def find_evtx_chunks(state, buf, progress_class=NullProgress):
    """
    Scan `buf` for EVTX chunk structures whose header and data checksums
    verify, recording each accepted offset in the State instance.

    Every occurrence of EVTX_HEADER_MAGIC in the buffer is a candidate.
    A candidate that passes the `does_offset_seems_like_chunk_header`
    pre-check is rejected (and logged at debug level with the reason) when
    fewer than 0x10000 bytes remain after it, when the header checksum does
    not verify, or when the data checksum does not verify; the checksum
    comparisons are what keep arbitrary bytes around a magic value from
    being accepted as a chunk.

    @type state: State
    @type buf: bytestring
    @type progress_class: callable taking the buffer length; the returned
        object must provide set_current(offset) and set_complete()
    @rtype: int
    @return: The number of chunks found and added to the State database.
    """
    progress = progress_class(len(buf))
    accepted = 0
    candidate = buf.find(EVTX_HEADER_MAGIC)
    while candidate != -1:
        progress.set_current(candidate)
        if does_offset_seems_like_chunk_header(buf, candidate):
            chunk = ChunkHeader(buf, candidate)
            # Reason the candidate is rejected, or None to accept it. The
            # data checksum is only computed once the header checksum verifies.
            rejection = None
            if len(buf) - candidate < 0x10000:
                rejection = "CHUNK_BAD_SIZE"
            elif chunk.calculate_header_checksum() != chunk.header_checksum():
                rejection = "CHUNK_BAD_HEADER"
            elif chunk.calculate_data_checksum() != chunk.data_checksum():
                rejection = "CHUNK_BAD_DATA"

            if rejection is None:
                state.add_valid_chunk_offset(candidate)
                accepted += 1
            else:
                logger.debug("%s\t%s" % (rejection, hex(candidate)))
        # Resume the search one byte past the current hit so overlapping
        # or adjacent magic values are all considered.
        candidate = buf.find(EVTX_HEADER_MAGIC, candidate + 1)
    progress.set_complete()
    return accepted
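def extract_chunk(buf, offset, state, templates):
    """
    Parse an EVTX chunk updating the State with new valid records, and
    extracting the templates into a TemplateDatabase.

    Records are processed independently: a record whose XML rendering raises
    a Unicode encode/decode error, an InvalidRecordException, or any other
    exception is logged at info level and skipped, so a single damaged
    record does not abort the rest of the chunk. The final broad catch is
    deliberate for carving from corrupt or partially overwritten data; the
    failure is logged with the record offset rather than silently dropped.

    @sideeffect: parameter `templates`
    @sideeffect: parameter `state`
    @type buf: bytestring
    @type offset: int
    @param offset: offset of the chunk header within `buf`
    @type state: State
    @type templates: TemplateDatabase
    """
    logger.debug("Considering chunk at offset %d", offset)
    chunk = ChunkHeader(buf, offset)
    # Shared across all records of this chunk; handed to the XML renderer.
    cache = {}
    for record in chunk.records():
        # Kept distinct from `offset` (the chunk offset) so the parameter is
        # not rebound inside the loop.
        record_offset = record.offset()
        try:
            logger.debug("Considering record at offset %d", record_offset)
            record_xml = evtx_record_xml_view(record, cache=cache)
            eid = get_eid(record_xml)
            state.add_valid_record(record_offset, eid, record_xml)
            templates.add_template(get_template(record, record_xml))
        except UnicodeEncodeError:
            logger.info("Unicode encoding issue processing record at %s",
                        hex(record_offset))
        except UnicodeDecodeError:
            logger.info("Unicode decoding issue processing record at %s",
                        hex(record_offset))
        except InvalidRecordException:
            logger.info("EVTX parsing issue processing record at %s",
                        hex(record_offset))
        except Exception as e:
            # Best-effort carving: keep going with the next record.
            logger.info("Unknown exception processing record at %s: %s",
                        hex(record_offset), str(e))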