velociraptor icon indicating copy to clipboard operation
velociraptor copied to clipboard

Published 20 hours ago verified publisher icon Velocidex

Native EVTX carving

Open mgreen27 opened this issue 3 years ago • 2 comments

We would like a VQL native EVTX carver.

Scan logical disk using yara for file type headers. Extract bytes and use binary parser for parsing out records/part records.

Windows.Carving.USN is a similar example.

mgreen27 avatar Feb 10 '22 13:02 mgreen27

This is a duplicate of #319

scudette avatar Feb 18 '22 05:02 scudette

This is a duplicate of #319

H3kc avatar Oct 28 '22 19:10 H3kc