Open dlimanov opened 9 years ago
That's actually the expected behavior (except for the 0 records read, it can happen if you have less than 2000 events to process, see this line).
Have you tried opening timeline-sessions.html in the /timeline folder in your browser? It should be displaying the timeline correctly.
Hi Thomas, Thank you for replying. Problem is there is no html generated in the /timeline folder. There's a single JS file that contains all events but nothing else.
The HTML file isn't generated by the script, it's already there when you clone the repo: https://github.com/certsocietegenerale/event2timeline/tree/master/timeline
Ok, so I started from scratch, deleted everything and pulled in a fresh version of the repo, fed it a new evtx file:
event2timeline-master$ python event2timeline.py -e -f ~/Desktop/evt.evtx
[] Reading EVTX file /Desktop/evt.evtx
0 records read
[] Unique users: 5
[*] Mapped 38 sessions from 2012-11-07 21:36:06 to 2015-03-13 16:18:07
I now have the following two files in /timeline folder:
event2timeline-master/timeline$ ls
d3.v2.js timeline-sessions.html
However, when I try to open timeline-sessions.html, it renders an empty page in Firefox. Is this because there are not enough sessions in the evtx file?
That's strange, the script should generate an evtdata.js file in the /timeline folder. Did it generate an evtdata.js file anywhere? If you can share the evtx file, I'll happily run some tests locally tomorrow.
Hi Thomas, evtdata.js does not seem to be created anywhere. Here’s a link to evtx file, let me know if you can’t get to it: https://drive.google.com/file/d/0B1yDJY-W7MEnSkFHSEtPTUl2VGM/view?usp=sharing
Thanks!
Is there anything special I need to do to get it to understand the EVTX files from a Win7 machine? Installed dependencies, all looks well but when I run it, I get this:
It creates evtdata.js in /timeline folder but nothing else. Am I missing something obvious? Thanks!