An event log can be so large that it has more chunks than allowable in the header's u16 chunk count. We can calculate the chunk count by taking size of evtx stream, the header size, and chunk size. This allows for parsing chunk where the index is greater than u16. Will submit a PR.
omerbenamram
commented
3 years ago
An event log can be so large that it has more chunks than allowable in the header's u16 chunk count. We can calculate the chunk count by taking size of evtx stream, the header size, and chunk size. This allows for parsing chunk where the index is greater than u16. Will submit a PR.