Extracting Data from Event Payload in .evtx Event Logs with X-Ways Forensics

On page 138 of the X-Ways Forensics/WinHex Manual (Updated 2021-12-31), it states:

X-Ways Forensics can extract specific data from the event payload in .evtx event logs and list them directly in the event list.

The definition file, Event Log Events.txt, may be configured. It’s only a matter of listing the individual data fields to extract, and verifying that it works.

While exploring X-Ways Forensics’ events list feature for a previous blog post where I briefly mentioned event ID 1006 from Microsoft-Windows-Partition/Diagnostic, I noted that the output was sparse. I wanted to try and populate the description column with additional information.

I remembered that Eric Zimmerman’s EvtxECmd already has the most pertinent fields mapped out, so I just used that to reference which fields I wanted to pull.

‘Microsoft-Windows-Partition-Diagnostic_Microsoft-Windows-Partition_1006.map’

To extract specific fields, start with X-Ways Forensics’ default definition file, Event Log Events.txt. If in doubt, start again with a fresh manual installation of X-Ways Forensics. Then add a new row, while retaining the tab delimiters.

EventID <tab> optional log provider <tab> datafield1,datafield2,datafield3

Extracting data from .evtx files with X-Ways Forensics.
Opening the file in a text-editor.

If <Event data> is available, X-Ways Forensics will parse it when refining a volume snapshot (RVS).

Verify that “Extract internal metadata…” and “Adopt entries in .evtx event logs completely” are both checked.
Filtered for rows where <Event data> is available.

Considerations:

During my initial attempts to extract fields, I was inadvertently adding quotation marks to the .txt definition file. I recently learned that the parser will not work correctly if they are present.

Quotation marks would appear in the .txt file when viewing it in a text editor after the following sequence:
1) Opening the default tab-separated .txt file in MS Excel.
2) Saving the file.

After some searching, I found that MS Excel adds the quotation marks around the extracted-fields column because the commas in it could otherwise be interpreted as CSV delimiters; the quotes are used as text qualifiers.

While quotation marks are acceptable in File Type Signatures *.txt, they are not in Event Log Events.txt.
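Because the definition row format is simple, the two failure points above (a row that is not exactly three tab-separated columns, and Excel's text qualifiers around the comma list) can be checked before running a volume snapshot refinement. The script below is an added example, not part of the original post or of X-Ways Forensics: it validates rows in the EventID <tab> provider <tab> field-list layout, rejects rows containing quotation marks, and then applies a matching row to an event rendered in the standard Windows event XML schema to show which <Data Name="..."> values a row would pull. The sample row and event XML are constructed for illustration; the field names Manufacturer, Model and SerialNumber are assumed here and should be confirmed against the EvtxECmd map for event 1006 before use. The real Event Log Events.txt may carry header or comment lines that the page does not show, so only blank lines are skipped.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (System/EventData elements).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample rows. The first is how a hand-edited row should look;
# the second is the same row after a round-trip through Excel, which wraps
# the comma-separated field list in double quotes as text qualifiers.
GOOD_ROW = "1006\tMicrosoft-Windows-Partition/Diagnostic\tManufacturer,Model,SerialNumber\n"
EXCEL_ROW = '1006\tMicrosoft-Windows-Partition/Diagnostic\t"Manufacturer,Model,SerialNumber"\n'

# Constructed sample event in the standard event XML layout (values are made up).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Partition/Diagnostic"/>
    <EventID>1006</EventID>
    <TimeCreated SystemTime="2022-06-01T12:00:00.000000Z"/>
  </System>
  <EventData>
    <Data Name="Manufacturer">ExampleVendor</Data>
    <Data Name="Model">ExampleDisk 256GB</Data>
    <Data Name="SerialNumber">SN-CONSTRUCTED-0001</Data>
    <Data Name="Capacity">256060514304</Data>
  </EventData>
</Event>"""


def parse_definition_row(row):
    """Split one row into (event_id, provider, [field names]).

    Raises ValueError for the defects described in the post: any quotation
    mark, or a row that is not exactly three tab-separated columns.
    The provider column may be empty (it is optional)."""
    if '"' in row:
        raise ValueError("quotation marks present (typical of a file re-saved by Excel)")
    cols = row.rstrip("\r\n").split("\t")
    if len(cols) != 3:
        raise ValueError(f"expected 3 tab-separated columns, found {len(cols)}")
    event_id, provider, fields = cols
    if not event_id.strip().isdigit():
        raise ValueError(f"event ID is not numeric: {event_id!r}")
    names = [f.strip() for f in fields.split(",") if f.strip()]
    if not names:
        raise ValueError("no data fields listed")
    return int(event_id), provider.strip(), names


def check_definition_file(text):
    """Return [(line_number, problem), ...] for every bad row; [] means clean."""
    problems = []
    for number, row in enumerate(text.splitlines(keepends=True), start=1):
        if not row.strip():
            continue  # blank lines are ignored
        try:
            parse_definition_row(row)
        except ValueError as err:
            problems.append((number, str(err)))
    return problems


def extract_event_data(event_xml, definition_text):
    """Apply definition rows to one event: pick the first row whose event ID
    (and provider, when the row names one) matches, and return the requested
    <Data Name=...> values keyed by name. Returns None when no row matches."""
    root = ET.fromstring(event_xml)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    provider = system.find("e:Provider", NS).get("Name", "")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    for row in definition_text.splitlines(keepends=True):
        if not row.strip():
            continue
        row_id, row_provider, names = parse_definition_row(row)
        if row_id == event_id and (not row_provider or row_provider == provider):
            return {name: data.get(name) for name in names}
    return None


if __name__ == "__main__":
    print("good row problems:", check_definition_file(GOOD_ROW))
    print("excel row problems:", check_definition_file(EXCEL_ROW))
    print("extracted:", extract_event_data(SAMPLE_EVENT, GOOD_ROW))
```

Run the checker over the real Event Log Events.txt after every edit; a non-empty result pinpoints the row (and the quotation-mark cause) before X-Ways silently produces an empty description column.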

Edit, 06/08/2022: While I am able to parse the <Event data> that XWF was able to process, the output does not appear to be complete when compared to EvtxECmd. With the same file, EvtxECmd.exe is able to map out 24 instances of event ID 1006 using the map it is packaged with. XWF, as of v20.5 SR-2, processes 8 of the 24.
