ParseEvtx handling of evtx log files with a space in the name

[shannaniggans]

When running ParseEvtx and specifying the event logs which contain spaces in their names:

• Microsoft-Windows-Windows Defender%4Operational.evtx
• Microsoft-Windows-Windows Defender%4WHC.evtx

The plugin separates the name into multiple items and therefore cannot find the files specified: 2022-04-01 07:01:02.482 ParseEvtxDbIngestModule process INFO: List Of Events ==> ['Other', 'Microsoft-Windows-Windows', 'Defender%4Operational.evtx,', 'Microsoft-Windows-Windows', 'Defender%4WHC.evtx'] <== Number of Events ==> 5

I have tried adding a "%20" instead of the space, adding " and ' around the file name but I cannot figure out how to tell the plugin that it's all one word and not to split it in two.

Is this known or a bit of a bug?

Autopsy 4.19.3 / ParseEvtx version 1.5 / Python 3.9.0

[markmckinnon]

My first guess is that it is spliting on something it should not. I think maybe if I change the split to split on a comma then it will behave like it should. I will test this out and get back with you if that will fix the problem.

[shannaniggans]

That works, I've added it in, ill attempt to push my changes and close this out.