GrokEVT is a collection of scripts built for reading Windows® NT/2K/XP/2K3 event log files. The scripts work together on one or more mounted Windows partitions to extract all information needed (registry entries, message templates, and log files) to convert the logs to a human-readable format.
|Tags||Security Recovery Tools Forensics Utilities Logging|
|Operating Systems||POSIX BSD Linux|
Release Notes: This is a major code refresh release to catch up with the times. grokevt-builddb has been redesigned to use RegLookup's pyregfi library instead of executing the command line tools. A work-around has been added for the fact that many Linux distributions no longer make case-insensitive filesystem mounts easy. Support jas been added for Python 3. The license has been changed to the GPLv3. There are various Unicode fixes and other bugfixes.
Release Notes: A bug in grokevt-builddb which prevented it from working on certain broken registry configurations was fixed. Other validation was improved and verbose messages were added as well. The default example configuration tree was changed to use paths more commonly found in recent versions of Windows. No feature changes were made in this version.
Release Notes: This is a major release, including several new features. The grokevt-findlogs script was added, which can accurately detect individual log entries in raw binary files (such as memory dumps or disk partitions). The grokevt-dumpmsgs script was added, which can be used to display the log message templates stored in GrokEVT's databases. The man pages were converted to docbook templates.
Release Notes: This is a minor bugfix release. A workaround was made for buggy data (trailing NULs in filenames) sometimes found in registry entries and a reglookup/grokevt-builddb deadlock experienced by some users. No feature changes were made in this version.
Release Notes: Initial Jnicode support has been added. Windows UTF-16 is properly read from logs, and output is optionally produced in UTF-8. A new option has been added for printing log meta information, which is helpful in determining a log's level of corruption. A new script, grokevt-addlog, has been introduced. This allows one to add raw log files to an existing message template database. There is a much improved log parsing algorithm, which works with wrapped and fragmentary logs. Multiple bugfixes and improved exception handling.