omerbenamram / evtx

A Fast (and safe) parser for the Windows XML Event Log (EVTX) format
Apache License 2.0
687 stars 64 forks

Missing XML Data #24

Closed devgc closed 5 years ago

devgc commented 5 years ago

Here is an example of missing data. (See Data tags).

H_Application.evtx.evtx_dump.xml

Record 3308
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ESENT">
    </Provider>
    <EventID Qualifiers="0">916</EventID>
    <Level>4</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-08-09 07:21:00.046087 UTC">
    </TimeCreated>
    <EventRecordID>3308</EventRecordID>
    <Channel>Application</Channel>
    <Computer>DESKTOP-1N4R894</Computer>
    <Security>
    </Security>
  </System>
  <EventData>
    <Data></Data>
    <Binary></Binary>
  </EventData>
</Event>
Record 3309
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ESENT">
    </Provider>
    <EventID Qualifiers="0">916</EventID>
    <Level>4</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-08-09 08:22:00.061763 UTC">
    </TimeCreated>
    <EventRecordID>3309</EventRecordID>
    <Channel>Application</Channel>
    <Computer>DESKTOP-1N4R894</Computer>
    <Security>
    </Security>
  </System>
  <EventData>
    <Data></Data>
    <Binary></Binary>
  </EventData>
</Event>

Compared to H_Application.evtx.evtxecmd.xml

<?xml version="1.0" encoding="utf-16"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ESENT" />
    <EventID Qualifiers="0">916</EventID>
    <Level>4</Level>
    <Task>1</Task>
    <Keywords>EventlogClassic</Keywords>
    <TimeCreated SystemTime="2018-08-09 07:21:00.0460872" />
    <EventRecordID>3308</EventRecordID>
    <Channel>Application</Channel>
    <Computer>DESKTOP-1N4R894</Computer>
    <Security />
  </System>
  <EventData>
    <Data>svchost, 2672,G,98, EseDiskFlushConsistency, ESENT, 0x800000</Data>
    <Binary></Binary>
  </EventData>
</Event>
<?xml version="1.0" encoding="utf-16"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ESENT" />
    <EventID Qualifiers="0">916</EventID>
    <Level>4</Level>
    <Task>1</Task>
    <Keywords>EventlogClassic</Keywords>
    <TimeCreated SystemTime="2018-08-09 08:22:00.0617638" />
    <EventRecordID>3309</EventRecordID>
    <Channel>Application</Channel>
    <Computer>DESKTOP-1N4R894</Computer>
    <Security />
  </System>
  <EventData>
    <Data>svchost, 2672,G,98, EseDiskFlushConsistency, ESENT, 0x800000</Data>
    <Binary></Binary>
  </EventData>
</Event>

You can find the RAW evtxs here: https://www.dropbox.com/s/0vejq9lsjq1cskq/DEFCON_2018_DESKTOP_KAPE_EVTX_SET.zip?dl=0

You can find the output reports here: https://www.dropbox.com/s/emx7lbkmq6xrwuc/DEFCON_2018_DESKTOP_EVTX_COMPARISON.zip?dl=0

In this example the file that contains the data depicted here can be found in the DEFCON_2018_DESKTOP_KAPE_EVTX_SET.zip set [\H\Windows\system32\winevt\logs\Application.evtx]
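The discrepancy above is the kind of thing a differential check between two parsers catches automatically: key both dumps on EventRecordID and flag records where one tool emits a populated <Data> element and the other emits an empty one. The script below is an added example written for this page; it is not part of evtx, evtx_dump or EvtxECmd. The sample inputs are constructed from the two ESENT/916 records quoted in the issue (whitespace compacted), and the function names (split_events, index_by_record_id, find_missing_data, report) are this example's own. Fields that legitimately differ between the two tools (Keywords rendered as a hex mask versus a symbolic name, TimeCreated precision) are deliberately ignored; only Data content is compared.

```python
import re
import xml.etree.ElementTree as ET

# Windows Event schema namespace; every element in both dumps lives in it.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample input: the two ESENT/916 records from this issue as
# emitted by evtx_dump (empty <Data>) and by EvtxECmd (populated <Data>).
EVTX_DUMP_XML = """Record 3308
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="ESENT"></Provider><EventID Qualifiers="0">916</EventID>
  <EventRecordID>3308</EventRecordID><Channel>Application</Channel></System>
  <EventData><Data></Data><Binary></Binary></EventData>
</Event>
Record 3309
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="ESENT"></Provider><EventID Qualifiers="0">916</EventID>
  <EventRecordID>3309</EventRecordID><Channel>Application</Channel></System>
  <EventData><Data></Data><Binary></Binary></EventData>
</Event>
"""

EVTXECMD_XML = """<?xml version="1.0" encoding="utf-16"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="ESENT" /><EventID Qualifiers="0">916</EventID>
  <EventRecordID>3308</EventRecordID><Channel>Application</Channel></System>
  <EventData><Data>svchost, 2672,G,98, EseDiskFlushConsistency, ESENT, 0x800000</Data><Binary></Binary></EventData>
</Event>
<?xml version="1.0" encoding="utf-16"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="ESENT" /><EventID Qualifiers="0">916</EventID>
  <EventRecordID>3309</EventRecordID><Channel>Application</Channel></System>
  <EventData><Data>svchost, 2672,G,98, EseDiskFlushConsistency, ESENT, 0x800000</Data><Binary></Binary></EventData>
</Event>
"""


def split_events(dump):
    """Split a concatenated dump into individual <Event> documents.

    evtx_dump prefixes each record with a 'Record N' line and both tools
    emit one XML declaration per record, so split on the declarations
    (also sidestepping the utf-16 declaration on an in-memory str) and
    drop the 'Record N' marker lines.
    """
    docs = []
    for chunk in re.split(r"<\?xml[^>]*\?>", dump):
        chunk = re.sub(r"^\s*Record \d+\s*$", "", chunk, flags=re.M).strip()
        if chunk:
            docs.append(chunk)
    return docs


def index_by_record_id(dump):
    """Map EventRecordID -> {provider, event_id, data} for every record."""
    out = {}
    for doc in split_events(dump):
        ev = ET.fromstring(doc)
        rid_text = ev.findtext("e:System/e:EventRecordID", namespaces=NS)
        if rid_text is None:
            continue  # nothing to key on; skip rather than guess
        provider = ev.find("e:System/e:Provider", NS)
        out[int(rid_text)] = {
            "provider": provider.get("Name") if provider is not None else None,
            "event_id": ev.findtext("e:System/e:EventID", namespaces=NS),
            "data": [(d.text or "") for d in ev.findall("e:EventData/e:Data", namespaces=NS)],
        }
    return out


def find_missing_data(reference, candidate):
    """Return (record_id, reason) for records whose Data is populated in the
    reference index but empty or absent in the candidate index."""
    missing = []
    for rid, ref in sorted(reference.items()):
        cand = candidate.get(rid)
        if cand is None:
            missing.append((rid, "record absent from candidate output"))
            continue
        ref_text = [t.strip() for t in ref["data"] if t.strip()]
        cand_text = [t.strip() for t in cand["data"] if t.strip()]
        if ref_text and not cand_text:
            missing.append((rid, f"{ref['provider']}/{ref['event_id']}: Data empty, expected {ref_text!r}"))
    return missing


def report(reference_xml, candidate_xml):
    """Compare two dumps of the same .evtx; reference is the trusted one."""
    return find_missing_data(index_by_record_id(reference_xml), index_by_record_id(candidate_xml))


if __name__ == "__main__":
    for rid, why in report(EVTXECMD_XML, EVTX_DUMP_XML):
        print(f"record {rid}: {why}")
```

Run against the full H_Application.evtx dumps, the same report() call lists every record where evtx_dump dropped Data that EvtxECmd recovered, which is the cheapest regression test to keep around when validating a parser fix such as the one referenced below.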

omerbenamram commented 5 years ago

Should now be fixed with #25.