Saturday, March 28, 2009

EventLog Parsing

It's a rainy day here in Northern VA, just the kind of day where you want to sit inside and code. Seriously. One of the things I've had to get back to is tweaking some of the issues I've had with the code for evt2xls.pl. For some reason, on smaller EVT files, it would rip right through them, but on larger files, particularly those around 16MB, it was having...issues.

Rather than try to wade through the mess of code I wrote two years ago, I decided to just rewrite the code from the ground up. Microsoft is nice enough to provide the EVENTLOGRECORD structure format, as well as the ELF_LOGFILE_HEADER structure and ELF_EOF_RECORD structure formats. Using this information, I completely rewrote the code that is the basis of evt2xls.pl. I will also be updating evtrpt.pl, which provides statistics about EVT files, such as the frequency of occurence of various event sources and IDs, as well as the date range of all of the records listed in the EVT file. I plan to add some statistics for SIDs, as well.

So the method for analyzing EVT files from Windows 2000, XP, and 2003 remains the same

1. Run the auditpol plugin from RegRipper (using rip.pl) against the Security hive file to see what's being audited.

2. Run evtrpt.pl (the new one when it's out) against the EVT file(s) to see what you have; for example, if the date range of the EVT records doesn't cover your incident, then there may be little of value.

3. Run evt2xls.pl to extract the event records to XLS, CSV, or a timeline-specific format for analysis.

A basic version of the rewritten evt2xls.pl will be available shortly. A more fully featured version will be available through some other means at a later date.

This is very useful, as the Perl script is platform-independent...it will run on any platform that has Perl, as no special or platform-specific modules are required (with the exception of Spreadsheet::WriteExcel, which can be easily installed on ActiveState Perl using PPM). Also, as the Windows API is not used, there's no worry about extracting event records from EVT files that other tools (particularly the Event Viewer) refer to as "corrupted", so their is not need to "fix" a corrupted EVT file (because it probably isn't corrupted at all).

Addendum: The next step is to create code for locating (and parsing) event records in memory dumps and unallocated space.

3 comments:

Augusto Barros said...

Not sure if you are aware of the DUMPEL tool from Windows Resource Kit. it can parse EVT files and dump them to text, including CSV. You can select the number of days that will be dumped from the log file, the event ids and other filtering options.

Parsing EVT files with dumpel:

dumpel -b -l filename.evt

Endurance trails said...

Are you perhaps closer to releasing the code for evtrpt.pl?

H. Carvey said...

There's a copy on the DVD with WFA 2/e...