Tools
Joachim Metz edited this page Mar 8, 2016
libevtx comes with several tools:
- evtxinfo; to show basic information about an XML Event Log (.evtx) file
- evtxexport; to export event records from an XML Event Log (.evtx) file
Example output of evtxinfo for an Application event log:

```
evtxinfo 20121019

Windows Event Viewer Log (EVTX) information:
	Version				: 3.1
	Number of records		: 20568
	Number of recovered records	: 0
	Log type			: Application
```
There are multiple ways to export event records from an XML Event Log (.evtx) file, from:

- a stand-alone XML Event Log file
- mounted volume(s)

Stand-alone export of an XML Event Log (.evtx) file supports the text and xml formats.

To export a stand-alone XML Event Log in xml format:

```
evtxexport -f xml p1/Windows/System32/winevt/Logs/Application.evtx
```

To export the full event messages, both the SYSTEM and SOFTWARE registry files and the multi-language resources are needed; the latter are stored in executables (.exe, .dll) on the originating system.
Now consider a QEMU VM image of a Windows 7 machine:

1. First the image is mounted using fuse:

   ```
   sudo qcowmount win7test.img fuse/
   ```

2. The offset of the volume is needed to loop-back mount it. mmls of the sleuthkit is used to determine it:

   ```
   sudo mmls fuse/qcow1
   DOS Partition Table
   Offset Sector: 0
   Units are in 512-byte sectors

        Slot    Start        End          Length       Description
   00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
   01:  -----   0000000000   0000002047   0000002048   Unallocated
   02:  00:00   0000002048   0016755794   0016753746   NTFS (0x07)
   03:  -----   0016755795   0016777215   0000021421   Unallocated
   ```

3. Now to loop-back mount the volume. The NTFS volume starts at sector 2048 and the units are 512-byte sectors, so the byte offset is 2048 * 512:

   ```
   sudo mount -o loop,offset=$(( 2048 * 512 )) fuse/qcow1 p1/
   ```

4. Then to export the full messages:

   ```
   evtxexport -p p1/ -r p1/Windows/System32/config/ p1/Windows/System32/winevt/Logs/System.evtx
   ```

   Or:

   ```
   evtxexport -p p1/ -s p1/Windows/System32/config/SYSTEM -S p1/Windows/System32/config/SOFTWARE \
       p1/Windows/System32/winevt/Logs/System.evtx
   ```
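As an added example (not code from libevtx or from this page), the following POSIX shell script automates steps 2 to 4 above: it reads the NTFS start sector and the sector size out of mmls output instead of computing the offset by hand, refuses to continue when no NTFS partition is listed, and prints the mount and evtxexport commands for the mounted volume. The sample mmls output, the `ro` mount option and the helper names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of libevtx: derive the loop-back mount offset for the
# NTFS volume from mmls output (start sector in the third column, as on the page)
# and emit the commands for steps 3 and 4. The first NTFS entry is assumed to be
# the volume that holds Windows/System32.

# Constructed sample of mmls output, matching the table shown on the page.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0016755794   0016753746   NTFS (0x07)
03:  -----   0016755795   0016777215   0000021421   Unallocated'

# ntfs_offset_bytes MMLS_TEXT: print the byte offset of the first NTFS partition.
# The sector size comes from the "Units are in N-byte sectors" line rather than
# being assumed to be 512, so 4096-byte-sector images give the right offset.
# Returns 1 when no NTFS partition (or no units line) is present.
ntfs_offset_bytes() {
    printf '%s\n' "$1" | awk '
        /^Units are in [0-9]+-byte sectors/ { unit = $4 + 0 }   # "512-byte" -> 512
        /NTFS/ && !found { start = $3 + 0; found = 1 }         # third column: start sector
        END {
            if (!found || unit == 0) exit 1
            printf "%d\n", start * unit
        }'
}

# mount_command IMAGE OFFSET_BYTES MOUNTPOINT: the loop-back mount of step 3.
# "ro" is added here so the evidence image is never written to.
mount_command() {
    printf 'sudo mount -o ro,loop,offset=%s %s %s\n' "$2" "$1" "$3"
}

# export_command MOUNTPOINT LOGNAME: step 4, registry hives and resources under the mount.
export_command() {
    printf 'evtxexport -p %s -r %s/Windows/System32/config/ %s/Windows/System32/winevt/Logs/%s.evtx\n' \
        "$1" "$1" "$1" "$2"
}

# Driver: with no argument, walk the constructed sample; with an image path, run mmls on it.
if [ "$#" -ge 1 ]; then
    mmls_text=$(sudo mmls "$1")
else
    mmls_text=$SAMPLE_MMLS
fi
offset=$(ntfs_offset_bytes "$mmls_text") || { echo "no NTFS partition found in mmls output" >&2; exit 1; }
mount_command "${1:-fuse/qcow1}" "$offset" p1/
export_command p1 System
```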