EVTXtract 0.2.3-1.el8

Summary: Recover and reconstruct fragments of EVTX log files from raw binary data. Python 2 and Python 3 are supported.

Description

EVTX records are XML fragments encoded using a Microsoft-specific binary XML representation. Despite the convenient format, it is not easy to recover EVTX event log records from a corrupted file or unallocated space, because the complete representation of a record often depends on other records found nearby. The event log service recognizes similarities among records and refactors commonalities into "templates". A template is a fixed structure with placeholders that reserve space for variable content. The on-disk event log record structure is a reference to a template and a list of substitutions (the variable content that replaces a placeholder in the template). To decode a record into XML, the event log service resolves the template and replaces its placeholders with the entries of the substitution array. Therefore, template corruption renders many records unrecoverable within the local 64KB "chunk". However, the substitution array for the remaining records may still be intact. If so, it may be possible to produce XML fragments that match the original records if the damaged template can be reconstructed. For many common events, such as process creation or account logon, empirical testing demonstrates that the relevant templates remain mostly constant. In these cases, recovering event log records boils down to identifying appropriate templates found in other EVTX chunks.

Algorithm

1. Scan for chunk signatures ("ElfChnk")
   a. check header for sane values (0x80 <= size <= 0x200)
   b. verify checksums (header, data)
2. Extract records from valid chunks found in (1)
3. Extract templates from valid chunks found in (1)
4. Scan for record signatures
   a. check header for sane values
   b. extract timestamp
   c. attempt to parse substitutions
   d. attempt to decode substitutions into EID, other fields
5. Reconstruct records by reusing old templates with recovered substitutions

Package metadata

Build host: lftr-centos-8-x86-64.cs2.cert.org
Build time: 1633520100
License: Apache License 2.0
Group: Unspecified
URL: https://github.com/williballenthin/EVTXtract
OS / architecture: linux x86_64
Source RPM: EVTXtract-0.2.3-1.el8.src.rpm
Provides: EVTXtract, EVTXtract(x86-64)
Requires: /bin/sh, rpmlib(CompressedFileNames) 3.0.4-1, rpmlib(FileDigests) 4.6.0-1, rpmlib(PayloadFilesHavePrefix) 4.0-1, rpmlib(PayloadIsXz) 5.2-1
RPM version: 4.14.3
Payload: cpio, xz compressed

Changelog

Lawrence R. Rogers - 0.2.3-1
- Release 0.2.4-3 Version 0.2.3, built as a virtual environment

Installed files (all in /usr/bin/, POSIX shell script, ASCII text executable, owned by root)

evtx_dump.py
evtx_dump_chunk_slack.py
evtx_eid_record_numbers.py
evtx_extract_record.py
evtx_filter_records.py
evtx_info.py
evtx_record_structure.py
evtx_structure.py
evtx_templates.py
evtxtract

Install script (runs under /bin/sh after the package is installed)

    echo Building the Python Virtual Environment for EVTXtract. This will take a while. > /proc/$PPID/fd/1
    mkdir -p /usr/local/lib/PythonVirtualEnvironments/EVTXtract-0.2.3
    virtualenv-3 -q /usr/local/lib/PythonVirtualEnvironments/EVTXtract-0.2.3
    . /usr/local/lib/PythonVirtualEnvironments/EVTXtract-0.2.3/bin/activate
    cp /dev/null /tmp/EVTXtract-0.2.3-install.log
    for p in pip EVTXtract
    do
        echo -n Installing $p in the virtual environment ... > /proc/$PPID/fd/1
        pip install --upgrade "$p" >> /tmp/EVTXtract-0.2.3-install.log 2>&1
        echo " Done" > /proc/$PPID/fd/1
    done
    echo Done building the Python Virtual Environment for EVTXtract. > /proc/$PPID/fd/1

Uninstall cleanup (runs under /bin/sh after the package is removed)

    rm -rf /usr/local/lib/PythonVirtualEnvironments/EVTXtract-0.2.3
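Steps 1 and 2 of the algorithm above (scan for "ElfChnk" signatures, sanity-check the header, verify both checksums, then walk the records of each verified chunk), as an added Python example that is not EVTXtract's own code. Field offsets follow the public EVTX chunk and record layout and are stated in the comments; the sample chunk is constructed inside the block so it runs offline.

```python
import struct, zlib

CHUNK_SIZE = 0x10000                 # every EVTX chunk is 64 KiB
CHUNK_MAGIC = b"ElfChnk\x00"         # chunk signature (algorithm step 1)
RECORD_MAGIC = b"\x2a\x2a\x00\x00"   # record signature (algorithm step 4)

def chunk_header_ok(buf, off):
    """Steps 1a/1b: sane header values and both CRC32 checksums for the chunk at buf[off]."""
    if len(buf) - off < CHUNK_SIZE:
        return False
    # header fields at 40..56: header size, last record offset, free-space offset, data CRC
    hdr_size, _last_rec, free_off, data_crc = struct.unpack_from("<IIII", buf, off + 40)
    if hdr_size != 0x80 or not 0x200 <= free_off <= CHUNK_SIZE:
        return False
    # header CRC (at 124) covers bytes 0..120 and 128..512; data CRC covers 512..free_off
    hdr_crc = zlib.crc32(buf[off:off + 120] + buf[off + 128:off + 512])
    return (hdr_crc == struct.unpack_from("<I", buf, off + 124)[0]
            and zlib.crc32(buf[off + 512:off + free_off]) == data_crc)

def find_chunks(buf):
    """Step 1: offsets of every 'ElfChnk' signature that survives the checks."""
    hits, pos = [], buf.find(CHUNK_MAGIC)
    while pos != -1:
        if chunk_header_ok(buf, pos):
            hits.append(pos)
        pos = buf.find(CHUNK_MAGIC, pos + 1)
    return hits

def records_in_chunk(buf, off):
    """Step 2: walk a verified chunk's record area -> [(record number, FILETIME, binxml)]."""
    end, pos, out = off + struct.unpack_from("<I", buf, off + 48)[0], off + 0x200, []
    while pos + 24 <= end and buf[pos:pos + 4] == RECORD_MAGIC:
        size, num, ts = struct.unpack_from("<IQQ", buf, pos + 4)
        # the size is repeated as the record's last dword; a mismatch means a torn record
        if size < 28 or pos + size > end or struct.unpack_from("<I", buf, pos + size - 4)[0] != size:
            break
        out.append((num, ts, buf[pos + 24:pos + size - 4]))
        pos += size
    return out

def make_test_chunk(records):
    """Constructed sample input (not a real log): one chunk whose checksums validate."""
    body = b""
    for num, ts, binxml in records:
        size = 28 + len(binxml)
        body += RECORD_MAGIC + struct.pack("<IQQ", size, num, ts) + binxml + struct.pack("<I", size)
    hdr = bytearray(CHUNK_MAGIC) + bytearray(0x200 - 8)
    struct.pack_into("<IIII", hdr, 40, 0x80, 0x200, 0x200 + len(body), zlib.crc32(body))
    struct.pack_into("<I", hdr, 124, zlib.crc32(hdr[:120] + hdr[128:512]))
    return (bytes(hdr) + body).ljust(CHUNK_SIZE, b"\x00")
```

A chunk whose data checksum fails is skipped entirely, which is exactly the situation in which steps 4 and 5 (record signature scan and template reuse) take over.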