nwf9
Hi Willi, unfortunately it would not crash the process until I stop it with a kill signal; I see a lot of activity with iotop but no more results...
Thank you for all your findings. In my case I am testing on only 60GB. It's currently underway.
Unfortunately the process kills itself:

```
evtxtract raw_disk.001 > evtxcarve.xml
INFO:evtxtract.carvers:Unknown exception processing record at 0xC74052200
Traceback (most recent call last):
  File "build/bdist.linux-x86_64/egg/evtxtract/carvers.py", line 174, in extract_chunk_records
    record_xml = Evtx.Views.evtx_record_xml_view(record,...
```
I have 32 gigabytes and more than 24 CPU cores.
I will test only the evtx in the unallocated clusters.
I can confirm that it works better on the unallocated cluster image, because I recovered more than 110MB of events while I recovered only 510K with a disk image.
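The two reports above (a single record raising an unknown exception inside the carver, and far more data coming back from an unallocated-cluster image than from the full disk image) come down to how a carver validates what it finds and what it does when one record is bad. The following is an added example written for this thread; it is not evtxtract's code nor code by any participant. It scans a byte buffer for the `ElfChnk` chunk signature, keeps only chunks whose header CRC32 validates (so stale or partly overwritten hits in unallocated space are dropped rather than parsed), then walks the record chain and isolates any per-record failure to that record instead of aborting the chunk. The field offsets and the two CRC32 definitions follow the public EVTX chunk layout; `build_chunk` and its sample records are a constructed fixture, not data from a real log. BinXML itself is not decoded: only the fragment-header check is performed.

```python
"""Minimal EVTX chunk carver with per-record fault isolation (added example)."""
import struct
import zlib
from datetime import datetime, timedelta, timezone

CHUNK_MAGIC = b"ElfChnk\x00"
CHUNK_SIZE = 0x10000          # every EVTX chunk is 64 KiB
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
RECORD_HDR = 24               # magic(4) size(4) record id(8) FILETIME(8)


def chunk_header_checksum(chunk: bytes) -> int:
    # CRC32 of the first 120 header bytes plus the string/template tables (128..512);
    # the flags and checksum fields at 120..128 are excluded from the calculation.
    return zlib.crc32(bytes(chunk[:120]) + bytes(chunk[128:512])) & 0xFFFFFFFF


def carve_chunks(image: bytes) -> list:
    """Return (offset, chunk) for every ElfChnk signature whose header CRC validates.
    Signature hits with a bad CRC (stale or partly overwritten chunks) are skipped."""
    hits = []
    pos = image.find(CHUNK_MAGIC)
    while pos != -1:
        chunk = image[pos:pos + CHUNK_SIZE]
        if len(chunk) == CHUNK_SIZE and \
           struct.unpack_from("<I", chunk, 124)[0] == chunk_header_checksum(chunk):
            hits.append((pos, chunk))
        pos = image.find(CHUNK_MAGIC, pos + 1)
    return hits


def filetime_to_iso(ft: int) -> str:
    # Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=ft // 10)).isoformat()


def check_binxml_fragment(data: bytes) -> None:
    # Every record body starts with a BinXML fragment header: token 0x0f, version 1.1, flags 0.
    if data[:4] != b"\x0f\x01\x01\x00":
        raise ValueError("record body does not start with a BinXML fragment header")


def walk_records(chunk: bytes) -> list:
    """Walk records from offset 512 up to the free-space offset. A record that fails
    decoding is reported with an 'error' key instead of aborting the whole chunk."""
    free_space = struct.unpack_from("<I", chunk, 48)[0]
    stored_crc = struct.unpack_from("<I", chunk, 52)[0]
    data_ok = (zlib.crc32(bytes(chunk[512:free_space])) & 0xFFFFFFFF) == stored_crc
    records, off = [], 512
    while off + RECORD_HDR <= free_space and chunk[off:off + 4] == RECORD_MAGIC:
        size, rid, ft = struct.unpack_from("<IQQ", chunk, off + 4)
        if size < RECORD_HDR + 4 or off + size > free_space:
            break                     # structurally broken: the rest of the chain cannot be trusted
        rec = {"offset": off, "id": rid, "written": filetime_to_iso(ft), "chunk_data_ok": data_ok}
        try:
            if struct.unpack_from("<I", chunk, off + size - 4)[0] != size:
                raise ValueError("trailing size copy mismatch")
            body = chunk[off + RECORD_HDR:off + size - 4]
            check_binxml_fragment(body)
            rec["binxml"] = bytes(body)
        except ValueError as exc:     # isolate the failure to this record only
            rec["error"] = str(exc)
        records.append(rec)
        off += size
    return records


def build_chunk(records: list) -> bytes:
    """Constructed test fixture (not a real log): build a chunk from (record_id, filetime, body)
    tuples with both CRC32 fields filled in so carve_chunks accepts it."""
    body, last_off = bytearray(), 512
    for rid, ft, payload in records:
        last_off = 512 + len(body)                       # offset of the last record's start
        size = RECORD_HDR + len(payload) + 4
        body += RECORD_MAGIC + struct.pack("<IQQ", size, rid, ft) + payload + struct.pack("<I", size)
    chunk = bytearray(CHUNK_SIZE)
    chunk[0:8] = CHUNK_MAGIC
    struct.pack_into("<QQQQ", chunk, 8, 1, len(records), records[0][0], records[-1][0])
    struct.pack_into("<III", chunk, 40, 128, last_off, 512 + len(body))   # header size, last rec, free space
    chunk[512:512 + len(body)] = body
    struct.pack_into("<I", chunk, 52, zlib.crc32(bytes(body)) & 0xFFFFFFFF)   # event records checksum
    struct.pack_into("<I", chunk, 124, chunk_header_checksum(bytes(chunk)))   # header checksum
    return bytes(chunk)


if __name__ == "__main__":
    good = build_chunk([(10, 131000000000000000, b"\x0f\x01\x01\x00" + b"A" * 20),
                        (11, 131000000000000000, b"ZZZZ" + b"B" * 20)])
    image = b"\x00" * 4096 + good + b"\xff" * 100        # constructed stand-in for a raw image
    for off, chunk in carve_chunks(image):
        for rec in walk_records(chunk):
            print(hex(off), rec["id"], rec["written"], rec.get("error", "ok"))
```

On a real image the buffer would be read in 64 KiB-aligned windows with an 8-byte overlap rather than loaded whole; the validation logic is the part that matters. The header CRC check is what keeps a scan over unallocated space from wasting time on ghost signatures, and the per-record `except` is what keeps one corrupt record from ending the run.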
Willi, do you need some other logs to debug?
With pleasure; it will be very good to hunt with this artifact. You can also add SCCM telemetry.
Hi Matias, the current parser did not parse anything, even for Windows 7. I get the message below:

```
python AmCacheParser.py Amcache.hve doesn't appear to be an Amcache.hve hive Give...
```
It's not my issue. I tested this Python script because I get a lot of warning messages when I want to ingest all the Amcache artifacts, like the one below: 2018-07-17...