Feature Request: "relaxed" mode parsing for use on files recovered from memory

[bryannolen]

Because of the strict file checks, it is not always possible to libevtx (and thus plaso etc.) to parse recovered EvtX files (i.e. via dumpfiles in volatility)

e.g. using https://github.com/williballenthin/EVTXtract as a baseline

Forensics:~> evtxtract artefacts/volatility/files/file.None.0xffffe001f66235d0.Microsoft-Windows-Sysmon%4Operational.evtx.dat >>/dev/null INFO:root:recovered 174 complete records INFO:root:recovered 0 incomplete records

Forensics:~> evtxexport artefacts/volatility/files/file.None.0xffffe001f66235d0.Microsoft-Windows-Sysmon%4Operational.evtx.dat evtxexport 20170122

Unable to open: artefacts/volatility/files/file.None.0xffffe001f66235d0.Microsoft-Windows-Sysmon%4Operational.evtx.dat. libevtx_io_handle_read_file_header: unsupported file signature. libevtx_file_open_read: unable to read file header. libevtx_file_open_file_io_handle: unable to read from file handle. libevtx_file_open: unable to open file: bsidesau2018/artefacts/volatility/files/file.None.0xffffe001f66235d0.Microsoft-Windows-Sysmon%4Operational.evtx.dat. export_handle_open_input: unable to open input file.

[joachimmetz]

to parse recovered EvtX files (i.e. via dumpfiles in volatility)

first of all these are not evtx files, but binary data that might contain evtx records

libevtx and EVTXtract have different goals:

• libevtx is library to parse evtx files; this implies that some of the metadata must be present, such as the file signature hence the error message libevtx_io_handle_read_file_header: unsupported file signature.
• EVTXtract is an evtx record carver

your request is out of scope of this project.

now for plaso to do recovery of evtx record recovery is another discussion