parse data from dirty chunks
xambroz opened this issue · 2 comments
Hello,
during HTB CTF 2023 I noticed that neither evtx_dump.py nor evtx_dump_json has the complete data.
There is an event in the attached Sysmon log about executing "rclone", but it is not visible using python-evtx:
Event not displayed:
"C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe" config create remote mega user majmeret@protonmail.com pass FBMeavdiaFZbWzpMqIVhJCGXZ5XXZI1qsU3EjhoKQw0rEoQqHyI
Workaround:
using https://github.com/libyal/libevtx or https://github.com/WithSecureLabs/chainsaw
Best regards
Michal Ambroz
python-evtx doesn't display records from the dirty chunks
$ evtx_info.py Microsoft-Windows-Sysmon%4Operational.evtx
Information from file header:
Format version : 3.2
Flags : 0x00000001
File is : dirty
Log is full : no
Current chunk : 0 of 1
Oldest chunk : 1
Next record# : 1
Check sum : pass
Suspected updated header values (header is dirty):
Current chunk : 1 of 1
Next record# : 58
Information from chunks:
  Chunk file (first/last)     log (first/last)      Header Data
- ----- --------------------- --------------------- ------ ------
* 1     1                  57 1                  57 pass   pass
  2     58                 96 58                 96 pass   pass
  3     [EMPTY]
  4     [EMPTY]
  5     [EMPTY]
  6     [EMPTY]
  7     [EMPTY]
  8     [EMPTY]
  9     [EMPTY]
  10    [EMPTY]
  11    [EMPTY]
  12    [EMPTY]
  13    [EMPTY]
  14    [EMPTY]
  15    [EMPTY]
  16    [EMPTY]
  17    [EMPTY]
evtx_dump.py exports only events 1-57.
evtxexport from https://github.com/libyal/libevtx exports events 1-96
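The evtx_info output above shows the gap: the on-disk header still says "Current chunk: 0 of 1" and is flagged dirty, while chunk 2 (records 58-96) passes both checksums. A parser that trusts the header's chunk count stops at record 57; one that walks every 64 KiB slot after the 4 KiB header and verifies each chunk's own CRC32 sees 1-96. The script below is an added example, not code from python-evtx or from either commenter. It uses the documented EVTX offsets (file header magic "ElfFile", chunk count at offset 42, flags at 120, CRC32 at 124; chunk magic "ElfChnk", first/last record identifiers at offsets 24/32, CRC32 over bytes 0-120 and 128-512 at 124). The `trust_header=True` branch that filters chunks by the header's count is an assumption about why a parser would end at 57 here, not a description of python-evtx internals. The sample image is constructed inline (chunk headers only, no record bodies) and is not the Sysmon log from the issue; pass a real .evtx path on the command line to scan that instead.

```python
"""Chunk scanner for EVTX files whose file header is stale ("dirty").

Added example, not python-evtx code. Offsets follow the EVTX on-disk layout:
file header 4096 bytes ("ElfFile\0"; chunk count uint16 at 42; flags uint32
at 120, bit 0 = dirty; CRC32 of bytes 0..120 at 124), then 65536-byte chunks
("ElfChnk\0"; first/last record number uint64 at 8/16, first/last record
identifier uint64 at 24/32; CRC32 of bytes 0..120 + 128..512 at 124).
"""
import struct
import zlib

HEADER_SIZE = 4096
CHUNK_SIZE = 65536
FILE_MAGIC = b"ElfFile\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
FLAG_DIRTY, FLAG_FULL = 0x1, 0x2


def parse_file_header(data):
    """Decode the file header and verify its CRC32 (a passing CRC does not mean it is current)."""
    if data[:8] != FILE_MAGIC:
        raise ValueError("not an EVTX file")
    first_chunk, last_chunk, next_record = struct.unpack_from("<QQQ", data, 8)
    (num_chunks,) = struct.unpack_from("<H", data, 42)
    flags, checksum = struct.unpack_from("<II", data, 120)
    return {"first_chunk": first_chunk, "last_chunk": last_chunk,
            "next_record": next_record, "num_chunks": num_chunks,
            "dirty": bool(flags & FLAG_DIRTY), "full": bool(flags & FLAG_FULL),
            "checksum_ok": zlib.crc32(data[:120]) == checksum}


def parse_chunk_header(chunk):
    """Return the chunk's record ranges and header-CRC status, or None if the slot is not a chunk."""
    if chunk[:8] != CHUNK_MAGIC:
        return None
    first_no, last_no, first_id, last_id = struct.unpack_from("<QQQQ", chunk, 8)
    (checksum,) = struct.unpack_from("<I", chunk, 124)
    return {"first_record": first_no, "last_record": last_no,
            "first_id": first_id, "last_id": last_id,
            "checksum_ok": zlib.crc32(chunk[:120] + chunk[128:512]) == checksum}


def scan_chunks(data):
    """Walk every 64 KiB slot after the header; keep chunks whose header CRC32 verifies."""
    found = []
    for index, offset in enumerate(range(HEADER_SIZE, len(data) - CHUNK_SIZE + 1, CHUNK_SIZE)):
        hdr = parse_chunk_header(data[offset:offset + CHUNK_SIZE])
        if hdr and hdr["checksum_ok"]:
            hdr["index"] = index
            found.append(hdr)
    return found


def record_range(data, trust_header):
    """(lowest, highest) record identifier reachable. trust_header=True stops at the
    header's chunk count (assumed cause of a parser ending at record 57 in the issue)."""
    chunks = scan_chunks(data)
    if trust_header:
        limit = parse_file_header(data)["num_chunks"]
        chunks = [c for c in chunks if c["index"] < limit]
    if not chunks:
        return None
    return min(c["first_id"] for c in chunks), max(c["last_id"] for c in chunks)


def build_chunk(first_id, last_id):
    """Constructed sample chunk: valid header and CRC32, record area left empty."""
    chunk = bytearray(CHUNK_SIZE)
    chunk[:8] = CHUNK_MAGIC
    struct.pack_into("<QQQQ", chunk, 8, first_id, last_id, first_id, last_id)
    struct.pack_into("<III", chunk, 40, 128, 512, 512)  # header size, last record offset, free space offset
    struct.pack_into("<I", chunk, 124, zlib.crc32(chunk[:120] + chunk[128:512]))
    return bytes(chunk)


def build_dirty_sample():
    """Constructed image mirroring the issue: header claims 1 chunk and is flagged dirty,
    but a second valid chunk (records 58-96) follows, then one empty slot."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = FILE_MAGIC
    struct.pack_into("<QQQ", hdr, 8, 0, 0, 1)  # first/last chunk number, next record id (stale)
    struct.pack_into("<IHHHH", hdr, 32, 128, 2, 3, HEADER_SIZE, 1)  # size, minor, major, block size, chunk count
    struct.pack_into("<I", hdr, 120, FLAG_DIRTY)
    struct.pack_into("<I", hdr, 124, zlib.crc32(hdr[:120]))
    return bytes(hdr) + build_chunk(1, 57) + build_chunk(58, 96) + bytes(CHUNK_SIZE)


def report(data):
    fh = parse_file_header(data)
    print("header: %d chunk(s), dirty=%s, checksum=%s" % (
        fh["num_chunks"], fh["dirty"], "pass" if fh["checksum_ok"] else "FAIL"))
    for c in scan_chunks(data):
        print("chunk %d: records %d-%d" % (c["index"] + 1, c["first_id"], c["last_id"]))
    print("trusting header:", record_range(data, True))
    print("scanning chunks:", record_range(data, False))


if __name__ == "__main__":
    import sys
    report(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_dirty_sample())
```

Only the chunk header CRC is verified here (the "Header" column in the output above); the record-area checksum at chunk offset 52 is left unchecked, so a chunk with a good header but truncated records would still be listed. Skipping slots whose CRC fails is what keeps the zeroed [EMPTY] slots out of the result.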