixes a memory leak. I thank Heinz Mueller for reporting the issue and helping with testing. Please see the change log for other smaller changes.

The current version is now available for download.

DFRWS 2012

The next Digital Forensic Research Conference (DFRWS) will be held from August 6 to 8, 2012 in Washington, D.C. at the Embassy Suites Downtown hotel. The Call for Papers, workshops, and panels is now open; submissions are due February 20, 2012.

Evtx Parser Version 1.1.0

It's my pleasure to announce a major release of my Evtx parser and tools collection. Version 1.1.0 significantly increases the ability to parse and transform Microsoft's proprietary binary XML dialect. The new version covers about 90% of XML tokens and data types.

Evtx Parser and the Parse::EVTX Perl library are now available for download (ZIP).

Timers and Times

Microsoft Windows timer objects provide a means to execute code at a certain time or in a periodic interval. From analyzing timers we can make some assumptions about a system's future.

Evtx Parser Version 1.0.8

I'm releasing version 1.0.8 of my Windows Event Log Parser library and tools collection. While there are only minor enhancements to the library, the distribution format has been changed significantly. I apologize for any inconvenience this may cause. The archive is available for download here.

Mac OS X memory analysis with Volafox

Kyeong-Sik Lee and the Korean Digital Forensic Research Center have released Volafox, a free and open-source tool to analyze Mac OS X memory images. Volafox is based on work by Matthieu Suiche (paper and slides) and the Volatility memory analysis framework.

Evtx Parser Version 1.0.7

I'm releasing version 1.0.7 of my Windows Event Log Parser. This release fixes a couple of errors and enhances the handling of XML templates. The archive is available for download here.

Recent Advances in Memory Forensics

My slides from the ZISC Workshop 2010 on Digital Forensics and Security are now available. The speaker notes, unfortunately, are not. I hope my presentation on Recent Advances in Memory Forensics will be interesting anyway.

Linking Event Messages and Resource DLLs

Without knowledge of the binary XML template, the data in a record's SubstitutionArray cannot be interpreted properly. The template is commonly read from the EVTX file. But in some cases, like a single event record carved from unallocated space, the template may not be available. Now there's a method to match an event record to its proper message DLL, based on a GUID.

CarvFS on a Mac

CarvFS is a user space file system on top of LibCarvPath and FUSE that makes arbitrary parts of a file system accessible as files. Its main intended use is zero-storage or in-place file carving. I'm frequently using this tool to dissect large structured files and file system images. CarvFS compiles out of the box on Linux; installation on a Mac required a couple of tweaks and patches to sources and CMake files. With the kind help of Rob from the KLPD I eventually succeeded. I'm releasing my set of patches in the hope that it will help others.

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.