I recently had to parse many event logs and came across some corrupt EVTX files. The `evtx.Open()` method does not return an error on corrupt EVTX files. After doing some research of my own I discovered this from libyal: https://github.com/libyal/libevtx/blob/master/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc#2-file-header

Can you add some error checking within the `evtx.Open()` function to check whether the `evtx.Header.Magic` is equal to `ElfFile\000`? It appears that the `evtx.Header.Magic` value will always be `ElfFile\000` for a valid EVTX file. I implemented this in my code to handle the corrupt files but I think it would be appropriate to have more error/sanity checks within `Open()` so that users can handle potentially broken files cleanly.

Apologies for not being able to supply you with a corrupt EVTX file as I am not allowed to share it. Thank you.
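One way to do the sanity check the issue asks for, as an added Go example that is not the library's own code: it validates the 128-byte EVTX file header (signature, header-size field and CRC32) and returns an error instead of silently succeeding. The field offsets are taken from the libyal document linked above and the sample header is constructed, so both are assumptions rather than anything from this page.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"hash/crc32"
	"io"
)

// EVTX file header offsets, from the libyal document the issue links to:
// signature at 0, header size (uint32) at 32, CRC32 at 124 over bytes 0..119.
const headerLen, headerSizeOff, crcCovered, checksumOff = 128, 32, 120, 124

var evtxMagic = []byte("ElfFile\x00")

// ValidateEVTXHeader reads one file header from r and returns an error for
// the first problem found, instead of the silent success the issue describes.
func ValidateEVTXHeader(r io.Reader) error {
	hdr := make([]byte, headerLen)
	if _, err := io.ReadFull(r, hdr); err != nil {
		return fmt.Errorf("evtx: truncated file header: %w", err)
	}
	if !bytes.Equal(hdr[:len(evtxMagic)], evtxMagic) {
		return fmt.Errorf("evtx: bad file header signature %q", hdr[:len(evtxMagic)])
	}
	if sz := binary.LittleEndian.Uint32(hdr[headerSizeOff:]); sz != headerLen {
		return fmt.Errorf("evtx: header size field is %d, want %d", sz, headerLen)
	}
	want := binary.LittleEndian.Uint32(hdr[checksumOff:])
	if got := crc32.ChecksumIEEE(hdr[:crcCovered]); got != want {
		return fmt.Errorf("evtx: header CRC32 0x%08x, stored 0x%08x", got, want)
	}
	return nil
}

// SampleHeader builds a constructed minimal header (not taken from a real
// log) that passes the checks above; corrupt copies of it exercise the errors.
func SampleHeader() []byte {
	hdr := make([]byte, headerLen)
	copy(hdr, evtxMagic)
	binary.LittleEndian.PutUint32(hdr[headerSizeOff:], headerLen)
	binary.LittleEndian.PutUint32(hdr[checksumOff:], crc32.ChecksumIEEE(hdr[:crcCovered]))
	return hdr
}

func main() {
	fmt.Println("constructed header:", ValidateEVTXHeader(bytes.NewReader(SampleHeader())))
}
```

A caller wrapping `Open()` can run this on the file before handing it to the parser, and treat any returned error as "skip and log" rather than a crash.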