Output failed file?

[Kerokus]

We pull event logs out of RAM for forensic analysis. This can lead to both complete and incomplete files, and when you have hundreds of event logs trying to figure out which ones are good and which ones are bad can be tedious. When Chainsaw hits an incomplete/corrupt file it stops the whole search with the message "an error occurred while trying to deserialize evtx stream". If there's 400 evtx logs and only 1 of them is bad, it will stop the whole search.

Is it possible to have it skip files it can't parse in order to complete the search? Or barring that can it at least output which file it hung up on so I can remove it from the directory?

[fscc-jamesd]

Hi @Kerokus

This is a good find, thanks for rasing this issue. I never considered the use case of needed to supported partially corrupted event logs, but your explanation makes sense. I'll look at adding this though a --skip-verify option or similar.

[fscc-jamesd]

Re-opened, closed it by mistake. I've got a fix on the way for this.

[fscc-jamesd]

@Kerokus This should be fixed in #44. Chainsaw will now output the name of the EVTX file that failed to parse. This PR also adds the --ignore-errors option to not stop chainsaw when it hits an evtx parsing error.