williballenthin/python-evtx williballenthin/python-evtx

  • Stars
    star
    703
  • Rank 63,975 (Top 2 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created over 11 years ago
  • Updated about 2 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
williballenthin/python-evtx
github

williballenthin

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Pure Python parser for Windows Event Log files (.evtx)

python-evtx

Introduction

python-evtx is a pure Python parser for recent Windows Event Log files (those with the file extension ".evtx"). The module provides programmatic access to the File and Chunk headers, record templates, and event entries. For example, you can use python-evtx to review the event logs of Windows 7 systems from a Mac or Linux workstation. The structure definitions and parsing strategies were heavily inspired by the work of Andreas Schuster and his Perl implementation "Parse-Evtx".

Background

With the release of Windows Vista, Microsoft introduced an updated event log file format. The format used in Windows XP was a circular buffer of record structures that each contained a list of strings. A viewer resolved templates hosted in system library files and inserted the strings into appropriate positions. The newer event log format is proprietary binary XML. Unpacking chunks from an event log file from Windows 7 results in a complete XML document with a variable schema. The changes helped Microsoft tune the file format to real-world uses of event logs, such as long running logs with hundreds of megabytes of data, and system independent template resolution.

Related Work

Andreas Schuster released the first public description of the .evtx file format in 2007. He is the author of the thorough document "Introducing the Microsoft Vista event log file format" that describes the motivation and details of the format. Mr. Schuster also maintains the Perl implementation of a parser called "Parse-Evtx". I referred to the source code of this library extensively during the development of python-evtx.

Joachim Metz also released a cross-platform, LGPL licensed C++ based parser in 2011. His document "Windows XML Event Log (EVTX): Analysis of EVTX" provides a detailed description of the structures and context of newer event log files.

Dependencies

python-evtx works on both the 2.7 and 3.x versions of the Python programming language. As it is purely Python, the module works equally well across platforms. The code does not depend on any modules that require separate compilation; however, if you have lxml installed, its even nicer.

python-evtx operates on event log files from Windows operating systems newer than Windows Vista. These files typically have the file extension .evtx. Version 5.09 of the file utility identifies such a file as "MS Vista Windows Event Log". To manual confirm the file type, look for the ASCII string "ElfFile" in the first seven bytes:

willi/evtx  ยป xxd -l 32 Security.evtx 
0000000: 456c 6646 696c 6500 0000 0000 0000 0000  ElfFile.........
0000010: d300 0000 0000 0000 375e 0000 0000 0000  ........7^......

Examples

Provided with the parsing module Evtx are four scripts that mimic the tools distributed with Parse-Evtx. evtx_info.py prints metadata about the event log and verifies the checksums of each chunk. evtx_templates.py builds and prints the templates used throughout the event log. evtx_dump.py parses the event log and transforms the binary XML into a human readable ASCII XML format. Finally, evtx_dump_json.py parses event logs, similar to evtx_dump.py and transforms the binary XML into JSON with the added capability to output the JSON array to a file.

Note the length of the evtx_dump.py script: its only 20 lines. Now, review the contents and notice the complete implementation of the logic:

print(e_views.XML_HEADER)
print('<Events>')
for record in log.records:
    print(record.xml())
print('</Events>')

Working with python-evtx is really easy!

Installation

Updates to python-evtx are pushed to PyPi, so you can install the module using either easy_install or pip. For example, you can use pip like so:

pip install python-evtx

The source code for python-evtx is hosted at Github, and you may download, fork, and review it from this repository (http://www.github.com/williballenthin/python-evtx). Please report issues or feature requests through Github's bug tracker associated with the project.

License

python-evtx is licensed under the Apache License, Version 2.0. This means it is freely available for use and modification in a personal and professional capacity.

More Repositories

1

python-idb

Pure Python parser and analyzer for IDA Pro database files (.idb).
Python
452
star
2

python-registry

Pure Python parser for Windows Registry hives.
Python
427
star
3

INDXParse

Tool suite for inspecting NTFS artifacts.
Python
210
star
4

EVTXtract

EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.
Python
176
star
5

shellbags

Cross-platform, open-source shellbag parser
Python
148
star
6

process-forest

Reconstruct process trees from event logs
Python
144
star
7

idawilli

IDA Pro resources, scripts, and configurations
Python
112
star
8

python-sdb

Pure Python parser for Application Compatibility Shim Databases (.sdb files)
Python
104
star
9

lancelot

intel x86(-64) code analysis library that reconstructs control flow
Rust
94
star
10

python-ntfs

Open source Python library for NTFS analysis
Python
79
star
11

ida-netnode

Humane API for storing and accessing persistent data in IDA Pro databases
Python
74
star
12

govt

Virustotal API for Go
Go
64
star
13

python-dotnet-binaryformat

Pure Python parser for data encoded by .NET's BinaryFormatter
Python
46
star
14

python-evt

Pure Python parser for classic Windows Event Log files (.evt)
Python
46
star
15

go-reversing

Resources for reverse engineering Go binaries
Python
41
star
16

python-vb

analysis of visual basic code
Python
39
star
17

LfLe

Recover event log entries from an image by heurisitically looking for record structures.
Python
26
star
18

viv-utils

Utilities for working with vivisect
Python
20
star
19

ida-settings

Fetch and set configuration values from IDAPython scripts
Python
20
star
20

wevt_template

extract and parse WEVT_TEMPLATEs from PE files
Rust
17
star
21

Autopsy-WindowsRegistryContentViewer

no longer maintained
Java
16
star
22

reversing-clj

messing around writing reversing tools in clojure
JavaScript
14
star
23

Autopsy-WindowsRegistryIngestModule

no longer maintained
Java
13
star
24

siglib

function identification signatures
Python
10
star
25

python-pyqt5-hexview

PyQt5 hex viewer widget.
Python
10
star
26

ucutils

Convenience routines for working with the Unicorn emulator in Python
Python
9
star
27

python-pyqt5-vstructui

PyQt5 vstruct hex viewer widget.
Python
9
star
28

Rejistry

Pure Java parser for Windows Registry hive files.
Java
8
star
29

vivisect-vstruct

standalone copy of vstruct from vivisect
Python
5
star
30

dotfiles

Local configuration files for various Linux tools
Shell
5
star
31

williballenthin.com

Source for my personal website
JavaScript
2
star
32

zydis-wasm

example project with zydis targetting wasm
Rust
2
star
33

cfg-ui

experiments in user interfaces around control flow graphs
JavaScript
2
star
34

highlighter-minor-mode

An Emacs minor mode for log analysis.
Emacs Lisp
1
star