williballenthin
commented
5 years ago that sounds great! i'd be happy to accept such a PR.
Closed WaryWolf closed 5 years ago
williballenthin
commented
5 years ago that sounds great! i'd be happy to accept such a PR.
WaryWolf
commented
5 years ago Thanks!
Hi,
First of all, thanks for writing such a useful tool!
I have used EVTXtract on memory images several times, and my usual process is to redirect stdout to a file, which i will then search with tools like grep, etc, to find events that are "interesting" to me. However, as all events get put into the one file with no delimiter in between, it can be hard to find where one event ends and another begins.
I'm not sure if there are better ways to ingest or interpret the output of EVTXtract - maybe I'm missing something and should be piping the output into another program.
Recently at a conference where I was doing a forensic challenge and using EVTXtract, I wrote a small modification to the code that lets the user choose to output each parsed event to its own file in a given directory. The files are named after the EventRecordID and also contain the EventID, so finding all events of a given ID is as easy as
ls *1234*.If this is useful to others then I can submit a pull request - please let me know.
Thanks, Anthony