qjerome
commented
4 years ago Sorry for the delay to address this issue. Thank you for your feedback
Closed steve-offutt closed 4 years ago
qjerome
commented
4 years ago Sorry for the delay to address this issue. Thank you for your feedback
I recently had to parse many event logs and came across some corrupt EVTX files. The
evtx.Open()method does not return an error on corrupt EVTX files. After doing some research of my own I discovered this from libyal: https://github.com/libyal/libevtx/blob/master/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc#2-file-headerCan you add some error checking within the
evtx.Open()function to check whether theevtx.Header.Magicis equal toElfFile\000? It appears to be that theevtx.Header.Magicvalue will always beElfFile\000for a valid EVTX file. I implemented this in my code to handle the corrupt files but I think it would be appropriate to have more error/sanity checks withinOpen()so that users can handle potentially broken files cleanly.Apologies for not being able to supply you with a corrupt EVTX file as I am not allowed to share it. Thank you.