Closed codekoala closed 5 years ago
Hi Josh, any particular reason why you want to carve from an EVTX file? Did you try without the -c switch? The carving option is rather meant to be used on a disk image. Anyway, if the bug happens on the EVTX file it is very likely it would happen on a disk image too. If you don't mind sharing the file I would be interested to get it in order to fix the bug.
I used the carve option because without it `evtxdump` immediately crashed with that same error. Carving was just the one thing I tried that produced some kind of output. I only stumbled upon this project an hour or so ago, so I'm still learning the ropes :)
@qjerome do you happen to have a GPG public key I can use to send an encrypted version of the .evtx file to you?
You probably already knew this, but after doing a little digging it's obvious that `evtxdump` without the `-c` flag did not immediately crash. It just didn't offer any other output before the stacktrace, which caused me to make some assumptions.
Yep, you can grab my GPG key there: https://rawsec.lu/data/gpg/info@rawsec.lu.pub-gpg-key.txt I will dig into this when I have time. Just a quick question about the context in which you got this file: is this a file you got from a live acquisition (running system) or from a forensic image?
Cool, thank you!
The .evtx file was created from a live system (which I no longer have) just a few days ago.
Alright, that is very likely why there is a parsing error, because EVTX files on a live system are not gently closed and some internal structures are only partial, leading to further parsing issues. I will look at it and attempt to produce a fix for that.
We may not be talking about the same thing. When I said it was from a live system, I meant that I pulled up the Windows Event Log Viewer (or whatever it's called) and selected an option to save some logs to a .evtx file. I get the impression that you meant something different when you asked about a live system?
Also, how would you prefer to receive the encrypted file? Do you have a preferred email or shall I drop it in a temporary location online?
OK, then you are right. I did not mean this kind of live acquisition. I rather thought about copying the EVTX file straight from the file system. So, in your scenario the file should be correctly formatted if it is an export from the event viewer. I will dig into this.
Thank you!
It looks like the error may originate from around here: https://github.com/0xrawsec/golang-evtx/blob/master/evtx/structs.go#L430
It seems to happen when `uts.Size` is 0. I'm not sure how correct this is in the context of EVTX parsing, but adding a simple conditional around the unmarshaling of `uts.String` seems to resolve the problem for me:
```go
// Parse reads the 16-bit length prefix and then, only when it is non-zero,
// the UTF-16 code units that follow it. Unmarshaling into an empty slice is
// what triggered the crash, so a zero-length string is treated as empty.
func (uts *UnicodeTextString) Parse(reader io.ReadSeeker) error {
	err := encoding.Unmarshal(reader, &uts.Size, Endianness)
	if err != nil {
		return err
	}
	if uts.Size > 0 {
		uts.String = make(UTF16String, uts.Size)
		// UnmarshalInitSlice fills the pre-sized slice from the reader
		err = encoding.UnmarshalInitSlice(reader, &uts.String, Endianness)
		//log.Debugf("len:%d value:%s", uts.Size, string(uts.String.ToASCII()))
	}
	return err
}
```
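The same length-prefixed UTF-16 structure parsed stand-alone, as an added example that is not code from this project or from either participant; the type and field names are assumptions, and `encoding/binary` is used in place of the project's own `encoding` package. It shows the two failure modes a record like this can present: a Size of 0 (a legitimate empty string, which must not trigger a read into an empty buffer) and a stream that ends before Size code units are available (which must be reported as truncation rather than mistaken for a clean EOF).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"unicode/utf16"
)

// UnicodeTextString mirrors the BinXml element discussed above: a 16-bit count
// of UTF-16 code units followed by that many little-endian code units.
// The type and field names are assumptions made for this example.
type UnicodeTextString struct {
	Size   uint16
	String []uint16
}

// Parse reads one UnicodeTextString from r. Size 0 is a valid empty string,
// so the code-unit read is skipped rather than attempted on an empty buffer;
// a stream that ends before Size units are available is reported as
// truncated (io.ErrUnexpectedEOF) instead of being mistaken for a clean EOF.
func (uts *UnicodeTextString) Parse(r io.Reader) error {
	if err := binary.Read(r, binary.LittleEndian, &uts.Size); err != nil {
		return fmt.Errorf("reading size: %w", err)
	}
	uts.String = nil
	if uts.Size == 0 {
		return nil
	}
	buf := make([]uint16, uts.Size)
	if err := binary.Read(r, binary.LittleEndian, buf); err != nil {
		if errors.Is(err, io.EOF) {
			err = io.ErrUnexpectedEOF
		}
		return fmt.Errorf("reading %d UTF-16 units: %w", uts.Size, err)
	}
	uts.String = buf
	return nil
}

// Text decodes the stored code units into a Go string.
func (uts *UnicodeTextString) Text() string {
	return string(utf16.Decode(uts.String))
}
```

Calling Parse repeatedly on one reader walks a sequence of strings; a clean io.EOF on the size read marks the end, anything else is a malformed record.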
Yep, that is my exact same bug fix :)
I see this error (with a stacktrace) 9 times in a simple 7MB .evtx file when using `evtxdump -c thefile.evtx`. I haven't done much digging into the stack yet, but I can supply the .evtx file privately if necessary.