Windows EVTX Fragment eXtension Parser (evtfx)

Introduction

The Windows operating system uses binary XML notation to record various events that occur during the normal course of system usage. In forensics, use of the data recorded in the Window's event log is extremely useful in determining the changes occurring in a machine over time periods of interest. There are many utilities that allow one to extract records from these same logs and package them by time or event to highlight activities that occurred. Occasionally, however, when a parser encounters a corrupted log file, parsing out records can be problematic at best. Therefore, the objective for evtfx was to focus on this area; parsing event logs that were either: (a) corrupted internally either intentionally or accidently by the system (during a crash) or (b) were partially recovered usually from a file carving operation, but still contained gaps in the data.

In order to design a tool that can parse EVTX type records from corrupted or partial fragments of a log, one needs to adjust the way a normal EVTX type parser works. As background, EVTX type logs, as part of their internal design, attempt to minimize the space usage by incorporating a position dependent record structure. Specifically, one record can rely on another record's definitions of field names or data values. This allows a reduction of space and acts as a compression technique when storing many similar events; many of the data labels are the same and will reference a main record containing a shared template definition. While this is very useful under normal circumstances, unfortunately, when the records become corrupted or deleted, this position dependence can cause undefined behavior for any parser relying on traversing the position related pointers. Case in point is the evtwalk tool from TZWorks; it does an excellent job at parsing uncorrupted records, however, does a best guess type parsing for those records that are deleted (using the -inc_slack option, which means to include the slack space during the parsing operation). Furthermore, if for whatever reason, the parser cannot find the template definition, it won't parse records that rely on the missing definition. By extension, any log records that are outside the log file structures usually get missed as well.

The purpose of evtfx is to address the shortfalls of EVTX parsers when it comes to corrupted or partial event logs. As part of its architecture, it is designed to be somewhat independent over the state of the previous records. This, in turn, adds robustness for handling missing/corrupted records.

The downside to the evtfx tool, is it is slower in actual parsing time when compared to evtwalk. In some cases, the evtfx tool misses some of the content of the data. In general, the accuracy of the results of evtfx comes close to that evtwalk. Therefore, if the event log is normal and intact, the evtwalk tool should be the tool of choice. If, however, one wishes to extract corrupted or deleted records from an event log, the evtfx tool is good choice.

Taken to the extreme, the evtfx tool can be used to pull out EVTX type records from any blob of data, assuming the data is uncompressed and unencrypted. The latter condition is very important, since Windows may incorporate NTFS file compression for the event log in question, in which case, the evtfx tool may fail to parse the compressed data. While evtfx makes some attempts to try to perform NTFS file decompression, the results are much more reliable if the raw cluster data is uncompressed.

How to use evtfx

One can display the menu options by typing in the executable name with no parameters. A screen shot of the menu is shown below.

evtfx menu

Below is an example of running the tool in its simplest form. The parsed output will dump to the screen, unless one sends the output to a file.

    > evtfx64 -log System.evtx -out results.csv
            

To process multiple databases one would use the -enumdir option while enumerating a folder and subfolder of databases, like so:

    > evtfx64 -enumdir evtx_folder -num_subdirs 2 -out results.csv
            

Below is a snapshot of the CSV output the tool produces (details about each of these fields are discussed in the user's guide)

evtfx output

The tool can also output the results into a SQLite database, using the -sqlite -db <output_db> syntax. Details about the database schema used and how to query the database is discussed in detail in the user's guide.

For more information

The user's guide can be viewed here

If you would like more information about evtfx, contact us via email.

Downloads

Intel 32-bit VersionIntel 64-bit VersionARM 64-bit Version
Windows:evtfx32.v.0.14.win.zipevtfx64.v.0.14.win.zipevtfx64a.v.0.14.win.zipmd5/sha1
Linux:evtfx32.v.0.14.lin.tar.gzevtfx64.v.0.14.lin.tar.gzevtfx64a.v.0.14.lin.tar.gzmd5/sha1
Mac OS X:Not Availableevtfx.v.0.14.dmgevtfx.v.0.14.dmgmd5/sha1
*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present.