omerbenamram
commented
1 year ago It's technically possible using seek as you've mentioned. It's not implemented however by evtx_dump.
Open dkhokhlov opened 1 year ago
omerbenamram
commented
1 year ago It's technically possible using seek as you've mentioned. It's not implemented however by evtx_dump.
dkhokhlov
commented
1 year ago it looks like chunks get reused. is it why evtx dumps records out of order? will the tailing need to traverse whole file to get last record?
Is it possible to tail evtx files? using custom ReadSeek?