Matthew Seyer
Ping @ohadravid or @omerbenamram
Ping. @ohadravid @omerbenamram
Any thoughts @ohadravid @omerbenamram? I added this as non-default option if that was a concern. This recovers a good amount of records. Also added tests for functionality.
> Why not the following json that is the output for the non-wec EVTX file? I think it's more representative of the original XML > > ``` > { >...
@OlafHaalstra, you will want to create a custom tool around the `evtx` library and do something like this: ```rust let mut evtx_parser = match EvtxParser::from_path(path) { Ok(p) => p.with_configuration(parser_settings),...
> Preferably I want to have it baked into the code. Not sure where to start. Running into problems with option (2): apparently renaming fields is not trivial. > >...
@OlafHaalstra I made a video that I think will answer your question on how to do this and also give you an example of how to create a CLI around...
I looked at this and see that the actual record's event id does no bit masking in this library: https://github.com/omerbenamram/evtx/blob/master/src/evtx_record.rs#L50 Thus, this should maintain the instance id (as no bit...
Both TZ and Zimmerman's tool parse these entries. Zimmerman will report that there is a mismatch, but continue with the parsing. I believe that is the correct approach.