Add windows.evtlogs plugin for XP / Server 2003 event logs#1995
Open
ricardojrdez wants to merge 1 commit into
Volatility 3 had no equivalent of vol2's evtlogs: the classic .evt event log format used by Windows XP / Server 2003 was unsupported (Vista+ uses the unrelated .evtx XML format). This adds a pure binary parser, no ISF/PDB symbols required.

It locates the memory-mapped .evt files in the EventLog service process by walking each process's VADs for a mapped *.evt file, reads the region in the process's virtual layer (which reassembles non-contiguous physical pages), and parses the EVENTLOGRECORD structures: scanning for the 'LfLe' signature and validating each record via the trailing length field. Records split across the circular buffer's wrap point are reconstructed using MaxSize from the ELF_LOGFILE_HEADER. Decoded fields include record number, generated/written timestamps, event ID, type, source, computer, owning SID and the substitution strings (message). NT 6.x+ images are rejected with a warning that the .evtx format is unsupported.

The only records that cannot be recovered are those whose pages were paged out to disk (absent from the RAM image).

Validated on a Zeus XP SP2 image: recovers 43 records from AppEvent.Evt and SysEvent.Evt mapped into services.exe (the XP EventLog host), with correct timestamps, sources (Service Control Manager, WinMgmt, EventLog, ...) and messages.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
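The scan-and-validate logic the description outlines, as an added Python example that is not the PR's code: it carves EVENTLOGRECORDs out of a byte region by the 'LfLe' signature, checks the trailing Length against the leading one, reassembles a record split at MaxSize, and decodes the fields, run against a constructed two-record .evt image. The example assumes that a split record's remainder continues directly after the ELF_LOGFILE_HEADER, and the sample records (no owner SID, no binary data) are constructed test data.

```python
import struct
from datetime import datetime, timezone

LFLE = b"LfLe"   # Reserved field of every record (and of the file header) carries this signature
HDR_LEN = 56     # fixed part of EVENTLOGRECORD; names, SID, strings, data and trailing Length follow

def _utf16_strs(raw, start, stop):  # NUL-separated UTF-16LE strings held in raw[start:stop]
    return raw[start:stop].decode("utf-16-le", "replace").split("\0")

def parse_record(raw):  # decode one complete EVENTLOGRECORD (any wrap already undone)
    rec_no, t_gen, t_wr, event_id, ev_type, n_str, str_off = struct.unpack_from("<8xIIIIHH8xI", raw)
    source, computer = (_utf16_strs(raw, HDR_LEN, str_off) + ["", ""])[:2]  # SourceName, ComputerName
    strings = _utf16_strs(raw, str_off, len(raw) - 4)[:n_str]                # substitution strings
    ts = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()       # seconds since 1970
    return {"record": rec_no, "generated": ts(t_gen), "written": ts(t_wr), "event_id": event_id & 0xFFFF,
            "type": ev_type, "source": source, "computer": computer, "message": " ".join(strings)}

def scan_evt(buf):  # carve validated records from a mapped .evt region, reassembling the split one
    hdr_size, sig, max_size = struct.unpack_from("<I4s24xI", buf)   # ELF_LOGFILE_HEADER fields
    if sig != LFLE:
        raise ValueError("no ELF_LOGFILE_HEADER signature")
    records, pos = [], hdr_size
    while (pos := buf.find(LFLE, pos)) != -1:
        start, pos = pos - 4, pos + 4             # Length sits immediately before the signature
        length = struct.unpack_from("<I", buf, start)[0]
        if length < HDR_LEN or length > max_size - hdr_size:
            continue                              # file header, EOF marker or corrupt candidate
        end, raw = start + length, buf[start:start + length]
        if end > max_size:                        # split record: assumed to continue right after header
            raw = buf[start:max_size] + buf[hdr_size:hdr_size + end - max_size]
        if len(raw) == length and struct.unpack_from("<I", raw, length - 4)[0] == length:
            records.append(parse_record(raw))     # trailing Length must echo the leading one
    return records

def build_record(rec_no, t, event_id, ev_type, source, computer, strings):  # constructed sample record
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    body = names + "".join(s + "\0" for s in strings).encode("utf-16-le")
    body += b"\0" * (-len(body) % 4)              # DWORD-aligned; no SID and no binary data section
    length = HDR_LEN + len(body) + 4
    hdr = struct.pack("<I4sIIIIHHHHIIIIII", length, LFLE, rec_no, t, t, event_id, ev_type,
                      len(strings), 0, 0, 0, HDR_LEN + len(names), 0, 0, 0, 0)
    return hdr + body + struct.pack("<I", length)

def sample_region():  # constructed 320-byte .evt image: record 7 intact, record 8 split at MaxSize
    r7 = build_record(7, 1199145600, 7036, 4, "Service Control Manager", "XP-ZEUS",
                      ["Event Log", "running"])
    r8 = build_record(8, 1199145660, 6005, 4, "EventLog", "XP-ZEUS", [])          # 96 bytes long
    header = struct.pack("<I4s10I", 48, LFLE, 1, 1, 112, 96, 9, 7, 320, 0, 0, 48)  # MaxSize = 320
    return header + r8[48:] + b"\0" * 16 + r7 + r8[:48]   # tail of r8 after the header, head at the end
```

Truncating the constructed region so the split record's tail is missing makes that record fail the trailing-length check and drop out while the intact one still parses, which is how a paged-out page shows up in practice.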