Tools
joachimmetz edited this page Sep 28, 2014
libevt comes with several tools:
- evtinfo; to show basic information about an Event Log (.evt) file
- evtexport; to export event records from an Event Log (.evt) file
```
evtinfo AppEvent.Evt
evtinfo 20120422

Windows Event Log (EVT) information:
	Version				: 1.1
	Number of records		: 898
	Number of recovered records	: 0
	Log type			: Application
	Flags:
		Should be archived
```
There are multiple ways to export event records from an Event Log (.evt) file:
- from a stand-alone Event Log file
- from mounted volume(s)
To export the full event records, both the SYSTEM and SOFTWARE registry files and the (multi-language) message resources are needed; the latter are stored in executables (.exe, .dll) on the originating system.
Now consider a QEMU VM image of a Windows XP machine:
1. First the image is mounted using fuse:
```
sudo qcowmount xptest.img fuse/
```
2. The byte offset of the volume is needed to loop-back mount it. mmls from The Sleuth Kit is used to determine the start sector:
```
sudo mmls fuse/qcow1
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0016755794   0016755732   NTFS (0x07)
03:  -----   0016755795   0016777215   0000021421   Unallocated
```
3. Now to loop-back mount the volume (start sector times sector size):
```
sudo mount -o loop,offset=$(( 63 * 512 )) fuse/qcow1 p1/
```
4. Then to export the full messages, pointing evtexport at the mounted volume for the resource files (-p) and at the registry directory (-r):
```
evtexport -p p1/ -r p1/Windows/System32/config/ p1/Windows/System32/config/SysEvent.Evt
```
Or, with the SYSTEM and SOFTWARE registry files given explicitly:
```
evtexport -p p1/ -s p1/Windows/System32/config/SYSTEM -S p1/Windows/System32/config/SOFTWARE \
    p1/Windows/System32/config/SysEvent.Evt
```
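To tie steps 2 to 4 together, here is an added shell example (not part of libevt) that parses mmls output for the NTFS start sector, computes the loop-back mount offset, and checks a mounted volume for the SYSTEM and SOFTWARE hives and SysEvent.Evt that the full export needs. The mmls text is a constructed copy of the listing above; the paths and commands are the ones used in the walkthrough.

```shell
#!/bin/sh
# Added example (not part of libevt): derive the loop-back mount offset from mmls output
# and check that a mounted volume holds everything the full evtexport run needs.

# Constructed sample in the layout mmls prints; the real text comes from `sudo mmls fuse/qcow1`.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0016755794   0016755732   NTFS (0x07)
03:  -----   0016755795   0016777215   0000021421   Unallocated'

# Read mmls output on stdin and print the byte offset of the first NTFS volume.
# The sector size is taken from the "Units are in N-byte sectors" line, not hard-coded.
ntfs_byte_offset() {
    awk '
        /^Units are in [0-9]+-byte sectors/ { sub(/-byte$/, "", $4); sector_size = $4 }
        /NTFS/ && $3 ~ /^[0-9]+$/ && !found { start = $3 + 0; found = 1 }
        END { if (!found || !sector_size) exit 1; printf "%d\n", start * sector_size }'
}

# Verify that a mounted volume root has the SYSTEM and SOFTWARE hives and the System
# event log that the full export needs; lists anything missing and returns 1.
check_evt_inputs() {
    root="$1"; missing=0
    for rel in Windows/System32/config/SYSTEM \
               Windows/System32/config/SOFTWARE \
               Windows/System32/config/SysEvent.Evt; do
        [ -f "$root/$rel" ] || { echo "missing: $root/$rel" >&2; missing=1; }
    done
    return "$missing"
}

# Print the mount and export commands (steps 3 and 4 above) for the mmls output on stdin.
# Nothing is executed; paths are the ones used in the walkthrough.
plan_export() {
    offset=$(ntfs_byte_offset) || return 1
    printf 'sudo mount -o loop,offset=%s fuse/qcow1 p1/\n' "$offset"
    printf 'evtexport -p p1/ -r p1/Windows/System32/config/ p1/Windows/System32/config/SysEvent.Evt\n'
}

printf '%s\n' "$SAMPLE_MMLS" | plan_export
```

Run `check_evt_inputs p1/` after the mount to confirm the hives and log are present before starting the export.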