dfir-toolkit

evtx2bodyfile aborts parsing when a single invalid evtx file is found

Open Bitbee0 opened this issue 10 months ago • 0 comments

When parsing a list of evtx files, the evtx2bodyfile tool aborts directly if a file is invalid.

Maybe we can use some sort of fallback mechanism, so that the other valid evtx files in the directory can still be parsed, and just print a warning when an invalid evtx file is found.

The name of the invalid evtx file in my case: `Microsoft-Windows-Global\ Secure\ Access\ Client-Debug.evtx` (I figured this out by trying to parse every single evtx file).

RUST_BACKTRACE=full evtx2bodyfile Windows/System32/winevt/logs/*.evtx
thread 'main' panicked at /home/user/.cargo/registry/src/index.crates.io-6f17d22bba15001f/dfir-toolkit-0.11.2/src/bin/evtx2bodyfile/evtx_file.rs:65:46:
called `Result::unwrap()` on an `Err` value: An error occurred while trying to deserialize evtx stream.

Caused by:
    Invalid EVTX file header magic, expected `ElfFile0`, found `[ 0, 10,  0,  0,  0,  3,  0,  0]`

Stack backtrace:
   0: anyhow::error::<impl core::convert::From<E> for anyhow::Error>::from
   1: evtx2bodyfile::evtx_file::EvtxFile::create_progress_bar
   2: evtx2bodyfile::evtx_file::EvtxFile::print_records
   3: evtx2bodyfile::main
   4: std::sys::backtrace::__rust_begin_short_backtrace
   5: std::rt::lang_start::{{closure}}
   6: std::rt::lang_start_internal
   7: main
   8: __libc_start_call_main
             at ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
   9: __libc_start_main_impl
             at ./csu/../csu/libc-start.c:360:3
  10: _start
stack backtrace:
   0:     0x62401dffda5a - <std::sys::backtrace::BacktraceLock::print::DisplayBacktrace as core::fmt::Display>::fmt::h304520fd6a30aa07
   1:     0x62401e020e6b - core::fmt::write::hf5713710ce10ff22
   2:     0x62401dffadc3 - std::io::Write::write_fmt::hda708db57927dacf
   3:     0x62401dffed42 - std::panicking::default_hook::{{closure}}::he1ad87607d0c11c5
   4:     0x62401dffe9ae - std::panicking::default_hook::h81c8cd2e7c59ee33
   5:     0x62401dfff53f - std::panicking::rust_panic_with_hook::had2118629c312a4a
   6:     0x62401dfff2b7 - std::panicking::begin_panic_handler::{{closure}}::h7fa5985d111bafa2
   7:     0x62401dffdf39 - std::sys::backtrace::__rust_end_short_backtrace::h704d151dbefa09c5
   8:     0x62401dffef44 - rust_begin_unwind
   9:     0x62401de94ce3 - core::panicking::panic_fmt::h3eea515d05f7a35e
  10:     0x62401de95156 - core::result::unwrap_failed::h7c8d8bbbcf45dc13
  11:     0x62401deafc74 - evtx2bodyfile::evtx_file::EvtxFile::print_records::h1b5eab8be952337e
  12:     0x62401deab40c - evtx2bodyfile::main::h4b4b222bfd3e378e
  13:     0x62401dec4be3 - std::sys::backtrace::__rust_begin_short_backtrace::h6b48135d3dc80fc2
  14:     0x62401decf03d - std::rt::lang_start::{{closure}}::h096248ab05e27a03
  15:     0x62401dff3400 - std::rt::lang_start_internal::h4d90db0530245041
  16:     0x62401deab585 - main
  17:     0x7c139b82a1ca - __libc_start_call_main
                               at ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
  18:     0x7c139b82a28b - __libc_start_main_impl
                               at ./csu/../csu/libc-start.c:360:3
  19:     0x62401de95495 - _start
  20:                0x0 - <unknown>

Bitbee0, Feb 13 '25 08:02
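The fallback the report asks for, written as an added example in Rust (not code from dfir-toolkit): instead of calling `unwrap()` on the parser result for each file, check each file's EVTX header magic (`ElfFile\0`) up front, report files that fail the check on stderr, and keep going with the rest of the batch. The fixture files are constructed inside the example (a minimal valid header, the exact eight bytes quoted in the panic message, and a truncated file); the function names `check_evtx_header`, `process_batch` and `build_fixtures` are this example's own and do not exist in the project.

```rust
use std::fmt;
use std::fs::File;
use std::io::{self, Read};
use std::path::{Path, PathBuf};

/// Magic bytes at offset 0 of every EVTX file header: "ElfFile\0".
const EVTX_MAGIC: [u8; 8] = *b"ElfFile\0";

/// Per-file failure. The batch driver reports it and moves on; it never panics.
#[derive(Debug)]
pub enum EvtxCheckError {
    Io(io::Error),
    /// First 8 bytes did not match EVTX_MAGIC; carries what was found.
    BadMagic([u8; 8]),
    /// File is shorter than the 8-byte magic.
    TooShort,
}

impl fmt::Display for EvtxCheckError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            EvtxCheckError::Io(e) => write!(f, "I/O error: {e}"),
            EvtxCheckError::BadMagic(found) => write!(
                f,
                "invalid EVTX file header magic, expected `ElfFile\\0`, found {found:?}"
            ),
            EvtxCheckError::TooShort => write!(f, "file shorter than the 8-byte EVTX magic"),
        }
    }
}

/// Cheap pre-flight check: read the first 8 bytes and compare with the EVTX magic.
/// This only catches non-EVTX files; a real parser still validates the rest of the header.
pub fn check_evtx_header(path: &Path) -> Result<(), EvtxCheckError> {
    let mut f = File::open(path).map_err(EvtxCheckError::Io)?;
    let mut magic = [0u8; 8];
    match f.read_exact(&mut magic) {
        Ok(()) => {}
        Err(e) if e.kind() == io::ErrorKind::UnexpectedEof => return Err(EvtxCheckError::TooShort),
        Err(e) => return Err(EvtxCheckError::Io(e)),
    }
    if magic != EVTX_MAGIC {
        return Err(EvtxCheckError::BadMagic(magic));
    }
    Ok(())
}

/// Batch driver: one bad file produces a warning, not an abort.
/// Returns the files that passed and the files that were skipped with their reason.
pub fn process_batch(paths: &[PathBuf]) -> (Vec<PathBuf>, Vec<(PathBuf, EvtxCheckError)>) {
    let mut ok = Vec::new();
    let mut skipped = Vec::new();
    for p in paths {
        match check_evtx_header(p) {
            Ok(()) => ok.push(p.clone()),
            Err(e) => {
                eprintln!("warning: skipping {}: {}", p.display(), e);
                skipped.push((p.clone(), e));
            }
        }
    }
    (ok, skipped)
}

/// Constructed fixtures (not real event logs) written to a temp directory:
/// a 4096-byte file with a valid magic, the bad bytes from the issue, and a truncated file.
pub fn build_fixtures() -> io::Result<Vec<PathBuf>> {
    let dir = std::env::temp_dir().join(format!("evtx_fixtures_{}", std::process::id()));
    std::fs::create_dir_all(&dir)?;

    let good = dir.join("Security.evtx");
    let mut header = EVTX_MAGIC.to_vec();
    header.resize(4096, 0); // pad to the size of one EVTX file header
    std::fs::write(&good, &header)?;

    let bad = dir.join("Microsoft-Windows-Global Secure Access Client-Debug.evtx");
    std::fs::write(&bad, [0u8, 10, 0, 0, 0, 3, 0, 0])?; // bytes quoted in the panic

    let short = dir.join("truncated.evtx");
    std::fs::write(&short, b"Elf")?;

    Ok(vec![good, bad, short])
}

fn main() -> io::Result<()> {
    let paths = build_fixtures()?;
    let (ok, skipped) = process_batch(&paths);
    println!("processed {} file(s), skipped {}", ok.len(), skipped.len());
    Ok(())
}
```

The same shape applies inside the tool: the `Result` that is currently unwrapped at `evtx_file.rs:65` can be matched per file, with the `Err` branch logging the file name and continuing, so a single non-EVTX file in `winevt/logs/*.evtx` no longer stops the whole run.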