Integrate winevt-kb extract and export functionality into plaso tool #636
Comments
Hi @joachimmetz. Is this going to be implemented in the 1.6.0 release? Would be nice 🥇
@rodgermoore this is not likely to get done before the next mid year release (1.6.0)
Storage changes have a higher priority at the moment, but should make it easier to implement this in plaso during extraction.
Unlikely to be implemented before Jan 25, bumping release
Not going to make release, removing milestone. Please do not re-assign to a milestone until this issue has been cleaned up.
how to handle an event provider defined as event source:
and winevt publisher
Looks like the 0xb0000000 mask is also used
Regarding the use of 0xb0000000 it seems to be mixed e.g.
Also seen
Is this related to channels?
Maybe related to 2 event providers using the same message resource file?
Link to
More research is needed here added to #163
EventLog providers with multiple names:
Note to self to check for unsupported EventLog providers
Per libyal/winevt-kb#10 request to keep winevt-kb tooling and plaso closely synced. Best approach is to have the functionality to extract Windows EventLog resources embedded in Plaso.
- add pyexe and pywrc dependencies to gift, l2tdevtools and l2tbinaries
  - GIFT
  - l2tbinaries win32
  - l2tbinaries win64
  - l2tbinaries macosx
- add WindowsEventLogProviders artifact definition - Added WindowsEventLogProviders definition ForensicArtifacts/artifacts#422
- add PreprocessingWarning
- release new version of ForensicArtifacts - https://github.com/ForensicArtifacts/artifacts/releases/tag/20210620
- extract and store Windows EventLog providers in knowledge base (WindowsEventLogProviderArtifact, WindowsEventLogProvidersPlugin) - Changed preprocessing to extract Windows EventLog providers #636 #3755
- Move event log providers out of system configuration - Moved EventLog providers out of system configuration #636 #3819
- extract EventLog message strings - Changed pe parser to extract message strings #636 #3853
- move winevtrc-db and "native" winevtrc into output helper class - Added Windows EventLog resources output helper #636 #3856
- output extracted message strings - Changes Windows EventLog resources output helper #636 #3860
- add log2timeline option to set preferred language - Added preferred language extraction option #636 #3869
- add log2timeline option to disable message string extraction - Added extract Windows EventLog resources option #636 #3871
- Next steps and improvements captured in #163