A Parser to Transform Vista Event Log Files into Plain Text

I am pleased to announce the release of my parser framework for Vista event log files. It consists mainly of a set of Perl modules that implement the data structures known to me at this time. The archive also contains two sample programs that transform the native, binary event log file into textual XML. This release accompanies my talk at DFRWS 2007 in Pittsburgh.

The first of the two sample programs, evtxtemplates.pl, displays the XML templates defined in a log file. By default the tool suppresses the values of XML arguments. It also shows the mapping between XML elements and their positions in the substitution array.

$ ./evtxtemplates.pl Security.evtx

<Event xmlns="...">
<System>
<Provider Name="..." Guid="..." />
<EventID Qualifiers="#4 (type 6, optional)#">#3 (type 6, optional)#</EventID>
<Version>#11 (type 4, optional)#</Version>
<Level>#0 (type 4, optional)#</Level>
<Task>#2 (type 6, optional)#</Task>
<Opcode>#1 (type 4, optional)#</Opcode>
<Keywords>#5 (type 21, optional)#</Keywords>
<TimeCreated SystemTime="#6 (type 17, optional)#" />
<EventRecordID>#10 (type 10, optional)#</EventRecordID>
<Correlation ActivityID="#7 (type 15, optional)#" RelatedActivityID="#18 (type 15, optional)#" />
<Execution ProcessID="#8 (type 8, optional)#" ThreadID="#9 (type 8, optional)#" />
<Channel>...</Channel>
<Computer>...</Computer>
<Security UserID="#12 (type 19, optional)#" /></System>
<UserData>#19 (type 33, optional)#</UserData></Event>

The values of the XML arguments are printed on request:

$ ./evtxtemplates.pl --values Security.evtx

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID Qualifiers="#4 (type 6, optional)#">#3 (type 6, optional)#</EventID>
...
<Computer>Vista-RTM</Computer>
<Security UserID="#12 (type 19, optional)#" /></System>
<UserData>#19 (type 33, optional)#</UserData></Event>

For most users the second tool, evtxdump, will be of greater interest. This program transforms an event log file into textual XML. It can also transform single chunks, e.g. those obtained through file carving.
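The template and substitution-array mechanism shown above, as an added Python example that is not part of the Perl framework: it fills a template in the form printed by evtxtemplates.pl from a substitution array, omits attributes and elements whose optional substitution is NULL, and XML-escapes every value so that data taken from a log record cannot become markup in the output. The template is the Security.evtx one above, shortened; the substitution array is constructed.

```python
import re
from xml.sax.saxutils import escape

# Placeholder syntax as printed by evtxtemplates.pl: "#<index> (type <n>[, optional])#"
PLACEHOLDER = r'#(\d+) \(type (\d+)(, optional)?\)#'
ATTR_RE = re.compile(r'\s+(\w+)="' + PLACEHOLDER + '"')
ELEM_RE = re.compile(r'<(\w+)((?:\s+\w+="[^"]*")*)\s*>' + PLACEHOLDER + r'</\1>')


def fill(template, subst):
    """Render a template against its substitution array (list indexed by position).

    A None entry models a NULL substitution value: an optional attribute is
    dropped and an optional element is omitted entirely, while a mandatory one
    renders as an empty string.  Values are escaped so that a value taken from
    the log can never inject elements or attributes into the textual XML.
    """
    def attr(m):
        name, idx, optional = m.group(1), int(m.group(2)), bool(m.group(4))
        val = subst[idx]
        if val is None and optional:
            return ''
        text = '' if val is None else str(val)
        return ' %s="%s"' % (name, escape(text, {'"': '&quot;'}))

    def elem(m):
        tag, attrs, idx, optional = m.group(1), m.group(2), int(m.group(3)), bool(m.group(5))
        val = subst[idx]
        if val is None and optional:
            return ''
        return '<%s%s>%s</%s>' % (tag, attrs, escape('' if val is None else str(val)), tag)

    # Attributes first, so each element's attribute list is already final when
    # the element-level pass decides whether to keep or omit the element.
    return ELEM_RE.sub(elem, ATTR_RE.sub(attr, template))


# Constructed sample: the Security.evtx template above, shortened, and a made-up
# substitution array (index = position as listed by evtxtemplates.pl).
TEMPLATE = ('<Event><System>'
            '<EventID Qualifiers="#4 (type 6, optional)#">#3 (type 6, optional)#</EventID>'
            '<Level>#0 (type 4, optional)#</Level>'
            '<TimeCreated SystemTime="#6 (type 17, optional)#" />'
            '<Security UserID="#12 (type 19, optional)#" /></System>'
            '<UserData>#19 (type 33, optional)#</UserData></Event>')
SUBST = [None] * 20
SUBST[0], SUBST[3], SUBST[6] = 4, 1102, '2007-08-01T12:00:00Z'
SUBST[19] = '<bad>&"'  # hostile value: must come out escaped, not as markup

if __name__ == '__main__':
    print(fill(TEMPLATE, SUBST))
```

Running the block prints one Event element in which Qualifiers and UserID have been dropped, Level and EventID are filled, and the UserData value appears as escaped text.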

Please keep in mind that this is still proof-of-concept software, so expect some changes during the next couple of weeks. I release these programs in the hope that they will help others to better understand the complex structure of the new event log format. Do not use them in real forensic examinations.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.