SalihaSeker / log2timeline

Automatically exported from code.google.com/p/log2timeline
GNU General Public License v3.0

EVTX Input Fails on Parse #11

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
  1. Run l2t against an evtx file where 'invalid' character values are found. In this case, the event log entry is on the Authentication Policy Change Event, where an odd character appears in the min password age / lockout threshold fields. (See attached screenshot - cannot provide evtx, sorry)

What is the expected output? What do you see instead?

I expect to see the timeline include all entries from the event log (or skip 
the entries it failed to parse), but it appears to stop after hitting the error 
below (used verbose mode to capture).
------------
[Log2Timeline] Error occured while parsing Security.evtx - The processing has 
died and therefore it will not be further
processed.
However the tool will continue running, trying to parse the next file.
The error that got displayed by the tool is:
:27: parser error : PCDATA invalid Char value 3
<Data Name="MinPasswordAge">♥</Data>
                            ^
:30: parser error : PCDATA invalid Char value 3
<Data Name="LockoutThreshold">♥</Data>
                              ^
[LOG2T] Parsing of file is completed
[LOG2T] Done.
------------

What version of the product are you using? On what operating system?

0.64 on Ubuntu and replicated error on Windows with Active Perl


Original issue reported on code.google.com by `andrew.h...@gmail.com` on 12 Sep 2012 at 4:18

Attachments:
* [view-of-entry.PNG](https://storage.googleapis.com/google-code-attachments/log2timeline/issue-11/comment-0/view-of-entry.PNG)
GoogleCodeExporter commented 8 years ago
This should be "fixed" now. The error really lies in the EVTX library, since it 
does not properly decode the value. And then the XML library in Perl croaks on 
the output, and displays it in a wrong format.

The "fix" is simply a check (try/catch) to see if this condition comes up, and 
then return an error for that particular entry instead of the entire file, so 
we can continue and parse the file and get the rest of the entries.

Since I don't have the file I need you to test this for me (the latest version 
in the repo should have the fix and the next release too).

Marking this as "fixed", but not done yet, since it hasn't been tested and 
fully verified.

Original comment by ki...@kiddaland.net on 19 Sep 2012 at 4:08

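The per-entry try/catch described in the comment above, as an added Python example that is not log2timeline's own code (the 0.64 code base is Perl): it assumes the EVTX library hands over each record as an XML string, and the sample records are constructed, with record 2 carrying the control character 0x03 from the report. It also goes one step beyond the comment with an optional sanitize mode that strips the characters XML 1.0 forbids so the record is kept rather than skipped.

```python
import re
import xml.etree.ElementTree as ET

# Characters XML 1.0 does not allow in PCDATA: everything below 0x20 except
# tab, LF and CR. "Char value 3" from the report is one of them.
INVALID_XML_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")

# Constructed sample records, shaped like the XML an EVTX library returns.
# Record 2 mimics the issue: 0x03 in MinPasswordAge and LockoutThreshold
# (the heart symbol in the report is how the console rendered that byte).
SAMPLE_RECORDS = [
    '<Event><System><EventID>4719</EventID></System><EventData>'
    '<Data Name="SubjectUserName">Administrator</Data></EventData></Event>',
    '<Event><System><EventID>4739</EventID></System><EventData>'
    '<Data Name="MinPasswordAge">\x03</Data>'
    '<Data Name="LockoutThreshold">\x03</Data></EventData></Event>',
    '<Event><System><EventID>4624</EventID></System><EventData>'
    '<Data Name="TargetUserName">alice</Data></EventData></Event>',
]


def parse_record(xml_text):
    """Parse one record into {event_id, data}; raises ET.ParseError on bad XML."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("./System/EventID")
    data = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    return {"event_id": event_id, "data": data}


def parse_file(records, sanitize=False):
    """Parse every record of a file, isolating failures to the bad record.

    Without sanitize, a record the XML parser rejects is logged and skipped
    and parsing continues (the fix described in the thread). With sanitize,
    the invalid control characters are stripped first so the record survives.
    """
    parsed, errors = [], []
    for index, xml_text in enumerate(records):
        if sanitize:
            xml_text = INVALID_XML_CHARS.sub("", xml_text)
        try:
            parsed.append(parse_record(xml_text))
        except ET.ParseError as exc:
            # Error for this entry only, not for the whole file.
            errors.append((index, str(exc)))
    return parsed, errors
```

Skipping keeps the timeline complete apart from the broken entry; sanitizing keeps the entry but leaves those two fields empty, so either way the log of skipped or cleaned records should be reviewed.
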
GoogleCodeExporter commented 8 years ago
Kristinn,

Thanks for the fix - it properly parsed the entire file this time, just skipping that one entry.

I was able to complete my timeline using MS LogParser to build a csv output in l2t format, then inject it into my original timeline. I actually kind of like that custom output a hair better than the default evtx input module output, if you are interested in taking a look - I could send the query.

Anyway, thanks again for your great support to the community with l2t!

Original comment by andrew.h...@gmail.com on 19 Sep 2012 at 12:35

GoogleCodeExporter commented 8 years ago
OK, great, good to hear that it is done.

Yes, I am always open for new ways of presenting the data. Whether that is just 
to show me the output using this method or the script itself.

Original comment by ki...@kiddaland.net on 19 Sep 2012 at 6:06