Closed codekoala closed 5 years ago
qjerome
commented
5 years ago Hi Josh, Any particular reason why you want to carve from an EVTX file? Did you try without the -c switch? Carving option is rather to use on a disk image. Anyway if the bug happens on the EVTX file it is very likely it would happen on a disk image too. If you don't mind to share the file I would be interested to get it in order to fix the bug.
codekoala
commented
5 years ago I used the carve option because without it evtxdump immediately crashed with that same error. Carving was just the one thing I tried that produced some kind of output. I only stumbled upon this project an hour or so ago, so I'm still learning the ropes :)
codekoala
commented
5 years ago @qjerome do you happen to have a GPG public key I can use to send an encrypted version of the .evtx file to you?
codekoala
commented
5 years ago You probably already knew this, but after doing a little digging it's obvious that evtxdump without the -c flag did not immediately crash. It just didn't offer any other output before the stacktrace, which caused me to make some assumptions.
qjerome
commented
5 years ago Yep, you can grab my GPG key there https://rawsec.lu/data/gpg/info@rawsec.lu.pub-gpg-key.txt I will dig into this, when I have time. Just a quick question about the context in which you got this file. Is this a file you got from a live acquisition (running system) or from a forensic image?
codekoala
commented
5 years ago Cool, thank you!
The .evtx file was created from a live system (which I no longer have) just a few days ago.
qjerome
commented
5 years ago Alright, that is very likely why there is parsing error, because EVTX on live system are not gently closed and some internal structure are only partial leading to further parsing issues. I will look at it and attempt to produce a fix for that.
codekoala
commented
5 years ago We may not be talking about the same thing. When I said it was from a live system, I meant that I pulled up the Windows Event Log Viewer (or whatever it's called) and selected an option to save some logs to a .evtx file. I get the impression that you meant something different when you asked about a live system?
Also, how would you prefer to receive the encrypted file? Do you have a preferred email or shall I drop it in a temporary location online?
qjerome
commented
5 years ago OK, then you are right. I did not meant this kind of live acquisition. I rather thought about copying the EVTX file straight from the file-system. So, in your scenario the file should be correctly formatted if it is an export from the event viewer. I will dig into this.
codekoala
commented
5 years ago Thank you!
It looks like the error may originate from around here: https://github.com/0xrawsec/golang-evtx/blob/master/evtx/structs.go#L430
It seems to happen when uts.Size is 0. I'm not sure how correct this is in the context of EVTX parsing, but adding a simple conditional around the unmarshaling of uts.String seems to resolve the problem for me:
func (uts *UnicodeTextString) Parse(reader io.ReadSeeker) error {
err := encoding.Unmarshal(reader, &uts.Size, Endianness)
if err != nil {
return err
}
if uts.Size > 0 {
uts.String = make(UTF16String, uts.Size)
err = encoding.UnmarshaInitSlice(reader, &uts.String, Endianness)
//log.Debugf("len:%d value:%s", uts.Size, string(uts.String.ToASCII()))
}
return err
}Yep, that is my exact same bug fix :)
I see this error (with a stacktrace) 9 times in a simple 7MB .evtx file when using
evtxdump -c thefile.evtx.I haven't done much digging into the stack yet, but I can supply the .evtx file privately if necessary.