Andreas Schuster's EvtxParser is a fantastic tool for extracting events from the new log file format found in Windows Vista, Windows 7, the new Windows 2008 Server and other platforms. Like Kristinn's log2timeline tool, though, there are a few steps to complete the install. This should work on most Ubuntu versions but I'm on 10.04:
Download latest version
wget http://computer.forensikblog.de/files/evtx/EvtxParser-current.zip
unzip EvtxParser-current.zip
(the download is a zip archive, so unzip it rather than running tar on it)
Install dependencies
sudo apt-get install libdatetime-perl libcarp-assert-perl
sudo -s
perl -MCPAN -e shell
(inside the CPAN shell:)
install Digest::CRC
install Data::Hexify
Run program
./evtxdump.pl Security.evtx
Sample output
Here’s some sample output from a Windows 2008 Server R2 security log:
<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4608</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12288</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2010-05-24T17:41:15.4843Z" />
<EventRecordID>1</EventRecordID>
<Correlation />
<Execution ProcessID="460" ThreadID="464" />
<Channel>Security</Channel>
<Computer>37L4247D25-07</Computer>
<Security /></System>
<EventData></EventData></Event>
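Once evtxdump.pl has written XML like the above, the next job is usually to pull the records into something you can filter and sort. The script below is an added example, not part of the original post and not part of EvtxParser: it parses the dump's XML (every element lives in the http://schemas.microsoft.com/win/2004/08/events/event namespace, and SystemTime carries a variable-width fractional second), turns each Event into a dict, and selects records by EventID. The embedded input is constructed: record 1 is the sample 4608 event shown above, record 2 is a made-up 4624 logon record with a hypothetical user name, added so the filter has something to pick out.

```python
"""Parse evtxdump.pl XML output into Python dicts and filter on EventID (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Default namespace used by every element in the evtxdump.pl output.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed input: record 1 is the page's sample 4608 event, record 2 is a
# made-up 4624 logon event in the same layout (hypothetical user "exampleuser").
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4608</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12288</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2010-05-24T17:41:15.4843Z" />
<EventRecordID>1</EventRecordID>
<Correlation />
<Execution ProcessID="460" ThreadID="464" />
<Channel>Security</Channel>
<Computer>37L4247D25-07</Computer>
<Security /></System>
<EventData></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4624</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2010-05-24T17:42:03.12Z" />
<EventRecordID>2</EventRecordID>
<Correlation />
<Execution ProcessID="460" ThreadID="464" />
<Channel>Security</Channel>
<Computer>37L4247D25-07</Computer>
<Security /></System>
<EventData><Data Name="TargetUserName">exampleuser</Data><Data Name="LogonType">10</Data></EventData></Event>
</Events>"""

# Keywords bit carried by successful-audit records in the Security channel.
AUDIT_SUCCESS = 0x8020000000000000


def parse_systemtime(value):
    """SystemTime is UTC with a variable-width fraction (e.g. .4843Z); pad it to microseconds."""
    base, _, frac = value.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def parse_events(xml_text):
    """Return one dict per <Event>, with the System fields and EventData name/value pairs."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)

        def text(tag):
            return system.findtext("e:" + tag, default="", namespaces=NS)

        data = {d.get("Name", ""): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "record_id": int(text("EventRecordID")),
            "event_id": int(text("EventID")),
            "provider": system.find("e:Provider", NS).get("Name"),
            "keywords": int(text("Keywords"), 16),  # "0x..." is accepted with base 16
            "time": parse_systemtime(system.find("e:TimeCreated", NS).get("SystemTime")),
            "channel": text("Channel"),
            "computer": text("Computer"),
            "data": data,
        })
    return events


def select(events, event_ids):
    """Keep only the events whose EventID is in event_ids, preserving record order."""
    wanted = set(event_ids)
    return [e for e in events if e["event_id"] in wanted]


if __name__ == "__main__":
    for e in select(parse_events(SAMPLE_XML), [4608, 4624]):
        print(e["record_id"], e["time"].isoformat(), e["event_id"], e["computer"], e["data"])
```

To run it over a real dump, replace SAMPLE_XML with the contents of the file evtxdump.pl wrote; the same functions work for any channel, because only the namespace and the System/EventData layout are assumed, and those are fixed by the Windows event schema rather than by the Security log.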